M1038: Execution Prevention
Prevent the execution of unauthorized or malicious code on systems by implementing application control, script blocking, and other execution prevention mechanisms. This ensures that only trusted and authorized code is executed, reducing the risk of malware and unauthorized actions. This mitigation can be implemented through the following measures:
Application Control:
- Use Case: Use tools like AppLocker or Windows Defender Application Control (WDAC) to create whitelists of authorized applications and block unauthorized ones. On Linux, use tools like SELinux or AppArmor to define mandatory access control policies for application execution.
- Implementation: Allow only digitally signed or pre-approved applications to execute on servers and endpoints. (e.g., `New-AppLockerPolicy -PolicyType Enforced -FilePath "C:\Policies\AppLocker.xml"`)
Script Blocking:
- Use Case: Use script control mechanisms to block unauthorized execution of scripts, such as PowerShell or JavaScript. Web Browsers: Use browser extensions or settings to block JavaScript execution from untrusted sources.
- Implementation: Configure PowerShell to enforce Constrained Language Mode for non-administrator users. (e.g., `Set-ExecutionPolicy AllSigned`)
Executable Blocking:
- Use Case: Prevent execution of binaries from suspicious locations, such as `%TEMP%` or `%APPDATA%` directories.
- Implementation: Block execution of `.exe`, `.bat`, or `.ps1` files from user-writable directories.
Dynamic Analysis Prevention:
- Use Case: Use behavior-based execution prevention tools to identify and block malicious activity in real time.
- Implementation: Employ EDR solutions that analyze runtime behavior and block suspicious code execution.
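The Application Control and Executable Blocking measures above fit naturally into a single AppLocker policy. The PowerShell below is an added example, not part of the mirrored ATT&CK description or of Glexia's analysis: it writes a policy that allows Program Files, the Windows directory and one assumed signing publisher, explicitly denies EXE and script execution from user-writable locations, stages the policy in AuditOnly mode, and dry-runs it with `Test-AppLockerPolicy` before applying it. The publisher subject, the policy path, the generated rule GUIDs and the sample file paths are constructed for this example.

```powershell
# Added example (not mirrored ATT&CK text): AppLocker policy that allows trusted
# locations and one signer, denies user-writable paths, and starts in AuditOnly.
#Requires -RunAsAdministrator
$policyPath = 'C:\Policies\AppLocker-Audit.xml'   # assumed location

# %OSDRIVE%, %WINDIR% and %PROGRAMFILES% are built-in AppLocker path variables.
# Per-user profile locations are expressed with a wildcard user segment.
$userWritable = @(
    '%OSDRIVE%\Users\*\AppData\Local\Temp\*',
    '%OSDRIVE%\Users\*\AppData\Roaming\*',
    '%OSDRIVE%\Users\*\Downloads\*'
)

function New-PathRuleXml {
    param([string]$Name, [string]$Path, [ValidateSet('Allow','Deny')][string]$Action)
    $id = [guid]::NewGuid().ToString()
    # S-1-1-0 is the Everyone SID. In AppLocker an explicit Deny always wins over Allow.
@"
    <FilePathRule Id="$id" Name="$Name" Description="" UserOrGroupSid="S-1-1-0" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

function New-PublisherRuleXml {
    param([string]$Name, [string]$Publisher)
    $id = [guid]::NewGuid().ToString()
@"
    <FilePublisherRule Id="$id" Name="$Name" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="$Publisher" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
"@
}

# Publisher string = certificate subject of the code signer (assumed value).
$trustedPublisher = 'O=CONTOSO CORPORATION, L=REDMOND, S=WASHINGTON, C=US'

# Broad path Allow rules are convenient but weaker than publisher rules; review
# them against locally writable subfolders before moving to enforcement.
$denyRules = $userWritable | ForEach-Object { New-PathRuleXml -Name "Deny user-writable: $_" -Path $_ -Action Deny }
$exeRules = @(
    (New-PathRuleXml -Name 'Allow Program Files' -Path '%PROGRAMFILES%\*' -Action Allow)
    (New-PathRuleXml -Name 'Allow Windows'       -Path '%WINDIR%\*'       -Action Allow)
    (New-PublisherRuleXml -Name 'Allow signed line-of-business apps' -Publisher $trustedPublisher)
) + $denyRules
$scriptRules = @(
    (New-PathRuleXml -Name 'Allow Program Files scripts' -Path '%PROGRAMFILES%\*' -Action Allow)
    (New-PathRuleXml -Name 'Allow Windows scripts'       -Path '%WINDIR%\*'       -Action Allow)
) + $denyRules

# AuditOnly logs what would be blocked without blocking it; switch the
# EnforcementMode to "Enabled" only after the audit log is clean for the host role.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$($exeRules -join "`n")
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
$($scriptRules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry-run against sample paths (constructed; point these at real files on a test host).
$samples = @(
    'C:\Users\alice\AppData\Local\Temp\unapproved_tool.exe',
    'C:\Users\alice\AppData\Roaming\updater.ps1',
    'C:\Program Files\Contoso\LobApp.exe'
)
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $samples -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# AppLocker only evaluates rules while the Application Identity service runs.
sc.exe config appidsvc start= auto | Out-Null
Start-Service AppIDSvc

# Apply locally (-Merge keeps existing rules); use Group Policy or MDM at scale.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# Confirm what is actually in force, including the enforcement mode per collection.
([xml](Get-AppLockerPolicy -Effective -Xml)).AppLockerPolicy.RuleCollection |
    Select-Object Type, EnforcementMode
```

The final `Get-AppLockerPolicy -Effective` check matters more than the policy file itself: a collection still reporting `AuditOnly` after a supposed rollout is the most common reason an "application control" deployment provides no prevention at all.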
Analyst context for executives and security teams
Execution Prevention is a control family for stopping unapproved applications, scripts, binaries, or suspicious runtime behavior before they can run. Its business value is reducing the chance that a malicious file, renamed utility, script, or abused interpreter becomes an incident. For leaders, the key question is not whether a tool exists, but whether allowlists, script controls, and execution blocking are enforced on the systems and user groups where unauthorized code would create the most operational risk.
Executive priority
Prioritize this mitigation where unauthorized execution would disrupt business continuity, increase privilege escalation risk, or weaken audit evidence around endpoint and server control. The relationship set shows relevance across execution, stealth, privilege escalation, and lateral movement behaviors, including command and scripting interpreters, PowerShell, Windows command shell, Unix shell, cloud APIs, container CLI/API, WMI, masquerading, trusted developer utilities, shared modules, and tainted shared content. Executives should ask which assets have enforceable application control, which exceptions are business-justified, and whether high-risk script and user-writable locations are governed rather than merely monitored.
Technical view
SOC, detection engineering, and IR teams should validate that execution prevention is configured to block or constrain unauthorized applications, scripts, and binaries, especially from user-writable paths such as TEMP or APPDATA where supported by local policy. For Windows-related relationships, validate controls around PowerShell, cmd, WMI, MSBuild, script types such as VB/JavaScript/AutoHotKey/AutoIT, and signed or trusted developer utilities that may proxy execution. For Linux, macOS, ESXi, containers, network devices, IaaS, SaaS, identity provider, and cloud API contexts represented in related techniques, confirm whether equivalent execution restrictions, mandatory access control, CLI/API governance, and script controls exist. Because MITRE provides no official detection text for this mitigation, local telemetry and prevention logs are required to prove coverage.
Likely telemetry
- Application control allow/block events and policy enforcement logs
- Script execution and script-blocking events, including PowerShell and other interpreter activity where available
- Process creation and command-line telemetry for shells, interpreters, developer utilities, and execution from user-writable directories
- EDR runtime prevention, behavior-blocking, and quarantine/block decisions
- File metadata, extension, path, signature, and hash evidence relevant to masquerading and file-type masquerading
Detection direction
- Confirm that prevention events are ingested and distinguish true blocks from audit-only or report-only policy modes.
- Tune for execution from suspicious or user-writable locations while accounting for legitimate software updaters, administrative tools, developer workflows, and automation scripts.
- Review allowlist exceptions for trusted utilities, interpreters, signed binaries, and developer tools because related techniques include proxy execution and masquerading behaviors.
- Correlate blocked or allowed execution with file name, path, signature, file type, interpreter, parent process, user, and host role to reduce false positives and identify risky exceptions.
- Validate coverage beyond Windows where applicable; related techniques include Linux, macOS, ESXi, containers, network devices, IaaS, SaaS, office suite, and identity provider contexts, but implementation mechanisms will differ.
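The first two detection points above (distinguishing true blocks from audit-only decisions, and tuning for user-writable locations) can be worked directly from the AppLocker event logs. The PowerShell below is an added example, not Glexia's or MITRE's code: it reads the EXE/DLL and MSI/Script logs, labels each event as Allowed, AuditWouldBlock or Blocked from its event ID, flags paths under user profile or temp locations with a constructed pattern, and reports the effective enforcement mode so that a low "Blocked" count is not mistaken for a clean environment. The event-schema element names are taken from the AppLocker event format and should be confirmed against a local event if any field comes back empty.

```powershell
# Added example (not mirrored ATT&CK text): classify AppLocker telemetry.
# Event IDs per log: 8002/8005 allowed, 8003/8006 audit (would have blocked),
# 8004/8007 blocked, for "EXE and DLL" and "MSI and Script" respectively.
$logs = @('Microsoft-Windows-AppLocker/EXE and DLL',
          'Microsoft-Windows-AppLocker/MSI and Script')
$decision = @{ 8002 = 'Allowed'; 8003 = 'AuditWouldBlock'; 8004 = 'Blocked'
               8005 = 'Allowed'; 8006 = 'AuditWouldBlock'; 8007 = 'Blocked' }

# Constructed pattern for user-writable locations. AppLocker records paths with
# its own variables (e.g. %OSDRIVE%\USERS\ALICE\APPDATA\...), hence (?i).
$userWritablePattern = '(?i)\\USERS\\[^\\]+\\(APPDATA|DOWNLOADS)\\|\\TEMP\\|PROGRAMDATA\\'

function Get-AppLockerDecision {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    foreach ($log in $logs) {
        $filter = @{ LogName = $log; Id = 8002, 8003, 8004, 8005, 8006, 8007; StartTime = $Since }
        $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # Element names follow the AppLocker event schema (UserData/RuleAndFileData).
            $d = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
            [pscustomobject]@{
                Time          = $e.TimeCreated
                Log           = $log.Split('/')[-1]
                Decision      = $decision[[int]$e.Id]
                EnforcedBlock = ($e.Id -in 8004, 8007)   # only these are real blocks
                FilePath      = $d.FilePath
                Fqbn          = $d.Fqbn                   # publisher\product\binary\version, empty if unsigned
                FileHash      = $d.FileHash
                Rule          = $d.RuleName
                User          = $d.TargetUser
                ProcessId     = $d.TargetProcessId
                UserWritable  = [bool]($d.FilePath -match $userWritablePattern)
            }
        }
    }
}

# Enforcement mode per collection: an AuditOnly collection never emits 8004/8007,
# so "zero blocks" from it means "no prevention", not "no unwanted execution".
function Get-AppLockerEnforcement {
    ([xml](Get-AppLockerPolicy -Effective -Xml)).AppLockerPolicy.RuleCollection |
        Select-Object Type, EnforcementMode
}

# Tuning view: audit-mode "would block" hits grouped by path and rule are the
# exceptions to review (updaters, admin tools, automation) before enforcing.
function Get-AppLockerTuningCandidates {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-AppLockerDecision -Since $Since |
        Where-Object { $_.Decision -eq 'AuditWouldBlock' } |
        Group-Object FilePath, Rule |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Summary: decisions split by whether the file lived in a user-writable location.
Get-AppLockerDecision -Since (Get-Date).AddDays(-7) |
    Group-Object Decision, UserWritable |
    Select-Object Count, Name
Get-AppLockerEnforcement
Get-AppLockerTuningCandidates

# Script-control check for the current session: ConstrainedLanguage means CLM is in effect.
$ExecutionContext.SessionState.LanguageMode
```

Correlating `FilePath`, `Fqbn` and `FileHash` with process-creation telemetry (parent process, user, host role) is what turns the raw decision into the risk judgement the bullets above call for; the script only supplies the prevention-side half of that join.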
Mitigation priorities
- Start with business-critical servers, administrative workstations, and high-risk endpoints where unauthorized execution would have the highest operational impact.
- Implement application control using digitally signed or pre-approved application policies, with careful exception governance and change management.
- Block or constrain unauthorized scripts, including PowerShell and JavaScript where applicable, and apply constrained language or signed-script requirements when appropriate to the environment.
- Prevent execution of executables and scripts from user-writable directories such as TEMP and APPDATA where supported by platform and business process.
- Apply platform-appropriate mandatory access control or execution policies for non-Windows systems where relevant.
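The first two priorities above (start with the highest-impact hosts; build policy from signed or pre-approved applications with exception governance) describe the audit-then-enforce workflow that WDAC supports natively. The PowerShell below is an added example, not Glexia's or MITRE's code, using the ConfigCI cmdlets: it scans a clean reference image at publisher level with hash fallback for unsigned files, deploys the result in audit mode, surfaces the audit events that represent would-be blocks, and only then removes the audit option. The policy name, file paths and scan path are assumptions for a reference build.

```powershell
# Added example (not mirrored ATT&CK text): WDAC policy lifecycle, audit first.
#Requires -RunAsAdministrator
$policyXml = 'C:\Policies\WDAC-Base.xml'   # assumed paths
$policyBin = 'C:\Policies\WDAC-Base.cip'
New-Item -ItemType Directory -Path 'C:\Policies' -Force | Out-Null

# 1. Scan a clean reference image. Publisher rules cover signed code; unsigned
#    files fall back to hash rules, which must be regenerated when they change.
New-CIPolicy -Level Publisher -Fallback Hash -ScanPath 'C:\' -UserPEs `
             -MultiplePolicyFormat -FilePath $policyXml

# 2. Name the policy and set rule options: 0 = Enabled:UMCI (user-mode code
#    integrity), 3 = Enabled:Audit Mode, 10 = Enabled:Boot Audit on Failure.
Set-CIPolicyIdInfo -FilePath $policyXml -PolicyName 'Base-Allowlist'
Set-RuleOption -FilePath $policyXml -Option 0
Set-RuleOption -FilePath $policyXml -Option 3
Set-RuleOption -FilePath $policyXml -Option 10

# 3. Compile and stage. In multiple-policy format the binary is named by the
#    policy's own PolicyID GUID (the XML value already carries the braces).
function Publish-WdacPolicy {
    param([string]$XmlPath, [string]$BinPath)
    ConvertFrom-CIPolicy -XmlFilePath $XmlPath -BinaryFilePath $BinPath | Out-Null
    $policyId = ([xml](Get-Content $XmlPath)).SiPolicy.PolicyID
    $target = Join-Path "$env:SystemRoot\System32\CodeIntegrity\CiPolicies\Active" "$policyId.cip"
    Copy-Item -Path $BinPath -Destination $target -Force
    # Windows 11 22H2+ can refresh without a reboot; older builds need one.
    if (Get-Command citool.exe -ErrorAction SilentlyContinue) { citool.exe --update-policy $target }
    return $target
}
Publish-WdacPolicy -XmlPath $policyXml -BinPath $policyBin

# 4. Audit review. 3076 = would have been blocked (audit), 3077 = blocked (enforced).
function Get-WdacBlockEvents {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $filter = @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 3076) { 'Audit' } else { 'Enforced' }
            Summary = ($_.Message -split "`r?`n")[0]   # first line names the file
        }
    }
}
Get-WdacBlockEvents | Group-Object Mode, Summary | Sort-Object Count -Descending |
    Select-Object Count, Name

# 5. Exception governance: every residual 3076 is either a policy gap to fix with
#    a reviewed supplemental rule or a business exception to record. Only when the
#    audit log is clean for the host role, remove option 3 and republish.
Set-RuleOption -FilePath $policyXml -Option 3 -Delete
Publish-WdacPolicy -XmlPath $policyXml -BinPath $policyBin
```

Keeping option 10 (boot audit on failure) on the enforced policy is the recovery safeguard: if a boot-critical driver is outside the allowlist the system falls back to audit rather than failing to boot, which is the stability concern the driver-block relationship for T1068 in the table below also raises.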
Analyst notes and limits
This is a mitigation object, not a technique, so the defensive value is in control validation rather than adversary procedure detail. The supplied relationships show broad relevance to execution and stealth behaviors, especially command and scripting interpreters and masquerading. Strong assessment requires comparing the intended prevention policy with actual enforcement mode, exception inventory, and telemetry ingestion.
The ATT&CK object does not specify platforms or tactics directly and provides no official detection guidance. Platform relevance is inferred only from the supplied related techniques. Local architecture, endpoint tooling, cloud/container usage, administrative workflows, and business-approved exceptions are required to determine practical coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1219.001 | IDE Tunneling Sub-technique | Use Group Policies to require user authentication by disabling anonymous tunnel access, preventing any unauthenticated tunnel creation or usage. Disable the Visual Studio Dev Tunnels feature to block tunnel-related commands, allowing only minimal exceptions for utility functions (unset, echo, ping, and user). Restrict tunnel access to approved Microsoft Entra tenant IDs by specifying allowed tenants; all other users are denied access by default. (Citation: Microsoft Dev Tunnels Group Policy Mitigation) (Citation: Microsoft Dev Tunnels Group Policies) |
| Enterprise | T1216.002 | SyncAppvPublishingServer Sub-technique | Certain signed scripts that can be used to execute other programs may not be necessary within a given environment. Use application control configured to block execution of these scripts if they are not required for a given system or network to prevent potential misuse by adversaries. |
| Enterprise | T1553.003 | SIP and Trust Provider Hijacking Sub-technique | Enable application control solutions such as AppLocker and/or Device Guard to block the loading of malicious SIP DLLs. |
| Enterprise | T1059.010 | AutoHotKey & AutoIT Sub-technique | Use application control to prevent execution of `AutoIt3.exe`, `AutoHotkey.exe`, and other related features that may not be required for a given system or network to prevent potential misuse by adversaries. |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | Use tools that restrict program execution via application control by attributes other than file name for common operating system utilities that are needed. |
| Enterprise | T1574.008 | Path Interception by Search Order Hijacking Sub-technique | Adversaries will likely need to place new binaries in locations to be executed through this weakness. Identify and block potentially malicious software executed through path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate. (Citation: SANS Application Whitelisting) (Citation: Microsoft Windows Defender Application Control) (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) (Citation: Microsoft Application Lockdown) (Citation: Microsoft Using Software Restriction) |
| Enterprise | T1574.006 | Dynamic Linker Hijacking Sub-technique | Adversaries may use new payloads to execute this technique. Identify and block potentially malicious software executed through hijacking by using application control solutions also capable of blocking libraries loaded by legitimate software. |
| Enterprise | T1546.002 | Screensaver Sub-technique | Block .scr files from being executed from non-standard locations. |
| Enterprise | T1564.003 | Hidden Window Sub-technique | Limit or restrict program execution using anti-virus software. On MacOS, allowlist programs that are allowed to have the plist tag. All other programs should be considered suspicious. |
| Enterprise | T1553 | Subvert Trust Controls | System settings can prevent applications from running that haven't been downloaded through the Apple Store (or other legitimate repositories) which can help mitigate some of these issues. Also enable application control solutions such as AppLocker and/or Device Guard to block the loading of malicious content. |
| Enterprise | T1176.002 | IDE Extensions Sub-technique | Set an IDE extension allow or deny list as appropriate for your security policy. |
| Enterprise | T1218.005 | Mshta Sub-technique | Use application control configured to block execution of |
| Enterprise | T1059.005 | Visual Basic Sub-technique | Use application control where appropriate. VBA macros obtained from the Internet, based on the file's Mark of the Web (MOTW) attribute, may be blocked from executing in Office applications (ex: Access, Excel, PowerPoint, Visio, and Word) by default starting in Windows Version 2203. (Citation: Default VBS macros Blocking) |
| Enterprise | T1218.004 | InstallUtil Sub-technique | Use application control configured to block execution of InstallUtil.exe if it is not required for a given system or network to prevent potential misuse by adversaries. |
| Enterprise | T1204 | User Execution | Application control may be able to prevent the running of executables masquerading as other files. |
| Enterprise | T1574.001 | DLL Sub-technique | Identify and block potentially malicious software executed through DLL hijacking by using application control solutions capable of blocking DLLs loaded by legitimate software. (Citation: Microsoft AppLocker DLL) |
| Enterprise | T1204.004 | Malicious Copy and Paste Sub-technique | Use application control where appropriate. PowerShell Constrained Language mode can be used to restrict access to sensitive or otherwise dangerous language elements such as those used to execute arbitrary Windows APIs or files (e.g., `Add-Type`). (Citation: Microsoft PowerShell CLM) |
| Enterprise | T1129 | Shared Modules | Identify and block potentially malicious software executed through this technique by using application control tools capable of preventing unknown modules from being loaded. |
| Enterprise | T1218.009 | Regsvcs/Regasm Sub-technique | Block execution of Regsvcs.exe and Regasm.exe if they are not required for a given system or network to prevent potential misuse by adversaries. |
| Enterprise | T1548 | Abuse Elevation Control Mechanism | System settings can prevent applications from running that haven't been downloaded from legitimate repositories which may help mitigate some of these issues. Not allowing unsigned applications from being run may also mitigate some risk. |
| Enterprise | T1548.004 | Elevated Execution with Prompt Sub-technique | System settings can prevent applications from running that haven't been downloaded through the Apple Store which may help mitigate some of these issues. Not allowing unsigned applications from being run may also mitigate some risk. |
| Enterprise | T1611 | Escape to Host | Use read-only containers, read-only file systems, and minimal images when possible to prevent the running of commands. (Citation: Kubernetes Hardening Guide) Where possible, also consider using application control and software restriction tools (such as those provided by SELinux) to restrict access to files, processes, and system calls in containers. (Citation: Kubernetes Security Context) |
| Enterprise | T1216.001 | PubPrn Sub-technique | Certain signed scripts that can be used to execute other programs may not be necessary within a given environment. Use application control configured to block execution of these scripts if they are not required for a given system or network to prevent potential misuse by adversaries. |
| Enterprise | T1547.009 | Shortcut Modification Sub-technique | Prevents malicious shortcuts or LNK files from executing unwanted code by ensuring only authorized applications and scripts are allowed to run. |
| Enterprise | T1218.012 | Verclsid Sub-technique | Use application control configured to block execution of verclsid.exe if it is not required for a given system or network to prevent potential misuse by adversaries. |
| Enterprise | T1106 | Native API | Identify and block potentially malicious software that may be executed through this technique by using application control (Citation: Beechey 2010) tools, like Windows Defender Application Control (Citation: Microsoft Windows Defender Application Control), AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker), or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP) |
| Enterprise | T1127.003 | JamPlus Sub-technique | Consider blocking or restricting JamPlus if not required. |
| Enterprise | T1218.015 | Electron Applications Sub-technique | Where possible, enforce binary and application integrity with digital signature verification to prevent untrusted code from executing. For example, do not use `shell.openExternal` with untrusted content. Where possible, set `nodeIntegration` to false, which disables access to the Node.js function. (Citation: Electron Security 3) By disabling access to the Node.js function, this may limit the ability to execute malicious commands by injecting JavaScript code. Do not disable `webSecurity`, which may allow for users of the application to invoke malicious content from online sources. |
| Enterprise | T1219 | Remote Access Tools | Use application control to mitigate installation and use of unapproved software that can be used for remote access. |
| Enterprise | T1216 | System Script Proxy Execution | Certain signed scripts that can be used to execute other programs may not be necessary within a given environment. Use application control configured to block execution of these scripts if they are not required for a given system or network to prevent potential misuse by adversaries. |
| Enterprise | T1047 | Windows Management Instrumentation | Use application control configured to block execution of |
| Enterprise | T1674 | Input Injection | Denylist scripting and use application control where appropriate. For example, PowerShell Constrained Language mode can be used to restrict access to sensitive or otherwise dangerous language elements such as those used to execute arbitrary Windows APIs or files (e.g., `Add-Type`). (Citation: Microsoft PowerShell CLM) |
| Enterprise | T1059.007 | JavaScript Sub-technique | Denylist scripting where appropriate. |
| Enterprise | T1204.002 | Malicious File Sub-technique | Application control may be able to prevent the running of executables masquerading as other files. |
| Enterprise | T1546.010 | AppInit DLLs Sub-technique | Adversaries can install new AppInit DLLs binaries to execute this technique. Identify and block potentially malicious software executed through AppInit DLLs functionality by using application control (Citation: Beechey 2010) tools, like Windows Defender Application Control (Citation: Microsoft Windows Defender Application Control), AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker), or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP) |
| Enterprise | T1059.004 | Unix Shell Sub-technique | Use application control where appropriate. On ESXi hosts, the `execInstalledOnly` feature prevents binaries from being run unless they have been packaged and signed as part of a vSphere installation bundle (VIB). (Citation: Google Cloud Threat Intelligence ESXi Hardening 2023) |
| Enterprise | T1574 | Hijack Execution Flow | Adversaries may use new payloads to execute this technique. Identify and block potentially malicious software executed through hijacking by using application control solutions also capable of blocking libraries loaded by legitimate software. |
| Enterprise | T1505.004 | IIS Components Sub-technique | Restrict unallowed ISAPI extensions and filters from running by specifying a list of ISAPI extensions and filters that can run on IIS. (Citation: Microsoft ISAPICGIRestriction 2016) |
| Enterprise | T1547.004 | Winlogon Helper DLL Sub-technique | Identify and block potentially malicious software that may be executed through the Winlogon helper process by using application control (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs. |
| Enterprise | T1059.002 | AppleScript Sub-technique | Use application control where appropriate. |
| Enterprise | T1553.001 | Gatekeeper Bypass Sub-technique | System settings can prevent applications from running that haven't been downloaded through the Apple Store which can help mitigate some of these issues. |
| Enterprise | T1036.008 | Masquerade File Type Sub-technique | Ensure that input sanitization is performed and that files are validated properly before execution; furthermore, implement a strict allow list to ensure that only authorized file types are processed. (Citation: file_upload_attacks_pt2) Restrict and/or block execution of files where headers and extensions do not match. |
| Enterprise | T1218.008 | Odbcconf Sub-technique | Use application control configured to block execution of Odbcconf.exe if it is not required for a given system or network to prevent potential misuse by adversaries. |
| Enterprise | T1685 | Disable or Modify Tools | Use application control where appropriate, especially regarding the execution of tools outside of the organization's security policies (such as rootkit removal tools) that have been abused to impair system defenses. Ensure that only approved security applications are used and running on enterprise systems. |
| Enterprise | T1059 | Command and Scripting Interpreter | Use application control where appropriate. For example, PowerShell Constrained Language mode can be used to restrict access to sensitive or otherwise dangerous language elements such as those used to execute arbitrary Windows APIs or files (e.g., `Add-Type`). (Citation: Microsoft PowerShell CLM) |
| Enterprise | T1574.007 | Path Interception by PATH Environment Variable Sub-technique | Adversaries will likely need to place new binaries in locations to be executed through this weakness. Identify and block potentially malicious software executed through path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate. (Citation: SANS Application Whitelisting) (Citation: Microsoft Windows Defender Application Control) (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) (Citation: Microsoft Application Lockdown) (Citation: Microsoft Using Software Restriction) |
| Enterprise | T1127 | Trusted Developer Utilities Proxy Execution | Certain developer utilities should be blocked or restricted if not required. |
| Enterprise | T1490 | Inhibit System Recovery | Consider using application control configured to block execution of utilities such as `diskshadow.exe` that may not be required for a given system or network to prevent potential misuse by adversaries. |
| Enterprise | T1059.008 | Network Device CLI Sub-technique | TACACS+ can keep control over which commands administrators are permitted to use through the configuration of authentication and command authorization. (Citation: Cisco IOS Software Integrity Assurance - TACACS) |
| Enterprise | T1218 | System Binary Proxy Execution | Consider using application control to prevent execution of binaries that are susceptible to abuse and not required for a given system or network. |
| Enterprise | T1218.002 | Control Panel Sub-technique | Identify and block potentially malicious and unknown .cpl files by using application control (Citation: Beechey 2010) tools, like Windows Defender Application Control (Citation: Microsoft Windows Defender Application Control), AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker), or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | Use application control where appropriate. |
| Enterprise | T1546.006 | LC_LOAD_DYLIB Addition Sub-technique | Allow applications via known hashes. |
| Enterprise | T1220 | XSL Script Processing | If msxsl.exe is unnecessary, then block its execution to prevent abuse by adversaries. |
| Enterprise | T1080 | Taint Shared Content | Identify potentially malicious software that may be used to taint content or may result from it and audit and/or block the unknown programs by using application control (Citation: Beechey 2010) tools, like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP) |
| Enterprise | T1059.009 | Cloud API Sub-technique | Use application control where appropriate to block use of PowerShell CmdLets or other host based resources to access cloud API resources. |
| Enterprise | T1547.006 | Kernel Modules and Extensions Sub-technique | Application control and software restriction tools, such as SELinux, KSPP, grsecurity MODHARDEN, and Linux kernel tuning can aid in restricting kernel module loading. (Citation: Kernel.org Restrict Kernel Module) (Citation: Wikibooks Grsecurity) (Citation: Kernel Self Protection Project) (Citation: Increasing Linux kernel integrity) (Citation: LKM loading kernel restrictions) |
| Enterprise | T1574.009 | Path Interception by Unquoted Path Sub-technique | Adversaries will likely need to place new binaries in locations to be executed through this weakness. Identify and block potentially malicious software executed through path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate. (Citation: SANS Application Whitelisting) (Citation: Microsoft Windows Defender Application Control) (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) (Citation: Microsoft Application Lockdown) (Citation: Microsoft Using Software Restriction) |
| Enterprise | T1059.006 | Python Sub-technique | Denylist Python where not required. |
| Enterprise | T1059.013 | Container CLI/API Sub-technique | Deny scripting where appropriate. Tools such as Python or Go can utilize Kubernetes and Docker within a client library and execute commands within their application. |
| Enterprise | T1059.011 | Lua Sub-technique | Denylist Lua interpreters where appropriate. |
| Enterprise | T1127.001 | MSBuild Sub-technique | Use application control configured to block execution of |
| Enterprise | T1574.012 | COR_PROFILER Sub-technique | Identify and block potentially malicious unmanaged COR_PROFILER profiling DLLs by using application control solutions like AppLocker that are capable of auditing and/or blocking unapproved DLLs. (Citation: Beechey 2010) (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) |
| Enterprise | T1546.008 | Accessibility Features Sub-technique | Adversaries can replace accessibility features binaries with alternate binaries to execute this technique. Identify and block potentially malicious software executed through accessibility features functionality by using application control (Citation: Beechey 2010) tools, like Windows Defender Application Control (Citation: Microsoft Windows Defender Application Control), AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker), or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP) |
| Enterprise | T1546.009 | AppCert DLLs Sub-technique | Adversaries install new AppCertDLL binaries to execute this technique. Identify and block potentially malicious software executed through AppCertDLLs functionality by using application control (Citation: Beechey 2010) tools, like Windows Defender Application Control (Citation: Microsoft Windows Defender Application Control), AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker), or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP) |
| Enterprise | T1176 | Software Extensions | Set an extension allow or deny list as appropriate for your security policy. |
| Enterprise | T1068 | Exploitation for Privilege Escalation | Consider blocking the execution of known vulnerable drivers that adversaries may exploit to execute code in kernel mode. Validate driver block rules in audit mode to ensure stability prior to production deployment. (Citation: Microsoft Driver Block Rules) |
| Enterprise | T1176.001 | Browser Extensions Sub-technique | Set a browser extension allow or deny list as appropriate for your security policy. (Citation: Technospot Chrome Extensions GP) |
| Enterprise | T1553.005 | Mark-of-the-Web Bypass Sub-technique | Consider blocking container file types at web and/or email gateways. Consider unregistering container file extensions in Windows File Explorer. (Citation: Dormann Dangers of VHD 2019) |
| Enterprise | T1218.003 | CMSTP Sub-technique | Consider using application control configured to block execution of CMSTP.exe if it is not required for a given system or network to prevent potential misuse by adversaries. |
| Enterprise | T1219.002 | Remote Desktop Software Sub-technique | Use application control to mitigate installation and use of unapproved software that can be used for remote access. |
| Enterprise | T1036 | Masquerading | Use tools that restrict program execution via application control by attributes other than file name for common operating system utilities that are needed. |
| Enterprise | T1218.014 | MMC Sub-technique | Use application control configured to block execution of MMC if it is not required for a given system or network to prevent potential misuse by adversaries. |
| Enterprise | T1218.001 | Compiled HTML File Sub-technique | Consider using application control to prevent execution of hh.exe if it is not required for a given system or network to prevent potential misuse by adversaries. |
| Enterprise | T1218.013 | Mavinject Sub-technique | Use application control configured to block execution of mavinject.exe if it is not required for a given system or network to prevent potential misuse by adversaries. |
| Enterprise | T1564.006 | Run Virtual Instance Sub-technique | Use application control to mitigate installation and use of unapproved virtualization software. |
| Enterprise | T1609 | Container Administration Command | Use read-only containers, read-only file systems, and minimal images when possible to prevent the execution of commands. (Citation: Kubernetes Hardening Guide) Where possible, also consider using application control and software restriction tools (such as those provided by SELinux) to restrict access to files, processes, and system calls in containers. (Citation: Kubernetes Security Context) |
| Enterprise | T1685.003 | Modify or Spoof Tool UI Sub-technique | Use application controls to mitigate installation and use of payloads that may be utilized to spoof security alerting. |
| Enterprise | T1059.001 | PowerShell Sub-technique | Use application control where appropriate. PowerShell Constrained Language mode can be used to restrict access to sensitive or otherwise dangerous language elements such as those used to execute arbitrary Windows APIs or files (e.g., `Add-Type`). (Citation: Microsoft PowerShell CLM) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | 4dc91eb387d8… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack M1038
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.