M1042: Disable or Remove Feature or Program
Disable or remove unnecessary and potentially vulnerable software, features, or services to reduce the attack surface and prevent abuse by adversaries. This involves identifying software or features that are no longer needed or that could be exploited and ensuring they are either removed or properly disabled. This mitigation can be implemented through the following measures:
Remove Legacy Software:
- Use Case: Disable or remove older versions of software that no longer receive updates or security patches (e.g., legacy Java, Adobe Flash).
- Implementation: A company removes Flash Player from all employee systems after it has reached its end-of-life date.
Disable Unused Features:
- Use Case: Turn off unnecessary operating system features like SMBv1, Telnet, or RDP if they are not required.
- Implementation: Disable SMBv1 in a Windows environment to mitigate vulnerabilities like EternalBlue.
Control Applications Installed by Users:
- Use Case: Prevent users from installing unauthorized software via group policies or other management tools.
- Implementation: Block user installations of unauthorized file-sharing applications (e.g., BitTorrent clients) in an enterprise environment.
Remove Unnecessary Services:
- Use Case: Identify and disable unnecessary default services running on endpoints, servers, or network devices.
- Implementation: Disable unused administrative shares (e.g., C$, ADMIN$) on workstations.
Restrict Add-ons and Plugins:
- Use Case: Remove or disable browser plugins and add-ons that are not needed for business purposes.
- Implementation: Disable Java and ActiveX plugins in web browsers to prevent drive-by attacks.
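The following PowerShell script is an added example, not code from the ATT&CK object or from Glexia: it audits a single Windows host against the five measures above and changes state only when run with -Remediate. The cmdlets and registry paths are the standard Microsoft ones; the audit-first design, the end-of-life product pattern 'Adobe Flash Player*', and the use of the Internet Explorer Internet-zone ActiveX setting as the plugin control are assumptions made for this example.

```powershell
# Added example (not part of the ATT&CK object or the Glexia analysis).
# Audits the five M1042 measures on one Windows host; applies changes only with -Remediate.
# Assumes an elevated PowerShell 5.1+ session on Windows 10 / Server 2016 or later.
[CmdletBinding()]
param([switch]$Remediate)

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Control, [string]$State, [string]$Action) {
    $findings.Add([pscustomobject]@{ Control = $Control; State = $State; Action = $Action })
}
# Writes a registry DWORD only in remediate mode; creates the policy key if it is absent.
function Set-PolicyDword([string]$Path, [string]$Name, [int]$Value) {
    if (-not $Remediate) { return }
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

# 1. Remove legacy software: report end-of-life products found in the uninstall keys.
#    Removal itself should go through the vendor uninstaller or the software management tool.
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Adobe Flash Player*' } |   # assumed EOL pattern
    ForEach-Object { Add-Finding 'Legacy software' $_.DisplayName 'uninstall via management tool' }

# 2. Disable unused features: SMBv1 server, Telnet client and Remote Desktop.
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
    Add-Finding 'SMBv1 server' 'enabled' 'disable protocol and remove optional feature'
    if ($Remediate) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}
$telnet = Get-WindowsOptionalFeature -Online -FeatureName TelnetClient
if ($telnet -and $telnet.State -eq 'Enabled') {
    Add-Finding 'Telnet client' 'enabled' 'disable optional feature'
    if ($Remediate) { Disable-WindowsOptionalFeature -Online -FeatureName TelnetClient -NoRestart | Out-Null }
}
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ((Get-ItemProperty -Path $ts).fDenyTSConnections -ne 1) {   # 1 = deny RDP connections
    Add-Finding 'Remote Desktop' 'connections allowed' 'set fDenyTSConnections=1 and disable firewall rule group'
    Set-PolicyDword $ts 'fDenyTSConnections' 1
    if ($Remediate) { Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' }
}

# 3. Control user-installed applications: Windows Installer "Prohibit User Installs" policy.
#    This governs per-user MSI installs only; AppLocker or WDAC policy covers other installers.
$msi = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
if ((Get-ItemProperty -Path $msi -ErrorAction SilentlyContinue).DisableUserInstalls -ne 1) {
    Add-Finding 'User MSI installs' 'allowed' 'set DisableUserInstalls=1'
    Set-PolicyDword $msi 'DisableUserInstalls' 1
}

# 4. Remove unnecessary services: default administrative shares (C$, ADMIN$) on workstations.
#    AutoShareWks=0 stops their creation; takes effect after the LanmanServer service restarts.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
if ((Get-ItemProperty -Path $lanman).AutoShareWks -ne 0) {
    Add-Finding 'Administrative shares' 'auto-created' 'set AutoShareWks=0'
    Set-PolicyDword $lanman 'AutoShareWks' 0
}

# 5. Restrict plugins: IE Internet zone (3), action 1200 "Run ActiveX controls and plug-ins", 3 = Disable.
#    The HKLM zone values apply when "Security Zones: Use only machine settings" is enforced;
#    otherwise the equivalent HKCU key governs. Java/NPAPI plugins are not loaded by current browsers.
$zone = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
if ((Get-ItemProperty -Path $zone -ErrorAction SilentlyContinue).'1200' -ne 3) {
    Add-Finding 'ActiveX in Internet zone' 'not disabled' 'set 1200=3'
    Set-PolicyDword $zone '1200' 3
}

if ($findings.Count -eq 0) { 'No findings: all five measures are in the expected state.' }
else { $findings | Format-Table -AutoSize }
```

Run it without arguments to get an audit table for change-control evidence, then with -Remediate once the business review the mitigation text calls for has confirmed each feature is not needed; the SMBv1, RDP and administrative-share changes are the ones most likely to break a legitimate workflow if that review is skipped.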
Analyst context for executives and security teams
Disabling or removing unnecessary software, features, services, plugins, and legacy components is a basic but high-value attack-surface reduction control. For leaders, the decision value is not “turn things off” in the abstract; it is whether the organization can prove that exposed remote access paths, scripting engines, removable media functions, browser plugins, and unsupported software are needed, governed, and monitored. This mitigation matters because many related ATT&CK techniques depend on features that are commonly installed by default or left enabled after business need has changed.
Executive priority
Prioritize this as a resilience and governance control: every unused service or end-of-life component creates avoidable exposure, complicates incident response, and weakens audit evidence. Executives should ask whether the organization has an authoritative inventory, a business-justification process for enabled remote access and scripting capabilities, and a repeatable exception process. This is especially relevant to lateral movement via remote services, exfiltration through Bluetooth/USB/other media, abuse of command and scripting interpreters, account and cloud credential persistence paths, and legacy or user-installed software risk.
Technical view
SOC, IR, and detection engineering teams should validate this mitigation against the related techniques it is mapped to: Remote Services including RDP, SSH, VNC, WinRM, DCOM, and direct cloud VM connections; Network Service Discovery; Command and Scripting Interpreter use including PowerShell, Visual Basic, and JavaScript; removable media and Bluetooth-based exfiltration or command-and-control; account manipulation including added cloud credentials, SSH authorized keys, and email forwarding rules; and trusted developer utility proxy execution. Because ATT&CK provides no detection text for this mitigation, teams should focus on evidence of control state: what is installed, what is enabled, what is reachable, who can change it, and where exceptions exist.
Likely telemetry
- Endpoint software and feature inventory, including legacy and end-of-life applications
- Service configuration and startup state for remote access and administrative services
- Network exposure data showing listening services and reachable management interfaces
- Authentication and session logs for RDP, SSH, VNC, WinRM, DCOM, and cloud VM access where present
- Cloud and identity audit logs for added credentials, service principals, keys, mailbox permissions, and forwarding rules
Detection direction
- Validate that discovery alerts for newly enabled services are tied to asset criticality and approved baseline state, not only port activity.
- Tune remote-service monitoring around unauthorized enablement, unexpected exposure, and use by accounts without a documented business need.
- Correlate removable media, Bluetooth, and alternate network interface activity with data movement and host sensitivity where such telemetry exists.
- For scripting engines and developer utilities, distinguish approved administrative or development use from unexpected execution on systems where those features should be disabled or restricted.
- For identity and cloud-related relationships, monitor for configuration drift such as new credentials, SSH authorized keys, mailbox delegation, and forwarding rules rather than relying only on login alerts.
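As an added example, not taken from the ATT&CK object or the Glexia analysis, the following PowerShell function scores enabled-service drift the way the detection direction above describes: against an approved per-role baseline, weighted by asset criticality, with documented exceptions honoured only until they expire and legacy protocols treated as findings regardless of baseline. The inventory records, baseline, exception entries, hostnames and ticket ids are constructed sample data; the severity labels P1/P2/P3 are an assumption.

```powershell
# Added example (not from the page). Evaluates an enabled-service inventory against an
# approved baseline, asset criticality and a dated exception register.
# All hosts, roles, services, exceptions and dates below are constructed sample data.
$inventoryJson = @'
[
  { "host": "ws-fin-01",  "role": "workstation", "criticality": "high",
    "enabled": ["LanmanServer", "SMB1", "TermService", "WinRM"] },
  { "host": "srv-app-07", "role": "appserver",   "criticality": "high",
    "enabled": ["W3SVC", "WinRM", "TermService"] },
  { "host": "lab-dev-03", "role": "devbox",      "criticality": "low",
    "enabled": ["TermService", "sshd", "Bluetooth"] }
]
'@

# Approved services per role (the "approved baseline state" the detection direction refers to).
$baseline = @{
    workstation = @('LanmanServer')
    appserver   = @('W3SVC', 'WinRM')
    devbox      = @('TermService', 'sshd')
}
# Exception register: who may keep a non-baseline service, until when, and under which change ticket.
$exceptions = @(
    [pscustomobject]@{ host = 'ws-fin-01';  service = 'TermService'; expires = '2026-12-31'; ticket = 'CHG-0001' },
    [pscustomobject]@{ host = 'lab-dev-03'; service = 'Bluetooth';   expires = '2025-01-01'; ticket = 'CHG-0002' }
)
# Legacy protocols named by ATT&CK as candidates for removal: always a finding, never exceptable here.
$neverAllowed = @('SMB1', 'Telnet')

function Get-DriftFindings {
    param($Inventory, $Baseline, $Exceptions, [string[]]$Prohibited, [datetime]$Now = (Get-Date))
    foreach ($h in $Inventory) {
        $allowed = $Baseline[$h.role]
        foreach ($svc in $h.enabled) {
            if ($svc -in $allowed -and $svc -notin $Prohibited) { continue }   # matches baseline
            $exc = $Exceptions | Where-Object { $_.host -eq $h.host -and $_.service -eq $svc } | Select-Object -First 1
            $status = if ($svc -in $Prohibited)                       { 'prohibited' }
                      elseif ($exc -and [datetime]$exc.expires -ge $Now) { 'approved-exception' }
                      elseif ($exc)                                    { 'expired-exception' }
                      else                                             { 'undocumented' }
            if ($status -eq 'approved-exception') { continue }        # documented and still valid
            # Severity follows asset criticality; prohibited legacy protocols are always top priority.
            $severity = switch ($h.criticality) { 'high' { 'P1' } 'medium' { 'P2' } default { 'P3' } }
            if ($status -eq 'prohibited') { $severity = 'P1' }
            [pscustomobject]@{
                Host = $h.host; Role = $h.role; Service = $svc
                Status = $status; Severity = $severity; Ticket = $exc.ticket
            }
        }
    }
}

# Evaluate as of a fixed date so the expired exception above is reproducibly flagged.
$findings = Get-DriftFindings -Inventory ($inventoryJson | ConvertFrom-Json) -Baseline $baseline `
                              -Exceptions $exceptions -Prohibited $neverAllowed -Now ([datetime]'2026-03-01')
$findings | Sort-Object Severity, Host | Format-Table -AutoSize
```

With the sample data this yields four findings: SMB1 on ws-fin-01 (prohibited, P1), WinRM on ws-fin-01 and TermService on srv-app-07 (undocumented on high-criticality assets, P1), and Bluetooth on lab-dev-03 (expired exception, P3); the approved TermService exception on ws-fin-01 is suppressed. In production the inventory would come from the endpoint and configuration telemetry listed above rather than an inline string, and the exception register from the change-management system, so that each alert carries the asset criticality and ticket reference the analyst needs.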
Mitigation priorities
- Start with inventory: identify unsupported software, unnecessary services, browser plugins, add-ons, user-installed applications, remote access features, scripting engines, and removable-media capabilities.
- Remove end-of-life or unsupported software first, because it cannot be reliably remediated through patching alone.
- Disable unused remote services and administrative interfaces, including examples supplied by ATT&CK such as SMBv1, Telnet, RDP where not required, and unnecessary default services or administrative shares.
- Control user-installed applications through managed policy and approval workflows to reduce ungoverned software exposure.
- Restrict or disable browser plugins and add-ons that lack a business purpose, including legacy plugin technologies identified by ATT&CK such as Java and ActiveX.
Analyst notes and limits
This mitigation is broad and control-oriented, so its value depends on asset inventory quality, configuration management, and exception discipline. The relationship context shows relevance across execution, lateral movement, discovery, command-and-control, collection, persistence, privilege escalation, and exfiltration behaviors. For Glexia services, this is a practical bridge between vulnerability management, identity/cloud hardening, managed detection, incident response readiness, and compliance evidence.
The official ATT&CK object does not specify platforms, tactics, or detection guidance for the mitigation itself. Platform and tactic context comes only from the supplied relationships to techniques. Local business requirements must be reviewed before disabling features, because some remote services, interpreters, plugins, or removable-media workflows may be operationally necessary.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1547.007 | Re-opened Applications Sub-technique | This feature can be disabled entirely with the following terminal command: |
| Enterprise | T1021.004 | SSH Sub-technique | Disable the SSH daemon on systems that do not require it, especially ESXi servers. For macOS, ensure Remote Login is disabled under Sharing Preferences. (Citation: Apple Unified Log Analysis Remote Login and Screen Sharing) |
| Enterprise | T1671 | Cloud Application Integration | Do not allow users to add new application integrations into a SaaS environment. In Entra ID environments, consider enforcing the “Do not allow user consent” option. (Citation: Microsoft Entra Configure OAuth Consent) |
| Enterprise | T1021.005 | VNC Sub-technique | Uninstall any VNC server software where not required. |
| Enterprise | T1210 | Exploitation of Remote Services | Minimize available services to only those that are necessary. |
| Enterprise | T1059.005 | Visual Basic Sub-technique | Turn off or restrict access to unneeded VB components. |
| Enterprise | T1595.003 | Wordlist Scanning Sub-technique | Remove or disable access to any systems, resources, and infrastructure that are not explicitly required to be available externally. |
| Enterprise | T1021.006 | Windows Remote Management Sub-technique | Disable the WinRM service. |
| Enterprise | T1559 | Inter-Process Communication | Registry keys specific to Microsoft Office feature control security can be set to disable automatic DDE/OLE execution. (Citation: Microsoft DDE Advisory Nov 2017) (Citation: BleepingComputer DDE Disabled in Word Dec 2017) (Citation: GitHub Disable DDEAUTO Oct 2017) Microsoft also created, and enabled by default, Registry keys to completely disable DDE execution in Word and Excel. (Citation: Microsoft ADV170021 Dec 2017) |
| Enterprise | T1564.006 | Run Virtual Instance Sub-technique | Disable native virtualization technologies such as Hyper-V if not necessary within a given environment. Consider also disabling Windows Sandbox if it is not needed to test or debug applications. |
| Enterprise | T1557.001 | Name Resolution Poisoning and SMB Relay Sub-technique | Disable LLMNR, mDNS, and NetBIOS in local computer security settings or by group policy if they are not needed within an environment. (Citation: ADSecurity Windows Secure Baseline) |
| Enterprise | T1046 | Network Service Discovery | Ensure that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation. |
| Enterprise | T1218.015 | Electron Applications Sub-technique | Remove or deny access to unnecessary and potentially vulnerable software and features to prevent abuse by adversaries. Many native binaries may not be necessary within a given environment: for example, consider disabling the Node.js integration in all renderers that display remote content to protect users by limiting adversaries’ power to plant malicious JavaScript within Electron applications. (Citation: Electron Security 2) |
| Enterprise | T1127.002 | ClickOnce Sub-technique | Disable ClickOnce installations from the internet using the following registry key: `\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel — Internet:Disabled` (Citation: NetSPI ClickOnce) (Citation: Microsoft Learn ClickOnce Config). ClickOnce may not be necessary within an environment and should be disabled if not being used. |
| Enterprise | T1649 | Steal or Forge Authentication Certificates | Consider disabling old/dangerous authentication protocols (e.g. NTLM), as well as unnecessary certificate features, such as potentially vulnerable AD CS web and other enrollment server roles. (Citation: SpecterOps Certified Pre Owned) |
| Enterprise | T1114.003 | Email Forwarding Rule Sub-technique | Consider disabling external email forwarding. (Citation: Microsoft BEC Campaign) |
| Enterprise | T1557 | Adversary-in-the-Middle | Disable legacy network protocols that may be used to intercept network traffic if applicable, especially those that are not needed within an environment. |
| Enterprise | T1011 | Exfiltration Over Other Network Medium | Disable WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel in local computer security settings or by group policy if it is not needed within an environment. |
| Enterprise | T1098 | Account Manipulation | Remove unnecessary and potentially abusable authentication and authorization mechanisms where possible. |
| Enterprise | T1685 | Disable or Modify Tools | Consider removing previous versions of tools that are unnecessary to the environment when possible. |
| Enterprise | T1052.001 | Exfiltration over USB Sub-technique | Disable Autorun if it is unnecessary. (Citation: Microsoft Disable Autorun) Disallow or restrict removable media at an organizational policy level if they are not required for business operations. (Citation: TechNet Removable Media Control) |
| Enterprise | T1553.005 | Mark-of-the-Web Bypass Sub-technique | Consider disabling auto-mounting of disk image files (i.e., .iso, .img, .vhd, and .vhdx). This can be achieved by modifying the Registry values related to the Windows Explorer file associations in order to disable the automatic Explorer "Mount and Burn" dialog for these file extensions. Note: this will not deactivate the mount functionality itself. (Citation: GitHub MOTW) |
| Enterprise | T1505 | Server Software Component | Consider disabling software components from servers when possible to prevent abuse by adversaries. (Citation: ITSyndicate Disabling PHP functions) |
| Enterprise | T1127.003 | JamPlus Sub-technique | JamPlus may not be necessary within a given environment and should be removed if not used. |
| Enterprise | T1059.001 | PowerShell Sub-technique | It may be possible to remove PowerShell from systems when not needed, but a review should be performed to assess the impact to an environment, since it could be in use for many legitimate purposes and administrative functions. Disable/restrict the WinRM Service to help prevent uses of PowerShell for remote execution. |
| Enterprise | T1218.008 | Odbcconf Sub-technique | Odbcconf.exe may not be necessary within a given environment. |
| Enterprise | T1091 | Replication Through Removable Media | Disable Autorun if it is unnecessary. (Citation: Microsoft Disable Autorun) Disallow or restrict removable media at an organizational policy level if it is not required for business operations. (Citation: TechNet Removable Media Control) |
| Enterprise | T1137 | Office Application Startup | Follow Office macro security best practices suitable for your environment. Disable Office VBA macros from executing. Disable Office add-ins. If they are required, follow best practices for securing them by requiring them to be signed and disabling user notification for allowing add-ins. For some add-in types (WLL, VBA) additional mitigation is likely required, as disabling add-ins in the Office Trust Center does not disable WLL nor does it prevent VBA code from executing. (Citation: MRWLabs Office Persistence Add-ins) |
| Enterprise | T1546.002 | Screensaver Sub-technique | Use Group Policy to disable screensavers if they are unnecessary. (Citation: TechNet Screensaver GP) |
| Enterprise | T1059 | Command and Scripting Interpreter | Disable or remove any unnecessary or unused shells or interpreters. |
| Enterprise | T1021.003 | Distributed Component Object Model Sub-technique | Consider disabling DCOM through Dcomcnfg.exe. (Citation: Microsoft Disable DCOM) |
| Enterprise | T1021.001 | Remote Desktop Protocol Sub-technique | Disable the RDP service if it is unnecessary. |
| Enterprise | T1555.004 | Windows Credential Manager Sub-technique | Consider enabling the “Network access: Do not allow storage of passwords and credentials for network authentication” setting that will prevent network credentials from being stored by the Credential Manager. (Citation: Microsoft Network access Credential Manager) |
| Enterprise | T1092 | Communication Through Removable Media | Disable Autoruns if it is unnecessary. (Citation: Microsoft Disable Autorun) |
| Enterprise | T1563.002 | RDP Hijacking Sub-technique | Disable the RDP service if it is unnecessary. |
| Enterprise | T1218.013 | Mavinject Sub-technique | Consider removing mavinject.exe if Microsoft App-V is not used within a given environment. |
| Enterprise | T1563 | Remote Service Session Hijacking | Disable the remote service (ex: SSH, RDP, etc.) if it is unnecessary. |
| Enterprise | T1098.004 | SSH Authorized Keys Sub-technique | Disable SSH if it is not necessary on a host or restrict SSH access for specific users/groups using |
| Enterprise | T1557.002 | ARP Cache Poisoning Sub-technique | Consider disabling updating the ARP cache on gratuitous ARP replies. |
| Enterprise | T1219.002 | Remote Desktop Software Sub-technique | Consider disabling unnecessary remote connection functionality, including both unapproved software installations and specific features built into supported applications. |
| Enterprise | T1218.012 | Verclsid Sub-technique | Consider removing verclsid.exe if it is not necessary within a given environment. |
| Enterprise | T1218.005 | Mshta Sub-technique | Mshta.exe may not be necessary within a given environment since its functionality is tied to older versions of Internet Explorer that have reached end of life. |
| Enterprise | T1563.001 | SSH Hijacking Sub-technique | Ensure that agent forwarding is disabled on systems that do not explicitly require this feature to prevent misuse. (Citation: Symantec SSH and ssh-agent) |
| Enterprise | T1133 | External Remote Services | Disable or block remotely available services that may be unnecessary. |
| Enterprise | T1218.007 | Msiexec Sub-technique | Consider disabling the |
| Enterprise | T1564.007 | VBA Stomping Sub-technique | Turn off or restrict access to unneeded VB components. (Citation: Microsoft Disable VBA Jan 2020) |
| Enterprise | T1059.007 | JavaScript Sub-technique | Turn off or restrict access to unneeded scripting components. |
| Enterprise | T1609 | Container Administration Command | Remove unnecessary tools and software from containers. |
| Enterprise | T1218.004 | InstallUtil Sub-technique | InstallUtil may not be necessary within a given environment. |
| Enterprise | T1127.001 | MSBuild Sub-technique | MSBuild.exe may not be necessary within an environment and should be removed if not being used. |
| Enterprise | T1011.001 | Exfiltration Over Bluetooth Sub-technique | Disable Bluetooth in local computer security settings or by group policy if it is not needed within an environment. |
| Enterprise | T1218.014 | MMC Sub-technique | MMC may not be necessary within a given environment since it is primarily used by system administrators, not regular users or clients. |
| Enterprise | T1552.005 | Cloud Instance Metadata API Sub-technique | Disable unnecessary metadata services and restrict or disable insecure versions of metadata services that are in use to prevent adversary access. (Citation: Amazon AWS IMDS V2) |
| Enterprise | T1546.014 | Emond Sub-technique | Consider disabling emond by removing the Launch Daemon plist file. |
| Enterprise | T1021 | Remote Services | If remote services, such as the ability to make direct connections to cloud virtual machines, are not required, disable these connection types where feasible. On ESXi servers, consider enabling lockdown mode, which disables direct access to an ESXi host and requires that the host be managed remotely using vCenter. (Citation: Google Cloud Threat Intelligence ESXi Hardening 2023) (Citation: Broadcom ESXi Lockdown Mode) |
| Enterprise | T1021.008 | Direct Cloud VM Connections Sub-technique | If direct virtual machine connections are not required for administrative use, disable these connection types where feasible. |
| Enterprise | T1137.001 | Office Template Macros Sub-technique | Follow Office macro security best practices suitable for your environment. Disable Office VBA macros from executing. Disable Office add-ins. If they are required, follow best practices for securing them by requiring them to be signed and disabling user notification for allowing add-ins. For some add-in types (WLL, VBA) additional mitigation is likely required, as disabling add-ins in the Office Trust Center does not disable WLL nor does it prevent VBA code from executing. (Citation: MRWLabs Office Persistence Add-ins) |
| Enterprise | T1505.003 | Web Shell Sub-technique | Consider disabling functions from web technologies such as PHP’s `eval()` that may be abused for web shells. (Citation: ITSyndicate Disabling PHP functions) |
| Enterprise | T1205 | Traffic Signaling | Disable Wake-on-LAN if it is not needed within an environment. |
| Enterprise | T1218 | System Binary Proxy Execution | Many native binaries may not be necessary within a given environment. |
| Enterprise | T1052 | Exfiltration Over Physical Medium | Disable Autorun if it is unnecessary. (Citation: Microsoft Disable Autorun) Disallow or restrict removable media at an organizational policy level if they are not required for business operations. (Citation: TechNet Removable Media Control) |
| Enterprise | T1218.009 | Regsvcs/Regasm Sub-technique | Regsvcs and Regasm may not be necessary within a given environment. |
| Enterprise | T1221 | Template Injection | Consider disabling Microsoft Office macros/active content to prevent the execution of malicious payloads in documents (Citation: Microsoft Disable Macros), though this setting may not mitigate the Forced Authentication use for this technique. |
| Enterprise | T1559.002 | Dynamic Data Exchange Sub-technique | Registry keys specific to Microsoft Office feature control security can be set to disable automatic DDE/OLE execution. (Citation: Microsoft DDE Advisory Nov 2017) (Citation: BleepingComputer DDE Disabled in Word Dec 2017) (Citation: GitHub Disable DDEAUTO Oct 2017) Microsoft also created, and enabled by default, Registry keys to completely disable DDE execution in Word and Excel. (Citation: Microsoft ADV170021 Dec 2017) |
| Enterprise | T1689 | Downgrade Attack | Consider removing previous versions of tools that are unnecessary to the environment when possible. |
| Enterprise | T1098.002 | Additional Email Delegate Permissions Sub-technique | If email delegation is not required, disable it. In Google Workspace this can be accomplished through the Google Admin console. (Citation: Gmail Delegation) |
| Enterprise | T1127 | Trusted Developer Utilities Proxy Execution | Specific developer utilities may not be necessary within a given environment and should be removed if not used. |
| Enterprise | T1611 | Escape to Host | Remove unnecessary tools and software from containers. |
| Enterprise | T1219 | Remote Access Tools | Consider disabling unnecessary remote connection functionality, including both unapproved software installations and specific features built into supported applications. |
| Enterprise | T1098.001 | Additional Cloud Credentials Sub-technique | Remove unnecessary and potentially abusable authentication mechanisms where possible. For example, in Entra ID environments, disable the app password feature unless explicitly required. |
| Enterprise | T1218.003 | CMSTP Sub-technique | CMSTP.exe may not be necessary within a given environment (unless using it for VPN connection installation). |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 2716083433cf… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack M1042
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.