M1051: Update Software
Software updates ensure systems are protected against known vulnerabilities by applying patches and upgrades provided by vendors. Regular updates reduce the attack surface and prevent adversaries from exploiting known security gaps. This includes patching operating systems, applications, drivers, and firmware. This mitigation can be implemented through the following measures:
Regular Operating System Updates
- Implementation: Apply the latest Windows security updates monthly using WSUS (Windows Server Update Services) or a similar patch management solution. Configure systems to check for updates automatically and schedule reboots during maintenance windows.
- Use Case: Prevents exploitation of OS vulnerabilities such as privilege escalation or remote code execution.
Application Patching
- Implementation: Monitor Apache's update release notes for security patches addressing vulnerabilities. Schedule updates for off-peak hours to avoid downtime while maintaining security compliance.
- Use Case: Prevents exploitation of web application vulnerabilities, such as those leading to unauthorized access or data breaches.
Firmware Updates
- Implementation: Regularly check the vendor's website for firmware updates addressing vulnerabilities. Plan for update deployment during scheduled maintenance to minimize business disruption.
- Use Case: Protects against vulnerabilities that adversaries could exploit to gain access to network devices or inject malicious traffic.
Emergency Patch Deployment
- Implementation: Use the emergency patch deployment feature of the organization's patch management tool to apply updates to all affected Exchange servers within 24 hours.
- Use Case: Reduces the risk of exploitation by rapidly addressing critical vulnerabilities.
Centralized Patch Management
- Implementation: Implement a centralized patch management system, such as SCCM or ManageEngine, to automate and track patch deployment across all environments. Generate regular compliance reports to ensure all systems are updated.
- Use Case: Streamlines patching processes and ensures no critical systems are missed.
*Tools for Implementation*
Patch Management Tools:
- WSUS: Manage and deploy Microsoft updates across the organization.
- ManageEngine Patch Manager Plus: Automate patch deployment for OS and third-party apps.
- Ansible: Automate updates across multiple platforms, including Linux and Windows.
Vulnerability Scanning Tools:
- OpenVAS: Open-source vulnerability scanning to identify missing patches.
Analyst context for executives and security teams
Update Software is a foundational risk-reduction control: it reduces exposure to known vulnerabilities in operating systems, applications, drivers, and firmware before those weaknesses can be used for initial access, privilege escalation, lateral movement, persistence, credential access, stealth, or impact. For leaders, the practical question is not “do we patch?” but whether critical assets, public-facing systems, client software, firmware, and centralized deployment tools are updated quickly enough and with evidence that stands up during incidents or audits.
Executive priority
Prioritize this as a business continuity and resilience control. The ATT&CK relationships show update management applies to high-consequence scenarios including exploitation of public-facing applications, client-side exploitation, remote-service exploitation, privilege escalation, software supply chain compromise, Office and extension-based persistence, credential-related exploitation, and firmware-level impact or persistence. Executives should ask for measurable patch compliance, emergency patch capability, maintenance-window governance, and visibility into systems that are often missed: firmware, network devices, SaaS/cloud-connected management tooling, development dependencies, browsers/extensions, and deployment platforms.
Technical view
For SOC, IR, vulnerability management, and detection engineering teams, M1051 is primarily a prevention and assurance activity rather than a detection analytic; MITRE provides no official detection text for this mitigation. Validate that patch status, vulnerability scan results, asset inventory, software/firmware versions, and deployment-tool logs can be joined to the techniques this mitigation addresses, especially T1190, T1203, T1210, T1068, T1212, T1542, T1495, T1195, and T1072. Because centralized patch and software deployment systems are also related to adversary abuse, teams should treat them as privileged infrastructure: monitor change activity, administrative use, update failures, emergency deployments, and unusual command or package distribution behavior.
Likely telemetry
- Asset inventory covering operating systems, applications, drivers, firmware, public-facing services, client applications, network devices, and cloud/SaaS-connected management components where applicable
- Patch management records from centralized tooling, including deployment status, failures, deferrals, reboot requirements, emergency patch actions, and compliance reports
- Vulnerability scanner findings identifying missing patches or vulnerable versions
- Software and firmware version data from endpoints, servers, network devices, and managed platforms
- Change-management and maintenance-window records showing when updates were approved, deployed, rolled back, or delayed
Detection direction
- Do not treat this mitigation as a standalone detection. Validate whether security operations can prove which assets are missing vendor updates and whether those gaps overlap with exposed services, privileged systems, identity components, development tooling, or firmware-bearing devices.
- Tune vulnerability and patch reporting around exploit-relevant exposure: public-facing applications, remote services, client applications, privilege escalation paths, credential-access surfaces, and firmware/pre-OS components reflected in the related ATT&CK techniques.
- Correlate update failures and long-lived exceptions with incident findings. A recurring blind spot is that patch dashboards show endpoint compliance while excluding firmware, third-party applications, browser/IDE extensions, network devices, containers, IaaS assets, or SaaS-connected deployment systems.
- Monitor centralized software deployment tools for administrative changes and unusual distribution behavior because the relationship context includes adversary use of software deployment tools for execution and lateral movement.
- Account for false confidence from scheduled patch cycles: monthly operating system updates may not address emergency fixes, application patches, firmware updates, or supply chain/dependency risks without separate processes and evidence.
Mitigation priorities
- Maintain a complete and current asset and software inventory before measuring patch compliance; unknown systems cannot be reliably updated.
- Use centralized patch management to automate, track, and report deployment across operating systems, applications, drivers, and firmware where supported.
- Define risk-based service levels for routine and emergency updates, including the ability to deploy critical fixes rapidly to affected systems such as public-facing servers or other high-risk assets.
- Schedule reboots and maintenance windows to reduce operational disruption while preventing indefinite deferral of security updates.
- Include application release-note monitoring, vulnerability scanning, and compliance reporting so missing patches are identified and remediated rather than only recorded.
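The Technical view and Detection direction sections above describe joining asset inventory, patch-tool records and scanner findings, and checking them against service levels and the techniques M1051 addresses. The script below is an added example of that join (not MITRE or Glexia code); the records are constructed, and the SLA windows and the exposure-to-technique mapping are assumptions that mirror this page's text (24-hour emergency window, public-facing services to T1190, internal hosts to T1210/T1203, firmware to T1542/T1495).

```python
"""Patch-gap triage: join asset inventory, patch-tool records and scanner findings.

Added example for this page, not MITRE or Glexia code. All records are constructed;
the SLA windows and exposure -> technique mapping are assumptions mirroring the page
(24-hour emergency window, public-facing -> T1190, internal -> T1210/T1203, firmware -> T1542/T1495).
"""
from datetime import datetime, timedelta

# Assumed service levels: emergency fixes within 24 h, routine fixes within 30 days.
SLA = {"critical": timedelta(hours=24), "routine": timedelta(days=30)}
# Assumed mapping from an inventory exposure tag to ATT&CK techniques M1051 addresses.
EXPOSURE_TO_TECHNIQUES = {"public-facing": ["T1190"], "internal": ["T1210", "T1203"],
                          "firmware": ["T1542", "T1495"]}
PRIORITY = {"public-facing": 0, "firmware": 1, "internal": 2}  # unknown assets sort last

# Constructed inventory: unknown systems cannot be measured, so this list is the baseline.
ASSETS = {"web-01": {"exposure": "public-facing", "class": "application"},
          "exch-01": {"exposure": "public-facing", "class": "application"},
          "ws-0042": {"exposure": "internal", "class": "endpoint"},
          "rtr-edge": {"exposure": "firmware", "class": "network device"}}
# Constructed patch-tool records; update names are placeholders, not real KB identifiers.
PATCH_RECORDS = [
    {"asset": "web-01", "update": "httpd-security-update", "severity": "critical", "status": "installed",
     "released": "2025-03-01T00:00", "applied": "2025-03-01T20:00"},
    {"asset": "exch-01", "update": "exchange-emergency-fix", "severity": "critical", "status": "pending_reboot",
     "released": "2025-03-03T09:00", "applied": None},
    {"asset": "ws-0042", "update": "os-monthly-rollup", "severity": "routine", "status": "installed",
     "released": "2025-02-10T00:00", "applied": "2025-02-20T03:00"},
    {"asset": "lab-99", "update": "os-monthly-rollup", "severity": "routine", "status": "installed",
     "released": "2025-02-10T00:00", "applied": "2025-02-20T03:00"},
]
# Constructed scanner findings (missing patches seen independently of the deployment tool).
SCAN_FINDINGS = [{"asset": "web-01", "update": "httpd-security-update"},
                 {"asset": "ws-0042", "update": "third-party-viewer-update"}]
NOW = datetime(2025, 3, 5, 12, 0)

def triage(assets, patch_records, scan_findings, now):
    """Return patch gaps, each tagged with the techniques its asset's exposure relates to."""
    gaps = []
    def add(asset, issue, detail):
        exposure = assets.get(asset, {}).get("exposure", "unknown")
        gaps.append({"asset": asset, "issue": issue, "detail": detail,
                     "techniques": EXPOSURE_TO_TECHNIQUES.get(exposure, [])})
    seen = set()
    for r in patch_records:
        seen.add(r["asset"])
        if r["asset"] not in assets:  # the tool knows a host the inventory does not
            add(r["asset"], "unknown_asset", r["update"])
            continue
        deadline = datetime.fromisoformat(r["released"]) + SLA[r["severity"]]
        applied = datetime.fromisoformat(r["applied"]) if r["applied"] else None
        # Breach if still missing past the deadline, or installed late (deferral evidence).
        if (applied is None and now > deadline) or (applied and applied > deadline):
            add(r["asset"], "sla_breach", f"{r['update']} ({r['status']})")
    for asset, meta in assets.items():
        if asset not in seen:  # dashboard blind spot, e.g. firmware-bearing devices
            add(asset, "not_in_patch_tooling", meta["class"])
    pending = {(r["asset"], r["update"]) for r in patch_records if r["status"] != "installed"}
    for f in scan_findings:
        # Scanner sees a missing patch the tool claims installed or has never tracked.
        if (f["asset"], f["update"]) not in pending:
            add(f["asset"], "scanner_disagrees", f["update"])
    gaps.sort(key=lambda g: PRIORITY.get(assets.get(g["asset"], {}).get("exposure"), 9))
    return gaps
```

Running `triage(ASSETS, PATCH_RECORDS, SCAN_FINDINGS, NOW)` on the constructed data surfaces the Exchange server past its 24-hour window, the firmware device absent from the patch tool, the scanner contradicting the dashboard on two hosts, and a host the inventory does not know.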
Analyst notes and limits
The supplied ATT&CK object is a mitigation, not a technique, and its official description emphasizes vendor patches, upgrades, centralized patch management, vulnerability scanning, firmware updates, and emergency patch deployment. The relationship set is broad, making this control relevant across initial access, execution, privilege escalation, persistence, credential access, lateral movement, stealth, and impact. The strongest defensive value comes from turning update management into measurable coverage: what is in scope, what is missing, how fast critical updates deploy, and whether exceptions are visible to SOC, IR, vulnerability management, and audit stakeholders.
MITRE does not provide official detection guidance for M1051, and the mitigation itself has no specified platforms or tactics. Platform relevance is inferred only from the related ATT&CK techniques and should be confirmed against the local environment. This take does not assert active exploitation, specific vendor exposure, or guaranteed detection coverage; organizations need local asset, vulnerability, patch, and incident data to prioritize action.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1550.002 | Pass the Hash Sub-technique | Apply patch KB2871997 to Windows 7 and higher systems to limit the default access of accounts in the local administrator group. (Citation: NSA Spotting) |
| Enterprise | T1686.002 | Network Device Firewall Sub-technique | Ensure the network firewall is up to date with security patches. |
| Enterprise | T1552 | Unsecured Credentials | Apply patch KB2962486 which prevents credentials from being stored in GPPs. (Citation: ADSecurity Finding Passwords in SYSVOL) (Citation: MS14-025) |
| Enterprise | T1176.002 | IDE Extensions Sub-technique | Ensure operating systems and IDEs are using the most current version. |
| Enterprise | T1548.002 | Bypass User Account Control Sub-technique | Consider updating Windows to the latest version and patch level to utilize the latest protective measures against UAC bypass. (Citation: Github UACMe) |
| Enterprise | T1602.001 | SNMP (MIB Dump) Sub-technique | Keep system images and software updated and migrate to SNMPv3. (Citation: Cisco Blog Legacy Device Attacks) |
| Enterprise | T1068 | Exploitation for Privilege Escalation | Update software regularly by employing patch management for internal enterprise endpoints and servers. |
| Enterprise | T1555.005 | Password Managers Sub-technique | Regularly update web browsers, password managers, and all related software to the latest versions. Keeping software up-to-date reduces the risk of vulnerabilities being exploited by attackers to extract stored credentials or session cookies. |
| Enterprise | T1495 | Firmware Corruption | Patch the BIOS and other firmware as necessary to prevent successful use of known vulnerabilities. |
| Enterprise | T1110.001 | Password Guessing Sub-technique | Upgrade management services to the latest supported and compatible version. Specifically, any version providing increased password complexity or policy enforcement preventing default or weak passwords. |
| Enterprise | T1555 | Credentials from Password Stores | Perform regular software updates to mitigate exploitation risk. |
| Enterprise | T1611 | Escape to Host | Ensure that hosts are kept up-to-date with security patches. |
| Enterprise | T1072 | Software Deployment Tools | Patch deployment systems regularly to prevent potential remote access through Exploitation for Privilege Escalation. |
| Enterprise | T1137.004 | Outlook Home Page Sub-technique | For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine. (Citation: SensePost Outlook Forms) Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems. (Citation: SensePost Outlook Home Page) |
| Enterprise | T1542 | Pre-OS Boot | Patch the BIOS and EFI as necessary. |
| Enterprise | T1542.001 | System Firmware Sub-technique | Patch the BIOS and EFI as necessary. |
| Enterprise | T1212 | Exploitation for Credential Access | Update software regularly by employing patch management for internal enterprise endpoints and servers. |
| Enterprise | T1602 | Data from Configuration Repository | Keep system images and software updated and migrate to SNMPv3. (Citation: Cisco Blog Legacy Device Attacks) |
| Enterprise | T1189 | Drive-by Compromise | Ensuring that all browsers and plugins are kept updated can help prevent the exploit phase of this technique. Use modern browsers with security features turned on. (Citation: Browser-updates) |
| Enterprise | T1548 | Abuse Elevation Control Mechanism | Perform regular software updates to mitigate exploitation risk. |
| Enterprise | T1211 | Exploitation for Stealth | Update software regularly by employing patch management for internal enterprise endpoints and servers. |
| Enterprise | T1574 | Hijack Execution Flow | Update software regularly to include patches that fix DLL side-loading vulnerabilities. |
| Enterprise | T1176.001 | Browser Extensions Sub-technique | Ensure operating systems and browsers are using the most current version. |
| Enterprise | T1137 | Office Application Startup | For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine. (Citation: SensePost Outlook Forms) Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems. (Citation: SensePost Outlook Home Page) |
| Enterprise | T1195.001 | Compromise Software Dependencies and Development Tools Sub-technique | A patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation. |
| Enterprise | T1552.006 | Group Policy Preferences Sub-technique | Apply patch KB2962486 which prevents credentials from being stored in GPPs. (Citation: ADSecurity Finding Passwords in SYSVOL) (Citation: MS14-025) |
| Enterprise | T1137.005 | Outlook Rules Sub-technique | For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine. (Citation: SensePost Outlook Forms) Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems. (Citation: SensePost Outlook Home Page) |
| Enterprise | T1195 | Supply Chain Compromise | A patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation. |
| Enterprise | T1539 | Steal Web Session Cookie | Regularly update web browsers, password managers, and all related software to the latest versions. Keeping software up-to-date reduces the risk of vulnerabilities being exploited by attackers to extract stored credentials or session cookies. |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | Regularly update web browsers, password managers, and all related software to the latest versions. Keeping software up-to-date reduces the risk of vulnerabilities being exploited by attackers to extract stored credentials or session cookies. |
| Enterprise | T1602.002 | Network Device Configuration Dump Sub-technique | Keep system images and software updated and migrate to SNMPv3. (Citation: Cisco Blog Legacy Device Attacks) |
| Enterprise | T1546.010 | AppInit DLLs Sub-technique | Upgrade to Windows 8 or later and enable secure boot. |
| Enterprise | T1574.001 | DLL Sub-technique | Update software regularly to include patches that fix DLL side-loading vulnerabilities. |
| Enterprise | T1176 | Software Extensions | Ensure operating systems and software are using the most current version. |
| Enterprise | T1203 | Exploitation for Client Execution | Perform regular software updates to mitigate exploitation risk. Keeping software up-to-date with the latest security patches helps prevent adversaries from exploiting known vulnerabilities in client software, reducing the risk of successful attacks. |
| Enterprise | T1542.002 | Component Firmware Sub-technique | Perform regular firmware updates to mitigate risks of exploitation and/or abuse. |
| Enterprise | T1137.003 | Outlook Forms Sub-technique | For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine. (Citation: SensePost Outlook Forms) Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems. (Citation: SensePost Outlook Home Page) |
| Enterprise | T1190 | Exploit Public-Facing Application | Update software regularly by employing patch management for externally exposed applications. |
| Enterprise | T1195.002 | Compromise Software Supply Chain Sub-technique | A patch management process should be implemented to check unused applications, unmaintained and/or previously vulnerable software, unnecessary features, components, files, and documentation. |
| Enterprise | T1210 | Exploitation of Remote Services | Update software regularly by employing patch management for internal enterprise endpoints and servers. |
| Enterprise | T1546.011 | Application Shimming Sub-technique | Microsoft released an optional patch update - KB3045645 - that will remove the "auto-elevate" flag within the sdbinst.exe. This will prevent use of application shimming to bypass UAC. |
| Enterprise | T1546 | Event Triggered Execution | Perform regular software updates to mitigate exploitation risk. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | beaa77555ca1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack M1051 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.