M1054: Software Configuration
Software configuration refers to making security-focused adjustments to the settings of applications, middleware, databases, or other software to mitigate potential threats. These changes help reduce the attack surface, enforce best practices, and protect sensitive data. This mitigation can be implemented through the following measures:
Conduct a Security Review of Application Settings:
- Review the software documentation to identify recommended security configurations.
- Compare default settings against organizational policies and compliance requirements.
Implement Access Controls and Permissions:
- Restrict access to sensitive features or data within the software.
- Enforce least privilege principles for all roles and accounts interacting with the software.
Enable Logging and Monitoring:
- Configure detailed logging for key application events such as authentication failures, configuration changes, or unusual activity.
- Integrate logs with a centralized monitoring solution, such as a SIEM.
Update and Patch Software Regularly:
- Ensure the software is kept up-to-date with the latest security patches to address known vulnerabilities.
- Use automated patch management tools to streamline the update process.
Disable Unnecessary Features or Services:
- Turn off unused functionality or components that could introduce vulnerabilities, such as debugging interfaces or deprecated APIs.
Test Configuration Changes:
- Perform configuration changes in a staging environment before applying them in production.
- Conduct regular audits to ensure that settings remain aligned with security policies.
*Tools for Implementation*
Configuration Management Tools:
- Ansible: Automates configuration changes across multiple applications and environments.
- Chef: Ensures consistent application settings through code-based configuration management.
- Puppet: Automates software configurations and audits changes for compliance.
Security Benchmarking Tools:
- CIS-CAT: Provides benchmarks and audits for secure software configurations.
- Aqua Security Trivy: Scans containerized applications for configuration issues.
Vulnerability Management Solutions:
- Nessus: Identifies misconfigurations and suggests corrective actions.
Logging and Monitoring Tools:
- Splunk: Aggregates and analyzes application logs to detect suspicious activity.
Analyst context for executives and security teams
Software Configuration is a broad but high-value mitigation: it turns default or convenience-oriented software settings into security-aligned operating standards. For leaders, the practical issue is not whether tools are installed, but whether applications, SaaS platforms, databases, Office components, cloud services, and supporting software are configured to reduce persistence, collection, credential abuse, phishing exposure, exfiltration paths, and trust-control bypass opportunities.
Executive priority
Prioritize this as a governance and resilience control because many related ATT&CK techniques depend on permissive defaults, unused features, weak access controls, limited logging, or unmonitored cloud/SaaS settings. Executives should ask whether critical business systems have documented secure baselines, change control, audit evidence, logging integration, patch/configuration ownership, and periodic review against policy and compliance requirements.
Technical view
SOC, IR, identity, cloud, and vulnerability teams should validate that security-relevant settings are known, enforced, monitored, and auditable. Relationship context points to Windows and Office persistence, SaaS and database data collection, IaaS region abuse, cloud-to-cloud transfer, web session cookie abuse, system process modification, container service changes, PowerShell profiles, trust store changes, password manager exposure, IPC/DDE abuse, phishing controls, and DNS/SaaS exposure. Because ATT&CK provides no official detection for this mitigation, local validation should focus on whether configuration changes, authentication failures, access-control changes, logging state, patch state, disabled features, and privileged software settings are visible in centralized monitoring.
Likely telemetry
- Application and middleware configuration change logs
- Database configuration, access, and audit logs
- SaaS administration, sharing, authentication, and data access logs
- Cloud control-plane logs, including region enablement/use and cloud-to-cloud transfer activity where available
- Windows registry and Office configuration evidence relevant to Office startup and Office Test behavior
Detection direction
- Confirm whether each critical software platform has security-relevant logs enabled before relying on SOC detection use cases.
- Tune alerts around configuration changes to sensitive features, permissions, logging settings, cloud regions, sharing/sync controls, services, trust stores, and startup mechanisms.
- Baseline expected administrative activity so legitimate maintenance, patching, and deployment automation do not overwhelm analysts.
- Pay special attention to blind spots where SaaS, databases, containers, Office settings, or unused cloud regions are not integrated into centralized monitoring.
- Use relationship-driven coverage reviews: map secure configuration evidence against persistence, collection, credential-access, lateral-movement, exfiltration, reconnaissance, execution, and defense-impairment techniques listed in the ATT&CK relationships.
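Taking the detection direction above, this added example (my own, not code from the ATT&CK page or the Glexia mirror) reviews constructed configuration-change events against a baseline of expected automation, escalates logging disables, and suppresses routine deployment changes. The platform names, service accounts, setting-name prefixes and ticket ids are all assumptions.

```python
"""Added example (not from the ATT&CK page or Glexia): apply the page's
detection direction to configuration-change events: sensitive settings,
baselined automation, change tickets and logging state. All data is constructed."""
from dataclasses import dataclass

# Setting-name prefixes treated as security-relevant, mapped to the
# categories named in the detection direction (assumed naming scheme).
SENSITIVE_PREFIXES = {
    "logging.": "logging settings",
    "audit.": "logging settings",
    "cloud.region.": "cloud regions",
    "sharing.": "sharing/sync controls",
    "trust.": "trust stores",
    "startup.": "startup mechanisms",
    "rbac.": "permissions",
    "service.": "services",
}

# Baseline of expected deployment/patching automation per platform
# (constructed); its routine changes are suppressed rather than alerted.
BASELINE_AUTOMATION = {
    "sharepoint": {"svc-m365-deploy"},
    "postgres": {"svc-ansible"},
    "aws": {"svc-terraform"},
}
OFF_VALUES = {"off", "false", "disabled", "0"}

@dataclass
class ConfigChange:
    platform: str
    actor: str
    setting: str
    old: str
    new: str
    ticket: str = ""  # change-management reference; empty when absent

def category(setting):
    """Map a setting name to its sensitive category, or None if not tracked."""
    for prefix, label in SENSITIVE_PREFIXES.items():
        if setting.startswith(prefix):
            return label
    return None

def review(changes):
    """Return (severity, reason, change) tuples for changes worth an alert."""
    findings = []
    for c in changes:
        cat = category(c.setting)
        if cat is None:
            continue  # not security-relevant: no alert, keeps analyst load down
        baselined = c.actor in BASELINE_AUTOMATION.get(c.platform, set())
        if cat == "logging settings" and c.new.lower() in OFF_VALUES:
            # Logging is the precondition for every other detection, so a
            # disable is high severity even when baselined automation did it.
            findings.append(("high", f"{cat} disabled by {c.actor}", c))
        elif not baselined and not c.ticket:
            findings.append(("medium", f"{cat} changed by {c.actor} without a change ticket", c))
        elif not baselined:
            findings.append(("low", f"{cat} changed by {c.actor} under {c.ticket}", c))
    return findings

# Constructed sample events, one per decision branch.
SAMPLE_CHANGES = [
    ConfigChange("sharepoint", "svc-m365-deploy", "sharing.external", "blocked", "blocked", "CHG-101"),
    ConfigChange("sharepoint", "jdoe", "sharing.external", "blocked", "anyone", ""),
    ConfigChange("postgres", "svc-ansible", "audit.log_connections", "on", "off", "CHG-102"),
    ConfigChange("aws", "svc-terraform", "cloud.region.sa-east-1", "disabled", "enabled", "CHG-103"),
    ConfigChange("aws", "admin-r", "cloud.region.ap-south-2", "disabled", "enabled", "CHG-104"),
    ConfigChange("postgres", "jdoe", "ui.theme", "light", "dark", ""),
]
```

Calling `review(SAMPLE_CHANGES)` yields one medium, one high and one low finding; the two baselined automation changes and the cosmetic setting produce nothing.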
Mitigation priorities
- Start with an inventory of applications, middleware, databases, SaaS platforms, cloud services, and other software that store sensitive data or support critical operations.
- Define secure configuration baselines using vendor documentation, organizational policy, and compliance requirements.
- Enforce least privilege for software roles, administrative accounts, sensitive features, and data access.
- Enable detailed logging for authentication failures, configuration changes, unusual activity, and other key application events; forward relevant logs to centralized monitoring.
- Patch and update software regularly, using automated patch management where appropriate.
Analyst notes and limits
This object is a mitigation rather than a technique, so the defensive value comes from operationalizing secure baselines and proving they remain in force. The relationship set shows this mitigation is relevant across Office, Windows, Linux, macOS, SaaS, IaaS, containers, identity provider, and pre-compromise reconnaissance contexts through the related techniques, even though the mitigation object itself does not specify platforms or tactics.
ATT&CK does not provide an official detection section for M1054, and the mitigation object is intentionally broad. Specific control requirements, telemetry availability, false-positive patterns, and audit evidence must be determined from the organization’s actual software stack, cloud/SaaS providers, regulatory obligations, and change-management practices.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation. [Microsoft Anti Spoofing; ACSC Email Spoofing] Furthermore, policies may enforce / install browser extensions that protect against IDN and homograph attacks. |
| Enterprise | T1688 | Safe Mode Boot | Ensure that endpoint defenses run in safe mode. [CyberArk Labs Safe Mode 2016] |
| Enterprise | T1550.004 | Web Session Cookie Sub-technique | Configure browsers or tasks to regularly delete persistent cookies. |
| Enterprise | T1602.001 | SNMP (MIB Dump) Sub-technique | Allowlist MIB objects and implement SNMP views. [Cisco Securing SNMP] |
| Enterprise | T1539 | Steal Web Session Cookie | Configure browsers or tasks to regularly delete persistent cookies. Additionally, minimize the length of time a web cookie is viable to potentially reduce the impact of stolen cookies while also increasing the needed frequency of cookie theft attempts – providing defenders with additional chances at detection. [Token tactics] For example, use non-persistent cookies to limit the duration a session ID will remain on the web client cache where an attacker could obtain it. [Session Management Cheat Sheet] |
| Enterprise | T1553.004 | Install Root Certificate Sub-technique | HTTP Public Key Pinning (HPKP) is one method to mitigate potential Adversary-in-the-Middle situations where an adversary uses a mis-issued or fraudulent certificate to intercept encrypted communications by enforcing use of an expected certificate. [Wikipedia HPKP] |
| Enterprise | T1137.002 | Office Test Sub-technique | Create the Registry key used to execute it and set the permissions to "Read Control" to prevent easy access to the key without administrator permissions or requiring Privilege Escalation. [Palo Alto Office Test Sofacy] |
| Enterprise | T1559 | Inter-Process Communication | Consider disabling embedded files in Office programs, such as OneNote, that do not work with Protected View. [Enigma Reviving DDE Jan 2018; GitHub Disable DDEAUTO Oct 2017] |
| Enterprise | T1666 | Modify Cloud Resource Hierarchy | In Azure environments, consider setting a policy to block subscription transfers. [Azure Subscription Policies] In AWS environments, consider using Service Control Policies to prevent the use of the `LeaveOrganization` API call. [AWS RE:Inforce Threat Detection 2024] |
| Enterprise | T1685 | Disable or Modify Tools | Consider automatically relaunching forwarding mechanisms at recurring intervals (ex: temporal, on-logon, etc.) as well as applying appropriate change management to firewall rules and other related system configurations. |
| Enterprise | T1684.002 | Email Spoofing Sub-technique | Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation. [Microsoft Anti Spoofing; ACSC Email Spoofing] |
| Enterprise | T1213 | Data from Information Repositories | Consider implementing data retention policies to automate periodically archiving and/or deleting data that is no longer needed. |
| Enterprise | T1535 | Unused/Unsupported Cloud Regions | Cloud service providers may allow customers to deactivate unused regions. [CloudSploit - Unused AWS Regions] |
| Enterprise | T1598 | Phishing for Information | Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation. [Microsoft Anti Spoofing; ACSC Email Spoofing] |
| Enterprise | T1566 | Phishing | Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation. [Microsoft Anti Spoofing; ACSC Email Spoofing] |
| Enterprise | T1537 | Transfer Data to Cloud Account | Configure appropriate data sharing restrictions in cloud services. For example, external sharing in Microsoft SharePoint and Google Drive can be turned off altogether, blocked for certain domains, or restricted to certain users. [Google Workspace External Sharing; Microsoft 365 External Sharing] |
| Enterprise | T1677 | Poisoned Pipeline Execution | Where possible, avoid allowing pipelines to run unreviewed code. Where this is necessary, ensure that these pipelines are executed on isolated nodes without access to secrets. In GitHub, avoid using the `pull_request_target` trigger if possible, do not treat user-controlled inputs (such as branch names) as trusted, and do not use self-hosted runners on public repositories. |
| Enterprise | T1602 | Data from Configuration Repository | Allowlist MIB objects and implement SNMP views. [Cisco Securing SNMP] |
| Enterprise | T1213.004 | Customer Relationship Management Software Sub-technique | Consider implementing data retention policies to automate periodically archiving and/or deleting data that is no longer needed. |
| Enterprise | T1543.005 | Container Service Sub-technique | Where possible, consider enforcing the use of container services in rootless mode to limit the possibility of privilege escalation or malicious effects on the host running the container. |
| Enterprise | T1689 | Downgrade Attack | Consider implementing policies on internal web servers, such as HTTP Strict Transport Security, that enforce the use of HTTPS/network traffic encryption to prevent insecure connections. [Chromium HSTS] |
| Enterprise | T1602.002 | Network Device Configuration Dump Sub-technique | Allowlist MIB objects and implement SNMP views. Disable Smart Install (SMI) if not used. [Cisco Securing SNMP; US-CERT TA18-106A Network Infrastructure Devices 2018] |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation. [Microsoft Anti Spoofing; ACSC Email Spoofing] |
| Enterprise | T1559.002 | Dynamic Data Exchange Sub-technique | Consider disabling embedded files in Office programs, such as OneNote, that do not work with Protected View. [Enigma Reviving DDE Jan 2018; GitHub Disable DDEAUTO Oct 2017] |
| Enterprise | T1543 | Create or Modify System Process | Where possible, consider enforcing the use of container services in rootless mode to limit the possibility of privilege escalation or malicious effects on the host running the container. |
| Enterprise | T1590.002 | DNS Sub-technique | Consider implementing policies for DNS servers, such as Zone Transfer Policies, that enforce a list of validated servers permitted for zone transfers. [DNS-msft] |
| Enterprise | T1213.006 | Databases Sub-technique | Consider implementing data retention policies to automate periodically archiving and/or deleting data that is no longer needed. |
| Enterprise | T1546.013 | PowerShell Profile Sub-technique | Avoid PowerShell profiles if not needed. Use the -NoProfile flag when executing PowerShell scripts remotely to prevent local profiles and scripts from being executed. |
| Enterprise | T1555.005 | Password Managers Sub-technique | Consider re-locking password managers after a short timeout to limit the time plaintext credentials live in memory from decrypted databases. |
| Enterprise | T1606 | Forge Web Credentials | Configure browsers/applications to regularly delete persistent web credentials (such as cookies). |
| Enterprise | T1553 | Subvert Trust Controls | HTTP Public Key Pinning (HPKP) is one method to mitigate potential Adversary-in-the-Middle situations where an adversary uses a mis-issued or fraudulent certificate to intercept encrypted communications by enforcing use of an expected certificate. [Wikipedia HPKP] |
| Enterprise | T1606.001 | Web Cookies Sub-technique | Configure browsers/applications to regularly delete persistent web cookies. |
| Enterprise | T1667 | Email Bombing | Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation. [Microsoft Anti Spoofing; ACSC Email Spoofing] Note that additional filtering may be necessary if emails are coming from legitimate sources. |
| Enterprise | T1137 | Office Application Startup | For the Office Test method, create the Registry key used to execute it and set the permissions to "Read Control" to prevent easy access to the key without administrator permissions or requiring Privilege Escalation. [Palo Alto Office Test Sofacy] |
| Enterprise | T1598.002 | Spearphishing Attachment Sub-technique | Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation. [Microsoft Anti Spoofing; ACSC Email Spoofing] |
| Enterprise | T1598.003 | Spearphishing Link Sub-technique | Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation. [Microsoft Anti Spoofing; ACSC Email Spoofing] Furthermore, policies may enforce / install browser extensions that protect against IDN and homograph attacks. Browser password managers may also be configured to only populate credential fields when the URL matches that of the original, legitimate site. |
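The SPF/DKIM/DMARC relationship notes repeated across the phishing, spoofing and email-bombing rows all come down to whether the published records actually enforce. This added example (my own, not from the ATT&CK page or Glexia) audits constructed SPF and DMARC TXT records for the properties a reviewer checks first: a hard-fail `all` term, an enforcing `p=`/`sp=` policy, reporting, and the RFC 7208 lookup limit. The example domains and records are constructed; nothing is queried over DNS.

```python
"""Added example (not from the ATT&CK page): audit SPF and DMARC TXT records
for enforcement. Records are constructed strings; nothing is queried via DNS."""
import re

ENFORCING = ("quarantine", "reject")
# SPF terms that each consume one of the 10 DNS lookups RFC 7208 allows.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

def parse_spf(txt):
    """Return (mechanisms, all_qualifier) for a v=spf1 record, else None."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    mechanisms, all_q = [], None
    for term in parts[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # default qualifier is pass
        body = term.lstrip("+-~?")
        if body.lower() == "all":
            all_q = qualifier
        else:
            mechanisms.append((qualifier, body))
    return mechanisms, all_q

def parse_dmarc(txt):
    """Return DMARC tags as a dict, or None if not a v=DMARC1 record."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None

def audit_email_auth(spf_txt, dmarc_txt):
    """Return a list of findings; an empty list means both records enforce."""
    findings = []
    spf = parse_spf(spf_txt)
    if spf is None:
        findings.append("SPF: no v=spf1 record")
    else:
        mechanisms, all_q = spf
        if all_q is None:
            findings.append("SPF: no 'all' term, unlisted senders are neutral")
        elif all_q == "+":
            findings.append("SPF: '+all' authorizes every sender")
        elif all_q in "~?":
            findings.append(f"SPF: '{all_q}all' is softfail/neutral, not a hard fail")
        lookups = sum(1 for _, m in mechanisms
                      if re.split(r"[:=/]", m, maxsplit=1)[0].lower() in LOOKUP_TERMS)
        if lookups > 10:
            findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10 (permerror)")
    dmarc = parse_dmarc(dmarc_txt)
    if dmarc is None:
        findings.append("DMARC: no v=DMARC1 record")
    else:
        policy = dmarc.get("p", "").lower()
        if policy not in ENFORCING:
            findings.append(f"DMARC: p={policy or 'missing'} does not enforce")
        sub = dmarc.get("sp", "").lower()
        if sub and sub not in ENFORCING:
            findings.append(f"DMARC: sp={sub} leaves subdomains unenforced")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= aggregate reporting address")
    return findings

# Constructed records for a weak and a hardened domain.
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com"
```

`audit_email_auth(WEAK_SPF, WEAK_DMARC)` reports the softfail `~all` and the monitoring-only `p=none`; the hardened pair returns no findings. DKIM is deliberately out of scope here since its selector records cannot be judged without the signing configuration.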
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 |  | 1.3 |  | Current bundle | f79592c17fcc… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack M1054
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.