NIST CSF: DE.CM-5 Subcategory
From NIST's Cyber Security Framework (version 1):
Unauthorized mobile code is detected
CSF Mapped to SP800-53 Controls
Generated from NIST's SP800-53/CSF Crosswalk mappings.
Related ISO 27001 Controls
Annex A controls from ISO 27001 (2013) which are related to this CSF subcategory, taken from mappings by NIST and additional data from Ofgem.
- Restrictions on software installation (12.6.2), ISO 27001:2013
- Installation of software on operational systems (12.5.1), ISO 27001:2013
Related ISA/IEC 62443 Controls
Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CSF subcategory, taken from mappings by NIST and additional data from Ofgem.
- Mobile code (SR 2.4), ISA/IEC 62443-3-3:2013
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against. This is based on mappings to associated SP800-53 controls.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1055 | Process Injection | Defense Evasion, Privilege Escalation |
T1190 | Exploit Public-Facing Application | Initial Access |
T1210 | Exploitation of Remote Services | Lateral Movement |
T1559 | Inter-Process Communication | Execution |
T1055.013 | Process Doppelgänging | Defense Evasion, Privilege Escalation |
T1137.005 | Outlook Rules | Persistence |
T1055.005 | Thread Local Storage | Defense Evasion, Privilege Escalation |
T1059 | Command and Scripting Interpreter | Execution |
T1189 | Drive-by Compromise | Initial Access |
T1055.009 | Proc Memory | Defense Evasion, Privilege Escalation |
T1055.012 | Process Hollowing | Defense Evasion, Privilege Escalation |
T1559.002 | Dynamic Data Exchange | Execution |
T1055.004 | Asynchronous Procedure Call | Defense Evasion, Privilege Escalation |
T1021.003 | Distributed Component Object Model | Lateral Movement |
T1137.003 | Outlook Forms | Persistence |
T1137.004 | Outlook Home Page | Persistence |
T1548.004 | Elevated Execution with Prompt | Defense Evasion, Privilege Escalation |
T1055.002 | Portable Executable Injection | Defense Evasion, Privilege Escalation |
T1218.001 | Compiled HTML File | Defense Evasion |
T1211 | Exploitation for Defense Evasion | Defense Evasion |
T1055.003 | Thread Execution Hijacking | Defense Evasion, Privilege Escalation |
T1137 | Office Application Startup | Persistence |
T1137.001 | Office Template Macros | Persistence |
T1137.006 | Add-ins | Persistence |
T1559.001 | Component Object Model | Execution |
T1059.005 | Visual Basic | Execution |
T1059.007 | JavaScript | Execution |
T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
T1548 | Abuse Elevation Control Mechanism | Defense Evasion, Privilege Escalation |
T1137.002 | Office Test | Persistence |
T1055.008 | Ptrace System Calls | Defense Evasion, Privilege Escalation |
T1055.011 | Extra Window Memory Injection | Defense Evasion, Privilege Escalation |
T1203 | Exploitation for Client Execution | Execution |
T1055.014 | VDSO Hijacking | Defense Evasion, Privilege Escalation |
T1212 | Exploitation for Credential Access | Credential Access |
T1055.001 | Dynamic-link Library Injection | Defense Evasion, Privilege Escalation |
T1484 | Domain Policy Modification | Defense Evasion, Privilege Escalation |
T1505.004 | IIS Components | Persistence |
T1547.004 | Winlogon Helper DLL | Persistence, Privilege Escalation |
T1003.005 | Cached Domain Credentials | Credential Access |
T1078.004 | Cloud Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1553.003 | SIP and Trust Provider Hijacking | Defense Evasion |
T1556 | Modify Authentication Process | Credential Access, Defense Evasion, Persistence |
T1602 | Data from Configuration Repository | Collection |
T1036.001 | Invalid Code Signature | Defense Evasion |
T1059.001 | PowerShell | Execution |
T1555.005 | Password Managers | Credential Access |
T1563.002 | RDP Hijacking | Lateral Movement |
T1098.004 | SSH Authorized Keys | Persistence, Privilege Escalation |
T1003.004 | LSA Secrets | Credential Access |
CSF Mapped to the NCSC CAF
Cyber Assessment Framework mappings generated from UK Cabinet Office data.
Control ID | Name | Description |
---|---|---|
C1.a | Monitoring Coverage | The data sources that you include in your monitoring allow for timely identification of security events which might affect the operation of your essential function. |
B4.c | Secure Management | You manage your organisation's network and information systems that support the operation of essential functions to enable and maintain security. |
C2.b | Proactive Attack Discovery | You use an informed understanding of more sophisticated attack methods and of normal system behaviour to monitor proactively for malicious activity. |
B3.d | Mobile Data | You have protected data important to the operation of the essential function on mobile devices. |
B4.b | Secure Configuration | You securely configure the network and information systems that support the operation of essential functions. |