CM-2: Baseline Configuration
From NIST's SP800-53:
a. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and b. Review and update the baseline configuration of the system: 1. [Assignment: organization-defined frequency]; 2. When required due to [Assignment: organization-defined circumstances]; and 3. When system components are installed or upgraded.
Cyber Threat Graph Context
Explore how this control relates to the wider threat graph
SP800-53 Control Mapped to NIST Cyber Security Framework
Generated from NISTs SP800-53/CSF Crosswalk mappings.
Control ID | Description |
---|---|
PR.IP-1 | A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality) |
PR.DS-7 | The development and testing environment(s) are separate from the production environment |
DE.AE-1 | A baseline of network operations and expected data flows for users and systems is established and managed |
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1564.009 | Resource Forking | Defense Evasion |
T1552.004 | Private Keys | Credential Access |
T1047 | Windows Management Instrumentation | Execution |
T1221 | Template Injection | Defense Evasion |
T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay | Collection, Credential Access |
T1187 | Forced Authentication | Credential Access |
T1105 | Ingress Tool Transfer | Command and Control |
T1070.008 | Clear Mailbox Data | Defense Evasion |
T1565 | Data Manipulation | Impact |
T1562.003 | Impair Command History Logging | Defense Evasion |
T1205 | Traffic Signaling | Command and Control, Defense Evasion, Persistence |
T1127.001 | MSBuild | Defense Evasion |
T1562.010 | Downgrade Attack | Defense Evasion |
T1071.003 | Mail Protocols | Command and Control |
T1220 | XSL Script Processing | Defense Evasion |
T1547.013 | XDG Autostart Entries | Persistence, Privilege Escalation |
T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Exfiltration |
T1546.004 | Unix Shell Configuration Modification | Persistence, Privilege Escalation |
T1539 | Steal Web Session Cookie | Credential Access |
T1185 | Browser Session Hijacking | Collection |
T1071.002 | File Transfer Protocols | Command and Control |
T1201 | Password Policy Discovery | Discovery |
T1070.009 | Clear Persistence | Defense Evasion |
T1574.007 | Path Interception by PATH Environment Variable | Defense Evasion, Persistence, Privilege Escalation |
T1573.002 | Asymmetric Cryptography | Command and Control |
T1574.004 | Dylib Hijacking | Defense Evasion, Persistence, Privilege Escalation |
T1070.003 | Clear Command History | Defense Evasion |
T1562.004 | Disable or Modify System Firewall | Defense Evasion |
T1021.006 | Windows Remote Management | Lateral Movement |
T1574.001 | DLL Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |
T1548 | Abuse Elevation Control Mechanism | Defense Evasion, Privilege Escalation |
T1574 | Hijack Execution Flow | Defense Evasion, Persistence, Privilege Escalation |
T1565.001 | Stored Data Manipulation | Impact |
T1566 | Phishing | Initial Access |
T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |
T1558.002 | Silver Ticket | Credential Access |
T1119 | Automated Collection | Collection |
T1562.006 | Indicator Blocking | Defense Evasion |
T1569 | System Services | Execution |
T1110.002 | Password Cracking | Credential Access |
T1553.003 | SIP and Trust Provider Hijacking | Defense Evasion |
T1218.005 | Mshta | Defense Evasion |
T1204.002 | Malicious File | Execution |
T1030 | Data Transfer Size Limits | Exfiltration |
T1104 | Multi-Stage Channels | Command and Control |
T1574.010 | Services File Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation |
T1001.001 | Junk Data | Command and Control |
T1554 | Compromise Client Software Binary | Persistence |
T1484 | Domain Policy Modification | Defense Evasion, Privilege Escalation |
T1547.003 | Time Providers | Persistence, Privilege Escalation |
T1037.005 | Startup Items | Persistence, Privilege Escalation |
T1622 | Debugger Evasion | Defense Evasion, Discovery |
T1573 | Encrypted Channel | Command and Control |
T1218.013 | Mavinject | Defense Evasion |
T1204.003 | Malicious Image | Execution |
T1072 | Software Deployment Tools | Execution, Lateral Movement |
T1557.003 | DHCP Spoofing | Collection, Credential Access |
T1127 | Trusted Developer Utilities Proxy Execution | Defense Evasion |
T1601.001 | Patch System Image | Defense Evasion |
T1036.007 | Double File Extension | Defense Evasion |
T1562.001 | Disable or Modify Tools | Defense Evasion |
T1599.001 | Network Address Translation Traversal | Defense Evasion |
T1059.006 | Python | Execution |
T1003.004 | LSA Secrets | Credential Access |
T1090.001 | Internal Proxy | Command and Control |
T1543.004 | Launch Daemon | Persistence, Privilege Escalation |
T1114 | Email Collection | Collection |
T1598.002 | Spearphishing Attachment | Reconnaissance |
T1566.002 | Spearphishing Link | Initial Access |
T1037.002 | Login Hook | Persistence, Privilege Escalation |
T1001 | Data Obfuscation | Command and Control |
T1218.001 | Compiled HTML File | Defense Evasion |
T1546 | Event Triggered Execution | Persistence, Privilege Escalation |
T1210 | Exploitation of Remote Services | Lateral Movement |
T1505.002 | Transport Agent | Persistence |
T1547.007 | Re-opened Applications | Persistence, Privilege Escalation |
T1036.001 | Invalid Code Signature | Defense Evasion |
T1111 | Multi-Factor Authentication Interception | Credential Access |
T1003 | OS Credential Dumping | Credential Access |
T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation |
T1562 | Impair Defenses | Defense Evasion |
T1559 | Inter-Process Communication | Execution |
T1563.002 | RDP Hijacking | Lateral Movement |
T1543.002 | Systemd Service | Persistence, Privilege Escalation |
T1574.005 | Executable Installer File Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation |
T1132.001 | Standard Encoding | Command and Control |
T1059.007 | JavaScript | Execution |
T1070.007 | Clear Network Connection History and Configurations | Defense Evasion |
T1552.006 | Group Policy Preferences | Credential Access |
T1601 | Modify System Image | Defense Evasion |
T1218.009 | Regsvcs/Regasm | Defense Evasion |
T1562.002 | Disable Windows Event Logging | Defense Evasion |
T1090.002 | External Proxy | Command and Control |
T1137.004 | Outlook Home Page | Persistence |
T1137.003 | Outlook Forms | Persistence |
T1546.013 | PowerShell Profile | Persistence, Privilege Escalation |
T1037.003 | Network Logon Script | Persistence, Privilege Escalation |
T1219 | Remote Access Software | Command and Control |
T1556.004 | Network Device Authentication | Credential Access, Defense Evasion, Persistence |
T1490 | Inhibit System Recovery | Impact |
T1566.001 | Spearphishing Attachment | Initial Access |
T1571 | Non-Standard Port | Command and Control |
T1505 | Server Software Component | Persistence |
T1574.008 | Path Interception by Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |
T1563 | Remote Service Session Hijacking | Lateral Movement |
T1218.004 | InstallUtil | Defense Evasion |
T1003.001 | LSASS Memory | Credential Access |
T1102.001 | Dead Drop Resolver | Command and Control |
T1218.012 | Verclsid | Defense Evasion |
T1505.001 | SQL Stored Procedures | Persistence |
T1548.003 | Sudo and Sudo Caching | Defense Evasion, Privilege Escalation |
T1216.001 | PubPrn | Defense Evasion |
T1021.002 | SMB/Windows Admin Shares | Lateral Movement |
T1218.007 | Msiexec | Defense Evasion |
T1090 | Proxy | Command and Control |
T1559.002 | Dynamic Data Exchange | Execution |
T1556 | Modify Authentication Process | Credential Access, Defense Evasion, Persistence |
T1137.005 | Outlook Rules | Persistence |
T1546.006 | LC_LOAD_DYLIB Addition | Persistence, Privilege Escalation |
T1021.001 | Remote Desktop Protocol | Lateral Movement |
T1003.008 | /etc/passwd and /etc/shadow | Credential Access |
T1021.003 | Distributed Component Object Model | Lateral Movement |
T1037 | Boot or Logon Initialization Scripts | Persistence, Privilege Escalation |
T1213.001 | Confluence | Collection |
T1547.008 | LSASS Driver | Persistence, Privilege Escalation |
T1558.003 | Kerberoasting | Credential Access |
T1563.001 | SSH Hijacking | Lateral Movement |
T1555.004 | Windows Credential Manager | Credential Access |
T1102.003 | One-Way Communication | Command and Control |
T1059.004 | Unix Shell | Execution |
T1558.004 | AS-REP Roasting | Credential Access |
T1133 | External Remote Services | Initial Access, Persistence |
T1102.002 | Bidirectional Communication | Command and Control |
T1647 | Plist File Modification | Defense Evasion |
T1561.002 | Disk Structure Wipe | Impact |
T1542.004 | ROMMONkit | Defense Evasion, Persistence |
T1553 | Subvert Trust Controls | Defense Evasion |
T1001.002 | Steganography | Command and Control |
T1027 | Obfuscated Files or Information | Defense Evasion |
T1570 | Lateral Tool Transfer | Lateral Movement |
T1053.002 | At | Execution, Persistence, Privilege Escalation |
T1036.003 | Rename System Utilities | Defense Evasion |
T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration |
T1137.006 | Add-ins | Persistence |
T1204.001 | Malicious Link | Execution |
T1572 | Protocol Tunneling | Command and Control |
T1059.003 | Windows Command Shell | Execution |
T1564.006 | Run Virtual Instance | Defense Evasion |
T1218.003 | CMSTP | Defense Evasion |
T1548.004 | Elevated Execution with Prompt | Defense Evasion, Privilege Escalation |
T1052 | Exfiltration Over Physical Medium | Exfiltration |
T1212 | Exploitation for Credential Access | Credential Access |
T1213 | Data from Information Repositories | Collection |
T1176 | Browser Extensions | Persistence |
T1601.002 | Downgrade System Image | Defense Evasion |
T1505.004 | IIS Components | Persistence |
T1129 | Shared Modules | Execution |
T1046 | Network Service Discovery | Discovery |
T1602.002 | Network Device Configuration Dump | Collection |
T1021.005 | VNC | Lateral Movement |
T1599 | Network Boundary Bridging | Defense Evasion |
T1491.002 | External Defacement | Impact |
T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Exfiltration |
T1037.004 | RC Scripts | Persistence, Privilege Escalation |
T1598 | Phishing for Information | Reconnaissance |
T1550.003 | Pass the Ticket | Defense Evasion, Lateral Movement |
T1052.001 | Exfiltration over USB | Exfiltration |
T1598.003 | Spearphishing Link | Reconnaissance |
T1211 | Exploitation for Defense Evasion | Defense Evasion |
T1070.001 | Clear Windows Event Logs | Defense Evasion |
T1003.005 | Cached Domain Credentials | Credential Access |
T1003.007 | Proc Filesystem | Credential Access |
T1008 | Fallback Channels | Command and Control |
T1553.001 | Gatekeeper Bypass | Defense Evasion |
T1071.004 | DNS | Command and Control |
T1189 | Drive-by Compromise | Initial Access |
T1602.001 | SNMP (MIB Dump) | Collection |
T1029 | Scheduled Transfer | Exfiltration |
T1557.002 | ARP Cache Poisoning | Collection, Credential Access |
T1114.002 | Remote Email Collection | Collection |
T1003.002 | Security Account Manager | Credential Access |
T1137.002 | Office Test | Persistence |
T1059.002 | AppleScript | Execution |
T1110.004 | Credential Stuffing | Credential Access |
T1543 | Create or Modify System Process | Persistence, Privilege Escalation |
T1080 | Taint Shared Content | Lateral Movement |
T1036.005 | Match Legitimate Name or Location | Defense Evasion |
T1548.002 | Bypass User Account Control | Defense Evasion, Privilege Escalation |
T1550.001 | Application Access Token | Defense Evasion, Lateral Movement |
T1218.014 | MMC | Defense Evasion |
T1036 | Masquerading | Defense Evasion |
T1137.001 | Office Template Macros | Persistence |
T1216 | System Script Proxy Execution | Defense Evasion |
T1059.005 | Visual Basic | Execution |
T1561.001 | Disk Content Wipe | Impact |
T1602 | Data from Configuration Repository | Collection |
T1546.002 | Screensaver | Persistence, Privilege Escalation |
T1059.008 | Network Device CLI | Execution |
T1486 | Data Encrypted for Impact | Impact |
T1102 | Web Service | Command and Control |
T1137 | Office Application Startup | Persistence |
T1095 | Non-Application Layer Protocol | Command and Control |
T1525 | Implant Internal Image | Persistence |
T1569.002 | Service Execution | Execution |
T1543.003 | Windows Service | Persistence, Privilege Escalation |
T1491.001 | Internal Defacement | Impact |
T1218.008 | Odbcconf | Defense Evasion |
T1546.014 | Emond | Persistence, Privilege Escalation |
T1134.005 | SID-History Injection | Defense Evasion, Privilege Escalation |
T1552.001 | Credentials In Files | Credential Access |
T1001.003 | Protocol Impersonation | Command and Control |
T1003.003 | NTDS | Credential Access |
T1059 | Command and Scripting Interpreter | Execution |
T1021.004 | SSH | Lateral Movement |
T1213.002 | Sharepoint | Collection |
T1546.010 | AppInit DLLs | Persistence, Privilege Escalation |
T1132.002 | Non-Standard Encoding | Command and Control |
T1110.001 | Password Guessing | Credential Access |
T1530 | Data from Cloud Storage | Collection |
T1204 | User Execution | Execution |
T1070.002 | Clear Linux or Mac System Logs | Defense Evasion |
T1106 | Native API | Execution |
T1528 | Steal Application Access Token | Credential Access |
T1218 | System Binary Proxy Execution | Defense Evasion |
T1574.009 | Path Interception by Unquoted Path | Defense Evasion, Persistence, Privilege Escalation |
T1561 | Disk Wipe | Impact |
T1132 | Data Encoding | Command and Control |
T1565.002 | Transmitted Data Manipulation | Impact |
T1071.001 | Web Protocols | Command and Control |
T1098.004 | SSH Authorized Keys | Persistence, Privilege Escalation |
T1573.001 | Symmetric Cryptography | Command and Control |
T1505.005 | Terminal Services DLL | Persistence |
T1546.003 | Windows Management Instrumentation Event Subscription | Persistence, Privilege Escalation |
T1558.001 | Golden Ticket | Credential Access |
T1011.001 | Exfiltration Over Bluetooth | Exfiltration |
T1491 | Defacement | Impact |
T1555.005 | Password Managers | Credential Access |
T1485 | Data Destruction | Impact |
T1542.005 | TFTP Boot | Defense Evasion, Persistence |
T1092 | Communication Through Removable Media | Command and Control |
T1071 | Application Layer Protocol | Command and Control |
T1020.001 | Traffic Duplication | Exfiltration |
T1110 | Brute Force | Credential Access |
T1557 | Adversary-in-the-Middle | Collection, Credential Access |
T1559.001 | Component Object Model | Execution |
T1218.002 | Control Panel | Defense Evasion |
T1553.005 | Mark-of-the-Web Bypass | Defense Evasion |
T1505.003 | Web Shell | Persistence |
T1003.006 | DCSync | Credential Access |
T1543.001 | Launch Agent | Persistence, Privilege Escalation |
T1110.003 | Password Spraying | Credential Access |
T1048 | Exfiltration Over Alternative Protocol | Exfiltration |
T1558 | Steal or Forge Kerberos Tickets | Credential Access |
T1059.001 | PowerShell | Execution |
T1564.007 | VBA Stomping | Defense Evasion |
T1070 | Indicator Removal | Defense Evasion |
T1091 | Replication Through Removable Media | Initial Access, Lateral Movement |
T1552 | Unsecured Credentials | Credential Access |
T1068 | Exploitation for Privilege Escalation | Privilege Escalation |