CM-7: Least Functionality

From NIST's SP800-53:

a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services].

SP800-53 Control Mapped to NIST Cyber Security Framework

Generated from NIST's SP800-53/CSF Crosswalk mappings.

Control ID Description
PR.IP-1 A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
PR.PT-3 The principle of least functionality is incorporated by configuring systems to provide only essential capabilities

MITRE ATT&CK Techniques

See which MITRE ATT&CK techniques this control helps to protect against.

ATT&CK ID Title Associated Tactics
T1552.003 Bash History Credential Access
T1071.004 DNS Command and Control
T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol Exfiltration
T1133 External Remote Services Initial Access, Persistence
T1136.002 Domain Account Persistence
T1213.001 Confluence Collection
T1218.004 InstallUtil Defense Evasion
T1498 Network Denial of Service Impact
T1553.004 Install Root Certificate Defense Evasion
T1036.007 Double File Extension Defense Evasion
T1557.002 ARP Cache Poisoning Collection, Credential Access
T1559.002 Dynamic Data Exchange Execution
T1003.002 Security Account Manager Credential Access
T1552.007 Container API Credential Access
T1562.006 Indicator Blocking Defense Evasion
T1557 Adversary-in-the-Middle Collection, Credential Access
T1218.008 Odbcconf Defense Evasion
T1053 Scheduled Task/Job Execution, Persistence, Privilege Escalation
T1559 Inter-Process Communication Execution
T1187 Forced Authentication Credential Access
T1610 Deploy Container Defense Evasion, Execution
T1036 Masquerading Defense Evasion
T1011.001 Exfiltration Over Bluetooth Exfiltration
T1047 Windows Management Instrumentation Execution
T1574 Hijack Execution Flow Defense Evasion, Persistence, Privilege Escalation
T1098.001 Additional Cloud Credentials Persistence, Privilege Escalation
T1003 OS Credential Dumping Credential Access
T1071 Application Layer Protocol Command and Control
T1218.012 Verclsid Defense Evasion
T1098.004 SSH Authorized Keys Persistence, Privilege Escalation
T1553.001 Gatekeeper Bypass Defense Evasion
T1195 Supply Chain Compromise Initial Access
T1197 BITS Jobs Defense Evasion, Persistence
T1095 Non-Application Layer Protocol Command and Control
T1482 Domain Trust Discovery Discovery
T1059.005 Visual Basic Execution
T1602.002 Network Device Configuration Dump Collection
T1104 Multi-Stage Channels Command and Control
T1098 Account Manipulation Persistence, Privilege Escalation
T1498.002 Reflection Amplification Impact
T1562.003 Impair Command History Logging Defense Evasion
T1071.003 Mail Protocols Command and Control
T1106 Native API Execution
T1136 Create Account Persistence
T1612 Build Image on Host Defense Evasion
T1564.002 Hidden Users Defense Evasion
T1563.001 SSH Hijacking Lateral Movement
T1102.001 Dead Drop Resolver Command and Control
T1530 Data from Cloud Storage Collection
T1543 Create or Modify System Process Persistence, Privilege Escalation
T1102.003 One-Way Communication Command and Control
T1218.003 CMSTP Defense Evasion
T1090.003 Multi-hop Proxy Command and Control
T1219 Remote Access Software Command and Control
T1573.002 Asymmetric Cryptography Command and Control
T1555.004 Windows Credential Manager Credential Access
T1553.005 Mark-of-the-Web Bypass Defense Evasion
T1218.013 Mavinject Defense Evasion
T1565.003 Runtime Data Manipulation Impact
T1546.008 Accessibility Features Persistence, Privilege Escalation
T1546.010 AppInit DLLs Persistence, Privilege Escalation
T1037 Boot or Logon Initialization Scripts Persistence, Privilege Escalation
T1037.001 Logon Script (Windows) Persistence, Privilege Escalation
T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay Collection, Credential Access
T1602 Data from Configuration Repository Collection
T1080 Taint Shared Content Lateral Movement
T1216.001 PubPrn Defense Evasion
T1221 Template Injection Defense Evasion
T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration
T1563.002 RDP Hijacking Lateral Movement
T1574.012 COR_PROFILER Defense Evasion, Persistence, Privilege Escalation
T1003.005 Cached Domain Credentials Credential Access
T1052.001 Exfiltration over USB Exfiltration
T1059.007 JavaScript Execution
T1499.003 Application Exhaustion Flood Impact
T1574.006 Dynamic Linker Hijacking Defense Evasion, Persistence, Privilege Escalation
T1599 Network Boundary Bridging Defense Evasion
T1129 Shared Modules Execution
T1499.004 Application or System Exploitation Impact
T1570 Lateral Tool Transfer Lateral Movement
T1053.005 Scheduled Task Execution, Persistence, Privilege Escalation
T1542.005 TFTP Boot Defense Evasion, Persistence
T1484 Domain Policy Modification Defense Evasion, Privilege Escalation
T1112 Modify Registry Defense Evasion
T1569.002 Service Execution Execution
T1542.004 ROMMONkit Defense Evasion, Persistence
T1003.001 LSASS Memory Credential Access
T1195.002 Compromise Software Supply Chain Initial Access
T1087 Account Discovery Discovery
T1647 Plist File Modification Defense Evasion
T1205.001 Port Knocking Command and Control, Defense Evasion, Persistence
T1573 Encrypted Channel Command and Control
T1059 Command and Scripting Interpreter Execution
T1499 Endpoint Denial of Service Impact
T1036.005 Match Legitimate Name or Location Defense Evasion
T1087.002 Domain Account Discovery
T1490 Inhibit System Recovery Impact
T1569 System Services Execution
T1105 Ingress Tool Transfer Command and Control
T1199 Trusted Relationship Initial Access
T1563 Remote Service Session Hijacking Lateral Movement
T1092 Communication Through Removable Media Command and Control
T1553.003 SIP and Trust Provider Hijacking Defense Evasion
T1204.001 Malicious Link Execution
T1546.006 LC_LOAD_DYLIB Addition Persistence, Privilege Escalation
T1574.007 Path Interception by PATH Environment Variable Defense Evasion, Persistence, Privilege Escalation
T1613 Container and Resource Discovery Discovery
T1525 Implant Internal Image Persistence
T1218.007 Msiexec Defense Evasion
T1546.002 Screensaver Persistence, Privilege Escalation
T1499.002 Service Exhaustion Flood Impact
T1564.008 Email Hiding Rules Defense Evasion
T1548.003 Sudo and Sudo Caching Defense Evasion, Privilege Escalation
T1021.003 Distributed Component Object Model Lateral Movement
T1505.004 IIS Components Persistence
T1218.002 Control Panel Defense Evasion
T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol Exfiltration
T1556.002 Password Filter DLL Credential Access, Defense Evasion, Persistence
T1557.003 DHCP Spoofing Collection, Credential Access
T1135 Network Share Discovery Discovery
T1008 Fallback Channels Command and Control
T1609 Container Administration Command Execution
T1553 Subvert Trust Controls Defense Evasion
T1564.006 Run Virtual Instance Defense Evasion
T1562.004 Disable or Modify System Firewall Defense Evasion
T1218.009 Regsvcs/Regasm Defense Evasion
T1562.002 Disable Windows Event Logging Defense Evasion
T1071.002 File Transfer Protocols Command and Control
T1048 Exfiltration Over Alternative Protocol Exfiltration
T1090.002 External Proxy Command and Control
T1204.003 Malicious Image Execution
T1648 Serverless Execution Execution
T1204 User Execution Execution
T1090 Proxy Command and Control
T1574.001 DLL Search Order Hijacking Defense Evasion, Persistence, Privilege Escalation
T1218.005 Mshta Defense Evasion
T1102 Web Service Command and Control
T1601.002 Downgrade System Image Defense Evasion
T1547.004 Winlogon Helper DLL Persistence, Privilege Escalation
T1489 Service Stop Impact
T1052 Exfiltration Over Physical Medium Exfiltration
T1602.001 SNMP (MIB Dump) Collection
T1565 Data Manipulation Impact
T1021.001 Remote Desktop Protocol Lateral Movement
T1072 Software Deployment Tools Execution, Lateral Movement
T1218.001 Compiled HTML File Defense Evasion
T1562.001 Disable or Modify Tools Defense Evasion
T1053.002 At Execution, Persistence, Privilege Escalation
T1573.001 Symmetric Cryptography Command and Control
T1572 Protocol Tunneling Command and Control
T1021.006 Windows Remote Management Lateral Movement
T1216 System Script Proxy Execution Defense Evasion
T1564.003 Hidden Window Defense Evasion
T1218.014 MMC Defense Evasion
T1552.005 Cloud Instance Metadata API Credential Access
T1548.001 Setuid and Setgid Defense Evasion, Privilege Escalation
T1218 System Binary Proxy Execution Defense Evasion
T1559.003 XPC Services Execution
T1574.009 Path Interception by Unquoted Path Defense Evasion, Persistence, Privilege Escalation
T1190 Exploit Public-Facing Application Initial Access
T1011 Exfiltration Over Other Network Medium Exfiltration
T1220 XSL Script Processing Defense Evasion
T1553.006 Code Signing Policy Modification Defense Evasion
T1071.001 Web Protocols Command and Control
T1601 Modify System Image Defense Evasion
T1562 Impair Defenses Defense Evasion
T1021.002 SMB/Windows Admin Shares Lateral Movement
T1601.001 Patch System Image Defense Evasion
T1046 Network Service Discovery Discovery
T1090.001 Internal Proxy Command and Control
T1556 Modify Authentication Process Credential Access, Defense Evasion, Persistence
T1498.001 Direct Network Flood Impact
T1562.009 Safe Mode Boot Defense Evasion
T1204.002 Malicious File Execution
T1068 Exploitation for Privilege Escalation Privilege Escalation
T1021.005 VNC Lateral Movement
T1546.009 AppCert DLLs Persistence, Privilege Escalation
T1548 Abuse Elevation Control Mechanism Defense Evasion, Privilege Escalation
T1552 Unsecured Credentials Credential Access
T1102.002 Bidirectional Communication Command and Control
T1127 Trusted Developer Utilities Proxy Execution Defense Evasion
T1548.004 Elevated Execution with Prompt Defense Evasion, Privilege Escalation
T1136.003 Cloud Account Persistence
T1176 Browser Extensions Persistence
T1205 Traffic Signaling Command and Control, Defense Evasion, Persistence
T1599.001 Network Address Translation Traversal Defense Evasion
T1087.001 Local Account Discovery
T1547.007 Re-opened Applications Persistence, Privilege Escalation
T1622 Debugger Evasion Defense Evasion, Discovery
T1537 Transfer Data to Cloud Account Exfiltration
T1547.006 Kernel Modules and Extensions Persistence, Privilege Escalation
T1564.009 Resource Forking Defense Evasion
T1574.008 Path Interception by Search Order Hijacking Defense Evasion, Persistence, Privilege Escalation
T1213.002 Sharepoint Collection
T1213 Data from Information Repositories Collection
T1571 Non-Standard Port Command and Control
T1611 Escape to Host Privilege Escalation
T1195.001 Compromise Software Dependencies and Development Tools Initial Access
T1499.001 OS Exhaustion Flood Impact
T1210 Exploitation of Remote Services Lateral Movement