CM-7: Least Functionality
From NIST's SP800-53:
a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services].
Cyber Threat Graph Context
Explore how this control relates to the wider threat graph
SP800-53 Control Mapped to NIST Cyber Security Framework
Generated from NISTs SP800-53/CSF Crosswalk mappings.
| Control ID | Description |
|---|---|
| PR.IP-1 | A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality) |
| PR.PT-3 | The principle of least functionality is incorporated by configuring systems to provide only essential capabilities |
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against.
| ATT&CK ID | Title | Associated Tactics |
|---|---|---|
| T1552.003 | Bash History | Credential Access |
| T1071.004 | DNS | Command and Control |
| T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Exfiltration |
| T1133 | External Remote Services | Initial Access, Persistence |
| T1136.002 | Domain Account | Persistence |
| T1213.001 | Confluence | Collection |
| T1218.004 | InstallUtil | Defense Evasion |
| T1498 | Network Denial of Service | Impact |
| T1553.004 | Install Root Certificate | Defense Evasion |
| T1036.007 | Double File Extension | Defense Evasion |
| T1557.002 | ARP Cache Poisoning | Collection, Credential Access |
| T1559.002 | Dynamic Data Exchange | Execution |
| T1003.002 | Security Account Manager | Credential Access |
| T1552.007 | Container API | Credential Access |
| T1562.006 | Indicator Blocking | Defense Evasion |
| T1557 | Adversary-in-the-Middle | Collection, Credential Access |
| T1218.008 | Odbcconf | Defense Evasion |
| T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation |
| T1559 | Inter-Process Communication | Execution |
| T1187 | Forced Authentication | Credential Access |
| T1610 | Deploy Container | Defense Evasion, Execution |
| T1036 | Masquerading | Defense Evasion |
| T1011.001 | Exfiltration Over Bluetooth | Exfiltration |
| T1047 | Windows Management Instrumentation | Execution |
| T1574 | Hijack Execution Flow | Defense Evasion, Persistence, Privilege Escalation |
| T1098.001 | Additional Cloud Credentials | Persistence, Privilege Escalation |
| T1003 | OS Credential Dumping | Credential Access |
| T1071 | Application Layer Protocol | Command and Control |
| T1218.012 | Verclsid | Defense Evasion |
| T1098.004 | SSH Authorized Keys | Persistence, Privilege Escalation |
| T1553.001 | Gatekeeper Bypass | Defense Evasion |
| T1195 | Supply Chain Compromise | Initial Access |
| T1197 | BITS Jobs | Defense Evasion, Persistence |
| T1095 | Non-Application Layer Protocol | Command and Control |
| T1482 | Domain Trust Discovery | Discovery |
| T1059.005 | Visual Basic | Execution |
| T1602.002 | Network Device Configuration Dump | Collection |
| T1104 | Multi-Stage Channels | Command and Control |
| T1098 | Account Manipulation | Persistence, Privilege Escalation |
| T1498.002 | Reflection Amplification | Impact |
| T1562.003 | Impair Command History Logging | Defense Evasion |
| T1071.003 | Mail Protocols | Command and Control |
| T1106 | Native API | Execution |
| T1136 | Create Account | Persistence |
| T1612 | Build Image on Host | Defense Evasion |
| T1564.002 | Hidden Users | Defense Evasion |
| T1563.001 | SSH Hijacking | Lateral Movement |
| T1102.001 | Dead Drop Resolver | Command and Control |
| T1530 | Data from Cloud Storage | Collection |
| T1543 | Create or Modify System Process | Persistence, Privilege Escalation |