1. MITRE ATT&CK® Framework: The technique T1548, "Abuse Elevation Control Mechanism", describes adversaries using system features to elevate privileges. The primary listed mitigation is M1048, "Application Control", which states: "Use application control to prevent the execution of malicious commands and scripts that may be used to abuse elevation control mechanisms." This directly aligns with blocking the execution of untrusted applications. (Source: MITRE ATT&CK, Technique T1548, Mitigation M1048.)

2. NIST Special Publication 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations: Control CM-7, "Least Functionality", advocates configuring systems to provide only essential capabilities. A key implementation of this principle is "the use of application allowlists... to ensure that only authorized software is allowed to execute." This control directly mitigates the threat of legitimate tools being used for unintended, malicious purposes. (Source: NIST SP 800-53 Rev. 5, Control CM-7, Page 133.)

3. Cybersecurity and Infrastructure Security Agency (CISA): In guidance on protecting against malicious activity, CISA consistently recommends application control as a high-priority defense. For example, in the "Joint Cybersecurity Advisory on Russian State-Sponsored Cyber Actors", CISA recommends that organizations "Implement application allowlisting" as a mitigation against actors who leverage legitimate remote access tools and other LOLBins. (Source: CISA Alert AA22-110A, Mitigations section.)