ATTACK-T1674Active

Input Injection

Statement

Adversaries may simulate keystrokes on a victim’s computer by various means to perform any type of action on behalf of the user, such as launching the command interpreter using keyboard shortcuts, typing an inline script to be executed, or interacting directly with a GUI-based application. These actions can be preprogrammed into adversary tooling or executed through physical devices such as Human Interface Devices (HIDs).

For example, adversaries have used tooling that monitors the Windows message loop to detect when a user visits bank-specific URLs. If detected, the tool then simulates keystrokes to open the developer console or select the address bar, pastes malicious JavaScript from the clipboard, and executes it - enabling manipulation of content within the browser, such as replacing bank account numbers during transactions.(Citation: BleepingComputer BackSwap)(Citation: welivesecurity BackSwap)

Adversaries have also used malicious USB devices to emulate keystrokes that launch PowerShell, leading to the download and execution of malware from adversary-controlled servers.(Citation: BleepingComputer USB)

Location

Tactic: Execution

Technique Details

Identifier: ATTACK-T1674
ATT&CK Page: View on MITRE

Tactics

Execution

Platforms

WindowsmacOSLinux

Detection

Detection Strategy for Input Injection

Mitigations

Limit Hardware Installation: Prevent unauthorized users or groups from installing or using hardware, such as external drives, peripheral devices, or unapproved internal hardware components, by enforcing hardware usage policies and technical controls. This includes disabling USB ports, restricting driver installation, and implementing endpoint security tools to monitor and block unapproved devices. This mitigation can be implemented through the following measures:

Disable USB Ports and Hardware Installation Policies:

Use Group Policy Objects (GPO) to disable USB mass storage devices:
- Navigate to Computer Configuration > Administrative Templates > System > Removable Storage Access.
- Deny write and read access to USB devices.
Whitelist approved devices using unique serial numbers via Windows Device Installation Policies.

Deploy Endpoint Protection and Device Control Solutions:

Use tools like Microsoft Defender for Endpoint, Symantec Endpoint Protection, or Tanium to monitor and block unauthorized hardware.
Implement device control policies to allow specific hardware types (e.g., keyboards, mice) and block others.

Harden BIOS/UEFI and System Firmware:

Set strong passwords for BIOS/UEFI access.
Enable Secure Boot to prevent rogue hardware components from loading unauthorized firmware.

Restrict Peripheral Devices and Drivers:

Use Windows Device Manager Policies to block installation of unapproved drivers.
Monitor hardware installation attempts through endpoint monitoring tools.

Disable Bluetooth and Wireless Hardware:

Use GPO or MDM tools to disable Bluetooth and Wi-Fi interfaces across systems.
Restrict hardware pairing to approved devices only.

Logging and Monitoring:

Enable logging for hardware installation events in Windows Event Logs (Event ID 20001 for Device Setup Manager).
Use SIEM solutions (e.g., Splunk, Elastic Stack) to detect unauthorized hardware installation activities.

Tools for Implementation

USB and Device Control:

Microsoft Group Policy Objects (GPO)
Microsoft Defender for Endpoint
Symantec Endpoint Protection
McAfee Device Control

Endpoint Monitoring:

EDRs
OSSEC (open-source host-based IDS)

Hardware Whitelisting:

BitLocker for external drives (Windows)
Windows Device Installation Policies
Device Control

BIOS/UEFI Security:

Secure Boot (Windows/Linux) Firmware management tools like Dell Command Update or HP Sure Start

Execution Prevention: Prevent the execution of unauthorized or malicious code on systems by implementing application control, script blocking, and other execution prevention mechanisms. This ensures that only trusted and authorized code is executed, reducing the risk of malware and unauthorized actions. This mitigation can be implemented through the following measures:

Application Control:

Use Case: Use tools like AppLocker or Windows Defender Application Control (WDAC) to create whitelists of authorized applications and block unauthorized ones. On Linux, use tools like SELinux or AppArmor to define mandatory access control policies for application execution.
Implementation: Allow only digitally signed or pre-approved applications to execute on servers and endpoints. (e.g., New-AppLockerPolicy -PolicyType Enforced -FilePath "C:\Policies\AppLocker.xml")

Script Blocking:

Use Case: Use script control mechanisms to block unauthorized execution of scripts, such as PowerShell or JavaScript. Web Browsers: Use browser extensions or settings to block JavaScript execution from untrusted sources.
Implementation: Configure PowerShell to enforce Constrained Language Mode for non-administrator users. (e.g., Set-ExecutionPolicy AllSigned)

Executable Blocking:

Use Case: Prevent execution of binaries from suspicious locations, such as %TEMP% or %APPDATA% directories.
Implementation: Block execution of .exe, .bat, or .ps1 files from user-writable directories.

Dynamic Analysis Prevention:

Use Case: Use behavior-based execution prevention tools to identify and block malicious activity in real time.
Implemenation: Employ EDR solutions that analyze runtime behavior and block suspicious code execution.

No cross-framework mappings available

← Back to Execution

Statement

Disable USB Ports and Hardware Installation Policies:

Use Group Policy Objects (GPO) to disable USB mass storage devices:
- Navigate to Computer Configuration > Administrative Templates > System > Removable Storage Access.
- Deny write and read access to USB devices.
Whitelist approved devices using unique serial numbers via Windows Device Installation Policies.

Deploy Endpoint Protection and Device Control Solutions:

Use tools like Microsoft Defender for Endpoint, Symantec Endpoint Protection, or Tanium to monitor and block unauthorized hardware.
Implement device control policies to allow specific hardware types (e.g., keyboards, mice) and block others.

Harden BIOS/UEFI and System Firmware:

Set strong passwords for BIOS/UEFI access.
Enable Secure Boot to prevent rogue hardware components from loading unauthorized firmware.

Restrict Peripheral Devices and Drivers:

Use Windows Device Manager Policies to block installation of unapproved drivers.
Monitor hardware installation attempts through endpoint monitoring tools.

Disable Bluetooth and Wireless Hardware:

Use GPO or MDM tools to disable Bluetooth and Wi-Fi interfaces across systems.
Restrict hardware pairing to approved devices only.

Logging and Monitoring:

Enable logging for hardware installation events in Windows Event Logs (Event ID 20001 for Device Setup Manager).
Use SIEM solutions (e.g., Splunk, Elastic Stack) to detect unauthorized hardware installation activities.

Tools for Implementation

USB and Device Control:

Microsoft Group Policy Objects (GPO)
Microsoft Defender for Endpoint
Symantec Endpoint Protection
McAfee Device Control

Endpoint Monitoring:

EDRs
OSSEC (open-source host-based IDS)

Hardware Whitelisting:

BitLocker for external drives (Windows)
Windows Device Installation Policies
Device Control

BIOS/UEFI Security:

Secure Boot (Windows/Linux) Firmware management tools like Dell Command Update or HP Sure Start

Application Control:

Use Case: Use tools like AppLocker or Windows Defender Application Control (WDAC) to create whitelists of authorized applications and block unauthorized ones. On Linux, use tools like SELinux or AppArmor to define mandatory access control policies for application execution.
Implementation: Allow only digitally signed or pre-approved applications to execute on servers and endpoints. (e.g., New-AppLockerPolicy -PolicyType Enforced -FilePath "C:\Policies\AppLocker.xml")

Script Blocking:

Use Case: Use script control mechanisms to block unauthorized execution of scripts, such as PowerShell or JavaScript. Web Browsers: Use browser extensions or settings to block JavaScript execution from untrusted sources.
Implementation: Configure PowerShell to enforce Constrained Language Mode for non-administrator users. (e.g., Set-ExecutionPolicy AllSigned)

Executable Blocking:

Use Case: Prevent execution of binaries from suspicious locations, such as %TEMP% or %APPDATA% directories.
Implementation: Block execution of .exe, .bat, or .ps1 files from user-writable directories.

Dynamic Analysis Prevention:

Use Case: Use behavior-based execution prevention tools to identify and block malicious activity in real time.
Implemenation: Employ EDR solutions that analyze runtime behavior and block suspicious code execution.

Input Injection

Statement

Location

Technique Details

Tactics

Platforms

Detection

Mitigations

Cross-Framework Mappings0

Input Injection

Statement

Location

Technique Details

Tactics

Platforms

Detection

Mitigations

Cross-Framework Mappings0