Our suggestions to prevent and detect typical Cl0p TTPs:

  • Mitigation ID: M1048 – “Application Isolation and Sandboxing” (the AppLocker rules themselves map to M1038 – “Execution Prevention”)
    Implementation via GPO

    • Step 1: Via GPO, enable AppLocker (Computer Configuration → Policies → Windows Settings → Security Settings → Application Control Policies → AppLocker) and define rule collections for “Executable rules” and “DLL rules” that only allow execution of binaries located in specific whitelisted paths (for example: C:\Program Files\TrustedMFT\*, C:\Windows\System32\*). Once a collection is set to “Enforce rules”, anything not matched by an Allow rule is blocked, so a separate Deny rule for %USERPROFILE%\Downloads is redundant. What is needed instead are Deny rules for the subfolders of the allowed paths that standard users can write to (for example C:\Windows\Temp\* and C:\Windows\Tasks\*), otherwise a path rule on the Windows directory is trivially bypassed by dropping a binary there. The Application Identity service (AppIDSvc) must be running on the target machines or the rules are silently not enforced; roll out in “Audit only” first and review the AppLocker event log before switching to “Enforce rules”.
    • Step 2: Software Restriction Policies (Computer Configuration → Policies → Windows Settings → Security Settings → Software Restriction Policies) cannot stop a web shell such as human2.aspx: an .aspx page is never launched by the Windows loader, it is compiled and executed inside the IIS worker process (w3wp.exe), so a Hash Rule or Path Rule on the .aspx file is never consulted, regardless of the “Designated File Types” list. SRP is also ignored on a host where AppLocker rules are enforced, and is deprecated on current Windows releases. Keep the known web‑shell filename and hash as detection indicators (file integrity monitoring on the web root, an EDR file‑hash indicator) and prevent execution of dropped pages through the IIS handler configuration in Step 2 of the web shell mitigation below.
  • Mitigation ID: M1042 – “Disable or Remove Feature or Program”
    Implementation via GPO

    • Step 1: The “Prevent access to drives from My Computer” policy lives under User Configuration → Administrative Templates → Windows Components → File Explorer, and it only hides drives in the Explorer shell for interactive users; it does not stop a process from reading or writing them, so it does nothing against a web shell running as the IIS application pool identity. Apply it to the interactive accounts on the MFT server if you want the UI restriction, but the control that actually limits where a web shell can drop payloads is the NTFS ACL: give the application pool identity write access only to the folders the MFT product documents as needing it (upload and temp directories) and read‑only access to the web root and program directory.
    • Step 2: Disable Windows Script Host on machines that should not run scripts. Windows does not ship an ADMX setting for this, so deploy the documented registry value through a GPO Preferences Registry item: HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings, DWORD value Enabled = 0 (a per‑user value with the same name exists under HKCU). With this set, wscript.exe and cscript.exe refuse to run .vbs/.js/.wsf files; it has no effect on PowerShell, which needs its own AppLocker/WDAC script rules.
  • Mitigation ID: M1026 – “Privileged Account Management”
    Implementation via Intune

    • Step 1: In Intune, create a device configuration profile (Platform: Windows 10 and later → Profile type: Settings catalog) and set Local Policies Security Options → “Interactive Logon Require Smart Card” to Enabled on the MFT servers and admin workstations. This is a device‑wide setting: it applies to every interactive logon on that device, not to selected accounts. To require a smart card for particular privileged users (domain admins, vendor support accounts) regardless of device, set “Smart card is required for interactive logon” on the user object in Active Directory. Service accounts used by third‑party vendors should not have interactive logon at all; add them to “Deny log on locally” and “Deny log on through Remote Desktop Services” in the user rights assignment.
    • Step 2: In Intune, deploy an Endpoint security → Account protection → “Local user group membership” policy with the “Add (Replace)” action for the privileged local groups (Administrators, Remote Desktop Users) on the MFT servers, so that the membership is set to exactly the intended accounts and vendor/service accounts are removed rather than merely supplemented. For example, remove all “VendorSvcMFT” accounts from the local Administrators group and leave only the vetted admin group. The application pool identity “SvcMFT‑AppPool” belongs in IIS_IUSRS with the NTFS rights it needs, not in Administrators; a web shell runs as that identity, so local admin membership for it turns any web shell into a full host compromise.
  • Mitigation ID: M1038 – “Execution Prevention” (restricting web shell execution)
    Implementation via GPO and IIS configuration

    • Step 1: Use GPO to deploy Windows Defender Application Control (Computer Configuration → Administrative Templates → System → Device Guard → “Deploy Windows Defender Application Control”, pointing at the policy binary on a share) with a policy that allows only the MFT vendor’s signed binaries, the OS, and the tooling the server genuinely needs. WDAC governs which executables, DLLs, drivers and scripts may load; it cannot match on .aspx files, because a page is compiled by ASP.NET and executed inside w3wp.exe, so a rule “block .aspx outside C:\Program Files\MOVEit\Web\” is not something WDAC can express. Its value here is denying the second stage: the web shell can still run .NET code in the worker process, but the cmd.exe/PowerShell/certutil‑style tooling and unsigned droppers it tries to launch are blocked. Build the policy in audit mode first, because ASP.NET compiles pages into unsigned assemblies under Temporary ASP.NET Files and the policy needs a suitable rule for them or the application breaks.
    • Step 2: Configure IIS itself; GPO does not manage IIS, so use a location‑scoped web.config, appcmd, or the WebAdministration PowerShell module. For every directory where uploads or other user‑controlled files land (IIS → Default Web Site → UploadDir → Handler Mappings): remove the ASP.NET script maps (PageHandlerFactory‑*, SimpleHandlerFactory‑*, WebServiceHandlerFactory‑*) or set “Edit Feature Permissions” to Read only, which leaves only the StaticFile handler, and add Request Filtering rules that deny .aspx/.ashx/.asmx requests under that path. A dropped human2.aspx is then served as inert bytes at worst and is never compiled. Keep the legitimate application path (e.g., C:\Program Files\MOVEit\Web\) read‑only for the application pool identity so that a page cannot be written there in the first place.
  • Mitigation ID: M1030 – “Network Segmentation” (the host firewall rules map to M1037 – “Filter Network Traffic”)
    Implementation via Intune (Firewall policy)

    • Step 1: Create an Intune endpoint firewall policy (Endpoint security → Firewall, profile type “Microsoft Defender Firewall Rules”) for the MFT server that sets the default inbound action to Block and allows only the required flows. For example, allow inbound HTTPS (TCP 443) only from the approved vendor address ranges, allow RDP (TCP 3389) only from the admin jump host, and add explicit Block rules for SMB (TCP 445) from anywhere and for RDP from the general workstation subnets. Explicit Block rules matter even with a Block default, because Windows Firewall evaluates Block rules before Allow rules, so a predefined “File and Printer Sharing” or “Remote Desktop” allow rule enabled later by another policy or installer cannot reopen the port. The same ordering means a Block rule must not cover the jump host’s address (rules cannot express “everything except”), or it overrides the RDP Allow as well.
    • Step 2: The Intune “Network isolation” settings (Settings catalog → Network Isolation: enterprise IP ranges, domain names, proxies) only define the enterprise boundary used by Windows Information Protection and Application Guard; they do not filter traffic and will not stop a workstation from opening SMB or RDP to the server. Enforce the segmentation from both sides instead: the server‑side inbound rules from Step 1, and an outbound firewall policy on the general endpoint population that blocks TCP 445 and 3389 towards the MFT server subnet, so that only the designated management hosts can initiate those connections.
  • Mitigation ID: M1043 – “Credential Access Protection” (the audit settings map to M1047 – “Audit”)
    Implementation via GPO

    • Step 1: Via GPO (Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Account Logon) enable “Audit Credential Validation” and “Audit Kerberos Service Ticket Operations” for both success and failure. The legacy “Local Policies → Audit Policy” categories do not expose these subcategories, and when both are configured the advanced policy takes precedence. Credential Validation for domain accounts (event 4776) and Kerberos Service Ticket Operations (event 4769) are logged on the domain controllers, not on the member server, so the policy must reach the DCs and their Security logs must be forwarded to the SIEM. Together these give you the evidence for unauthorized use of service accounts (T1078 Valid Accounts): a service account requesting service tickets for hosts it never touched, or NTLM validations arriving from an unexpected source workstation.
    • Step 2: Harden Kerberos and NTLM. “Enforce user logon restrictions” is a Kerberos Policy setting (Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Kerberos Policy, applied through the Default Domain Policy) that makes the KDC validate the user’s logon rights before issuing a service ticket. “Smart card is required for interactive logon” is not a GPO setting but an account option on each privileged user object in Active Directory. For NTLM, set “Network security: Restrict NTLM: Incoming NTLM traffic” to “Deny all domain accounts” on the MFT servers; there is no per‑account exception list for incoming traffic (the exception policies apply to outgoing NTLM and to the domain‑wide setting), so first run with “Network security: Restrict NTLM: Audit Incoming NTLM Traffic” enabled, review the Microsoft‑Windows‑NTLM/Operational log to find which service accounts still authenticate with NTLM, and move them to Kerberos before enforcing. This limits pass‑the‑hash and credential reuse against the server.
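The IIS lockdown in Step 2 of the web shell mitigation, and the detection side of the human2.aspx discussion, as an added PowerShell example; this is not code from the original page or from any MFT vendor. It assumes the directory layout in the text (a legitimate Web\ folder and an UploadDir\ where user files land); the lockdown web.config is real IIS configuration, while the demo tree and the human2.aspx sample at the bottom are constructed in a temporary folder so the script also runs on a machine without IIS.

```powershell
# Added example (not from the original page): make an IIS upload folder static-only so that
# dropped files are never compiled as ASP.NET, and hunt for web-script files outside the one
# directory that is allowed to contain pages. Run as administrator on the IIS host.

# web.config written into the upload folder:
#  - handlers accessPolicy="Read" is what IIS Manager writes when "Edit Feature Permissions"
#    has Script and Execute unticked; <clear/> then re-adds only the StaticFile handler.
#  - requestFiltering denies the script extensions outright, so a handler inherited from a
#    parent level can never serve them from this path. (.config is already denied by the
#    IIS defaults; re-adding it here would be a duplicate entry and break the site.)
$LockdownWebConfig = @'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read">
      <clear />
      <add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".aspx" allowed="false" />
          <add fileExtension=".ashx" allowed="false" />
          <add fileExtension=".asmx" allowed="false" />
          <add fileExtension=".asp"  allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
'@

function Protect-UploadDirectory {
    param([Parameter(Mandatory)][string]$Path)
    # Drop the lockdown web.config into the upload folder. If the handlers section is locked
    # in applicationHost.config (HTTP 500.19 on the next request), unlock it once with:
    #   appcmd unlock config /section:system.webServer/handlers
    $target = Join-Path $Path 'web.config'
    Set-Content -Path $target -Value $LockdownWebConfig -Encoding UTF8
    return $target
}

function Find-RogueWebScript {
    param(
        [Parameter(Mandatory)][string]$WebRoot,      # physical path of the IIS site
        [Parameter(Mandatory)][string[]]$AllowedDir  # directories that may legitimately hold pages
    )
    # Every .aspx/.ashx/.asmx/.asp/.php under the web root that is NOT inside an allowed
    # directory is a candidate web shell; return path, size and write time for triage.
    $allowed = $AllowedDir | ForEach-Object { (Resolve-Path $_).Path.TrimEnd('\') + '\' }
    Get-ChildItem -Path $WebRoot -Recurse -File -Include *.aspx,*.ashx,*.asmx,*.asp,*.php |
        Where-Object {
            $full = $_.FullName
            -not ($allowed | Where-Object { $full.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
        } |
        Select-Object FullName, Length, LastWriteTimeUtc
}

# --- Constructed demo tree standing in for the MFT web root (assumed layout, not a real product path) ---
$demo = Join-Path ([IO.Path]::GetTempPath()) ('mft-demo-' + [guid]::NewGuid())
$null = New-Item -ItemType Directory -Path "$demo\Web", "$demo\UploadDir" -Force
Set-Content "$demo\Web\Default.aspx"      '<%@ Page %>legitimate page'
Set-Content "$demo\UploadDir\report.pdf"  'not a script'
Set-Content "$demo\UploadDir\human2.aspx" '<%@ Page %>constructed web shell sample'

Protect-UploadDirectory -Path "$demo\UploadDir" | Out-Null
Find-RogueWebScript -WebRoot $demo -AllowedDir "$demo\Web" | Format-Table -AutoSize
Remove-Item $demo -Recurse -Force
```

On a real server point `-WebRoot` at the site's physical path and `-AllowedDir` at the vendor's documented page directory; schedule the hunt and alert on any new row, since the legitimate page set of an MFT product changes only on upgrade.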
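The host-side equivalent of the firewall settings (Network Segmentation, Step 1) and of the audit and NTLM settings (Credential Access Protection, Steps 1 and 2), as an added PowerShell example to apply on an MFT server or lab VM and then read back the effective state; this is not code from the original page. The vendor address ranges, workstation subnet, jump host address and rule names are placeholders and assumptions, not real infrastructure.

```powershell
# Added example (not from the original page): apply and verify the host-level controls
# behind the firewall, audit and NTLM mitigations above. Requires an elevated prompt.
#Requires -RunAsAdministrator

$VendorRanges  = @('203.0.113.0/24', '198.51.100.7')  # placeholder vendor sources (documentation ranges)
$UserSubnets   = @('10.10.0.0/16')                    # placeholder general workstation network
$AdminJumpHost = '192.0.2.10'                         # placeholder; must NOT fall inside $UserSubnets

function Set-MftFirewall {
    # Block-by-default inbound; allow only 443 from vendors and 3389 from the jump host; explicit
    # Block rules for 445 (all sources) and 3389 (user subnets). Block beats Allow in Windows
    # Firewall, so a predefined "File and Printer Sharing" allow enabled later cannot reopen 445,
    # and that is also why the RDP block is scoped to subnets that exclude the jump host.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block
    foreach ($n in 'MFT-Allow-HTTPS-Vendors','MFT-Allow-RDP-JumpHost','MFT-Block-SMB','MFT-Block-RDP-Users') {
        Remove-NetFirewallRule -DisplayName $n -ErrorAction SilentlyContinue   # makes re-runs idempotent
    }
    New-NetFirewallRule -DisplayName 'MFT-Allow-HTTPS-Vendors' -Direction Inbound -Action Allow -Protocol TCP -LocalPort 443  -RemoteAddress $VendorRanges  | Out-Null
    New-NetFirewallRule -DisplayName 'MFT-Allow-RDP-JumpHost'  -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389 -RemoteAddress $AdminJumpHost | Out-Null
    New-NetFirewallRule -DisplayName 'MFT-Block-SMB'           -Direction Inbound -Action Block -Protocol TCP -LocalPort 445  | Out-Null
    New-NetFirewallRule -DisplayName 'MFT-Block-RDP-Users'     -Direction Inbound -Action Block -Protocol TCP -LocalPort 3389 -RemoteAddress $UserSubnets   | Out-Null
}

function Set-MftAuditPolicy {
    # Advanced audit subcategories (same engine the GPO "Advanced Audit Policy Configuration" drives).
    # Kerberos Service Ticket Operations (4769) only produces events on domain controllers; Logon
    # (4624/4625) is added so the member server itself records NTLM network logons.
    auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable | Out-Null
    auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable | Out-Null
    auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
}

function Set-MftNtlmPolicy {
    param([switch]$Enforce)
    # Registry backing of "Restrict NTLM: Audit Incoming NTLM Traffic" (2 = audit all accounts) and
    # "Restrict NTLM: Incoming NTLM traffic" (1 = deny all domain accounts). Audit first; enforce only
    # after the Microsoft-Windows-NTLM/Operational log shows no legitimate service account on NTLM.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    Set-ItemProperty -Path $lsa -Name AuditReceivingNTLMTraffic -Type DWord -Value 2
    if ($Enforce) { Set-ItemProperty -Path $lsa -Name RestrictReceivingNTLMTraffic -Type DWord -Value 1 }
}

function Get-MftHardeningState {
    # One object describing the effective state, for drift checks from configuration management.
    # NtlmNetworkLogons24h counts 4624 events with LogonType 3 and AuthenticationPackage NTLM
    # (property indices 8 and 10 of the event), i.e. the logons the NTLM restriction will break.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $ntlm = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=(Get-Date).AddDays(-1)} -ErrorAction SilentlyContinue |
            Where-Object { $_.Properties[8].Value -eq 3 -and $_.Properties[10].Value -eq 'NTLM' }
    [pscustomobject]@{
        InboundDefault       = (Get-NetFirewallProfile -Profile Domain).DefaultInboundAction
        Smb445Blocked        = [bool](Get-NetFirewallRule -DisplayName 'MFT-Block-SMB' -ErrorAction SilentlyContinue | Where-Object { $_.Enabled -eq 'True' })
        Https443VendorAllow  = [bool](Get-NetFirewallRule -DisplayName 'MFT-Allow-HTTPS-Vendors' -ErrorAction SilentlyContinue)
        CredValidationAudit  = (auditpol /get /subcategory:"Credential Validation" /r | Where-Object { $_ } | ConvertFrom-Csv).'Inclusion Setting'
        NtlmIncomingAudit    = $lsa.AuditReceivingNTLMTraffic
        NtlmIncomingRestrict = $lsa.RestrictReceivingNTLMTraffic
        NtlmNetworkLogons24h = @($ntlm).Count
    }
}

Set-MftFirewall
Set-MftAuditPolicy
Set-MftNtlmPolicy            # add -Enforce once NtlmNetworkLogons24h stays at zero for the service accounts
Get-MftHardeningState | Format-List
```

The readback is the part to keep running: feed `Get-MftHardeningState` into your configuration-management or SIEM job, alert when `Smb445Blocked` flips to false or `NtlmIncomingRestrict` drops back to 0, and use `NtlmNetworkLogons24h` as the gate for switching the NTLM policy from audit to enforce.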