NIST 800-53 r5 · Controls catalogue · Family SC
SC-44 Detonation Chambers
Employ a detonation chamber capability within {{ insert: param, sc-44_odp }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (22)
- T1137 Office Application Startup (Persistence)
- T1137.001 Office Template Macros (Persistence)
- T1137.002 Office Test (Persistence)
- T1137.003 Outlook Forms (Persistence)
- T1137.004 Outlook Home Page (Persistence)
- T1137.005 Outlook Rules (Persistence)
- T1137.006 Add-ins (Persistence)
- T1203 Exploitation for Client Execution (Execution)
- T1204 User Execution (Execution)
- T1204.001 Malicious Link (Execution)
- T1204.002 Malicious File (Execution)
- T1204.003 Malicious Image (Execution)
- T1221 Template Injection (Stealth)
- T1564.009 Resource Forking (Stealth)
- T1566 Phishing (Initial Access)
- T1566.001 Spearphishing Attachment (Initial Access)
- T1566.002 Spearphishing Link (Initial Access)
- T1566.003 Spearphishing via Service (Initial Access)
- T1598 Phishing for Information (Reconnaissance)
- T1598.001 Spearphishing Service (Reconnaissance)
- T1598.002 Spearphishing Attachment (Reconnaissance)
- T1598.003 Spearphishing Link (Reconnaissance)
Weaknesses this control addresses (6) AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-94 | Improper Control of Generation of Code ('Code Injection') | 6,628 | Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads. |
| CWE-434 | Unrestricted Upload of File with Dangerous Type | 4,869 | Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs. |
| CWE-502 | Deserialization of Untrusted Data | 3,125 | Untrusted serialized data can be deserialized and observed inside the chamber, blocking gadget-chain exploitation outside the sandbox. |
| CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | 254 | Isolated execution prevents functionality from an untrusted sphere from affecting the real environment, allowing safe behavioral inspection. |
| CWE-506 | Embedded Malicious Code | 80 | Detonation chambers directly detect and analyze embedded malicious code by executing it in isolation before it reaches production systems. |
| CWE-470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | 61 | Externally controlled class or code selection can be resolved and invoked inside the chamber, surfacing unsafe reflection without system impact. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2026-34938 | 2.0 | 10.0 | 0.0005 | good |
| CVE-2025-59689 (KEV) | 3.6 | 6.1 | 0.0601 | good |
| CVE-2025-52643 | 0.9 | 4.7 | 0.0002 | good |