M1040 Behavior Prevention on Endpoint
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.
| Item | Value |
|---|---|
| ID | M1040 |
| Version | 1.0 |
| Created | 11 June 2019 |
| Last Modified | 11 June 2019 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Addressed by Mitigation
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Visual Basic and JavaScript scripts from executing potentially malicious downloaded content 1. |
| enterprise | T1059.005 | Visual Basic | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Visual Basic scripts from executing potentially malicious downloaded content 1. |
| enterprise | T1059.007 | JavaScript | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent JavaScript scripts from executing potentially malicious downloaded content 1. |
| enterprise | T1543 | Create or Modify System Process | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent an application from writing a signed vulnerable driver to the system.5 On Windows 10 and 11, enable Microsoft Vulnerable Driver Blocklist to assist in hardening against third party-developed drivers.6 |
| enterprise | T1543.003 | Windows Service | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent an application from writing a signed vulnerable driver to the system.5 On Windows 10 and 11, enable Microsoft Vulnerable Driver Blocklist to assist in hardening against third party-developed service drivers.6 |
| enterprise | T1486 | Data Encrypted for Impact | On Windows 10, enable cloud-delivered protection and Attack Surface Reduction (ASR) rules to block the execution of files that resemble ransomware. 1 |
| enterprise | T1546 | Event Triggered Execution | - |
| enterprise | T1546.003 | Windows Management Instrumentation Event Subscription | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent malware from abusing WMI to attain persistence.1 |
| enterprise | T1574 | Hijack Execution Flow | Some endpoint security solutions can be configured to block some types of behaviors related to process injection/memory tampering based on common sequences of indicators (ex: execution of specific API functions). |
| enterprise | T1574.013 | KernelCallbackTable | Some endpoint security solutions can be configured to block some types of behaviors related to process injection/memory tampering based on common sequences of indicators (ex: execution of specific API functions). |
| enterprise | T1559 | Inter-Process Communication | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent DDE attacks and spawning of child processes from Office programs.23 |
| enterprise | T1559.002 | Dynamic Data Exchange | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent DDE attacks and spawning of child processes from Office programs.23 |
| enterprise | T1036 | Masquerading | Implement security controls on the endpoint, such as a Host Intrusion Prevention System (HIPS), to identify and prevent execution of potentially malicious files (such as those with mismatching file signatures). |
| enterprise | T1036.008 | Masquerade File Type | Implement security controls on the endpoint, such as a Host Intrusion Prevention System (HIPS), to identify and prevent execution of files with mismatching file signatures. |
| enterprise | T1106 | Native API | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office VBA macros from calling Win32 APIs. 1 |
| enterprise | T1027 | Obfuscated Files or Information | On Windows 10+, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated payloads. 1 |
| enterprise | T1027.009 | Embedded Payloads | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated scripts.1 |
| enterprise | T1027.010 | Command Obfuscation | On Windows 10+, enable Attack Surface Reduction (ASR) rules to block execution of potentially obfuscated scripts.4 |
| enterprise | T1137 | Office Application Startup | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. 1 |
| enterprise | T1137.001 | Office Template Macros | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. 1 |
| enterprise | T1137.002 | Office Test | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. 1 |
| enterprise | T1137.003 | Outlook Forms | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. 1 |
| enterprise | T1137.004 | Outlook Home Page | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. 1 |
| enterprise | T1137.005 | Outlook Rules | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. 1 |
| enterprise | T1137.006 | Add-ins | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. 1 |
| enterprise | T1003 | OS Credential Dumping | On Windows 10, enable Attack Surface Reduction (ASR) rules to secure LSASS and prevent credential stealing. 1 |
| enterprise | T1003.001 | LSASS Memory | On Windows 10, enable Attack Surface Reduction (ASR) rules to secure LSASS and prevent credential stealing. 1 |
| enterprise | T1055 | Process Injection | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. For example, on Windows 10, Attack Surface Reduction (ASR) rules may prevent Office applications from code injection. 1 |
| enterprise | T1055.001 | Dynamic-link Library Injection | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| enterprise | T1055.002 | Portable Executable Injection | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| enterprise | T1055.003 | Thread Execution Hijacking | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| enterprise | T1055.004 | Asynchronous Procedure Call | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| enterprise | T1055.005 | Thread Local Storage | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| enterprise | T1055.008 | Ptrace System Calls | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| enterprise | T1055.009 | Proc Memory | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| enterprise | T1055.011 | Extra Window Memory Injection | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| enterprise | T1055.012 | Process Hollowing | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| enterprise | T1055.013 | Process Doppelgänging | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| enterprise | T1055.014 | VDSO Hijacking | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| enterprise | T1055.015 | ListPlanting | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| enterprise | T1091 | Replication Through Removable Media | On Windows 10, enable Attack Surface Reduction (ASR) rules to block unsigned/untrusted executable files (such as .exe, .dll, or .scr) from running from USB removable drives. 1 |
| enterprise | T1216 | System Script Proxy Execution | - |
| enterprise | T1216.001 | PubPrn | On Windows 10, update Windows Defender Application Control policies to include rules that block the older, vulnerable versions of PubPrn.7 |
| enterprise | T1569 | System Services | On Windows 10, enable Attack Surface Reduction (ASR) rules to block processes created by PsExec from running. 1 |
| enterprise | T1569.002 | Service Execution | On Windows 10, enable Attack Surface Reduction (ASR) rules to block processes created by PsExec from running. 1 |
| enterprise | T1204 | User Execution | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent executable files from running unless they meet a prevalence, age, or trusted list criteria and to prevent Office applications from creating potentially malicious executable content by blocking malicious code from being written to disk. Note: cloud-delivered protection must be enabled to use certain rules. 1 |
| enterprise | T1204.002 | Malicious File | On Windows 10, various Attack Surface Reduction (ASR) rules can be enabled to prevent the execution of potentially malicious executable files (such as those that have been downloaded and executed by Office applications/scripting interpreters/email clients or that do not meet specific prevalence, age, or trusted list criteria). Note: cloud-delivered protection must be enabled for certain rules. 1 |
| enterprise | T1047 | Windows Management Instrumentation | On Windows 10, enable Attack Surface Reduction (ASR) rules to block processes created by WMI commands from running. Note: many legitimate tools and applications utilize WMI for command execution. 1 |
References
-
Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Brower, N. & D’Souza-Wiltshire, I. (2017, November 9). Enable Attack surface reduction. Retrieved February 3, 2018. ↩↩
-
Nelson, M. (2018, January 29). Reviving DDE: Using OneNote and Excel for Code Execution. Retrieved February 3, 2018. ↩↩
-
Microsoft. (2023, February 22). Attack surface reduction (ASR) rules reference: Block execution of potentially obfuscated scripts. Retrieved March 17, 2023. ↩
-
Azure Edge and Platform Security Team & Microsoft 365 Defender Research Team. (2021, December 8). Improve kernel security with the new Microsoft Vulnerable and Malicious Driver Reporting Center. Retrieved April 6, 2022. ↩↩
-
Jordan Geurten et al. . (2022, March 29). Microsoft recommended driver block rules. Retrieved April 7, 2022. ↩↩