Skip to content

M1040 Behavior Prevention on Endpoint

Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.

Item Value
ID M1040
Version 1.0
Created 11 June 2019
Last Modified 11 June 2019
Navigation Layer View In ATT&CK® Navigator

Techniques Addressed by Mitigation

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Visual Basic and JavaScript scripts from executing potentially malicious downloaded content 1.
enterprise T1059.005 Visual Basic On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Visual Basic scripts from executing potentially malicious downloaded content 1.
enterprise T1059.007 JavaScript On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent JavaScript scripts from executing potentially malicious downloaded content 1.
enterprise T1543 Create or Modify System Process On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent an application from writing a signed vulnerable driver to the system.5 On Windows 10 and 11, enable Microsoft Vulnerable Driver Blocklist to assist in hardening against third party-developed drivers.6
enterprise T1543.003 Windows Service On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent an application from writing a signed vulnerable driver to the system.5 On Windows 10 and 11, enable Microsoft Vulnerable Driver Blocklist to assist in hardening against third party-developed service drivers.6
enterprise T1486 Data Encrypted for Impact On Windows 10, enable cloud-delivered protection and Attack Surface Reduction (ASR) rules to block the execution of files that resemble ransomware. 1
enterprise T1546 Event Triggered Execution -
enterprise T1546.003 Windows Management Instrumentation Event Subscription On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent malware from abusing WMI to attain persistence.1
enterprise T1574 Hijack Execution Flow Some endpoint security solutions can be configured to block some types of behaviors related to process injection/memory tampering based on common sequences of indicators (ex: execution of specific API functions).
enterprise T1574.013 KernelCallbackTable Some endpoint security solutions can be configured to block some types of behaviors related to process injection/memory tampering based on common sequences of indicators (ex: execution of specific API functions).
enterprise T1559 Inter-Process Communication On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent DDE attacks and spawning of child processes from Office programs.23
enterprise T1559.002 Dynamic Data Exchange On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent DDE attacks and spawning of child processes from Office programs.23
enterprise T1036 Masquerading Implement security controls on the endpoint, such as a Host Intrusion Prevention System (HIPS), to identify and prevent execution of potentially malicious files (such as those with mismatching file signatures).
enterprise T1036.008 Masquerade File Type Implement security controls on the endpoint, such as a Host Intrusion Prevention System (HIPS), to identify and prevent execution of files with mismatching file signatures.
enterprise T1106 Native API On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office VBA macros from calling Win32 APIs. 1
enterprise T1027 Obfuscated Files or Information On Windows 10+, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated payloads. 1
enterprise T1027.009 Embedded Payloads On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated scripts.1
enterprise T1027.010 Command Obfuscation On Windows 10+, enable Attack Surface Reduction (ASR) rules to block execution of potentially obfuscated scripts.4
enterprise T1137 Office Application Startup On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. 1
enterprise T1137.001 Office Template Macros On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. 1
enterprise T1137.002 Office Test On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. 1
enterprise T1137.003 Outlook Forms On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. 1
enterprise T1137.004 Outlook Home Page On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. 1
enterprise T1137.005 Outlook Rules On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. 1
enterprise T1137.006 Add-ins On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. 1
enterprise T1003 OS Credential Dumping On Windows 10, enable Attack Surface Reduction (ASR) rules to secure LSASS and prevent credential stealing. 1
enterprise T1003.001 LSASS Memory On Windows 10, enable Attack Surface Reduction (ASR) rules to secure LSASS and prevent credential stealing. 1
enterprise T1055 Process Injection Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. For example, on Windows 10, Attack Surface Reduction (ASR) rules may prevent Office applications from code injection. 1
enterprise T1055.001 Dynamic-link Library Injection Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.
enterprise T1055.002 Portable Executable Injection Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.
enterprise T1055.003 Thread Execution Hijacking Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.
enterprise T1055.004 Asynchronous Procedure Call Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.
enterprise T1055.005 Thread Local Storage Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.
enterprise T1055.008 Ptrace System Calls Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.
enterprise T1055.009 Proc Memory Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.
enterprise T1055.011 Extra Window Memory Injection Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.
enterprise T1055.012 Process Hollowing Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.
enterprise T1055.013 Process Doppelgänging Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.
enterprise T1055.014 VDSO Hijacking Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.
enterprise T1055.015 ListPlanting Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.
enterprise T1091 Replication Through Removable Media On Windows 10, enable Attack Surface Reduction (ASR) rules to block unsigned/untrusted executable files (such as .exe, .dll, or .scr) from running from USB removable drives. 1
enterprise T1216 System Script Proxy Execution -
enterprise T1216.001 PubPrn On Windows 10, update Windows Defender Application Control policies to include rules that block the older, vulnerable versions of PubPrn.7
enterprise T1569 System Services On Windows 10, enable Attack Surface Reduction (ASR) rules to block processes created by PsExec from running. 1
enterprise T1569.002 Service Execution On Windows 10, enable Attack Surface Reduction (ASR) rules to block processes created by PsExec from running. 1
enterprise T1204 User Execution On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent executable files from running unless they meet a prevalence, age, or trusted list criteria and to prevent Office applications from creating potentially malicious executable content by blocking malicious code from being written to disk. Note: cloud-delivered protection must be enabled to use certain rules. 1
enterprise T1204.002 Malicious File On Windows 10, various Attack Surface Reduction (ASR) rules can be enabled to prevent the execution of potentially malicious executable files (such as those that have been downloaded and executed by Office applications/scripting interpreters/email clients or that do not meet specific prevalence, age, or trusted list criteria). Note: cloud-delivered protection must be enabled for certain rules. 1
enterprise T1047 Windows Management Instrumentation On Windows 10, enable Attack Surface Reduction (ASR) rules to block processes created by WMI commands from running. Note: many legitimate tools and applications utilize WMI for command execution. 1

References