M1040 Behavior Prevention on Endpoint
Behavior Prevention on Endpoint refers to the use of technologies and strategies to detect and block potentially malicious activities by analyzing the behavior of processes, files, API calls, and other endpoint events. Rather than relying solely on known signatures, this approach leverages heuristics, machine learning, and real-time monitoring to identify anomalous patterns indicative of an attack. This mitigation can be implemented through the following measures:
Suspicious Process Behavior:
- Implementation: Use Endpoint Detection and Response (EDR) tools to monitor and block processes exhibiting unusual behavior, such as privilege escalation attempts.
- Use Case: An attacker uses a known vulnerability to spawn a privileged process from a user-level application. The endpoint tool detects the abnormal parent-child process relationship and blocks the action.
Unauthorized File Access:
- Implementation: Leverage Data Loss Prevention (DLP) or endpoint tools to block processes attempting to access sensitive files without proper authorization.
- Use Case: A process tries to read or modify a sensitive file located in a restricted directory, such as /etc/shadow on Linux or the SAM registry hive on Windows. The endpoint tool identifies this anomalous behavior and prevents it.
Abnormal API Calls:
- Implementation: Implement runtime analysis tools to monitor API calls and block those associated with malicious activities.
- Use Case: A process dynamically injects itself into another process to hijack its execution. The endpoint detects the abnormal use of APIs like
OpenProcessandWriteProcessMemoryand terminates the offending process.
Exploit Prevention:
- Implementation: Use behavioral exploit prevention tools to detect and block exploits attempting to gain unauthorized access.
- Use Case: A buffer overflow exploit is launched against a vulnerable application. The endpoint detects the anomalous memory write operation and halts the process.
| Item | Value |
|---|---|
| ID | M1040 |
| Version | 1.1 |
| Created | 11 June 2019 |
| Last Modified | 10 December 2024 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Addressed by Mitigation
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Visual Basic and JavaScript scripts from executing potentially malicious downloaded content 3. |
| enterprise | T1059.005 | Visual Basic | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Visual Basic scripts from executing potentially malicious downloaded content 3. |
| enterprise | T1059.007 | JavaScript | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent JavaScript scripts from executing potentially malicious downloaded content 3. |
| enterprise | T1543 | Create or Modify System Process | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent an application from writing a signed vulnerable driver to the system.1 On Windows 10 and 11, enable Microsoft Vulnerable Driver Blocklist to assist in hardening against third party-developed drivers.2 |
| enterprise | T1543.003 | Windows Service | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent an application from writing a signed vulnerable driver to the system.1 On Windows 10 and 11, enable Microsoft Vulnerable Driver Blocklist to assist in hardening against third party-developed service drivers.2 |
| enterprise | T1486 | Data Encrypted for Impact | On Windows 10, enable cloud-delivered protection and Attack Surface Reduction (ASR) rules to block the execution of files that resemble ransomware.3 In AWS environments, create an IAM policy to restrict or block the use of SSE-C on S3 buckets.8 |
| enterprise | T1006 | Direct Volume Access | Some endpoint security solutions can be configured to block some types of behaviors related to efforts by an adversary to create backups, such as command execution or preventing API calls to backup related services. |
| enterprise | T1546 | Event Triggered Execution | - |
| enterprise | T1546.003 | Windows Management Instrumentation Event Subscription | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent malware from abusing WMI to attain persistence.3 |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.014 | Extended Attributes | During artifact review, packaging, or deployment stages, scan extended attributes alongside file contents to detect hidden payloads, obfuscated data, or suspicious attribute keys that may indicate malicious behavior. |
| enterprise | T1574 | Hijack Execution Flow | Some endpoint security solutions can be configured to block some types of behaviors related to process injection/memory tampering based on common sequences of indicators (ex: execution of specific API functions). |
| enterprise | T1574.013 | KernelCallbackTable | Some endpoint security solutions can be configured to block some types of behaviors related to process injection/memory tampering based on common sequences of indicators (ex: execution of specific API functions). |
| enterprise | T1559 | Inter-Process Communication | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent DDE attacks and spawning of child processes from Office programs.56 |
| enterprise | T1559.002 | Dynamic Data Exchange | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent DDE attacks and spawning of child processes from Office programs.56 |
| enterprise | T1036 | Masquerading | Implement security controls on the endpoint, such as a Host Intrusion Prevention System (HIPS), to identify and prevent execution of potentially malicious files (such as those with mismatching file signatures). |
| enterprise | T1036.008 | Masquerade File Type | Implement security controls on the endpoint, such as a Host Intrusion Prevention System (HIPS), to identify and prevent execution of files with mismatching file signatures. |
| enterprise | T1106 | Native API | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office VBA macros from calling Win32 APIs. 3 |
| enterprise | T1027 | Obfuscated Files or Information | On Windows 10+, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated payloads. 3 |
| enterprise | T1027.009 | Embedded Payloads | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated scripts.3 |
| enterprise | T1027.010 | Command Obfuscation | On Windows 10+, enable Attack Surface Reduction (ASR) rules to block execution of potentially obfuscated scripts.4 |
| enterprise | T1027.012 | LNK Icon Smuggling | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated scripts or payloads. |
| enterprise | T1027.013 | Encrypted/Encoded File | On Windows 10+, enable Attack Surface Reduction (ASR) rules to block execution of potentially obfuscated scripts.9 |
| enterprise | T1027.014 | Polymorphic Code | On Windows 10+, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated payloads |
| enterprise | T1137 | Office Application Startup | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. 3 |
| enterprise | T1137.001 | Office Template Macros | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. 3 |
| enterprise | T1137.002 | Office Test | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. 3 |
| enterprise | T1137.003 | Outlook Forms | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. 3 |
| enterprise | T1137.004 | Outlook Home Page | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. 3 |
| enterprise | T1137.005 | Outlook Rules | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. 3 |
| enterprise | T1137.006 | Add-ins | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. 3 |
| enterprise | T1003 | OS Credential Dumping | On Windows 10, enable Attack Surface Reduction (ASR) rules to secure LSASS and prevent credential stealing. 3 |
| enterprise | T1003.001 | LSASS Memory | On Windows 10, enable Attack Surface Reduction (ASR) rules to secure LSASS and prevent credential stealing. 3 |
| enterprise | T1055 | Process Injection | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. For example, on Windows 10, Attack Surface Reduction (ASR) rules may prevent Office applications from code injection. 3 |
| enterprise | T1055.001 | Dynamic-link Library Injection | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| enterprise | T1055.002 | Portable Executable Injection | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| enterprise | T1055.003 | Thread Execution Hijacking | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| enterprise | T1055.004 | Asynchronous Procedure Call | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| enterprise | T1055.005 | Thread Local Storage | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| enterprise | T1055.008 | Ptrace System Calls | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| enterprise | T1055.009 | Proc Memory | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| enterprise | T1055.011 | Extra Window Memory Injection | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| enterprise | T1055.012 | Process Hollowing | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| enterprise | T1055.013 | Process Doppelgänging | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| enterprise | T1055.014 | VDSO Hijacking | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| enterprise | T1055.015 | ListPlanting | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| enterprise | T1091 | Replication Through Removable Media | On Windows 10, enable Attack Surface Reduction (ASR) rules to block unsigned/untrusted executable files (such as .exe, .dll, or .scr) from running from USB removable drives. 3 |
| enterprise | T1216 | System Script Proxy Execution | - |
| enterprise | T1216.001 | PubPrn | On Windows 10, update Windows Defender Application Control policies to include rules that block the older, vulnerable versions of PubPrn.7 |
| enterprise | T1569 | System Services | On Windows 10, enable Attack Surface Reduction (ASR) rules to block processes created by PsExec from running. 3 |
| enterprise | T1569.002 | Service Execution | On Windows 10, enable Attack Surface Reduction (ASR) rules to block processes created by PsExec from running. 3 |
| enterprise | T1204 | User Execution | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent executable files from running unless they meet a prevalence, age, or trusted list criteria and to prevent Office applications from creating potentially malicious executable content by blocking malicious code from being written to disk. Note: cloud-delivered protection must be enabled to use certain rules. 3 |
| enterprise | T1204.002 | Malicious File | On Windows 10, various Attack Surface Reduction (ASR) rules can be enabled to prevent the execution of potentially malicious executable files (such as those that have been downloaded and executed by Office applications/scripting interpreters/email clients or that do not meet specific prevalence, age, or trusted list criteria). Note: cloud-delivered protection must be enabled for certain rules. 3 |
| enterprise | T1047 | Windows Management Instrumentation | On Windows 10, enable Attack Surface Reduction (ASR) rules to block processes created by WMI commands from running. Note: many legitimate tools and applications utilize WMI for command execution. 3 |
References
-
Azure Edge and Platform Security Team & Microsoft 365 Defender Research Team. (2021, December 8). Improve kernel security with the new Microsoft Vulnerable and Malicious Driver Reporting Center. Retrieved April 6, 2022. ↩↩
-
Jordan Geurten et al. . (2022, March 29). Microsoft recommended driver block rules. Retrieved April 7, 2022. ↩↩
-
Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Microsoft. (2023, February 22). Attack surface reduction (ASR) rules reference: Block execution of potentially obfuscated scripts. Retrieved March 17, 2023. ↩
-
Brower, N. & D’Souza-Wiltshire, I. (2017, November 9). Enable Attack surface reduction. Retrieved February 3, 2018. ↩↩
-
Nelson, M. (2018, January 29). Reviving DDE: Using OneNote and Excel for Code Execution. Retrieved February 3, 2018. ↩↩
-
Halcyon RISE Team. (2025, January 13). Abusing AWS Native Services: Ransomware Encrypting S3 Buckets with SSE-C. Retrieved March 18, 2025. ↩
-
Microsoft. (2024, March 4). Attack surface reduction rules reference. Retrieved March 29, 2024. ↩