M1049 Antivirus/Antimalware
Use signatures or heuristics to detect malicious software.
| Item | Value |
|---|---|
| ID | M1049 |
| Version | 1.1 |
| Created | 11 June 2019 |
| Last Modified | 31 March 2020 |
Techniques Addressed by Mitigation
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.006 | Kernel Modules and Extensions | Common tools for detecting Linux rootkits include rkhunter [3] and chkrootkit [4], although rootkits may be designed to evade certain detection tools. |
| enterprise | T1059 | Command and Scripting Interpreter | Anti-virus can be used to automatically quarantine suspicious files. |
| enterprise | T1059.001 | PowerShell | Anti-virus can be used to automatically quarantine suspicious files. |
| enterprise | T1059.005 | Visual Basic | Anti-virus can be used to automatically quarantine suspicious files. |
| enterprise | T1059.006 | Python | Anti-virus can be used to automatically quarantine suspicious files. |
| enterprise | T1036 | Masquerading | Anti-virus can be used to automatically quarantine suspicious files. |
| enterprise | T1036.008 | Masquerade File Type | Anti-virus can be used to automatically quarantine suspicious files. |
| enterprise | T1027 | Obfuscated Files or Information | Anti-virus can be used to automatically detect and quarantine suspicious files. Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10+ to analyze commands after they have been processed/interpreted. [2] |
| enterprise | T1027.002 | Software Packing | Employ heuristic-based malware detection. Ensure virus definitions are kept up to date and create custom signatures for observed malware. |
| enterprise | T1027.009 | Embedded Payloads | Anti-virus can be used to automatically detect and quarantine suspicious files. |
| enterprise | T1027.010 | Command Obfuscation | Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10+ to analyze commands after they have been processed/interpreted. |
| enterprise | T1566 | Phishing | Anti-virus can automatically quarantine suspicious files. |
| enterprise | T1566.001 | Spearphishing Attachment | Anti-virus can automatically quarantine suspicious files. |
| enterprise | T1566.003 | Spearphishing via Service | Anti-virus can automatically quarantine suspicious files. |
| enterprise | T1221 | Template Injection | Network/host intrusion prevention systems, antivirus, and detonation chambers can be employed to prevent documents from fetching and/or executing malicious payloads. [1] |
References
1. Intel_Acquisition_Team. (2018, March 1). Credential Harvesting and Malicious File Delivery using Microsoft Office Template Injection. Retrieved July 20, 2018.
2. Microsoft. (2015, June 9). Windows 10 to offer application developers new malware defenses. Retrieved February 12, 2018.
3. Rootkit Hunter Project. (2018, February 20). The Rootkit Hunter project. Retrieved April 9, 2018.
4. Murilo, N., Steding-Jessen, K. (2017, August 23). Chkrootkit. Retrieved April 9, 2018.