
M1049 Antivirus/Antimalware

Use signatures or heuristics to detect malicious software.

ID: M1049
Version: 1.1
Created: 11 June 2019
Last Modified: 31 March 2020

Techniques Addressed by Mitigation

Domain | ID | Name | Use
enterprise | T1547 | Boot or Logon Autostart Execution | -
enterprise | T1547.006 | Kernel Modules and Extensions | Common tools for detecting Linux rootkits include rkhunter [2] and chkrootkit [3]. Rootkits may be designed to evade these tools; a kernel-resident rootkit can tamper with the same system calls and file listings the scanner relies on, so corroborate findings by scanning from a known-good boot medium or by comparing against offline file integrity data.
enterprise | T1059 | Command and Scripting Interpreter | Anti-virus can be used to automatically quarantine suspicious files.
enterprise | T1059.001 | PowerShell | Anti-virus can be used to automatically quarantine suspicious files.
enterprise | T1059.005 | Visual Basic | Anti-virus can be used to automatically quarantine suspicious files.
enterprise | T1059.006 | Python | Anti-virus can be used to automatically quarantine suspicious files.
enterprise | T1027 | Obfuscated Files or Information | Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10 to analyze commands after they have been processed/interpreted. The script host submits the de-obfuscated content to the registered antimalware provider at execution time, so obfuscation that only unwraps at runtime is still visible to the scanner. [4]
enterprise | T1027.002 | Software Packing | Employ heuristic-based malware detection. Ensure virus definitions are kept up to date and create custom signatures for malware observed in your environment.
enterprise | T1566 | Phishing | Anti-virus can automatically quarantine suspicious files.
enterprise | T1566.001 | Spearphishing Attachment | Anti-virus can automatically quarantine suspicious files.
enterprise | T1566.003 | Spearphishing via Service | Anti-virus can automatically quarantine suspicious files.
enterprise | T1221 | Template Injection | Network/host intrusion prevention systems, antivirus, and detonation chambers can be employed to prevent documents from fetching and/or executing malicious payloads. [1]
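The table above describes three things an antimalware engine does: match signatures (including custom ones built from samples observed in the environment), apply heuristics such as flagging packed payloads or documents that pull a remote template, and quarantine what it finds. The following is an added illustrative example of those steps in Python; it is not MITRE's code and not any vendor's engine. The hash and byte-pattern signatures, the entropy threshold, and the sample .docx it builds are all constructed for the demonstration, and the quarantine layout (file renamed to its SHA-256 with a sidecar report) is an assumed design, not a standard one.

```python
"""Added example: a minimal signature + heuristic file scanner with quarantine.

Not MITRE's code and not a real AV engine. Signatures, thresholds and the sample
documents are constructed for illustration.
"""
import hashlib
import io
import math
import re
import shutil
import zipfile
from collections import Counter
from pathlib import Path

# Custom hash signatures built from "observed malware" (M1049, T1027.002).
# sha256 -> label; add_signature_from_sample() appends to this at runtime.
HASH_SIGNATURES: dict[str, str] = {}

# Byte-pattern signatures (constructed; real engines carry millions of these).
PATTERN_SIGNATURES = [
    (re.compile(rb"powershell(?:\.exe)?\s+-(?:e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{40,}", re.I),
     "encoded-powershell-launcher"),
    (re.compile(rb"CreateObject\(\s*[\"']WScript\.Shell[\"']\s*\)", re.I),
     "vba-wscript-shell"),
]

# Heuristic for software packing: packed/encrypted payloads are near-uniform bytes.
ENTROPY_THRESHOLD = 7.2   # bits per byte; constructed threshold, tune per environment
ENTROPY_MIN_SIZE = 1024   # entropy of tiny files is too noisy to act on

# OOXML relationship type that declares an attached (possibly remote) template.
ATTACHED_TEMPLATE_REL = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def add_signature_from_sample(data: bytes, label: str) -> str:
    """Turn an observed sample into a custom hash signature; returns the digest."""
    digest = sha256_hex(data)
    HASH_SIGNATURES[digest] = label
    return digest


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def external_template_targets(data: bytes) -> list[str]:
    """Return remote attachedTemplate targets of an OOXML document (T1221 indicator).

    A remote template is a Relationship of type attachedTemplate with
    TargetMode="External" in word/_rels/settings.xml.rels; a local template has none.
    """
    if not data.startswith(b"PK"):
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if "word/_rels/settings.xml.rels" not in zf.namelist():
                return []
            rels = zf.read("word/_rels/settings.xml.rels").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return []
    targets = []
    for rel in re.finditer(r"<Relationship\b[^>]*/?>", rels):
        tag = rel.group(0)
        if ATTACHED_TEMPLATE_REL in tag and 'TargetMode="External"' in tag:
            m = re.search(r'Target="([^"]+)"', tag)
            if m:
                targets.append(m.group(1))
    return targets


def scan_bytes(data: bytes) -> list[str]:
    """Signatures first (cheap and precise), then heuristics (broader, noisier)."""
    findings = []
    digest = sha256_hex(data)
    if digest in HASH_SIGNATURES:
        findings.append(f"signature:sha256:{HASH_SIGNATURES[digest]}")
    for pattern, label in PATTERN_SIGNATURES:
        if pattern.search(data):
            findings.append(f"signature:pattern:{label}")
    if len(data) >= ENTROPY_MIN_SIZE and shannon_entropy(data) > ENTROPY_THRESHOLD:
        findings.append("heuristic:high-entropy-possible-packer")
    for url in external_template_targets(data):
        findings.append(f"heuristic:remote-template:{url}")
    return findings


def scan_and_quarantine(path: Path, quarantine_dir: Path) -> list[str]:
    """Scan one file; on any finding move it to quarantine under its hash (no
    original extension, so nothing opens it by accident) plus a sidecar report."""
    data = path.read_bytes()
    findings = scan_bytes(data)
    if findings:
        quarantine_dir.mkdir(parents=True, exist_ok=True)
        dest = quarantine_dir / f"{sha256_hex(data)}.quarantined"
        shutil.move(str(path), str(dest))
        (quarantine_dir / f"{dest.name}.report").write_text(
            f"original={path}\n" + "\n".join(findings) + "\n")
    return findings


def build_docx_with_template(target: str, external: bool = True) -> bytes:
    """Constructed minimal .docx whose settings reference a template (demo input only)."""
    mode = ' TargetMode="External"' if external else ""
    rels = ('<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns='
            '"http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE_REL}" Target="{target}"{mode}/>'
            "</Relationships>")
    settings = ('<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                '<w:attachedTemplate r:id="rId1"/></w:settings>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/settings.xml", settings)
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_docx_with_template("http://example.invalid/invoice.dotm")  # constructed
    print(scan_bytes(doc))
    print(scan_bytes(b"powershell.exe -enc " + b"QQ==" * 16))
```

The ordering in scan_bytes mirrors how the mitigation text splits the work: hash and pattern signatures are exact and cheap but only catch what has already been seen, while the entropy and remote-template checks catch new packed payloads and template-injection documents at the cost of occasional false positives (legitimately compressed or encrypted files, documents that really do use a corporate template server), which is why the quarantine keeps a report rather than silently deleting.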

References
