Behavior Prevention on Endpoint

Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This can include suspicious process, file, or API call behavior, among others.

ID: M1040
Version: 1.0
Created: 11 June 2019
Last Modified: 11 June 2019

Techniques Addressed by Mitigation

Domain ID Name Use
Enterprise T1559 Inter-Process Communication

On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent DDE attacks and spawning of child processes from Office programs.[1][2]

Enterprise T1559.002 Dynamic Data Exchange

On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent DDE attacks and spawning of child processes from Office programs.[1][2]
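The following is an added example for the two ASR rows above, not code from the ATT&CK page or from Microsoft. It enables the Defender ASR rules that cover the Office child-process, code-injection and DDE-driven behaviours the rows describe, rolls them out in audit mode first, and reads back the rule state and recent ASR events so the change can be verified. The rule GUIDs are Microsoft's published identifiers as I know them; confirm them against the current ASR rules reference before deploying. The function names are mine, and the script assumes an elevated PowerShell session on a Windows 10/11 host running Microsoft Defender Antivirus.

```powershell
# Added example (not from the ATT&CK page): enable the ASR rules covering Office
# child processes, injection and DDE, audit first, then block.
# Rule GUIDs are Microsoft's published identifiers; verify against the current
# ASR rules reference before rollout. Requires an elevated session with
# Microsoft Defender Antivirus active.

$AsrRules = @{
    'Block all Office applications from creating child processes'        = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block Office applications from injecting code into other processes' = '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'
    'Block Office applications from creating executable content'         = '3B576869-A4EC-4529-8536-B80A7769E899'
    'Block Win32 API calls from Office macros'                            = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
}

function Set-OfficeAsrRules {
    param(
        # AuditMode only logs what would be blocked (Event ID 1122);
        # Enabled blocks and logs Event ID 1121.
        [ValidateSet('AuditMode', 'Enabled', 'Disabled')]
        [string]$Action = 'AuditMode'
    )
    foreach ($entry in $AsrRules.GetEnumerator()) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $entry.Value `
                         -AttackSurfaceReductionRules_Actions $Action
        Write-Host ("{0,-10} {1}  {2}" -f $Action, $entry.Value, $entry.Key)
    }
}

function Get-OfficeAsrRuleState {
    # Read back the effective action for each of our rules.
    # Action codes as stored by Defender: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i]
        if ($AsrRules.ContainsValue($id)) {
            [pscustomobject]@{
                RuleId = $id
                Action = $pref.AttackSurfaceReductionRules_Actions[$i]
            }
        }
    }
}

function Get-OfficeAsrEvents {
    # Recent ASR hits: 1121 = blocked, 1122 = audited. Review these during the
    # audit period so legitimate Office add-ins are exempted before enforcing.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Typical rollout: audit, review the 1122 events, then switch to Enabled.
Set-OfficeAsrRules -Action AuditMode
Get-OfficeAsrRuleState
# Get-OfficeAsrEvents
# Set-OfficeAsrRules -Action Enabled
```

Start in AuditMode on a pilot group: line-of-business add-ins that spawn helper processes from Word or Excel will surface as Event ID 1122 hits, and they need exclusions (or a Warn action) before the rules are set to Enabled fleet-wide.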

Enterprise T1055 Process Injection

Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.

Enterprise T1055.001 Dynamic-link Library Injection

Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.

Enterprise T1055.002 Portable Executable Injection

Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.

Enterprise T1055.012 Process Hollowing

Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.

Enterprise T1055.003 Thread Execution Hijacking

Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.

Enterprise T1055.004 Asynchronous Procedure Call

Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.

Enterprise T1055.005 Thread Local Storage

Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.

Enterprise T1055.008 Ptrace System Calls

Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.

Enterprise T1055.009 Proc Memory

Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.

Enterprise T1055.011 Extra Window Memory Injection

Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.

Enterprise T1055.013 Process Doppelgänging

Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.

Enterprise T1055.014 VDSO Hijacking

Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.
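The T1055 rows above all make the same point: prevention keys on the ordered sequence of calls an injector makes against a target, not on any single call, which is why one behavioural rule can cover several sub-techniques. The following is an added illustration of that idea, written for this page and not taken from ATT&CK or from any vendor's product. It replays a constructed API-call trace (process IDs, image names and the sequences themselves are illustrative, and the rule labels are my own) and shows where a prevention hook would deny the call that completes a known injection sequence while leaving a benign reader of the same target alone. A real product sources these events from its own user-mode hooks or kernel driver and would cover far more sequences than the three modelled here.

```powershell
# Added example (not from the ATT&CK page): a minimal model of sequence-based
# behaviour prevention for process injection. The trace, PIDs and rule labels
# are constructed for illustration only.

# Ordered call sequences that, taken together from one source process against
# one target, characterise an injection technique (hypothetical rule labels).
$InjectionSequences = @{
    'RemoteThread' = @('OpenProcess', 'VirtualAllocEx', 'WriteProcessMemory', 'CreateRemoteThread')
    'QueueUserAPC' = @('OpenProcess', 'VirtualAllocEx', 'WriteProcessMemory', 'QueueUserAPC')
    'ThreadHijack' = @('OpenProcess', 'VirtualAllocEx', 'WriteProcessMemory',
                       'SuspendThread', 'GetThreadContext', 'SetThreadContext', 'ResumeThread')
}

function Test-InjectionSequence {
    # Returns the label of the first sequence that $Events completes as an
    # ordered subsequence (other calls may be interleaved), or $null.
    param([object[]]$Events)
    foreach ($name in $InjectionSequences.Keys) {
        $steps = $InjectionSequences[$name]
        $next  = 0
        foreach ($e in $Events) {
            if ($e.Api -eq $steps[$next]) {
                $next++
                if ($next -eq $steps.Count) { return $name }
            }
        }
    }
    return $null
}

function Invoke-BehaviorPrevention {
    # Replays a trace in arrival order, keeping history per (source PID -> target PID).
    # Verdict is BLOCK on the call that would complete a known sequence, which is
    # the point at which a prevention hook denies the call; everything else is ALLOW.
    param([object[]]$Trace)
    $history  = @{}
    $verdicts = @()
    foreach ($ev in $Trace) {
        $key = "$($ev.Pid)->$($ev.TargetPid)"
        if (-not $history.ContainsKey($key)) { $history[$key] = @() }
        $history[$key] += $ev
        $matched = Test-InjectionSequence -Events $history[$key]
        $verdict = 'ALLOW'
        if ($matched) { $verdict = "BLOCK ($matched)" }
        $verdicts += [pscustomobject]@{
            Pid       = $ev.Pid
            Image     = $ev.Image
            Api       = $ev.Api
            TargetPid = $ev.TargetPid
            Verdict   = $verdict
        }
    }
    return $verdicts
}

# Constructed trace: an Office process (PID 1000) injecting into explorer.exe
# (PID 4321), interleaved with a benign tool (PID 2000) that only reads memory
# from the same target and therefore never completes a sequence.
$SampleTrace = @(
    [pscustomobject]@{ Pid = 1000; Image = 'winword.exe'; Api = 'OpenProcess';        TargetPid = 4321 }
    [pscustomobject]@{ Pid = 2000; Image = 'procexp.exe'; Api = 'OpenProcess';        TargetPid = 4321 }
    [pscustomobject]@{ Pid = 1000; Image = 'winword.exe'; Api = 'VirtualAllocEx';     TargetPid = 4321 }
    [pscustomobject]@{ Pid = 2000; Image = 'procexp.exe'; Api = 'ReadProcessMemory';  TargetPid = 4321 }
    [pscustomobject]@{ Pid = 1000; Image = 'winword.exe'; Api = 'WriteProcessMemory'; TargetPid = 4321 }
    [pscustomobject]@{ Pid = 1000; Image = 'winword.exe'; Api = 'CreateRemoteThread'; TargetPid = 4321 }
)

Invoke-BehaviorPrevention -Trace $SampleTrace | Format-Table -AutoSize
```

Only the final CreateRemoteThread from PID 1000 is blocked; the earlier OpenProcess, VirtualAllocEx and WriteProcessMemory calls are individually common to debuggers, profilers and installers, which is the reason products key on the sequence rather than any one API. The same limitation applies in the other direction: a technique whose steps do not match a modelled sequence (for example one that reaches the target through a different set of calls) passes, so sequence rules are a complement to, not a replacement for, memory-integrity controls.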

References