Behavior Prevention on Endpoint

Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, or API call behavior, among others.

ID: M1040
Version: 1.0
Created: 11 June 2019
Last Modified: 11 June 2019

Techniques Addressed by Mitigation

| Domain | ID | Name | Description |
|---|---|---|---|
| Enterprise | T1173 | Dynamic Data Exchange | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent DDE attacks and spawning of child processes from Office programs.[1][2] |
| Enterprise | T1055 | Process Injection | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
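
The T1173 entry recommends ASR rules against child processes spawned by Office programs. The PowerShell below is an added example, not part of the ATT&CK page or Microsoft's own code: it reports the state of the "Block all Office applications from creating child processes" rule and changes it without touching other configured rules. The function names are hypothetical, and it assumes Microsoft Defender Antivirus is the active antivirus and the session is elevated.

```powershell
# Added example. Assumes Windows 10+, Microsoft Defender Antivirus active,
# and an elevated PowerShell session.

# "Block all Office applications from creating child processes"
# (GUID as listed in Microsoft's ASR rule reference).
$OfficeChildProcessRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

# Numeric action values as reported by Get-MpPreference.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }

function Get-AsrRuleState {
    param([Parameter(Mandatory)][string]$RuleId)
    $pref    = Get-MpPreference
    # The two properties are parallel arrays: Ids[i] has action Actions[i].
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) {
            $code = [int]$actions[$i]
            if ($ActionNames.ContainsKey($code)) { return $ActionNames[$code] }
            return "Unknown($code)"
        }
    }
    return 'NotConfigured'   # rule absent from local preferences
}

function Set-AsrRuleState {
    param(
        [Parameter(Mandatory)][string]$RuleId,
        [ValidateSet('AuditMode', 'Enabled')][string]$Action = 'AuditMode'
    )
    $before = Get-AsrRuleState -RuleId $RuleId
    if ($before -ne $Action) {
        # Add-MpPreference leaves other configured rules in place;
        # Set-MpPreference would overwrite the existing set.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                         -AttackSurfaceReductionRules_Actions $Action
    }
    [pscustomobject]@{
        RuleId = $RuleId
        Before = $before
        After  = Get-AsrRuleState -RuleId $RuleId
    }
}

# Start in audit mode, then re-run with -Action Enabled once the audit data is clean.
Set-AsrRuleState -RuleId $OfficeChildProcessRule -Action AuditMode
```

In audit mode the rule logs event ID 1122 to the Microsoft-Windows-Windows Defender/Operational log instead of blocking (blocks are event ID 1121), which shows which legitimate Office workflows would break before enforcement is turned on.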

References