Antivirus/Antimalware
Use signatures or heuristics to detect malicious software.
Techniques Addressed by Mitigation
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1547 | .006 | Boot or Logon Autostart Execution: Kernel Modules and Extensions |
Common tools for detecting Linux rootkits include: rkhunter [1], chrootkit [2], although rootkits may be designed to evade certain detection tools. |
| Enterprise | T1059 | Command and Scripting Interpreter |
Anti-virus can be used to automatically quarantine suspicious files. |
|
| .001 | PowerShell |
Anti-virus can be used to automatically quarantine suspicious files. |
||
| .005 | Visual Basic |
Anti-virus can be used to automatically quarantine suspicious files. |
||
| .006 | Python |
Anti-virus can be used to automatically quarantine suspicious files. |
||
| Enterprise | T1564 | Hide Artifacts |
Review and audit file/folder exclusions, and limit scope of exclusions to only what is required where possible.[3] |
|
| .012 | File/Path Exclusions |
Review and audit file/folder exclusions, and limit scope of exclusions to only what is required where possible.[3] |
||
| Enterprise | T1036 | Masquerading |
Anti-virus can be used to automatically quarantine suspicious files. |
|
| .008 | Masquerade File Type |
Anti-virus can be used to automatically quarantine suspicious files. |
||
| Enterprise | T1027 | Obfuscated Files or Information |
Anti-virus can be used to automatically detect and quarantine suspicious files. Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10+ to analyze commands after being processed/interpreted. [4] |
|
| .002 | Software Packing |
Employ heuristic-based malware detection. Ensure updated virus definitions and create custom signatures for observed malware. |
||
| .009 | Embedded Payloads |
Anti-virus can be used to automatically detect and quarantine suspicious files. |
||
| .010 | Command Obfuscation |
Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10+ to analyze commands after being processed/interpreted. |
||
| .012 | LNK Icon Smuggling |
Use signatures or heuristics to detect malicious LNK and subsequently downloaded files. |
||
| .013 | Encrypted/Encoded File |
Anti-virus can be used to automatically detect and quarantine suspicious files, including those with high entropy measurements or with otherwise potentially malicious signs of obfuscation. |
||
| .014 | Polymorphic Code |
Anti-virus can be used to automatically detect and quarantine suspicious files. Employment of advanced anti-malware techniques that make use of technologies like machine learning and behavior-based mechanisms to conduct signature-less malware detection will also be more effective than traditional indicator-based detection methods. |
||
| Enterprise | T1566 | Phishing |
Anti-virus can automatically quarantine suspicious files. |
|
| .001 | Spearphishing Attachment |
Anti-virus can also automatically quarantine suspicious files. |
||
| .003 | Spearphishing via Service |
Anti-virus can also automatically quarantine suspicious files. |
||
| Enterprise | T1080 | Taint Shared Content |
Anti-virus can be used to automatically quarantine suspicious files.[5] |
|
| Enterprise | T1221 | Template Injection |
Network/Host intrusion prevention systems, antivirus, and detonation chambers can be employed to prevent documents from fetching and/or executing malicious payloads.[6] |
|
References
- Microsoft. (2015, June 9). Windows 10 to offer application developers new malware defenses. Retrieved February 12, 2018.
- Pany, D. & Hanley, C. (2023, May 3). Cloudy with a Chance of Bad Logs: Cloud Platform Log Configurations to Consider in Investigations. Retrieved October 16, 2023.
- Intel_Acquisition_Team. (2018, March 1). Credential Harvesting and Malicious File Delivery using Microsoft Office Template Injection. Retrieved July 20, 2018.