Antivirus/Antimalware solutions utilize signatures, heuristics, and behavioral analysis to detect, block, and remediate malicious software, including viruses, trojans, ransomware, and spyware. These solutions continuously monitor endpoints and systems for known malicious patterns and suspicious behaviors that indicate compromise. Antivirus/Antimalware software should be deployed across all devices, with automated updates to ensure protection against the latest threats. This mitigation can be implemented through the following measures:
Signature-Based Detection:
Heuristic-Based Detection:
Behavioral Detection (Behavior Prevention):
Real-Time Scanning:
Cloud-Assisted Threat Intelligence:
Tools for Implementation:
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1547.006 | Boot or Logon Autostart Execution: Kernel Modules and Extensions | Common tools for detecting Linux rootkits include rkhunter [1] and chkrootkit [2], although rootkits may be designed to evade certain detection tools. |
| Enterprise | T1059 | Command and Scripting Interpreter | Anti-virus can be used to automatically quarantine suspicious files. |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Anti-virus can be used to automatically quarantine suspicious files. |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Anti-virus can be used to automatically quarantine suspicious files. |
| Enterprise | T1059.006 | Command and Scripting Interpreter: Python | Anti-virus can be used to automatically quarantine suspicious files. |
| Enterprise | T1564 | Hide Artifacts | Review and audit file/folder exclusions, and limit the scope of exclusions to only what is required where possible. [3] |
| Enterprise | T1564.012 | Hide Artifacts: File/Path Exclusions | Review and audit file/folder exclusions, and limit the scope of exclusions to only what is required where possible. [3] |
| Enterprise | T1036 | Masquerading | Anti-virus can be used to automatically quarantine suspicious files. |
| Enterprise | T1036.008 | Masquerading: Masquerade File Type | Anti-virus can be used to automatically quarantine suspicious files. |
| Enterprise | T1027 | Obfuscated Files or Information | Anti-virus can be used to automatically detect and quarantine suspicious files. Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10+ to analyze commands after they have been processed/interpreted. [4] |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | Employ heuristic-based malware detection. Ensure virus definitions are kept up to date and create custom signatures for observed malware. |
| Enterprise | T1027.009 | Obfuscated Files or Information: Embedded Payloads | Anti-virus can be used to automatically detect and quarantine suspicious files. |
| Enterprise | T1027.010 | Obfuscated Files or Information: Command Obfuscation | Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10+ to analyze commands after they have been processed/interpreted. |
| Enterprise | T1027.012 | Obfuscated Files or Information: LNK Icon Smuggling | Use signatures or heuristics to detect malicious LNK files and any files they subsequently download. |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Anti-virus can be used to automatically detect and quarantine suspicious files, including those with high entropy measurements or with other potentially malicious signs of obfuscation. |
| Enterprise | T1027.014 | Obfuscated Files or Information: Polymorphic Code | Anti-virus can be used to automatically detect and quarantine suspicious files. Advanced anti-malware techniques that use machine learning and behavior-based mechanisms for signature-less malware detection will also be more effective than traditional indicator-based detection methods. |
| Enterprise | T1027.015 | Obfuscated Files or Information: Compression | Anti-virus can be used to automatically detect and quarantine suspicious files. Consider anti-virus products capable of unpacking and inspecting compressed files recursively, as well as analyzing SFX archives. |
| Enterprise | T1027.016 | Obfuscated Files or Information: Junk Code Insertion | Anti-virus can be used to automatically detect and quarantine suspicious files. Behavior-based detections, rather than reliance on static code analysis, may help to identify malicious files that rely heavily on junk code. [5] |
| Enterprise | T1566 | Phishing | Anti-virus can automatically quarantine suspicious files. |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Anti-virus can automatically quarantine suspicious files. |
| Enterprise | T1566.003 | Phishing: Spearphishing via Service | Anti-virus can automatically quarantine suspicious files. |
| Enterprise | T1080 | Taint Shared Content | Anti-virus can be used to automatically quarantine suspicious files. [6] |
| Enterprise | T1221 | Template Injection | Network/host intrusion prevention systems, antivirus, and detonation chambers can be employed to prevent documents from fetching and/or executing malicious payloads. [7] |