
Antivirus/Antimalware

Use signatures or heuristics to detect malicious software.

ID: M1049
Version: 1.0
Created: 11 June 2019
Last Modified: 11 June 2019

Techniques Addressed by Mitigation

Domain | ID | Name | Description
Enterprise | T1215 | Kernel Modules and Extensions | Common tools for detecting Linux rootkits include rkhunter and chkrootkit, although rootkits may be designed to evade certain detection tools.[1][2]
Enterprise | T1027 | Obfuscated Files or Information | Consider using the Antimalware Scan Interface (AMSI) on Windows 10 to analyze commands after they have been processed/interpreted.
Enterprise | T1045 | Software Packing | Employ heuristic-based malware detection. Ensure virus definitions are kept up to date and create custom signatures for observed malware.
Enterprise | T1193 | Spearphishing Attachment | Anti-virus can also automatically quarantine suspicious files.
Enterprise | T1194 | Spearphishing via Service | Anti-virus can also automatically quarantine suspicious files.
Enterprise | T1221 | Template Injection | Network/host intrusion prevention systems, antivirus, and detonation chambers can be employed to prevent documents from fetching and/or executing malicious payloads.[3]

References