Use signatures or heuristics to detect malicious software.
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1547 | .006 | Boot or Logon Autostart Execution: Kernel Modules and Extensions |
Common tools for detecting Linux rootkits include: rkhunter [1], chrootkit [2], although rootkits may be designed to evade certain detection tools. |
Enterprise | T1059 | Command and Scripting Interpreter |
Anti-virus can be used to automatically quarantine suspicious files. |
|
.001 | PowerShell |
Anti-virus can be used to automatically quarantine suspicious files. |
||
.005 | Visual Basic |
Anti-virus can be used to automatically quarantine suspicious files. |
||
.006 | Python |
Anti-virus can be used to automatically quarantine suspicious files. |
||
Enterprise | T1564 | Hide Artifacts |
Review and audit file/folder exclusions, and limit scope of exclusions to only what is required where possible.[3] |
|
.012 | File/Path Exclusions |
Review and audit file/folder exclusions, and limit scope of exclusions to only what is required where possible.[3] |
||
Enterprise | T1036 | Masquerading |
Anti-virus can be used to automatically quarantine suspicious files. |
|
.008 | Masquerade File Type |
Anti-virus can be used to automatically quarantine suspicious files. |
||
Enterprise | T1027 | Obfuscated Files or Information |
Anti-virus can be used to automatically detect and quarantine suspicious files. Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10+ to analyze commands after being processed/interpreted. [4] |
|
.002 | Software Packing |
Employ heuristic-based malware detection. Ensure updated virus definitions and create custom signatures for observed malware. |
||
.009 | Embedded Payloads |
Anti-virus can be used to automatically detect and quarantine suspicious files. |
||
.010 | Command Obfuscation |
Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10+ to analyze commands after being processed/interpreted. |
||
.012 | LNK Icon Smuggling |
Use signatures or heuristics to detect malicious LNK and subsequently downloaded files. |
||
.013 | Encrypted/Encoded File |
Anti-virus can be used to automatically detect and quarantine suspicious files, including those with high entropy measurements or with otherwise potentially malicious signs of obfuscation. |
||
Enterprise | T1566 | Phishing |
Anti-virus can automatically quarantine suspicious files. |
|
.001 | Spearphishing Attachment |
Anti-virus can also automatically quarantine suspicious files. |
||
.003 | Spearphishing via Service |
Anti-virus can also automatically quarantine suspicious files. |
||
Enterprise | T1080 | Taint Shared Content |
Anti-virus can be used to automatically quarantine suspicious files.[5] |
|
Enterprise | T1221 | Template Injection |
Network/Host intrusion prevention systems, antivirus, and detonation chambers can be employed to prevent documents from fetching and/or executing malicious payloads.[6] |