Antivirus/Antimalware

Use signatures or heuristics to detect malicious software.

ID: M1049
Version: 1.1
Created: 11 June 2019
Last Modified: 31 March 2020

Techniques Addressed by Mitigation

Domain ID Name Use
Enterprise T1547 .006 Boot or Logon Autostart Execution: Kernel Modules and Extensions

Common tools for detecting Linux rootkits include: rkhunter [1], chrootkit [2], although rootkits may be designed to evade certain detection tools.

Enterprise T1059 Command and Scripting Interpreter

Anti-virus can be used to automatically quarantine suspicious files.

.001 PowerShell

Anti-virus can be used to automatically quarantine suspicious files.

.005 Visual Basic

Anti-virus can be used to automatically quarantine suspicious files.

.006 Python

Anti-virus can be used to automatically quarantine suspicious files.

Enterprise T1564 Hide Artifacts

Review and audit file/folder exclusions, and limit scope of exclusions to only what is required where possible.[3]

.012 File/Path Exclusions

Review and audit file/folder exclusions, and limit scope of exclusions to only what is required where possible.[3]

Enterprise T1036 Masquerading

Anti-virus can be used to automatically quarantine suspicious files.

.008 Masquerade File Type

Anti-virus can be used to automatically quarantine suspicious files.

Enterprise T1027 Obfuscated Files or Information

Anti-virus can be used to automatically detect and quarantine suspicious files. Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10+ to analyze commands after being processed/interpreted. [4]

.002 Software Packing

Employ heuristic-based malware detection. Ensure updated virus definitions and create custom signatures for observed malware.

.009 Embedded Payloads

Anti-virus can be used to automatically detect and quarantine suspicious files.

.010 Command Obfuscation

Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10+ to analyze commands after being processed/interpreted.

.012 LNK Icon Smuggling

Use signatures or heuristics to detect malicious LNK and subsequently downloaded files.

.013 Encrypted/Encoded File

Anti-virus can be used to automatically detect and quarantine suspicious files, including those with high entropy measurements or with otherwise potentially malicious signs of obfuscation.

Enterprise T1566 Phishing

Anti-virus can automatically quarantine suspicious files.

.001 Spearphishing Attachment

Anti-virus can also automatically quarantine suspicious files.

.003 Spearphishing via Service

Anti-virus can also automatically quarantine suspicious files.

Enterprise T1080 Taint Shared Content

Anti-virus can be used to automatically quarantine suspicious files.[5]

Enterprise T1221 Template Injection

Network/Host intrusion prevention systems, antivirus, and detonation chambers can be employed to prevent documents from fetching and/or executing malicious payloads.[6]

References