Behavior Prevention on Endpoint
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.
Techniques Addressed by Mitigation
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1047 | Windows管理规范 |
On Windows 10, enable Attack Surface Reduction (ASR) rules to block processes created by WMI commands from running. Note: many legitimate tools and applications utilize WMI for command execution. [1] |
|
| Enterprise | T1546 | .003 | 事件触发执行: Windows Management Instrumentation Event Subscription |
On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent malware from abusing WMI to attain persistence.[1] |
| Enterprise | T1036 | 伪装 |
Implement security controls on the endpoint, such as a Host Intrusion Prevention System (HIPS), to identify and prevent execution of potentially malicious files (such as those with mismatching file signatures). |
|
| .008 | Masquerade File Type |
Implement security controls on the endpoint, such as a Host Intrusion Prevention System (HIPS), to identify and prevent execution of files with mismatching file signatures. |
||
| Enterprise | T1543 | 创建或修改系统进程 |
On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent an application from writing a signed vulnerable driver to the system.[2] On Windows 10 and 11, enable Microsoft Vulnerable Driver Blocklist to assist in hardening against third party-developed drivers.[3] |
|
| .003 | Windows Service |
On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent an application from writing a signed vulnerable driver to the system.[2] On Windows 10 and 11, enable Microsoft Vulnerable Driver Blocklist to assist in hardening against third party-developed service drivers.[3] |
||
| Enterprise | T1137 | 办公应用启动 |
On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. [1] |
|
| .001 | Office Template Macros |
On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. [1] |
||
| .002 | Office Test |
On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. [1] |
||
| .003 | Outlook Forms |
On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. [1] |
||
| .004 | Outlook Home Page |
On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. [1] |
||
| .005 | Outlook Rules |
On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. [1] |
||
| .006 | Add-ins |
On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. [1] |
||
| Enterprise | T1574 | 劫持执行流 |
Some endpoint security solutions can be configured to block some types of behaviors related to process injection/memory tampering based on common sequences of indicators (ex: execution of specific API functions). |
|
| .013 | KernelCallbackTable |
Some endpoint security solutions can be configured to block some types of behaviors related to process injection/memory tampering based on common sequences of indicators (ex: execution of specific API functions). |
||
| Enterprise | T1059 | 命令与脚本解释器 |
On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Visual Basic and JavaScript scripts from executing potentially malicious downloaded content [1]. |
|
| .005 | Visual Basic |
On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Visual Basic scripts from executing potentially malicious downloaded content [1]. |
||
| .007 | JavaScript |
On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent JavaScript scripts from executing potentially malicious downloaded content [1]. |
||
| Enterprise | T1003 | 操作系统凭证转储 |
On Windows 10, enable Attack Surface Reduction (ASR) rules to secure LSASS and prevent credential stealing. [1] |
|
| .001 | LSASS Memory |
On Windows 10, enable Attack Surface Reduction (ASR) rules to secure LSASS and prevent credential stealing. [1] |
||
| Enterprise | T1486 | 数据加密以实现影响 |
On Windows 10, enable cloud-delivered protection and Attack Surface Reduction (ASR) rules to block the execution of files that resemble ransomware. [1] |
|
| Enterprise | T1106 | 本机API |
On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office VBA macros from calling Win32 APIs. [1] |
|
| Enterprise | T1027 | 混淆文件或信息 |
On Windows 10+, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated payloads. [1] |
|
| .009 | Embedded Payloads |
On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated scripts.[1] |
||
| .010 | Command Obfuscation |
On Windows 10+, enable Attack Surface Reduction (ASR) rules to block execution of potentially obfuscated scripts.[4] |
||
| .012 | LNK Icon Smuggling |
On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated scripts or payloads. |
||
| .013 | Encrypted/Encoded File |
On Windows 10+, enable Attack Surface Reduction (ASR) rules to block execution of potentially obfuscated scripts.[5] Security tools should be configured to analyze the encoding properties of files and detect anomalies that deviate from standard encoding practices. |
||
| .014 | Polymorphic Code |
On Windows 10+, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated payloads |
||
| Enterprise | T1204 | 用户执行 |
On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent executable files from running unless they meet a prevalence, age, or trusted list criteria and to prevent Office applications from creating potentially malicious executable content by blocking malicious code from being written to disk. Note: cloud-delivered protection must be enabled to use certain rules. [1] |
|
| .002 | Malicious File |
On Windows 10, various Attack Surface Reduction (ASR) rules can be enabled to prevent the execution of potentially malicious executable files (such as those that have been downloaded and executed by Office applications/scripting interpreters/email clients or that do not meet specific prevalence, age, or trusted list criteria). Note: cloud-delivered protection must be enabled for certain rules. [1] |
||
| Enterprise | T1006 | 直接卷访问 |
Some endpoint security solutions can be configured to block some types of behaviors related to efforts by an adversary to create backups, such as command execution or preventing API calls to backup related services. |
|
| Enterprise | T1569 | 系统服务 |
On Windows 10, enable Attack Surface Reduction (ASR) rules to block processes created by PsExec from running. [1] |
|
| .002 | Service Execution |
On Windows 10, enable Attack Surface Reduction (ASR) rules to block processes created by PsExec from running. [1] |
||
| Enterprise | T1216 | .001 | 系统脚本代理执行: PubPrn |
On Windows 10, update Windows Defender Application Control policies to include rules that block the older, vulnerable versions of PubPrn.[6] |
| Enterprise | T1055 | 进程注入 |
Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. For example, on Windows 10, Attack Surface Reduction (ASR) rules may prevent Office applications from code injection. [1] |
|
| .001 | Dynamic-link Library Injection |
Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
||
| .002 | Portable Executable Injection |
Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
||
| .003 | Thread Execution Hijacking |
Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
||
| .004 | Asynchronous Procedure Call |
Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
||
| .005 | Thread Local Storage |
Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
||
| .008 | Ptrace System Calls |
Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
||
| .009 | Proc Memory |
Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
||
| .011 | Extra Window Memory Injection |
Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
||
| .012 | Process Hollowing |
Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
||
| .013 | Process Doppelgänging |
Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
||
| .014 | VDSO Hijacking |
Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
||
| .015 | ListPlanting |
Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
||
| Enterprise | T1559 | 进程间通信 |
On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent DDE attacks and spawning of child processes from Office programs.[7][8] |
|
| .002 | Dynamic Data Exchange |
On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent DDE attacks and spawning of child processes from Office programs.[7][8] |
||
| Enterprise | T1091 | 通过可移动媒体复制 |
On Windows 10, enable Attack Surface Reduction (ASR) rules to block unsigned/untrusted executable files (such as .exe, .dll, or .scr) from running from USB removable drives. [1] |
|
References
- Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
- Azure Edge and Platform Security Team & Microsoft 365 Defender Research Team. (2021, December 8). Improve kernel security with the new Microsoft Vulnerable and Malicious Driver Reporting Center. Retrieved April 6, 2022.
- Jordan Geurten et al. . (2022, March 29). Microsoft recommended driver block rules. Retrieved April 7, 2022.
- Microsoft. (2023, February 22). Attack surface reduction (ASR) rules reference: Block execution of potentially obfuscated scripts. Retrieved March 17, 2023.
- Microsoft. (2024, March 4). Attack surface reduction rules reference. Retrieved March 29, 2024.
- Microsoft. (2021, August 23). Retrieved August 16, 2021.
- Brower, N. & D'Souza-Wiltshire, I. (2017, November 9). Enable Attack surface reduction. Retrieved February 3, 2018.
- Nelson, M. (2018, January 29). Reviving DDE: Using OneNote and Excel for Code Execution. Retrieved February 3, 2018.