Use signatures or heuristics to detect malicious software.
| Domain | ID | Sub-technique | Name | Use |
|---|---|---|---|---|
| Enterprise | T1036 | | Masquerading | Anti-virus can be used to automatically quarantine suspicious files. |
| | | .008 | Masquerade File Type | Anti-virus can be used to automatically quarantine suspicious files. |
| Enterprise | T1547 | .006 | Boot or Logon Autostart Execution: Kernel Modules and Extensions | Common tools for detecting Linux rootkits include rkhunter [1] and chkrootkit [2], although rootkits may be designed to evade certain detection tools. |
| Enterprise | T1059 | | Command and Scripting Interpreter | Anti-virus can be used to automatically quarantine suspicious files. |
| | | .001 | PowerShell | Anti-virus can be used to automatically quarantine suspicious files. |
| | | .005 | Visual Basic | Anti-virus can be used to automatically quarantine suspicious files. |
| | | .006 | Python | Anti-virus can be used to automatically quarantine suspicious files. |
| Enterprise | T1221 | | Template Injection | Network/host intrusion prevention systems, antivirus, and detonation chambers can be employed to prevent documents from fetching and/or executing malicious payloads. [3] |
| Enterprise | T1080 | | Taint Shared Content | Anti-virus can be used to automatically quarantine suspicious files. [4] |
| Enterprise | T1027 | | Obfuscated Files or Information | Anti-virus can be used to automatically detect and quarantine suspicious files. Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10+ to analyze commands after they have been processed/interpreted. [5] |
| | | .002 | Software Packing | Employ heuristic-based malware detection. Ensure virus definitions are kept up to date and create custom signatures for observed malware. |
| | | .009 | Embedded Payloads | Anti-virus can be used to automatically detect and quarantine suspicious files. |
| | | .010 | Command Obfuscation | Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10+ to analyze commands after they have been processed/interpreted. |
| | | .012 | LNK Icon Smuggling | Use signatures or heuristics to detect malicious LNK files and the files they subsequently download. |
| | | .013 | Encrypted/Encoded File | Anti-virus can be used to automatically detect and quarantine suspicious files, including those with high entropy measurements or other potentially malicious signs of obfuscation. |
| | | .014 | Polymorphic Code | Anti-virus can be used to automatically detect and quarantine suspicious files. Advanced anti-malware techniques that use technologies such as machine learning and behavior-based mechanisms to perform signature-less malware detection will also be more effective than traditional indicator-based detection methods. |
| Enterprise | T1566 | | Phishing | Anti-virus can automatically quarantine suspicious files. |
| | | .001 | Spearphishing Attachment | Anti-virus can also automatically quarantine suspicious files. |
| | | .003 | Spearphishing via Service | Anti-virus can also automatically quarantine suspicious files. |
| Enterprise | T1564 | | Hide Artifacts | Review and audit file/folder exclusions, and limit the scope of exclusions to only what is required where possible. [6] |
| | | .012 | File/Path Exclusions | Review and audit file/folder exclusions, and limit the scope of exclusions to only what is required where possible. [6] |
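For the Encrypted/Encoded File (T1027.013) and Embedded Payloads (T1027.009) rows above, the following is an added illustration, not code from ATT&CK or from any anti-virus product, of the entropy heuristic those rows refer to: it scores a file both overall and per 1 KiB chunk, so an encrypted blob embedded in otherwise plain content is not averaged away. The 7.2 bits/byte threshold, the chunk size and the sample inputs are constructed assumptions.

```python
import math
from collections import Counter

# Constructed assumptions: a threshold close to the 8.0 bits/byte ceiling and a
# fixed chunk size; real products tune both and combine entropy with other signals.
HIGH_ENTROPY_THRESHOLD = 7.2
CHUNK_SIZE = 1024


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def max_chunk_entropy(data: bytes, chunk_size: int = CHUNK_SIZE) -> float:
    """Highest entropy of any chunk, so a small embedded blob still stands out."""
    if len(data) <= chunk_size:
        return shannon_entropy(data)
    return max(shannon_entropy(data[i:i + chunk_size])
               for i in range(0, len(data), chunk_size))


def triage(data: bytes, threshold: float = HIGH_ENTROPY_THRESHOLD) -> dict:
    """Return both scores and a verdict; 'flag' means 'send for deeper analysis'."""
    overall = shannon_entropy(data)
    peak = max_chunk_entropy(data)
    return {
        "overall_entropy": round(overall, 2),
        "peak_chunk_entropy": round(peak, 2),
        "verdict": "flag" if peak >= threshold else "clear",
    }


# Constructed sample inputs (not real malware): a repetitive plain-text config,
# a uniform 256-symbol blob standing in for ciphertext, and that blob embedded
# in the config at a chunk boundary.
PLAIN_TEXT = (b"[service] host=example.invalid port=443 mode=normal retries=3\n" * 64)[:2048]
UNIFORM_BLOB = bytes(range(256)) * 4          # 1024 bytes, exactly 8.0 bits/byte
EMBEDDED_BLOB_FILE = PLAIN_TEXT + UNIFORM_BLOB + PLAIN_TEXT

if __name__ == "__main__":
    for label, sample in (("plain config", PLAIN_TEXT),
                          ("uniform blob", UNIFORM_BLOB),
                          ("config with embedded blob", EMBEDDED_BLOB_FILE)):
        print(f"{label:28} {triage(sample)}")
```

Compressed archives and media files also score near 8.0 bits/byte, so in practice this check is a triage signal to be combined with file-type and context information rather than a verdict on its own.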