Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Контрмера Behavior Prevention on Endpoint
Риски
Каталоги
MITRE ATT&CK
Контрмеры
Behavior Prevention on Endpoin...
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Behavior Prevention on Endpoint

Behavior Prevention on Endpoint refers to the use of technologies and strategies to detect and block potentially malicious activities by analyzing the behavior of processes, files, API calls, and other endpoint events. Rather than relying solely on known signatures, this approach leverages heuristics, machine learning, and real-time monitoring to identify anomalous patterns indicative of an attack. This mitigation can be implemented through the following measures: Suspicious Process Behavior: - Implementation: Use Endpoint Detection and Response (EDR) tools to monitor and block processes exhibiting unusual behavior, such as privilege escalation attempts. - Use Case: An attacker uses a known vulnerability to spawn a privileged process from a user-level application. The endpoint tool detects the abnormal parent-child process relationship and blocks the action. Unauthorized File Access: - Implementation: Leverage Data Loss Prevention (DLP) or endpoint tools to block processes attempting to access sensitive files without proper authorization. - Use Case: A process tries to read or modify a sensitive file located in a restricted directory, such as /etc/shadow on Linux or the SAM registry hive on Windows. The endpoint tool identifies this anomalous behavior and prevents it. Abnormal API Calls: - Implementation: Implement runtime analysis tools to monitor API calls and block those associated with malicious activities. - Use Case: A process dynamically injects itself into another process to hijack its execution. The endpoint detects the abnormal use of APIs like `OpenProcess` and `WriteProcessMemory` and terminates the offending process. Exploit Prevention: - Implementation: Use behavioral exploit prevention tools to detect and block exploits attempting to gain unauthorized access. - Use Case: A buffer overflow exploit is launched against a vulnerable application. The endpoint detects the anomalous memory write operation and halts the process.
ID: M1040
Version: 1.1
Created: 11 Jun 2019
Last Modified: 10 Dec 2024

Techniques Addressed by Mitigation
Domain ID Name Use
Enterprise T1559 Inter-Process Communication

On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent DDE attacks and spawning of child processes from Office programs.(Citation: Microsoft ASR Nov 2017)(Citation: Enigma Reviving DDE Jan 2018)

T1559.002 Dynamic Data Exchange

On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent DDE attacks and spawning of child processes from Office programs.(Citation: Microsoft ASR Nov 2017)(Citation: Enigma Reviving DDE Jan 2018)

Enterprise T1486 Data Encrypted for Impact

On Windows 10, enable cloud-delivered protection and Attack Surface Reduction (ASR) rules to block the execution of files that resemble ransomware.(Citation: win10_asr) In AWS environments, create an IAM policy to restrict or block the use of SSE-C on S3 buckets.(Citation: Halcyon AWS Ransomware 2025)

Enterprise T1543 Create or Modify System Process

On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent an application from writing a signed vulnerable driver to the system.(Citation: Malicious Driver Reporting Center) On Windows 10 and 11, enable Microsoft Vulnerable Driver Blocklist to assist in hardening against third party-developed drivers.(Citation: Microsoft driver block rules)

T1543.003 Windows Service

On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent an application from writing a signed vulnerable driver to the system.(Citation: Malicious Driver Reporting Center) On Windows 10 and 11, enable Microsoft Vulnerable Driver Blocklist to assist in hardening against third party-developed service drivers.(Citation: Microsoft driver block rules)

Enterprise T1047 Windows Management Instrumentation

On Windows 10, enable Attack Surface Reduction (ASR) rules to block processes created by WMI commands from running. Note: many legitimate tools and applications utilize WMI for command execution. (Citation: win10_asr)

Enterprise T1204 User Execution

On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent executable files from running unless they meet a prevalence, age, or trusted list criteria and to prevent Office applications from creating potentially malicious executable content by blocking malicious code from being written to disk. Note: cloud-delivered protection must be enabled to use certain rules. (Citation: win10_asr)

T1204.002 Malicious File

On Windows 10, various Attack Surface Reduction (ASR) rules can be enabled to prevent the execution of potentially malicious executable files (such as those that have been downloaded and executed by Office applications/scripting interpreters/email clients or that do not meet specific prevalence, age, or trusted list criteria). Note: cloud-delivered protection must be enabled for certain rules. (Citation: win10_asr)

Enterprise T1137 Office Application Startup

On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. (Citation: win10_asr)

T1137.001 Office Template Macros

On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. (Citation: win10_asr)

T1137.002 Office Test

On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. (Citation: win10_asr)

T1137.003 Outlook Forms

On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. (Citation: win10_asr)

T1137.004 Outlook Home Page

On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. (Citation: win10_asr)

T1137.005 Outlook Rules

On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. (Citation: win10_asr)

T1137.006 Add-ins

On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. (Citation: win10_asr)

Enterprise T1091 Replication Through Removable Media

On Windows 10, enable Attack Surface Reduction (ASR) rules to block unsigned/untrusted executable files (such as .exe, .dll, or .scr) from running from USB removable drives. (Citation: win10_asr)

Enterprise T1003 OS Credential Dumping

On Windows 10, enable Attack Surface Reduction (ASR) rules to secure LSASS and prevent credential stealing. (Citation: win10_asr)

T1003.001 LSASS Memory

On Windows 10, enable Attack Surface Reduction (ASR) rules to secure LSASS and prevent credential stealing. (Citation: win10_asr)

Enterprise T1106 Native API

On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office VBA macros from calling Win32 APIs. (Citation: win10_asr)

Enterprise T1055 Process Injection

Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. For example, on Windows 10, Attack Surface Reduction (ASR) rules may prevent Office applications from code injection. (Citation: win10_asr)

T1055.001 Dynamic-link Library Injection

Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.

T1055.002 Portable Executable Injection

Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.

T1055.003 Thread Execution Hijacking

Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.

T1055.004 Asynchronous Procedure Call

Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.

T1055.005 Thread Local Storage

Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.

T1055.008 Ptrace System Calls

Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.

T1055.009 Proc Memory

Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.

T1055.011 Extra Window Memory Injection

Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.

T1055.012 Process Hollowing

Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.

T1055.013 Process Doppelgänging

Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.

T1055.014 VDSO Hijacking

Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.

T1055.015 ListPlanting

Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.

Enterprise T1569 System Services

On Windows 10, enable Attack Surface Reduction (ASR) rules to block processes created by PsExec from running. (Citation: win10_asr)

T1569.002 Service Execution

On Windows 10, enable Attack Surface Reduction (ASR) rules to block processes created by PsExec from running. (Citation: win10_asr)

Enterprise T1027 Obfuscated Files or Information

On Windows 10+, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated payloads. (Citation: win10_asr)

T1027.009 Embedded Payloads

On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated scripts.(Citation: win10_asr)

T1027.010 Command Obfuscation

On Windows 10+, enable Attack Surface Reduction (ASR) rules to block execution of potentially obfuscated scripts.(Citation: Microsoft ASR Obfuscation)

T1027.012 LNK Icon Smuggling

On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated scripts or payloads.

T1027.013 Encrypted/Encoded File

On Windows 10+, enable Attack Surface Reduction (ASR) rules to block execution of potentially obfuscated scripts.(Citation: Obfuscated scripts) Security tools should be configured to analyze the encoding properties of files and detect anomalies that deviate from standard encoding practices.

T1027.014 Polymorphic Code

On Windows 10+, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated payloads

Enterprise T1059 Command and Scripting Interpreter

On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Visual Basic and JavaScript scripts from executing potentially malicious downloaded content (Citation: win10_asr).

T1059.005 Visual Basic

On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Visual Basic scripts from executing potentially malicious downloaded content (Citation: win10_asr).

T1059.007 JavaScript

On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent JavaScript scripts from executing potentially malicious downloaded content (Citation: win10_asr).

Enterprise T1574 Hijack Execution Flow

Some endpoint security solutions can be configured to block some types of behaviors related to process injection/memory tampering based on common sequences of indicators (ex: execution of specific API functions).

T1574.013 KernelCallbackTable

Some endpoint security solutions can be configured to block some types of behaviors related to process injection/memory tampering based on common sequences of indicators (ex: execution of specific API functions).

Enterprise T1036 Masquerading

Implement security controls on the endpoint, such as a Host Intrusion Prevention System (HIPS), to identify and prevent execution of potentially malicious files (such as those with mismatching file signatures).

T1036.008 Masquerade File Type

Implement security controls on the endpoint, such as a Host Intrusion Prevention System (HIPS), to identify and prevent execution of files with mismatching file signatures.

Enterprise T1006 Direct Volume Access

Some endpoint security solutions can be configured to block some types of behaviors related to efforts by an adversary to create backups, such as command execution or preventing API calls to backup related services.

Enterprise T1216 T1216.001 System Script Proxy Execution: PubPrn

On Windows 10, update Windows Defender Application Control policies to include rules that block the older, vulnerable versions of PubPrn.(Citation: Microsoft_rec_block_rules)
Enterprise T1546 T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent malware from abusing WMI to attain persistence.(Citation: win10_asr)
Enterprise T1564 T1564.014 Hide Artifacts: Extended Attributes

During artifact review, packaging, or deployment stages, scan extended attributes alongside file contents to detect hidden payloads, obfuscated data, or suspicious attribute keys that may indicate malicious behavior.

References

  1. Nelson, M. (2018, January 29). Reviving DDE: Using OneNote and Excel for Code Execution. Retrieved February 3, 2018.
  2. Nelson, M. (2018, January 29). Reviving DDE: Using OneNote and Excel for Code Execution. Retrieved February 3, 2018.
  3. Nelson, M. (2018, January 29). Reviving DDE: Using OneNote and Excel for Code Execution. Retrieved February 3, 2018.
  4. Halcyon RISE Team. (2025, January 13). Abusing AWS Native Services: Ransomware Encrypting S3 Buckets with SSE-C. Retrieved March 18, 2025.
  5. Azure Edge and Platform Security Team & Microsoft 365 Defender Research Team. (2021, December 8). Improve kernel security with the new Microsoft Vulnerable and Malicious Driver Reporting Center. Retrieved April 6, 2022.
  6. Azure Edge and Platform Security Team & Microsoft 365 Defender Research Team. (2021, December 8). Improve kernel security with the new Microsoft Vulnerable and Malicious Driver Reporting Center. Retrieved April 6, 2022.
  7. Brower, N. & D'Souza-Wiltshire, I. (2017, November 9). Enable Attack surface reduction. Retrieved February 3, 2018.
  8. Brower, N. & D'Souza-Wiltshire, I. (2017, November 9). Enable Attack surface reduction. Retrieved February 3, 2018.
  9. Brower, N. & D'Souza-Wiltshire, I. (2017, November 9). Enable Attack surface reduction. Retrieved February 3, 2018.
  10. Microsoft. (2023, February 22). Attack surface reduction (ASR) rules reference: Block execution of potentially obfuscated scripts. Retrieved March 17, 2023.
  11. Jordan Geurten et al. . (2022, March 29). Microsoft recommended driver block rules. Retrieved April 7, 2022.
  12. Jordan Geurten et al. . (2022, March 29). Microsoft recommended driver block rules. Retrieved April 7, 2022.
  13. Microsoft. (2021, August 23). Retrieved August 16, 2021.
  14. Microsoft. (2024, March 4). Attack surface reduction rules reference. Retrieved March 29, 2024.
  15. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
  16. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
  17. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
  18. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
  19. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
  20. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
  21. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
  22. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
  23. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
  24. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
  25. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
  26. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
  27. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
  28. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
  29. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
  30. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
  31. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
  32. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
  33. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
  34. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
  35. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
  36. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
  37. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
  38. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.