Antivirus/Antimalware
Techniques Addressed by Mitigation

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1547.006 | Boot or Logon Autostart Execution: Kernel Modules and Extensions | Common tools for detecting Linux rootkits include rkhunter (Citation: SourceForge rkhunter) and chkrootkit (Citation: Chkrootkit Main), although rootkits may be designed to evade certain detection tools.
Enterprise | T1059 | Command and Scripting Interpreter | Anti-virus can be used to automatically quarantine suspicious files.
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Anti-virus can be used to automatically quarantine suspicious files.
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Anti-virus can be used to automatically quarantine suspicious files.
Enterprise | T1059.006 | Command and Scripting Interpreter: Python | Anti-virus can be used to automatically quarantine suspicious files.
Enterprise | T1564 | Hide Artifacts | Review and audit file/folder exclusions, and limit the scope of exclusions to only what is required where possible. (Citation: Microsoft File Folder Exclusions)
Enterprise | T1564.012 | Hide Artifacts: File/Path Exclusions | Review and audit file/folder exclusions, and limit the scope of exclusions to only what is required where possible. (Citation: Microsoft File Folder Exclusions)
Enterprise | T1036 | Masquerading | Anti-virus can be used to automatically quarantine suspicious files.
Enterprise | T1036.008 | Masquerading: Masquerade File Type | Anti-virus can be used to automatically quarantine suspicious files.
Enterprise | T1027 | Obfuscated Files or Information | Anti-virus can be used to automatically detect and quarantine suspicious files. Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10+ to analyze commands after they have been processed/interpreted. (Citation: Microsoft AMSI June 2015)
Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | Employ heuristic-based malware detection. Ensure virus definitions are up to date and create custom signatures for observed malware.
Enterprise | T1027.009 | Obfuscated Files or Information: Embedded Payloads | Anti-virus can be used to automatically detect and quarantine suspicious files.
Enterprise | T1027.010 | Obfuscated Files or Information: Command Obfuscation | Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10+ to analyze commands after they have been processed/interpreted.
Enterprise | T1027.012 | Obfuscated Files or Information: LNK Icon Smuggling | Use signatures or heuristics to detect malicious LNK files and the files they subsequently download.
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Anti-virus can be used to automatically detect and quarantine suspicious files, including those with high entropy measurements or other potentially malicious signs of obfuscation.
Enterprise | T1027.014 | Obfuscated Files or Information: Polymorphic Code | Anti-virus can be used to automatically detect and quarantine suspicious files. Advanced anti-malware techniques that use technologies such as machine learning and behavior-based mechanisms to perform signature-less malware detection will also be more effective than traditional indicator-based detection methods.
Enterprise | T1566 | Phishing | Anti-virus can automatically quarantine suspicious files.
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Anti-virus can also automatically quarantine suspicious files.
Enterprise | T1566.003 | Phishing: Spearphishing via Service | Anti-virus can also automatically quarantine suspicious files.
Enterprise | T1080 | Taint Shared Content | Anti-virus can be used to automatically quarantine suspicious files. (Citation: Mandiant Cloudy Logs 2023)
Enterprise | T1221 | Template Injection | Network/host intrusion prevention systems, antivirus, and detonation chambers can be employed to prevent documents from fetching and/or executing malicious payloads. (Citation: Anomali Template Injection MAR 2018)
References
- Intel_Acquisition_Team. (2018, March 1). Credential Harvesting and Malicious File Delivery using Microsoft Office Template Injection. Retrieved July 20, 2018.
- Microsoft. (2024, February 27). Contextual file and folder exclusions. Retrieved March 29, 2024.
- Rootkit Hunter Project. (2018, February 20). The Rootkit Hunter project. Retrieved April 9, 2018.
- Murilo, N., Steding-Jessen, K. (2017, August 23). Chkrootkit. Retrieved April 9, 2018.
- Pany, D. & Hanley, C. (2023, May 3). Cloudy with a Chance of Bad Logs: Cloud Platform Log Configurations to Consider in Investigations. Retrieved October 16, 2023.
- Microsoft. (2015, June 9). Windows 10 to offer application developers new malware defenses. Retrieved February 12, 2018.