Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46)

Behavior Prevention on Endpoint refers to the use of technologies and strategies to detect and block potentially malicious activities by analyzing the behavior of processes, files, API calls, and other endpoint events. Rather than relying solely on known signatures, this approach leverages heuristics, machine learning, and real-time monitoring to identify anomalous patterns indicative of an attack. This mitigation can be implemented through the following measures:

Suspicious Process Behavior:

  • Implementation: Use Endpoint Detection and Response (EDR) tools to monitor and block processes exhibiting unusual behavior, such as privilege escalation attempts.
  • Use Case: An attacker uses a known vulnerability to spawn a privileged process from a user-level application. The endpoint tool detects the abnormal parent-child process relationship and blocks the action.

Unauthorized File Access:

  • Implementation: Leverage Data Loss Prevention (DLP) or endpoint tools to block processes attempting to access sensitive files without proper authorization.
  • Use Case: A process tries to read or modify a sensitive file located in a restricted directory, such as /etc/shadow on Linux or the SAM registry hive on Windows. The endpoint tool identifies this anomalous behavior and prevents it.

Abnormal API Calls:

  • Implementation: Implement runtime analysis tools to monitor API calls and block those associated with malicious activities.
  • Use Case: A process dynamically injects itself into another process to hijack its execution. The endpoint tool detects the abnormal use of APIs such as OpenProcess and WriteProcessMemory and terminates the offending process.

Exploit Prevention:

  • Implementation: Use behavioral exploit prevention tools to detect and block exploits attempting to gain unauthorized access.
  • Use Case: A buffer overflow exploit is launched against a vulnerable application. The endpoint detects the anomalous memory write operation and halts the process.
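As an added example, not part of the original page or of any EDR product, the following Python rule layer applies the four measures above to constructed endpoint events (process creation, file access, API calls, memory writes). The event fields, the allowlists and the set of user-level applications are assumptions; a real implementation would take these events from kernel callbacks or ETW-style telemetry and tune the allowlists to the environment to keep false positives down.

```python
# Added example (not vendor code): rule layer over constructed endpoint telemetry.
# Event fields, allowlists and the "user-level app" set are assumptions.
from collections import defaultdict

USER_LEVEL_APPS = {"winword.exe", "outlook.exe", "chrome.exe"}
SENSITIVE_FILES = {  # path -> images allowed to touch it
    "/etc/shadow": {"sshd", "passwd", "login"},
    r"C:\Windows\System32\config\SAM": {"lsass.exe"},
}
INJECTION_APIS = {"OpenProcess", "WriteProcessMemory"}

def evaluate(events):
    """Return (pid, rule, reason) block verdicts; an empty list means nothing to block."""
    verdicts = []
    api_pairs = defaultdict(set)  # (source pid, target pid) -> injection APIs seen so far
    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            # Rule 1: a user-level application spawning a high-integrity child
            if ev["parent"].lower() in USER_LEVEL_APPS and ev["integrity"] == "high":
                verdicts.append((ev["pid"], "suspicious_process",
                                 f"{ev['parent']} spawned high-integrity {ev['image']}"))
        elif kind == "file_access":
            # Rule 2: a process outside the allowlist touching a sensitive file
            allowed = SENSITIVE_FILES.get(ev["path"])
            if allowed is not None and ev["image"] not in allowed:
                verdicts.append((ev["pid"], "unauthorized_file_access",
                                 f"{ev['image']} opened {ev['path']} for {ev['mode']}"))
        elif kind == "api_call":
            # Rule 3: OpenProcess and WriteProcessMemory against another process
            if ev["api"] in INJECTION_APIS and ev["pid"] != ev["target_pid"]:
                seen = api_pairs[(ev["pid"], ev["target_pid"])]
                seen.add(ev["api"])
                if seen == INJECTION_APIS:
                    verdicts.append((ev["pid"], "abnormal_api_call",
                                     f"injection API sequence against pid {ev['target_pid']}"))
        elif kind == "mem_write":
            # Rule 4: a write landing in a region that was never mapped writable
            if "w" not in ev["region_perms"]:
                verdicts.append((ev["pid"], "exploit_prevention",
                                 f"write into {ev['region_perms']} region"))
    return verdicts

# Constructed telemetry: one malicious and one benign event per category.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4101, "parent": "WINWORD.EXE", "image": "cmd.exe", "integrity": "high"},
    {"type": "process_create", "pid": 4102, "parent": "explorer.exe", "image": "notepad.exe", "integrity": "medium"},
    {"type": "file_access", "pid": 2200, "image": "cat", "path": "/etc/shadow", "mode": "read"},
    {"type": "file_access", "pid": 1011, "image": "sshd", "path": "/etc/shadow", "mode": "read"},
    {"type": "api_call", "pid": 5000, "api": "OpenProcess", "target_pid": 620},
    {"type": "api_call", "pid": 5000, "api": "WriteProcessMemory", "target_pid": 620},
    {"type": "mem_write", "pid": 7000, "region_perms": "r-x"},
    {"type": "mem_write", "pid": 7001, "region_perms": "rw-"},
]
```

Running `evaluate(SAMPLE_EVENTS)` yields exactly one verdict per rule (pids 4101, 2200, 5000 and 7000) and none for the benign events; a lone OpenProcess without the matching WriteProcessMemory produces no verdict, which is the kind of sequencing a pure signature match would miss.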

Cluster A | Galaxy A | Cluster B | Galaxy B | Level
--- | --- | --- | --- | ---
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Outlook Rules - T1137.005 (3d1b9d7e-3921-4d25-845a-7d9f15c0da44) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) | Attack Pattern | 1
Proc Memory - T1055.009 (d201d4cc-214d-4a74-a1ba-b3fa09fd4591) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Add-ins - T1137.006 (34f1d81d-fe88-4f97-bd3b-a3164536255d) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | VDSO Hijacking - T1055.014 (98be40f2-c86b-4ade-b6fc-4964932040e5) | Attack Pattern | 1
Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | ListPlanting - T1055.015 (eb2cb5cb-ae87-4de0-8c35-da2a17aafb99) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Extended Attributes - T1564.014 (762e6f29-a62f-4d96-91ed-d0073181431f) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Portable Executable Injection - T1055.002 (806a49c4-970d-43f9-9acc-ac0ee11e6662) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | LNK Icon Smuggling - T1027.012 (887274fc-2d63-4bdc-82f3-fae56d1d5fdc) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 1
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Thread Execution Hijacking - T1055.003 (41d9846c-f6af-4302-a654-24bba2729bc6) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | 1
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Direct Volume Access - T1006 (0c8ab3eb-df48-4b9c-ace7-beacaac81cc5) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Office Test - T1137.002 (ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Polymorphic Code - T1027.014 (b577dfc1-0177-4522-8d5a-782127c8592b) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Outlook Home Page - T1137.004 (bf147104-abf9-4221-95d1-e81585859441) | Attack Pattern | 1
PubPrn - T1216.001 (09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Masquerade File Type - T1036.008 (208884f1-7b83-4473-ac22-4e1cf6c41471) | Attack Pattern | 1
Embedded Payloads - T1027.009 (0533ab23-3f7d-463f-9bd8-634d27e4dee1) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) | Attack Pattern | 1
Extra Window Memory Injection - T1055.011 (0042a9f5-f053-4769-b3ef-9ad018dfa298) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1
Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Outlook Forms - T1137.003 (a9e2cea0-c805-4bf8-9e31-f5f0513a3634) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Thread Local Storage - T1055.005 (e49ee9d2-0d98-44ef-85e5-5d3100065744) | Attack Pattern | 1
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | KernelCallbackTable - T1574.013 (a4657bc9-d22f-47d2-a7b7-dd6ec33f3dde) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Ptrace System Calls - T1055.008 (ea016b56-ae0e-47fe-967a-cc0ad51af67f) | Attack Pattern | 1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Process Doppelgänging - T1055.013 (7007935a-a8a7-4c0b-bd98-4e85be8ed197) | Attack Pattern | 1
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) | Attack Pattern | Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) | Attack Pattern | 2
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 2
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) | Attack Pattern | Outlook Rules - T1137.005 (3d1b9d7e-3921-4d25-845a-7d9f15c0da44) | Attack Pattern | 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) | Attack Pattern | 2
Proc Memory - T1055.009 (d201d4cc-214d-4a74-a1ba-b3fa09fd4591) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | 2
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) | Attack Pattern | Add-ins - T1137.006 (34f1d81d-fe88-4f97-bd3b-a3164536255d) | Attack Pattern | 2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | VDSO Hijacking - T1055.014 (98be40f2-c86b-4ade-b6fc-4964932040e5) | Attack Pattern | 2
Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21) | Attack Pattern | Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) | Attack Pattern | 2
ListPlanting - T1055.015 (eb2cb5cb-ae87-4de0-8c35-da2a17aafb99) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2
Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) | Attack Pattern | Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d) | Attack Pattern | 2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) | Attack Pattern | Extended Attributes - T1564.014 (762e6f29-a62f-4d96-91ed-d0073181431f) | Attack Pattern | 2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) | Attack Pattern | User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) | Attack Pattern | 2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Portable Executable Injection - T1055.002 (806a49c4-970d-43f9-9acc-ac0ee11e6662) | Attack Pattern | 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | LNK Icon Smuggling - T1027.012 (887274fc-2d63-4bdc-82f3-fae56d1d5fdc) | Attack Pattern | 2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) | Attack Pattern | 2
Thread Execution Hijacking - T1055.003 (41d9846c-f6af-4302-a654-24bba2729bc6) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | 2
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) | Attack Pattern | Office Test - T1137.002 (ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a) | Attack Pattern | 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) | Attack Pattern | 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Polymorphic Code - T1027.014 (b577dfc1-0177-4522-8d5a-782127c8592b) | Attack Pattern | 2
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) | Attack Pattern | Outlook Home Page - T1137.004 (bf147104-abf9-4221-95d1-e81585859441) | Attack Pattern | 2
PubPrn - T1216.001 (09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58) | Attack Pattern | System Script Proxy Execution - T1216 (f6fe9070-7a65-49ea-ae72-76292f42cebe) | Attack Pattern | 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) | Attack Pattern | 2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) | Attack Pattern | 2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | Masquerade File Type - T1036.008 (208884f1-7b83-4473-ac22-4e1cf6c41471) | Attack Pattern | 2
Embedded Payloads - T1027.009 (0533ab23-3f7d-463f-9bd8-634d27e4dee1) | Attack Pattern | Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | 2
Extra Window Memory Injection - T1055.011 (0042a9f5-f053-4769-b3ef-9ad018dfa298) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2
Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) | Attack Pattern | Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) | Attack Pattern | 2
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) | Attack Pattern | Outlook Forms - T1137.003 (a9e2cea0-c805-4bf8-9e31-f5f0513a3634) | Attack Pattern | 2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Thread Local Storage - T1055.005 (e49ee9d2-0d98-44ef-85e5-5d3100065744) | Attack Pattern | 2
KernelCallbackTable - T1574.013 (a4657bc9-d22f-47d2-a7b7-dd6ec33f3dde) | Attack Pattern | Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) | Attack Pattern | 2
Ptrace System Calls - T1055.008 (ea016b56-ae0e-47fe-967a-cc0ad51af67f) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2
Process Doppelgänging - T1055.013 (7007935a-a8a7-4c0b-bd98-4e85be8ed197) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2