Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46)

Behavior Prevention on Endpoint refers to the use of technologies and strategies to detect and block potentially malicious activities by analyzing the behavior of processes, files, API calls, and other endpoint events. Rather than relying solely on known signatures, this approach leverages heuristics, machine learning, and real-time monitoring to identify anomalous patterns indicative of an attack. This mitigation can be implemented through the following measures:

Suspicious Process Behavior:

  • Implementation: Use Endpoint Detection and Response (EDR) tools to monitor and block processes exhibiting unusual behavior, such as privilege escalation attempts.
  • Use Case: An attacker uses a known vulnerability to spawn a privileged process from a user-level application. The endpoint tool detects the abnormal parent-child process relationship and blocks the action.

Unauthorized File Access:

  • Implementation: Leverage Data Loss Prevention (DLP) or endpoint tools to block processes attempting to access sensitive files without proper authorization.
  • Use Case: A process tries to read or modify a sensitive file located in a restricted directory, such as /etc/shadow on Linux or the SAM registry hive on Windows. The endpoint tool identifies this anomalous behavior and prevents it.

Abnormal API Calls:

  • Implementation: Implement runtime analysis tools to monitor API calls and block those associated with malicious activities.
  • Use Case: A process dynamically injects itself into another process to hijack its execution. The endpoint detects the abnormal use of APIs like OpenProcess and WriteProcessMemory and terminates the offending process.

Exploit Prevention:

  • Implementation: Use behavioral exploit prevention tools to detect and block exploits attempting to gain unauthorized access.
  • Use Case: A buffer overflow exploit is launched against a vulnerable application. The endpoint detects the anomalous memory write operation and halts the process.
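The four measures above are the same mechanism applied at different layers: a monitor that judges an event by what the process is doing (who spawned it, which file it touches, which API sequence it issues, what it writes to memory) rather than by a file signature. The following Python program is an added example written for this page; it is not code from MISP, MITRE ATT&CK or any EDR product. Its `key=value` event format, the `SUSPICIOUS_PARENT_CHILD` pairs, the `ELEVATION_BROKERS` and `AUTHORIZED_FILE_READERS` allowlists, the executable-stack rule and the sample event stream are all constructed for illustration; a real product learns such baselines from telemetry.

```python
"""
Toy behavioural endpoint monitor (added example, not MISP/ATT&CK/EDR code).
Each rule keys on what a process does, never on a hash or signature.
"""
from dataclasses import dataclass

# Constructed "never normal" parent -> child pairs (a real EDR baselines these).
SUSPICIOUS_PARENT_CHILD = {
    ("winword.exe", "cmd.exe"),
    ("winword.exe", "powershell.exe"),
    ("outlook.exe", "powershell.exe"),
}
# Constructed allowlist of parents that legitimately start higher-integrity children.
ELEVATION_BROKERS = {"services.exe"}
INTEGRITY_RANK = {"low": 0, "medium": 1, "high": 2, "system": 3}

# Sensitive files from the page's use case; compared case-insensitively.
SENSITIVE_PATHS = {"/etc/shadow", r"c:\windows\system32\config\sam"}
# Constructed placeholder for the few processes allowed to touch them.
AUTHORIZED_FILE_READERS = {"backup-agent.exe"}


@dataclass(frozen=True)
class Event:
    kind: str      # process | file | api | mem
    pid: int
    image: str     # image name of the acting process, lower-cased
    fields: dict   # remaining key=value attributes


def parse_event(line: str) -> Event:
    """Parse one constructed 'key=value' event line (not a real EDR format)."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Event(kind=kv.pop("kind"), pid=int(kv.pop("pid")),
                 image=kv.pop("image").lower(), fields=kv)


class BehaviorMonitor:
    """Stateful evaluator: returns the name of the rule that blocks an event, or None."""

    def __init__(self):
        # pid -> set of foreign pids it obtained a handle to via OpenProcess
        self._handles: dict[int, set[int]] = {}

    def evaluate(self, ev: Event):
        handler = {"process": self._process, "file": self._file,
                   "api": self._api, "mem": self._mem}.get(ev.kind)
        return handler(ev) if handler else None

    # Suspicious Process Behavior: odd parent/child pair or an unexplained privilege jump.
    def _process(self, ev):
        parent = ev.fields["parent"].lower()
        if (parent, ev.image) in SUSPICIOUS_PARENT_CHILD:
            return "suspicious-parent-child"
        child_rank = INTEGRITY_RANK[ev.fields["integrity"]]
        parent_rank = INTEGRITY_RANK[ev.fields["parent_integrity"]]
        if child_rank > parent_rank and parent not in ELEVATION_BROKERS:
            return "privilege-escalation"
        return None

    # Unauthorized File Access: sensitive path touched by a non-authorized process.
    def _file(self, ev):
        if ev.fields["path"].lower() in SENSITIVE_PATHS and ev.image not in AUTHORIZED_FILE_READERS:
            return "sensitive-file-access"
        return None

    # Abnormal API Calls: OpenProcess on a foreign pid, then WriteProcessMemory into it.
    def _api(self, ev):
        name, target = ev.fields["name"], int(ev.fields["target"])
        if name == "OpenProcess" and target != ev.pid:
            self._handles.setdefault(ev.pid, set()).add(target)
        elif name == "WriteProcessMemory" and target in self._handles.get(ev.pid, set()):
            return "cross-process-memory-write"
        return None

    # Exploit Prevention: a write that leaves stack or heap memory executable (W^X violation).
    def _mem(self, ev):
        if ev.fields["region"] in {"stack", "heap"} and "x" in ev.fields["perms"]:
            return "executable-data-write"
        return None


def run(lines):
    """Evaluate event lines in order; return (pid, image, rule) for each blocked event."""
    mon = BehaviorMonitor()
    blocked = []
    for line in lines:
        ev = parse_event(line)
        rule = mon.evaluate(ev)
        if rule:
            blocked.append((ev.pid, ev.image, rule))
    return blocked


# Constructed sample stream: for each rule, one benign event beside one that trips it.
SAMPLE_EVENTS = [
    "kind=process pid=400 image=winword.exe parent=explorer.exe integrity=medium parent_integrity=medium",
    "kind=process pid=401 image=cmd.exe parent=winword.exe integrity=medium parent_integrity=medium",
    "kind=process pid=402 image=svchost.exe parent=services.exe integrity=system parent_integrity=system",
    "kind=process pid=403 image=helper.exe parent=updater.exe integrity=system parent_integrity=medium",
    r"kind=file pid=404 image=backup-agent.exe path=C:\Windows\System32\config\SAM op=read",
    r"kind=file pid=401 image=cmd.exe path=C:\Windows\System32\config\SAM op=read",
    "kind=api pid=401 image=cmd.exe name=OpenProcess target=401",
    "kind=api pid=401 image=cmd.exe name=WriteProcessMemory target=401",
    "kind=api pid=405 image=loader.exe name=OpenProcess target=123",
    "kind=api pid=405 image=loader.exe name=WriteProcessMemory target=123",
    "kind=mem pid=500 image=viewer.exe region=heap perms=rw",
    "kind=mem pid=500 image=viewer.exe region=stack perms=rwx",
]

if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print("BLOCK pid=%d image=%s rule=%s" % hit)
```

Running the file prints one `BLOCK` line per tripped rule. The stateful API rule is the one worth studying: a lone `WriteProcessMemory` call is not evidence by itself, so the monitor waits for the pair (a handle to a foreign process, then a write through it), which is also why the self-targeted calls from pid 401 pass while the same sequence from pid 405 against pid 123 is blocked.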

Cluster A | Galaxy A | Cluster B | Galaxy B | Level
--- | --- | --- | --- | ---
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Process Doppelgänging - T1055.013 (7007935a-a8a7-4c0b-bd98-4e85be8ed197) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Outlook Rules - T1137.005 (3d1b9d7e-3921-4d25-845a-7d9f15c0da44) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Proc Memory - T1055.009 (d201d4cc-214d-4a74-a1ba-b3fa09fd4591) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Add-ins - T1137.006 (34f1d81d-fe88-4f97-bd3b-a3164536255d) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | VDSO Hijacking - T1055.014 (98be40f2-c86b-4ade-b6fc-4964932040e5) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | ListPlanting - T1055.015 (eb2cb5cb-ae87-4de0-8c35-da2a17aafb99) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Extended Attributes - T1564.014 (762e6f29-a62f-4d96-91ed-d0073181431f) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Portable Executable Injection - T1055.002 (806a49c4-970d-43f9-9acc-ac0ee11e6662) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | LNK Icon Smuggling - T1027.012 (887274fc-2d63-4bdc-82f3-fae56d1d5fdc) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Thread Execution Hijacking - T1055.003 (41d9846c-f6af-4302-a654-24bba2729bc6) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Direct Volume Access - T1006 (0c8ab3eb-df48-4b9c-ace7-beacaac81cc5) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Office Test - T1137.002 (ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Polymorphic Code - T1027.014 (b577dfc1-0177-4522-8d5a-782127c8592b) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Outlook Home Page - T1137.004 (bf147104-abf9-4221-95d1-e81585859441) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | PubPrn - T1216.001 (09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58) | Attack Pattern | 1
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Masquerade File Type - T1036.008 (208884f1-7b83-4473-ac22-4e1cf6c41471) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Embedded Payloads - T1027.009 (0533ab23-3f7d-463f-9bd8-634d27e4dee1) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Extra Window Memory Injection - T1055.011 (0042a9f5-f053-4769-b3ef-9ad018dfa298) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605) | Attack Pattern | 1
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Outlook Forms - T1137.003 (a9e2cea0-c805-4bf8-9e31-f5f0513a3634) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Thread Local Storage - T1055.005 (e49ee9d2-0d98-44ef-85e5-5d3100065744) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | KernelCallbackTable - T1574.013 (a4657bc9-d22f-47d2-a7b7-dd6ec33f3dde) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Ptrace System Calls - T1055.008 (ea016b56-ae0e-47fe-967a-cc0ad51af67f) | Attack Pattern | 1
Process Doppelgänging - T1055.013 (7007935a-a8a7-4c0b-bd98-4e85be8ed197) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) | Attack Pattern | System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) | Attack Pattern | 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) | Attack Pattern | 2
Outlook Rules - T1137.005 (3d1b9d7e-3921-4d25-845a-7d9f15c0da44) | Attack Pattern | Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) | Attack Pattern | 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) | Attack Pattern | 2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Proc Memory - T1055.009 (d201d4cc-214d-4a74-a1ba-b3fa09fd4591) | Attack Pattern | 2
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | 2
Add-ins - T1137.006 (34f1d81d-fe88-4f97-bd3b-a3164536255d) | Attack Pattern | Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) | Attack Pattern | 2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | VDSO Hijacking - T1055.014 (98be40f2-c86b-4ade-b6fc-4964932040e5) | Attack Pattern | 2
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) | Attack Pattern | Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21) | Attack Pattern | 2
ListPlanting - T1055.015 (eb2cb5cb-ae87-4de0-8c35-da2a17aafb99) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2
Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) | Attack Pattern | Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d) | Attack Pattern | 2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) | Attack Pattern | Extended Attributes - T1564.014 (762e6f29-a62f-4d96-91ed-d0073181431f) | Attack Pattern | 2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) | Attack Pattern | User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) | Attack Pattern | 2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Portable Executable Injection - T1055.002 (806a49c4-970d-43f9-9acc-ac0ee11e6662) | Attack Pattern | 2
LNK Icon Smuggling - T1027.012 (887274fc-2d63-4bdc-82f3-fae56d1d5fdc) | Attack Pattern | Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | 2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) | Attack Pattern | 2
Thread Execution Hijacking - T1055.003 (41d9846c-f6af-4302-a654-24bba2729bc6) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | 2
Office Test - T1137.002 (ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a) | Attack Pattern | Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) | Attack Pattern | 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) | Attack Pattern | 2
Polymorphic Code - T1027.014 (b577dfc1-0177-4522-8d5a-782127c8592b) | Attack Pattern | Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | 2
Outlook Home Page - T1137.004 (bf147104-abf9-4221-95d1-e81585859441) | Attack Pattern | Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) | Attack Pattern | 2
System Script Proxy Execution - T1216 (f6fe9070-7a65-49ea-ae72-76292f42cebe) | Attack Pattern | PubPrn - T1216.001 (09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58) | Attack Pattern | 2
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) | Attack Pattern | OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | 2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) | Attack Pattern | 2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | Masquerade File Type - T1036.008 (208884f1-7b83-4473-ac22-4e1cf6c41471) | Attack Pattern | 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Embedded Payloads - T1027.009 (0533ab23-3f7d-463f-9bd8-634d27e4dee1) | Attack Pattern | 2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Extra Window Memory Injection - T1055.011 (0042a9f5-f053-4769-b3ef-9ad018dfa298) | Attack Pattern | 2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605) | Attack Pattern | 2
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) | Attack Pattern | Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) | Attack Pattern | 2
Outlook Forms - T1137.003 (a9e2cea0-c805-4bf8-9e31-f5f0513a3634) | Attack Pattern | Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) | Attack Pattern | 2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Thread Local Storage - T1055.005 (e49ee9d2-0d98-44ef-85e5-5d3100065744) | Attack Pattern | 2
KernelCallbackTable - T1574.013 (a4657bc9-d22f-47d2-a7b7-dd6ec33f3dde) | Attack Pattern | Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) | Attack Pattern | 2
Ptrace System Calls - T1055.008 (ea016b56-ae0e-47fe-967a-cc0ad51af67f) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2