Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46)

Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Outlook Rules - T1137.005 (3d1b9d7e-3921-4d25-845a-7d9f15c0da44) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| KernelCallbackTable - T1574.013 (a4657bc9-d22f-47d2-a7b7-dd6ec33f3dde) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Direct Volume Access - T1006 (0c8ab3eb-df48-4b9c-ace7-beacaac81cc5) | Attack Pattern | 1 |
| User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| VDSO Hijacking - T1055.014 (98be40f2-c86b-4ade-b6fc-4964932040e5) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| LNK Icon Smuggling - T1027.012 (887274fc-2d63-4bdc-82f3-fae56d1d5fdc) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Portable Executable Injection - T1055.002 (806a49c4-970d-43f9-9acc-ac0ee11e6662) | Attack Pattern | 1 |
| Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) | Attack Pattern | 1 |
| Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | ListPlanting - T1055.015 (eb2cb5cb-ae87-4de0-8c35-da2a17aafb99) | Attack Pattern | 1 |
| Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Proc Memory - T1055.009 (d201d4cc-214d-4a74-a1ba-b3fa09fd4591) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Add-ins - T1137.006 (34f1d81d-fe88-4f97-bd3b-a3164536255d) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 1 |
| Thread Execution Hijacking - T1055.003 (41d9846c-f6af-4302-a654-24bba2729bc6) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Outlook Home Page - T1137.004 (bf147104-abf9-4221-95d1-e81585859441) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Masquerade File Type - T1036.008 (208884f1-7b83-4473-ac22-4e1cf6c41471) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Office Test - T1137.002 (ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605) | Attack Pattern | 1 |
| Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) | Attack Pattern | 1 |
| Extra Window Memory Injection - T1055.011 (0042a9f5-f053-4769-b3ef-9ad018dfa298) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) | Attack Pattern | 1 |
| Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) | Attack Pattern | 1 |
| Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Thread Local Storage - T1055.005 (e49ee9d2-0d98-44ef-85e5-5d3100065744) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Ptrace System Calls - T1055.008 (ea016b56-ae0e-47fe-967a-cc0ad51af67f) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | PubPrn - T1216.001 (09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58) | Attack Pattern | 1 |
| Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Outlook Forms - T1137.003 (a9e2cea0-c805-4bf8-9e31-f5f0513a3634) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Embedded Payloads - T1027.009 (0533ab23-3f7d-463f-9bd8-634d27e4dee1) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Process Doppelgänging - T1055.013 (7007935a-a8a7-4c0b-bd98-4e85be8ed197) | Attack Pattern | 1 |
| Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21) | Attack Pattern | Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) | Attack Pattern | 2 |
| Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) | Attack Pattern | System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) | Attack Pattern | 2 |
| Outlook Rules - T1137.005 (3d1b9d7e-3921-4d25-845a-7d9f15c0da44) | Attack Pattern | Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) | Attack Pattern | 2 |
| Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | 2 |
| Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) | Attack Pattern | KernelCallbackTable - T1574.013 (a4657bc9-d22f-47d2-a7b7-dd6ec33f3dde) | Attack Pattern | 2 |
| Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | VDSO Hijacking - T1055.014 (98be40f2-c86b-4ade-b6fc-4964932040e5) | Attack Pattern | 2 |
| Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | LNK Icon Smuggling - T1027.012 (887274fc-2d63-4bdc-82f3-fae56d1d5fdc) | Attack Pattern | 2 |
| Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Portable Executable Injection - T1055.002 (806a49c4-970d-43f9-9acc-ac0ee11e6662) | Attack Pattern | 2 |
| Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | ListPlanting - T1055.015 (eb2cb5cb-ae87-4de0-8c35-da2a17aafb99) | Attack Pattern | 2 |
| Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 2 |
| Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Proc Memory - T1055.009 (d201d4cc-214d-4a74-a1ba-b3fa09fd4591) | Attack Pattern | 2 |
| Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) | Attack Pattern | 2 |
| Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) | Attack Pattern | 2 |
| Add-ins - T1137.006 (34f1d81d-fe88-4f97-bd3b-a3164536255d) | Attack Pattern | Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) | Attack Pattern | 2 |
| Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Thread Execution Hijacking - T1055.003 (41d9846c-f6af-4302-a654-24bba2729bc6) | Attack Pattern | 2 |
| Outlook Home Page - T1137.004 (bf147104-abf9-4221-95d1-e81585859441) | Attack Pattern | Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) | Attack Pattern | 2 |
| Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) | Attack Pattern | User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) | Attack Pattern | 2 |
| Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | Masquerade File Type - T1036.008 (208884f1-7b83-4473-ac22-4e1cf6c41471) | Attack Pattern | 2 |
| Office Test - T1137.002 (ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a) | Attack Pattern | Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) | Attack Pattern | 2 |
| Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605) | Attack Pattern | 2 |
| Extra Window Memory Injection - T1055.011 (0042a9f5-f053-4769-b3ef-9ad018dfa298) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2 |
| Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | 2 |
| JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 2 |
| Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) | Attack Pattern | 2 |
| Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Thread Local Storage - T1055.005 (e49ee9d2-0d98-44ef-85e5-5d3100065744) | Attack Pattern | 2 |
| Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) | Attack Pattern | Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) | Attack Pattern | 2 |
| Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Ptrace System Calls - T1055.008 (ea016b56-ae0e-47fe-967a-cc0ad51af67f) | Attack Pattern | 2 |
| System Script Proxy Execution - T1216 (f6fe9070-7a65-49ea-ae72-76292f42cebe) | Attack Pattern | PubPrn - T1216.001 (09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58) | Attack Pattern | 2 |
| Outlook Forms - T1137.003 (a9e2cea0-c805-4bf8-9e31-f5f0513a3634) | Attack Pattern | Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) | Attack Pattern | 2 |
| OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) | Attack Pattern | 2 |
| Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Embedded Payloads - T1027.009 (0533ab23-3f7d-463f-9bd8-634d27e4dee1) | Attack Pattern | 2 |
| Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d) | Attack Pattern | Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) | Attack Pattern | 2 |
| Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Process Doppelgänging - T1055.013 (7007935a-a8a7-4c0b-bd98-4e85be8ed197) | Attack Pattern | 2 |