Use signatures or heuristics to detect malicious software.
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1547.006 | Boot or Logon Autostart Execution: Kernel Modules and Extensions | Common tools for detecting Linux rootkits include rkhunter [1] and chkrootkit [2], although rootkits may be designed to evade certain detection tools. |
| Enterprise | T1059 | Command and Scripting Interpreter | Anti-virus can be used to automatically quarantine suspicious files. |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Anti-virus can be used to automatically quarantine suspicious files. |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Anti-virus can be used to automatically quarantine suspicious files. |
| Enterprise | T1059.006 | Command and Scripting Interpreter: Python | Anti-virus can be used to automatically quarantine suspicious files. |
| Enterprise | T1027 | Obfuscated Files or Information | Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10 to analyze commands after being processed/interpreted. [3] |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | Employ heuristic-based malware detection. Ensure updated virus definitions and create custom signatures for observed malware. |
| Enterprise | T1566 | Phishing | Anti-virus can automatically quarantine suspicious files. |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Anti-virus can also automatically quarantine suspicious files. |
| Enterprise | T1566.003 | Phishing: Spearphishing via Service | Anti-virus can also automatically quarantine suspicious files. |
| Enterprise | T1221 | Template Injection | Network/Host intrusion prevention systems, antivirus, and detonation chambers can be employed to prevent documents from fetching and/or executing malicious payloads. [4] |
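The Software Packing row above (T1027.002) pairs two approaches: heuristic detection and custom signatures written for malware already observed. The following Python script is an added illustration of both, not code from the ATT&CK page or from any anti-virus product. It combines a byte-pattern signature with a chunked Shannon-entropy heuristic, since packed or encrypted sections tend to look close to random (near 8 bits per byte) while ordinary code and strings do not. The sample "files", the signature name `Hypothetical.Loader.A`, the byte pattern it matches, and the 7.0-bit threshold are all constructed for this example.

```python
import math
import re

# Constructed stand-ins for scanned files (not real binaries or malware):
# a plain file with repetitive content, a file whose body mimics a packed
# section, and a file carrying the constructed marker our signature covers.
PLAIN_FILE = b"MZ" + b"\x00" * 64 + b"This program cannot be run in DOS mode.\r\n" + b"A" * 2048
PACKED_FILE = b"MZ" + bytes(range(256)) * 12
SIGNED_SAMPLE = b"MZ" + b"\x00" * 32 + b"\xde\xad\xbe\xef" + b"evil-loader-v2" + b"\x00" * 512

# Custom signatures for previously observed samples: name -> byte pattern.
# The name and pattern are hypothetical; a real signature would be derived
# from a sample the defender actually has.
SIGNATURES = {
    "Hypothetical.Loader.A": re.compile(rb"\xde\xad\xbe\xef.{0,16}evil-loader", re.DOTALL),
}


def shannon_entropy(data: bytes) -> float:
    """Entropy of the byte distribution in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def chunk_entropies(data: bytes, chunk: int = 256) -> list:
    """Entropy per fixed-size chunk, so one packed region stands out."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def match_signatures(data: bytes) -> list:
    """Names of every custom signature whose pattern occurs in the data."""
    return [name for name, pattern in SIGNATURES.items() if pattern.search(data)]


def heuristic_packed(data: bytes, threshold: float = 7.0, min_fraction: float = 0.5) -> bool:
    """Flag data as likely packed when at least min_fraction of its chunks
    exceed the entropy threshold (a heuristic, not proof of malice)."""
    entropies = chunk_entropies(data)
    if not entropies:
        return False
    high = sum(1 for e in entropies if e >= threshold)
    return high / len(entropies) >= min_fraction


def scan(data: bytes) -> dict:
    """Signature hits take precedence; otherwise fall back to the heuristic."""
    hits = match_signatures(data)
    packed = heuristic_packed(data)
    if hits:
        verdict = "signature"
    elif packed:
        verdict = "heuristic"
    else:
        verdict = "clean"
    return {
        "verdict": verdict,
        "signatures": hits,
        "likely_packed": packed,
        "max_entropy": round(max(chunk_entropies(data), default=0.0), 2),
    }


if __name__ == "__main__":
    for label, blob in (("plain", PLAIN_FILE), ("packed", PACKED_FILE), ("signed", SIGNED_SAMPLE)):
        print(label, scan(blob))
```

The heuristic verdict is a lead for triage, not a conviction: legitimately compressed resources and installers also score near 8 bits per byte, and a packer can deliberately pad its output to lower the measured entropy, which is the same caveat the table raises for rootkit scanners. Signature matches are precise but only cover what has already been seen, which is why the row recommends keeping definitions updated and writing custom signatures as new samples appear.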