Antivirus/Antimalware

Use signatures or heuristics to detect malicious software.

ID: M1049
Version: 1.1
Created: 11 June 2019
Last Modified: 31 March 2020

Techniques Addressed by Mitigation

Domain ID Name Use
Enterprise T1547 .006 Boot or Logon Autostart Execution: Kernel Modules and Extensions

Common tools for detecting Linux rootkits include rkhunter [1] and chkrootkit [2], although rootkits may be designed to evade certain detection tools.

Enterprise T1059 Command and Scripting Interpreter

Anti-virus can be used to automatically quarantine suspicious files.

.001 PowerShell

Anti-virus can be used to automatically quarantine suspicious files.

.005 Visual Basic

Anti-virus can be used to automatically quarantine suspicious files.

.006 Python

Anti-virus can be used to automatically quarantine suspicious files.

Enterprise T1027 Obfuscated Files or Information

Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10 to analyze commands after being processed/interpreted. [3]

.002 Software Packing

Employ heuristic-based malware detection. Ensure updated virus definitions and create custom signatures for observed malware.

Enterprise T1566 Phishing

Anti-virus can automatically quarantine suspicious files.

.001 Spearphishing Attachment

Anti-virus can also automatically quarantine suspicious files.

.003 Spearphishing via Service

Anti-virus can also automatically quarantine suspicious files.

Enterprise T1221 Template Injection

Network/Host intrusion prevention systems, antivirus, and detonation chambers can be employed to prevent documents from fetching and/or executing malicious payloads. [4]

References