Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46)

Behavior Prevention on Endpoint refers to the use of technologies and strategies to detect and block potentially malicious activities by analyzing the behavior of processes, files, API calls, and other endpoint events. Rather than relying solely on known signatures, this approach leverages heuristics, machine learning, and real-time monitoring to identify anomalous patterns indicative of an attack. This mitigation can be implemented through the following measures:

Suspicious Process Behavior:

  • Implementation: Use Endpoint Detection and Response (EDR) tools to monitor and block processes exhibiting unusual behavior, such as privilege escalation attempts.
  • Use Case: An attacker uses a known vulnerability to spawn a privileged process from a user-level application. The endpoint tool detects the abnormal parent-child process relationship and blocks the action.

Unauthorized File Access:

  • Implementation: Leverage Data Loss Prevention (DLP) or endpoint tools to block processes attempting to access sensitive files without proper authorization.
  • Use Case: A process tries to read or modify a sensitive file located in a restricted directory, such as /etc/shadow on Linux or the SAM registry hive on Windows. The endpoint tool identifies this anomalous behavior and prevents it.

Abnormal API Calls:

  • Implementation: Implement runtime analysis tools to monitor API calls and block those associated with malicious activities.
  • Use Case: A process dynamically injects itself into another process to hijack its execution. The endpoint detects the abnormal use of APIs like OpenProcess and WriteProcessMemory and terminates the offending process.

Exploit Prevention:

  • Implementation: Use behavioral exploit prevention tools to detect and block exploits attempting to gain unauthorized access.
  • Use Case: A buffer overflow exploit is launched against a vulnerable application. The endpoint detects the anomalous memory write operation and halts the process.
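The four measures above state behavioral rules in prose. The following Python sketch is an added example, not code from this MISP galaxy page or from MITRE ATT&CK: it runs three of those measures (suspicious process behavior, unauthorized file access, and the abnormal OpenProcess/WriteProcessMemory API sequence) as rules over a constructed stream of endpoint events. The event schema and field names, the allow lists, the integrity ranking and the rule names are all assumptions made for the example; exploit prevention is left out because it depends on in-process memory instrumentation rather than on log events.

```python
"""Toy behavioral rule engine over constructed endpoint telemetry.

Added example; not part of the MISP/ATT&CK page. The event schema, allow
lists and rule names below are assumptions for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample telemetry (an assumed schema; real EDR products emit
# their own). Events 2, 3 and 5 should fire; events 6 and 7 are benign.
EVENTS = [
    {"ts": 1, "type": "process_start", "pid": 101, "ppid": 50,
     "image": "winword.exe", "parent_image": "explorer.exe",
     "user": "alice", "integrity": "medium", "parent_integrity": "medium"},
    {"ts": 2, "type": "process_start", "pid": 102, "ppid": 101,
     "image": "cmd.exe", "parent_image": "winword.exe",
     "user": "SYSTEM", "integrity": "system", "parent_integrity": "medium"},
    {"ts": 3, "type": "file_access", "pid": 102, "image": "cmd.exe",
     "path": "C:\\Windows\\System32\\config\\SAM", "access": "read"},
    {"ts": 4, "type": "api_call", "pid": 103, "image": "updater.exe",
     "api": "OpenProcess", "target_pid": 640},
    {"ts": 5, "type": "api_call", "pid": 103, "image": "updater.exe",
     "api": "WriteProcessMemory", "target_pid": 640},
    {"ts": 6, "type": "file_access", "pid": 200, "image": "sshd",
     "path": "/etc/shadow", "access": "read"},
    {"ts": 7, "type": "process_start", "pid": 201, "ppid": 60,
     "image": "sudo", "parent_image": "bash",
     "user": "root", "integrity": "system", "parent_integrity": "medium"},
]

INTEGRITY_RANK = {"low": 0, "medium": 1, "high": 2, "system": 3}
# Images that legitimately sit on a privilege boundary (assumed list).
ELEVATION_BROKERS = {"sudo", "su", "pkexec", "consent.exe", "services.exe"}
# Sensitive files from the page's use case, compared case-insensitively.
SENSITIVE_PATHS = {"/etc/shadow", "c:\\windows\\system32\\config\\sam"}
# Processes allowed to touch those paths (assumed allow list).
SENSITIVE_PATH_ALLOWLIST = {"sshd", "lsass.exe", "passwd"}
# Cross-process handle acquisition followed by a memory write.
INJECTION_SEQUENCE = ("OpenProcess", "WriteProcessMemory")


@dataclass
class Alert:
    rule: str
    pid: int
    action: str
    detail: str


@dataclass
class BehaviorEngine:
    # Per (source pid, target pid): injection-related APIs seen so far.
    api_history: dict = field(default_factory=lambda: defaultdict(list))

    def evaluate(self, ev):
        handler = getattr(self, f"_on_{ev['type']}", None)
        return handler(ev) if handler else None

    def _on_process_start(self, ev):
        child = INTEGRITY_RANK.get(ev["integrity"], 0)
        parent = INTEGRITY_RANK.get(ev["parent_integrity"], 0)
        # A child running at higher integrity than its parent, with no
        # known elevation broker in the pair, is the abnormal parent-child
        # relationship from the first use case.
        if child > parent and not (
            ev["image"] in ELEVATION_BROKERS or ev["parent_image"] in ELEVATION_BROKERS
        ):
            return Alert("suspicious_process_behavior", ev["pid"], "block",
                         f"{ev['parent_image']} ({ev['parent_integrity']}) spawned "
                         f"{ev['image']} ({ev['integrity']})")
        return None

    def _on_file_access(self, ev):
        if (ev["path"].lower() in SENSITIVE_PATHS
                and ev["image"] not in SENSITIVE_PATH_ALLOWLIST):
            return Alert("unauthorized_file_access", ev["pid"], "block",
                         f"{ev['image']} attempted {ev['access']} on {ev['path']}")
        return None

    def _on_api_call(self, ev):
        if ev["target_pid"] == ev["pid"]:
            return None  # a process touching its own memory is routine
        seen = self.api_history[(ev["pid"], ev["target_pid"])]
        if ev["api"] in INJECTION_SEQUENCE:
            seen.append(ev["api"])
        # Fire only once the full ordered sequence has been observed.
        if tuple(seen[-len(INJECTION_SEQUENCE):]) == INJECTION_SEQUENCE:
            seen.clear()
            return Alert("abnormal_api_calls", ev["pid"], "terminate",
                         f"{ev['image']} opened pid {ev['target_pid']} "
                         f"and wrote to its memory")
        return None


def run(events):
    """Replay events in time order and return the alerts raised."""
    engine = BehaviorEngine()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        alert = engine.evaluate(ev)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run(EVENTS):
        print(f"[{a.action:9}] {a.rule:28} pid={a.pid} {a.detail}")
```

The sequence rule is keyed on the (source, target) pid pair so that a lone WriteProcessMemory, or an OpenProcess against one process followed by a write to another, does not fire; the file rule normalises the path case before matching so the Windows hive path is caught regardless of how the product reports it.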

Cluster A | Galaxy A | Cluster B | Galaxy B | Level
KernelCallbackTable - T1574.013 (a4657bc9-d22f-47d2-a7b7-dd6ec33f3dde) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Ptrace System Calls - T1055.008 (ea016b56-ae0e-47fe-967a-cc0ad51af67f) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) | Attack Pattern | 1
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1
Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1
Office Test - T1137.002 (ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) | Attack Pattern | 1
Polymorphic Code - T1027.014 (b577dfc1-0177-4522-8d5a-782127c8592b) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Add-ins - T1137.006 (34f1d81d-fe88-4f97-bd3b-a3164536255d) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | ListPlanting - T1055.015 (eb2cb5cb-ae87-4de0-8c35-da2a17aafb99) | Attack Pattern | 1
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Embedded Payloads - T1027.009 (0533ab23-3f7d-463f-9bd8-634d27e4dee1) | Attack Pattern | 1
Portable Executable Injection - T1055.002 (806a49c4-970d-43f9-9acc-ac0ee11e6662) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Direct Volume Access - T1006 (0c8ab3eb-df48-4b9c-ace7-beacaac81cc5) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | LNK Icon Smuggling - T1027.012 (887274fc-2d63-4bdc-82f3-fae56d1d5fdc) | Attack Pattern | 1
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 1
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1
Outlook Forms - T1137.003 (a9e2cea0-c805-4bf8-9e31-f5f0513a3634) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Thread Execution Hijacking - T1055.003 (41d9846c-f6af-4302-a654-24bba2729bc6) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Process Doppelgänging - T1055.013 (7007935a-a8a7-4c0b-bd98-4e85be8ed197) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Outlook Home Page - T1137.004 (bf147104-abf9-4221-95d1-e81585859441) | Attack Pattern | 1
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1
Outlook Rules - T1137.005 (3d1b9d7e-3921-4d25-845a-7d9f15c0da44) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Proc Memory - T1055.009 (d201d4cc-214d-4a74-a1ba-b3fa09fd4591) | Attack Pattern | 1
Masquerade File Type - T1036.008 (208884f1-7b83-4473-ac22-4e1cf6c41471) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | VDSO Hijacking - T1055.014 (98be40f2-c86b-4ade-b6fc-4964932040e5) | Attack Pattern | 1
Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | PubPrn - T1216.001 (09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Extra Window Memory Injection - T1055.011 (0042a9f5-f053-4769-b3ef-9ad018dfa298) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Extended Attributes - T1564.014 (762e6f29-a62f-4d96-91ed-d0073181431f) | Attack Pattern | 1
Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | 1
Thread Local Storage - T1055.005 (e49ee9d2-0d98-44ef-85e5-5d3100065744) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) | Attack Pattern | 1
Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) | Attack Pattern | 1
KernelCallbackTable - T1574.013 (a4657bc9-d22f-47d2-a7b7-dd6ec33f3dde) | Attack Pattern | Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) | Attack Pattern | 2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Ptrace System Calls - T1055.008 (ea016b56-ae0e-47fe-967a-cc0ad51af67f) | Attack Pattern | 2
Office Test - T1137.002 (ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a) | Attack Pattern | Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) | Attack Pattern | 2
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) | Attack Pattern | Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21) | Attack Pattern | 2
Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) | Attack Pattern | Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d) | Attack Pattern | 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | 2
Polymorphic Code - T1027.014 (b577dfc1-0177-4522-8d5a-782127c8592b) | Attack Pattern | Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | 2
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) | Attack Pattern | Add-ins - T1137.006 (34f1d81d-fe88-4f97-bd3b-a3164536255d) | Attack Pattern | 2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | ListPlanting - T1055.015 (eb2cb5cb-ae87-4de0-8c35-da2a17aafb99) | Attack Pattern | 2
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) | Attack Pattern | 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Embedded Payloads - T1027.009 (0533ab23-3f7d-463f-9bd8-634d27e4dee1) | Attack Pattern | 2
Portable Executable Injection - T1055.002 (806a49c4-970d-43f9-9acc-ac0ee11e6662) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | LNK Icon Smuggling - T1027.012 (887274fc-2d63-4bdc-82f3-fae56d1d5fdc) | Attack Pattern | 2
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) | Attack Pattern | Outlook Forms - T1137.003 (a9e2cea0-c805-4bf8-9e31-f5f0513a3634) | Attack Pattern | 2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Thread Execution Hijacking - T1055.003 (41d9846c-f6af-4302-a654-24bba2729bc6) | Attack Pattern | 2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Process Doppelgänging - T1055.013 (7007935a-a8a7-4c0b-bd98-4e85be8ed197) | Attack Pattern | 2
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) | Attack Pattern | Outlook Home Page - T1137.004 (bf147104-abf9-4221-95d1-e81585859441) | Attack Pattern | 2
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) | Attack Pattern | System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) | Attack Pattern | 2
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) | Attack Pattern | Outlook Rules - T1137.005 (3d1b9d7e-3921-4d25-845a-7d9f15c0da44) | Attack Pattern | 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) | Attack Pattern | 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) | Attack Pattern | 2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Proc Memory - T1055.009 (d201d4cc-214d-4a74-a1ba-b3fa09fd4591) | Attack Pattern | 2
Masquerade File Type - T1036.008 (208884f1-7b83-4473-ac22-4e1cf6c41471) | Attack Pattern | Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | 2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | 2
VDSO Hijacking - T1055.014 (98be40f2-c86b-4ade-b6fc-4964932040e5) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2
Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) | Attack Pattern | Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | 2
System Script Proxy Execution - T1216 (f6fe9070-7a65-49ea-ae72-76292f42cebe) | Attack Pattern | PubPrn - T1216.001 (09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58) | Attack Pattern | 2
Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Extra Window Memory Injection - T1055.011 (0042a9f5-f053-4769-b3ef-9ad018dfa298) | Attack Pattern | 2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) | Attack Pattern | Extended Attributes - T1564.014 (762e6f29-a62f-4d96-91ed-d0073181431f) | Attack Pattern | 2
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) | Attack Pattern | Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) | Attack Pattern | 2
Thread Local Storage - T1055.005 (e49ee9d2-0d98-44ef-85e5-5d3100065744) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) | Attack Pattern | Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) | Attack Pattern | 2