Behavior Prevention on Endpoint
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, or API call behavior, among others.
Techniques Addressed by Mitigation
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1559 | Inter-Process Communication | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent DDE attacks and spawning of child processes from Office programs.[1][2] |
| | .002 | Dynamic Data Exchange | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent DDE attacks and spawning of child processes from Office programs.[1][2] |
| Enterprise | T1055 | Process Injection | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| | .001 | Dynamic-link Library Injection | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| | .002 | Portable Executable Injection | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| | .012 | Process Hollowing | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| | .003 | Thread Execution Hijacking | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| | .004 | Asynchronous Procedure Call | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| | .005 | Thread Local Storage | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| | .008 | Ptrace System Calls | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| | .009 | Proc Memory | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| | .011 | Extra Window Memory Injection | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| | .013 | Process Doppelgänging | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| | .014 | VDSO Hijacking | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |