{
  "description": "Enterprise techniques mitigated by Behavior Prevention on Endpoint, ATT&CK mitigation M1040 (v1.1)",
  "name": "Behavior Prevention on Endpoint (M1040)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"},
  "techniques": [
    {"techniqueID": "T1059", "comment": "On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent [Visual Basic](https://attack.mitre.org/techniques/T1059/005) and [JavaScript](https://attack.mitre.org/techniques/T1059/007) scripts from executing potentially malicious downloaded content (Citation: win10_asr).", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1059.005", "comment": "On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent [Visual Basic](https://attack.mitre.org/techniques/T1059/005) scripts from executing potentially malicious downloaded content (Citation: win10_asr).", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.007", "comment": "On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent [JavaScript](https://attack.mitre.org/techniques/T1059/007) scripts from executing potentially malicious downloaded content (Citation: win10_asr).", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1543", "comment": "On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent an application from writing a signed vulnerable driver to the system.(Citation: Malicious Driver Reporting Center) On Windows 10 and 11, enable Microsoft Vulnerable Driver Blocklist to assist in hardening against third party-developed drivers.(Citation: Microsoft driver block rules)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1543.003", "comment": "On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent an application from writing a signed vulnerable driver to the system.(Citation: Malicious Driver Reporting Center) On Windows 10 and 11, enable Microsoft Vulnerable Driver Blocklist to assist in hardening against third party-developed service drivers.(Citation: Microsoft driver block rules)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1486", "comment": "On Windows 10, enable cloud-delivered protection and Attack Surface Reduction (ASR) rules to block the execution of files that resemble ransomware.(Citation: win10_asr) In AWS environments, create an IAM policy to restrict or block the use of SSE-C on S3 buckets.(Citation: Halcyon AWS Ransomware 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1006", "comment": "Some endpoint security solutions can be configured to block some types of behaviors related to efforts by an adversary to create backups, such as command execution or preventing API calls to backup related services.", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1546", "showSubtechniques": true},
    {"techniqueID": "T1546.003", "comment": "On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent malware from abusing WMI to attain persistence.(Citation: win10_asr)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1564", "showSubtechniques": true},
    {"techniqueID": "T1564.014", "comment": "During artifact review, packaging, or deployment stages, scan extended attributes alongside file contents to detect hidden payloads, obfuscated data, or suspicious attribute keys that may indicate malicious behavior.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1574", "comment": "Some endpoint security solutions can be configured to block some types of behaviors related to process injection/memory tampering based on common sequences of indicators (ex: execution of specific API functions).", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1574.013", "comment": "Some endpoint security solutions can be configured to block some types of behaviors related to process injection/memory tampering based on common sequences of indicators (ex: execution of specific API functions).", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1559", "comment": "On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent DDE attacks and spawning of child processes from Office programs.(Citation: Microsoft ASR Nov 2017)(Citation: Enigma Reviving DDE Jan 2018)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1559.002", "comment": "On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent DDE attacks and spawning of child processes from Office programs.(Citation: Microsoft ASR Nov 2017)(Citation: Enigma Reviving DDE Jan 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1036", "comment": "Implement security controls on the endpoint, such as a Host Intrusion Prevention System (HIPS), to identify and prevent execution of potentially malicious files (such as those with mismatching file signatures).", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1036.008", "comment": "Implement security controls on the endpoint, such as a Host Intrusion Prevention System (HIPS), to identify and prevent execution of files with mismatching file signatures.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1106", "comment": "On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office VBA macros from calling Win32 APIs. (Citation: win10_asr)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "comment": "On Windows 10+, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated payloads. (Citation: win10_asr)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1027.009", "comment": "On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated scripts.(Citation: win10_asr)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.010", "comment": "On Windows 10+, enable Attack Surface Reduction (ASR) rules to block execution of potentially obfuscated scripts.(Citation: Microsoft ASR Obfuscation)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.012", "comment": "On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated scripts or payloads.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.013", "comment": "On Windows 10+, enable Attack Surface Reduction (ASR) rules to block execution of potentially obfuscated scripts.(Citation: Obfuscated scripts)\n\nSecurity tools should be configured to analyze the encoding properties of files and detect anomalies that deviate from standard encoding practices.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.014", "comment": "On Windows 10+, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated payloads", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1137", "comment": "On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. (Citation: win10_asr)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1137.001", "comment": "On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. (Citation: win10_asr)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1137.002", "comment": "On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. (Citation: win10_asr)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1137.003", "comment": "On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. (Citation: win10_asr)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1137.004", "comment": "On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. (Citation: win10_asr)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1137.005", "comment": "On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. (Citation: win10_asr)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1137.006", "comment": "On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. (Citation: win10_asr)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1003", "comment": "On Windows 10, enable Attack Surface Reduction (ASR) rules to secure LSASS and prevent credential stealing. (Citation: win10_asr)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1003.001", "comment": "On Windows 10, enable Attack Surface Reduction (ASR) rules to secure LSASS and prevent credential stealing. (Citation: win10_asr)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1055", "comment": "Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. For example, on Windows 10, Attack Surface Reduction (ASR) rules may prevent Office applications from code injection. (Citation: win10_asr)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1055.001", "comment": "Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1055.002", "comment": "Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1055.003", "comment": "Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1055.004", "comment": "Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1055.005", "comment": "Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1055.008", "comment": "Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1055.009", "comment": "Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1055.011", "comment": "Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1055.012", "comment": "Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1055.013", "comment": "Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1055.014", "comment": "Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1055.015", "comment": "Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1091", "comment": "On Windows 10, enable Attack Surface Reduction (ASR) rules to block unsigned/untrusted executable files (such as .exe, .dll, or .scr) from running from USB removable drives. (Citation: win10_asr)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1216", "showSubtechniques": true},
    {"techniqueID": "T1216.001", "comment": "On Windows 10, update Windows Defender Application Control policies to include rules that block the older, vulnerable versions of PubPrn.(Citation: Microsoft_rec_block_rules)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1569", "comment": "On Windows 10, enable Attack Surface Reduction (ASR) rules to block processes created by [PsExec](https://attack.mitre.org/software/S0029) from running. (Citation: win10_asr)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1569.002", "comment": "On Windows 10, enable Attack Surface Reduction (ASR) rules to block processes created by [PsExec](https://attack.mitre.org/software/S0029) from running. (Citation: win10_asr)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1204", "comment": "On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent executable files from running unless they meet a prevalence, age, or trusted list criteria and to prevent Office applications from creating potentially malicious executable content by blocking malicious code from being written to disk. Note: cloud-delivered protection must be enabled to use certain rules. (Citation: win10_asr)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1204.002", "comment": "On Windows 10, various Attack Surface Reduction (ASR) rules can be enabled to prevent the execution of potentially malicious executable files (such as those that have been downloaded and executed by Office applications/scripting interpreters/email clients or that do not meet specific prevalence, age, or trusted list criteria). Note: cloud-delivered protection must be enabled for certain rules. (Citation: win10_asr)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1047", "comment": "On Windows 10, enable Attack Surface Reduction (ASR) rules to block processes created by WMI commands from running. Note: many legitimate tools and applications utilize WMI for command execution. (Citation: win10_asr)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "mitigated by Behavior Prevention on Endpoint", "color": "#66b1ff"}]
}