{
  "description": "Enterprise techniques mitigated by Antivirus/Antimalware, ATT&CK mitigation M1049 (v1.2)",
  "name": "Antivirus/Antimalware (M1049)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"},
  "techniques": [
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.006", "comment": "Common tools for detecting Linux rootkits include rkhunter (Citation: SourceForge rkhunter) and chkrootkit (Citation: Chkrootkit Main), although rootkits may be designed to evade certain detection tools.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "comment": "Anti-virus can be used to automatically quarantine suspicious files.", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1059.001", "comment": "Anti-virus can be used to automatically quarantine suspicious files.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.005", "comment": "Anti-virus can be used to automatically quarantine suspicious files.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.006", "comment": "Anti-virus can be used to automatically quarantine suspicious files.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1564", "comment": "Review and audit file/folder exclusions, and limit the scope of exclusions to only what is required where possible. (Citation: Microsoft File Folder Exclusions)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1564.012", "comment": "Review and audit file/folder exclusions, and limit the scope of exclusions to only what is required where possible. (Citation: Microsoft File Folder Exclusions)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1036", "comment": "Anti-virus can be used to automatically quarantine suspicious files.", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1036.008", "comment": "Anti-virus can be used to automatically quarantine suspicious files.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027", "comment": "Anti-virus can be used to automatically detect and quarantine suspicious files. Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10+ to analyze commands after they have been processed/interpreted. (Citation: Microsoft AMSI June 2015)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1027.002", "comment": "Employ heuristic-based malware detection. Ensure virus definitions are kept up to date and create custom signatures for observed malware.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.009", "comment": "Anti-virus can be used to automatically detect and quarantine suspicious files.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.010", "comment": "Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10+ to analyze commands after they have been processed/interpreted.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.012", "comment": "Use signatures or heuristics to detect malicious LNK files and the files they subsequently download.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.013", "comment": "Anti-virus can be used to automatically detect and quarantine suspicious files, including those with high entropy measurements or other potentially malicious signs of obfuscation.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.014", "comment": "Anti-virus can be used to automatically detect and quarantine suspicious files. Advanced anti-malware techniques that use machine learning and behavior-based mechanisms for signature-less malware detection will also be more effective than traditional indicator-based detection methods.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.015", "comment": "Anti-virus can be used to automatically detect and quarantine suspicious files. Consider anti-virus products capable of unpacking and inspecting compressed files recursively, as well as analyzing SFX archives.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.016", "comment": "Anti-virus can be used to automatically detect and quarantine suspicious files. Behavior-based detections, rather than reliance on static code analysis, may help to identify malicious files that rely heavily on junk code. (Citation: ReasonLabs)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1566", "comment": "Anti-virus can automatically quarantine suspicious files.", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1566.001", "comment": "Anti-virus can also automatically quarantine suspicious files.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1566.003", "comment": "Anti-virus can also automatically quarantine suspicious files.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1080", "comment": "Anti-virus can be used to automatically quarantine suspicious files. (Citation: Mandiant Cloudy Logs 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1221", "comment": "Network/host intrusion prevention systems, antivirus, and detonation chambers can be employed to prevent documents from fetching and/or executing malicious payloads. (Citation: Anomali Template Injection MAR 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "mitigated by Antivirus/Antimalware", "color": "#66b1ff"}]
}