Description
The information system implements malicious code protection.
Supplemental Guidance
The organization employs malicious code protection mechanisms at critical information system entry and exit points (e.g., firewalls, electronic mail servers, web servers, proxy servers, remote-access servers) and at workstations, servers, or mobile computing devices on the network. The organization uses the malicious code protection mechanisms to detect and eradicate malicious code (e.g., viruses, worms, Trojan horses, spyware) transported: (i) by electronic mail, electronic mail attachments, Internet accesses, removable media (e.g., USB devices, diskettes or compact disks), or other common means; or (ii) by exploiting information system vulnerabilities. The organization updates malicious code protection mechanisms (including the latest virus definitions) whenever new releases are available in accordance with organizational configuration management policy and procedures. The organization considers using malicious code protection software products from multiple vendors (e.g., using one vendor for boundary devices and servers and another vendor for workstations). The organization also considers the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system. NIST Special Publication 800-83 provides guidance on implementing malicious code protection.
Changes from Rev 4
Parameter adds '[Selection (one or more): signature based; non-signature based]'; another parameter adds requirement to send an alert to specified personnel Parameter selection eliminates option to send an alert to specified personnel and adds option to take specified action Discussion expanded to explain signature- and non-signature-based technologies Incorporates withdrawn controls SI-03(2) and SI-03(7)
MITRE ATT&CK Techniques (226)
ATT&CK v16.1Techniques mitigated by this control, mapped via CTID.
Reconnaissance 4 Initial Access 8 Execution 25 Persistence 36 Privilege Escalation 48 Defense Evasion 71 Credential Access 21 Discovery 3 Lateral Movement 7 Collection 13 Command & Control 32 Exfiltration 11 Impact 9
Show all 226 techniques grouped by tactic
Reconnaissance
Initial Access
Execution
T1047 Windows Management Instrumentation T1059 Command and Scripting Interpreter T1072 Software Deployment Tools T1106 Native API T1129 Shared Modules T1203 Exploitation for Client Execution T1204 User Execution T1559 Inter-Process Communication T1569 System Services T1059.001 PowerShell T1059.002 AppleScript T1059.003 Windows Command Shell T1059.004 Unix Shell T1059.005 Visual Basic T1059.006 Python T1059.007 JavaScript T1059.008 Network Device CLI T1059.010 AutoHotKey & AutoIT T1059.011 Lua T1204.001 Malicious Link T1204.002 Malicious File T1204.003 Malicious Image T1559.001 Component Object Model T1559.002 Dynamic Data Exchange T1569.002 Service Execution
Persistence
T1037 Boot or Logon Initialization Scripts T1137 Office Application Startup T1176 Browser Extensions T1525 Implant Internal Image T1543 Create or Modify System Process T1554 Compromise Host Software Binary T1574 Hijack Execution Flow T1037.002 Login Hook T1037.003 Network Logon Script T1037.004 RC Scripts T1037.005 Startup Items T1098.004 SSH Authorized Keys T1137.001 Office Template Macros T1505.004 IIS Components T1543.002 Systemd Service T1546.002 Screensaver T1546.003 Windows Management Instrumentation Event Subscription T1546.004 Unix Shell Configuration Modification T1546.006 LC_LOAD_DYLIB Addition T1546.013 PowerShell Profile T1546.014 Emond T1546.016 Installer Packages T1547.002 Authentication Package T1547.005 Security Support Provider T1547.006 Kernel Modules and Extensions T1547.007 Re-opened Applications T1547.008 LSASS Driver T1547.009 Shortcut Modification T1547.013 XDG Autostart Entries T1574.001 DLL Search Order Hijacking T1574.004 Dylib Hijacking T1574.007 Path Interception by PATH Environment Variable T1574.008 Path Interception by Search Order Hijacking T1574.009 Path Interception by Unquoted Path T1574.013 KernelCallbackTable T1574.014 AppDomainManager
Privilege Escalation
T1037 Boot or Logon Initialization Scripts T1055 Process Injection T1068 Exploitation for Privilege Escalation T1543 Create or Modify System Process T1548 Abuse Elevation Control Mechanism T1574 Hijack Execution Flow T1611 Escape to Host T1037.002 Login Hook T1037.003 Network Logon Script T1037.004 RC Scripts T1037.005 Startup Items T1055.001 Dynamic-link Library Injection T1055.002 Portable Executable Injection T1055.003 Thread Execution Hijacking T1055.004 Asynchronous Procedure Call T1055.005 Thread Local Storage T1055.008 Ptrace System Calls T1055.009 Proc Memory T1055.011 Extra Window Memory Injection T1055.012 Process Hollowing T1055.013 Process Doppelgänging T1055.014 VDSO Hijacking T1055.015 ListPlanting T1098.004 SSH Authorized Keys T1543.002 Systemd Service T1546.002 Screensaver T1546.003 Windows Management Instrumentation Event Subscription T1546.004 Unix Shell Configuration Modification T1546.006 LC_LOAD_DYLIB Addition T1546.013 PowerShell Profile T1546.014 Emond T1546.016 Installer Packages T1547.002 Authentication Package T1547.005 Security Support Provider T1547.006 Kernel Modules and Extensions T1547.007 Re-opened Applications T1547.008 LSASS Driver T1547.009 Shortcut Modification T1547.013 XDG Autostart Entries T1548.004 Elevated Execution with Prompt T1548.006 TCC Manipulation T1574.001 DLL Search Order Hijacking T1574.004 Dylib Hijacking T1574.007 Path Interception by PATH Environment Variable T1574.008 Path Interception by Search Order Hijacking T1574.009 Path Interception by Unquoted Path T1574.013 KernelCallbackTable T1574.014 AppDomainManager
Defense Evasion
T1027 Obfuscated Files or Information T1036 Masquerading T1055 Process Injection T1070 Indicator Removal T1211 Exploitation for Defense Evasion T1218 System Binary Proxy Execution T1221 Template Injection T1548 Abuse Elevation Control Mechanism T1562 Impair Defenses T1574 Hijack Execution Flow T1622 Debugger Evasion T1027.002 Software Packing T1027.007 Dynamic API Resolution T1027.008 Stripped Payloads T1027.009 Embedded Payloads T1027.010 Command Obfuscation T1027.012 LNK Icon Smuggling T1027.013 Encrypted/Encoded File T1027.014 Polymorphic Code T1036.003 Rename System Utilities T1036.005 Match Legitimate Name or Location T1036.008 Masquerade File Type T1055.001 Dynamic-link Library Injection T1055.002 Portable Executable Injection T1055.003 Thread Execution Hijacking T1055.004 Asynchronous Procedure Call T1055.005 Thread Local Storage T1055.008 Ptrace System Calls T1055.009 Proc Memory T1055.011 Extra Window Memory Injection T1055.012 Process Hollowing T1055.013 Process Doppelgänging T1055.014 VDSO Hijacking T1055.015 ListPlanting T1070.001 Clear Windows Event Logs T1070.002 Clear Linux or Mac System Logs T1070.003 Clear Command History T1070.007 Clear Network Connection History and Configurations T1070.008 Clear Mailbox Data T1070.009 Clear Persistence T1070.010 Relocate Malware T1218.001 Compiled HTML File T1218.002 Control Panel T1218.003 CMSTP T1218.004 InstallUtil T1218.005 Mshta T1218.008 Odbcconf T1218.009 Regsvcs/Regasm T1218.012 Verclsid T1218.013 Mavinject T1218.014 MMC T1218.015 Electron Applications T1548.004 Elevated Execution with Prompt T1548.006 TCC Manipulation T1553.003 SIP and Trust Provider Hijacking T1562.001 Disable or Modify Tools T1562.002 Disable Windows Event Logging T1562.004 Disable or Modify System Firewall T1562.006 Indicator Blocking T1562.011 Spoof Security Alerting T1564.004 NTFS File Attributes T1564.008 Email Hiding Rules T1564.009 Resource Forking T1564.012 File/Path Exclusions T1574.001 DLL Search Order Hijacking T1574.004 Dylib Hijacking T1574.007 Path Interception by PATH Environment Variable T1574.008 Path Interception by Search Order Hijacking T1574.009 Path Interception by Unquoted Path T1574.013 KernelCallbackTable T1574.014 AppDomainManager
Credential Access
T1003 OS Credential Dumping T1111 Multi-Factor Authentication Interception T1212 Exploitation for Credential Access T1539 Steal Web Session Cookie T1557 Adversary-in-the-Middle T1558 Steal or Forge Kerberos Tickets T1003.001 LSASS Memory T1003.002 Security Account Manager T1003.003 NTDS T1003.004 LSA Secrets T1003.005 Cached Domain Credentials T1003.006 DCSync T1003.007 Proc Filesystem T1003.008 /etc/passwd and /etc/shadow T1056.002 GUI Input Capture T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay T1557.002 ARP Cache Poisoning T1557.003 DHCP Spoofing T1558.002 Silver Ticket T1558.003 Kerberoasting T1558.004 AS-REP Roasting
Lateral Movement
Collection
T1005 Data from Local System T1025 Data from Removable Media T1185 Browser Session Hijacking T1557 Adversary-in-the-Middle T1560 Archive Collected Data T1602 Data from Configuration Repository T1056.002 GUI Input Capture T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay T1557.002 ARP Cache Poisoning T1557.003 DHCP Spoofing T1560.001 Archive via Utility T1602.001 SNMP (MIB Dump) T1602.002 Network Device Configuration Dump
Command & Control
T1001 Data Obfuscation T1008 Fallback Channels T1071 Application Layer Protocol T1090 Proxy T1092 Communication Through Removable Media T1095 Non-Application Layer Protocol T1102 Web Service T1104 Multi-Stage Channels T1105 Ingress Tool Transfer T1132 Data Encoding T1219 Remote Access Software T1568 Dynamic Resolution T1571 Non-Standard Port T1572 Protocol Tunneling T1573 Encrypted Channel T1001.001 Junk Data T1001.002 Steganography T1001.003 Protocol or Service Impersonation T1071.001 Web Protocols T1071.002 File Transfer Protocols T1071.003 Mail Protocols T1071.004 DNS T1090.001 Internal Proxy T1090.002 External Proxy T1102.001 Dead Drop Resolver T1102.002 Bidirectional Communication T1102.003 One-Way Communication T1132.001 Standard Encoding T1132.002 Non-Standard Encoding T1568.002 Domain Generation Algorithms T1573.001 Symmetric Cryptography T1573.002 Asymmetric Cryptography
Exfiltration
T1029 Scheduled Transfer T1030 Data Transfer Size Limits T1041 Exfiltration Over C2 Channel T1048 Exfiltration Over Alternative Protocol T1052 Exfiltration Over Physical Medium T1567 Exfiltration Over Web Service T1011.001 Exfiltration Over Bluetooth T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol T1052.001 Exfiltration over USB
Compliance Mappings
ISO 27001:2022
A.8.23A.8.7
ISO 27002:2022
8.238.7
COBIT 2019
DSS05
CIS Controls v8
CIS 10CIS 10.1CIS 10.2CIS 10.4CIS 10.6CIS 10.7CIS 9CIS 9.3CIS 9.6CIS 9.7
NIST CSF 2.0
RS.MI-02
SOC 2 TSC
CC6.6CC6.6-POF2CC6.8CC9.2-POF13
PCI DSS v4.0.1
5.15.25.36.4
CSA CCM v4
TVM-02TVM-04UEM-09
CSA AICM v1
TVM-02TVM-04UEM-09
MAS TRM
11
APRA CPS 234
Para 22-23
ASD Essential Eight
E8-3E8-3 ML2
BSI IT-Grundschutz
APP.1.1OPS.1.1.4
ANSSI
Hygiene.21SecNumCloud.13.1
FINMA Circular 2023/1
IV.B.d(59)IV.C(64)IV.C(65)
OSFI B-13
B-13.3.2B-13.3.3
EU GDPR
Art.32(1)(b)
EU DORA
Art.9(4)(b)
BIO2
8.238.7
RBI CSF
Annex1.13
FISC Security Guidelines
FISC.T14FISC.T7
LGPD + BCB 4893
BCB.Art.3LGPD.Art.46
HKMA TM-E-1
TME1.10.1TME1.7.3
MLPS 2.0
8.1.10.58.1.3.38.1.3.48.1.4.5
DNB Good Practice
DNB.19.1
EU CRA
CRA.I.2i
SWIFT CSCF
SWIFT.6.1
SAMA CSF
3.3
NCA ECC
2-32-4
UAE IA
T7
CBB TM
TM-8
Qatar NIA
OS
CBUAE
CR-7
CBE CSF
CTO-7CTO-8
SA JS2
JS2-7.2JS2-8.4
CBN CSF
Part3.3
BoG CISD
CISD-VI
POPIA
s19
IOSCO Cyber Resilience
DET-3
CPMI-IOSCO PFMI
CG.DECG.PR
FFIEC IS
II.C.12
NYDFS 500
500.14
HIPAA Security Rule
§164.308(a)(5)(ii)(B)
ECB CROE
CROE.2.3.4CROE.2.4
EBA ICT Guidelines
3.4.4
SEBI CSCRF
DE.DPPR.ES
BOT Cyber Resilience
Ch2.6Ch8.2
CMMC 2.0
SI
NERC CIP
CIP-007-6
10 CFR 73.54
RG5.71-A-SI
API 1164
Sec 7
IAEA NSS 17-T
Sec 5.4
FIPS 140-3
FIPS 140-3 §7.6
ISAE 3402
Clause 4
Lloyd's Minimum Standards
MS8.10
NAIC Insurance Data Security
4-monitoring4B
HITRUST CSF v11
09.c
FDA Cybersecurity Guidance
PU-3
ISO 27799
12.2
NHS DSPT
NDG-9.3NDG-9.4
CCSS v9.0
1.01.31.05.4
Basel SCO60
SCO60.51SCO60.64SCO60.65
ISO 17799 (legacy)
10.4.1
COBIT 4.1 (legacy)
DS5.9