M1040: Behavior Prevention on Endpoint
Behavior Prevention on Endpoint refers to the use of technologies and strategies to detect and block potentially malicious activities by analyzing the behavior of processes, files, API calls, and other endpoint events. Rather than relying solely on known signatures, this approach leverages heuristics, machine learning, and real-time monitoring to identify anomalous patterns indicative of an attack. This mitigation can be implemented through the following measures:
Suspicious Process Behavior:
- Implementation: Use Endpoint Detection and Response (EDR) tools to monitor and block processes exhibiting unusual behavior, such as privilege escalation attempts.
- Use Case: An attacker uses a known vulnerability to spawn a privileged process from a user-level application. The endpoint tool detects the abnormal parent-child process relationship and blocks the action.
Unauthorized File Access:
- Implementation: Leverage Data Loss Prevention (DLP) or endpoint tools to block processes attempting to access sensitive files without proper authorization.
- Use Case: A process tries to read or modify a sensitive file located in a restricted directory, such as /etc/shadow on Linux or the SAM registry hive on Windows. The endpoint tool identifies this anomalous behavior and prevents it.
Abnormal API Calls:
- Implementation: Implement runtime analysis tools to monitor API calls and block those associated with malicious activities.
- Use Case: A process dynamically injects itself into another process to hijack its execution. The endpoint detects the abnormal use of APIs like `OpenProcess` and `WriteProcessMemory` and terminates the offending process.
Exploit Prevention:
- Implementation: Use behavioral exploit prevention tools to detect and block exploits attempting to gain unauthorized access.
- Use Case: A buffer overflow exploit is launched against a vulnerable application. The endpoint detects the anomalous memory write operation and halts the process.
Analyst context for executives and security teams
Behavior Prevention on Endpoint is important because it shifts endpoint defense from “known bad file” matching to blocking suspicious actions as they happen, such as abnormal process launches, unauthorized sensitive file access, risky API use, process injection, and exploit-like memory behavior. For leaders, the decision value is whether endpoint controls can interrupt credential theft, stealth, execution, and privilege-escalation behaviors before they become lateral movement or broader incident response problems.
Executive priority
Treat this mitigation as a resilience and control-validation priority, not just a tool feature. The ATT&CK relationships show relevance to OS credential dumping, LSASS memory access, direct volume access, obfuscation, masquerading, WMI abuse, and many process injection variants. Executives should ask whether endpoint prevention policies are actually enabled, monitored, and tested against these behavior classes, especially where credential access or stealthy execution would materially affect business continuity, audit evidence, or incident containment timelines.
Technical view
SOC, detection engineering, and IR teams should validate endpoint behavior-prevention coverage around the behaviors named in the official description: suspicious parent-child process relationships, privilege-escalation attempts, unauthorized reads or modifications of sensitive files, abnormal API usage such as OpenProcess and WriteProcessMemory, process injection, and exploit-like memory writes. Relationship context makes credential dumping and process injection especially important validation areas. Because the mitigation object has no platform field and no official detection text, teams should map coverage locally to the platforms represented by related techniques, including Windows, Linux, macOS, ESXi, containers, network devices, and other listed environments where applicable.
Likely telemetry
- Endpoint process creation and parent-child process relationship events
- Endpoint prevention or EDR block/alert events
- File access events for sensitive operating system credential or restricted locations, such as Windows SAM-related access or Linux /etc/shadow access where collected
- API call or runtime behavior telemetry related to process access, memory writes, and injection patterns
- Memory protection, exploit prevention, or abnormal memory operation events
Detection direction
- Confirm that behavior-prevention policies are in prevention or blocking mode where risk justifies it, not only passive alerting.
- Test whether endpoint controls detect and block abnormal process relationships, privilege-escalation behavior, process injection, and unauthorized sensitive file access without relying only on static signatures.
- Prioritize validation against related ATT&CK areas: OS Credential Dumping, LSASS Memory, Direct Volume Access, Obfuscated Files or Information, Masquerading, WMI, and Process Injection sub-techniques.
- Tune exceptions carefully for legitimate administration, debugging, security tooling, software deployment, and monitoring activity, since these may resemble API access, process manipulation, or sensitive file access.
- Identify blind spots where endpoint telemetry is unavailable, unsupported, or not forwarded to the SOC, especially on non-Windows platforms and infrastructure types listed in related techniques.
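One way to exercise the behavior classes and detection directions above in code, as an added example that is not the ATT&CK object's or Glexia's own: a small Python rule engine that evaluates abnormal parent-child launches, unauthorized access to /etc/shadow or the SAM hive, and the cross-process OpenProcess followed by WriteProcessMemory pattern over constructed telemetry events, with a block/audit mode switch. Event field names, the allow-lists and the sample events are assumptions made for the example.

```python
"""Added example: a small behaviour-rule engine over constructed endpoint
telemetry, not code from the ATT&CK object, Glexia, or any EDR product.
Event field names, allow-lists and sample events are assumptions."""
from collections import defaultdict

# Assumed policy tables; a real deployment tunes these per environment.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wmiprvse.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}
SENSITIVE_PATHS = {"/etc/shadow", "c:/windows/system32/config/sam"}
ALLOWED_READERS = {"lsass.exe", "sshd"}  # exceptions for legitimate readers

def _norm(path):
    """Normalize slashes and case so Windows and Linux paths compare alike."""
    return path.replace("\\", "/").lower()

def _base(path):
    return _norm(path).rsplit("/", 1)[-1]  # executable name without directory

def check_process_create(ev):
    """Flag shells or script hosts spawned by Office or WMI parents."""
    parent, child = _base(ev["parent_image"]), _base(ev["image"])
    if parent in SUSPICIOUS_PARENTS and child in SHELL_CHILDREN:
        return f"abnormal parent-child: {parent} -> {child}"
    return None

def check_file_access(ev):
    """Flag access to credential stores by anything not on the allow-list."""
    path, image = _norm(ev["path"]), _base(ev["image"])
    if path in SENSITIVE_PATHS and image not in ALLOWED_READERS:
        return f"unauthorized access to {path} by {image}"
    return None

class InjectionTracker:
    """Stateful rule: OpenProcess on another pid, then WriteProcessMemory to it."""
    def __init__(self):
        self.opened = defaultdict(set)  # source pid -> target pids it opened
    def check(self, ev):
        src, tgt = ev["pid"], ev["target_pid"]
        if src == tgt:  # a process touching its own memory is normal
            return None
        if ev["api"] == "OpenProcess":
            self.opened[src].add(tgt)
        elif ev["api"] == "WriteProcessMemory" and tgt in self.opened[src]:
            return f"possible injection: pid {src} ({_base(ev['image'])}) wrote memory of pid {tgt}"
        return None

def evaluate(events, mode="block"):
    """Run events through the rules; mode records block vs audit-only handling."""
    tracker = InjectionTracker()
    handlers = {"process_create": check_process_create, "file_access": check_file_access,
                "api_call": tracker.check}
    findings = []
    for ev in events:
        finding = handlers.get(ev["type"], lambda _: None)(ev)
        if finding:
            findings.append({"action": mode, "pid": ev["pid"], "finding": finding})
    return findings

# Constructed sample telemetry: three benign events, three that should fire.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 410, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "pid": 512, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"type": "file_access", "pid": 777, "image": "/usr/sbin/sshd", "path": "/etc/shadow"},
    {"type": "file_access", "pid": 778, "image": "/tmp/dumper", "path": "/etc/shadow"},
    {"type": "api_call", "pid": 900, "image": "notepad.exe", "api": "OpenProcess", "target_pid": 900},
    {"type": "api_call", "pid": 901, "image": "updater.exe", "api": "OpenProcess", "target_pid": 640},
    {"type": "api_call", "pid": 901, "image": "updater.exe", "api": "WriteProcessMemory", "target_pid": 640},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"[{f['action']}] pid {f['pid']}: {f['finding']}")
```

The exception-tuning bullet above maps onto the `ALLOWED_READERS` and `SUSPICIOUS_PARENTS` tables: that is where legitimate administration, debugging and security tooling would be carved out rather than by disabling a rule.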
Mitigation priorities
- Start with high-risk credential and privilege behaviors: block suspicious access to credential stores, LSASS-like memory access where applicable, and abnormal privilege-escalation process chains.
- Enable behavioral exploit prevention and runtime monitoring features where available, with staged rollout and exception governance to manage operational disruption.
- Extend validation beyond malware signatures to include process behavior, file access behavior, API behavior, memory behavior, command obfuscation, and masquerading indicators.
- Document prevention settings, test results, exceptions, and response procedures as compliance and incident readiness evidence.
- Review coverage after endpoint platform changes, EDR policy updates, or newly prioritized ATT&CK techniques, because this mitigation depends heavily on local sensor capability and configuration.
Analyst notes and limits
This is a broad endpoint mitigation, not a specific detection analytic. Its strongest value is in reducing dependence on known signatures and adding behavioral blocking for techniques that often support credential theft, stealth, execution, and privilege escalation. The relationship set is useful for prioritizing validation: credential dumping and process injection families should be prominent in control testing and tabletop discussions.
The official object does not specify platforms, tactics, or detection guidance. Platform references come only from related techniques, so local applicability must be confirmed against the organization’s endpoint estate and tooling. The source does not prove any specific product capability, detection coverage, adversary use, or active exploitation.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1036.008 | Masquerade File Type Sub-technique | Implement security controls on the endpoint, such as a Host Intrusion Prevention System (HIPS), to identify and prevent execution of files with mismatching file signatures. |
| Enterprise | T1543.003 | Windows Service Sub-technique | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent an application from writing a signed vulnerable driver to the system. [Malicious Driver Reporting Center] On Windows 10 and 11, enable Microsoft Vulnerable Driver Blocklist to assist in hardening against third party-developed service drivers. [Microsoft driver block rules] |
| Enterprise | T1055.002 | Portable Executable Injection Sub-technique | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| Enterprise | T1055.004 | Asynchronous Procedure Call Sub-technique | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| Enterprise | T1027.014 | Polymorphic Code Sub-technique | On Windows 10+, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated payloads. |
| Enterprise | T1137.006 | Add-ins Sub-technique | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. [win10_asr] |
| Enterprise | T1055.009 | Proc Memory Sub-technique | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| Enterprise | T1027.010 | Command Obfuscation Sub-technique | On Windows 10+, enable Attack Surface Reduction (ASR) rules to block execution of potentially obfuscated scripts. [Microsoft ASR Obfuscation] |
| Enterprise | T1055.012 | Process Hollowing Sub-technique | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| Enterprise | T1047 | Windows Management Instrumentation | On Windows 10, enable Attack Surface Reduction (ASR) rules to block processes created by WMI commands from running. Note: many legitimate tools and applications utilize WMI for command execution. [win10_asr] |
| Enterprise | T1059.007 | JavaScript Sub-technique | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent JavaScript scripts from executing potentially malicious downloaded content. [win10_asr] |
| Enterprise | T1204 | User Execution | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent executable files from running unless they meet a prevalence, age, or trusted list criteria and to prevent Office applications from creating potentially malicious executable content by blocking malicious code from being written to disk. Note: cloud-delivered protection must be enabled to use certain rules. [win10_asr] |
| Enterprise | T1543 | Create or Modify System Process | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent an application from writing a signed vulnerable driver to the system. [Malicious Driver Reporting Center] On Windows 10 and 11, enable Microsoft Vulnerable Driver Blocklist to assist in hardening against third party-developed drivers. [Microsoft driver block rules] |
| Enterprise | T1559.002 | Dynamic Data Exchange Sub-technique | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent DDE attacks and spawning of child processes from Office programs. [Microsoft ASR Nov 2017] [Enigma Reviving DDE Jan 2018] |
| Enterprise | T1574 | Hijack Execution Flow | Some endpoint security solutions can be configured to block some types of behaviors related to process injection/memory tampering based on common sequences of indicators (ex: execution of specific API functions). |
| Enterprise | T1569.002 | Service Execution Sub-technique | On Windows 10, enable Attack Surface Reduction (ASR) rules to block processes created by PsExec from running. [win10_asr] |
| Enterprise | T1055.014 | VDSO Hijacking Sub-technique | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| Enterprise | T1055.013 | Process Doppelgänging Sub-technique | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| Enterprise | T1216.001 | PubPrn Sub-technique | On Windows 10, update Windows Defender Application Control policies to include rules that block the older, vulnerable versions of PubPrn. [Microsoft_rec_block_rules] |
| Enterprise | T1036 | Masquerading | Implement security controls on the endpoint, such as a Host Intrusion Prevention System (HIPS), to identify and prevent execution of potentially malicious files (such as those with mismatching file signatures). |
| Enterprise | T1055.003 | Thread Execution Hijacking Sub-technique | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| Enterprise | T1137.004 | Outlook Home Page Sub-technique | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. [win10_asr] |
| Enterprise | T1137 | Office Application Startup | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. [win10_asr] |
| Enterprise | T1091 | Replication Through Removable Media | On Windows 10, enable Attack Surface Reduction (ASR) rules to block unsigned/untrusted executable files (such as .exe, .dll, or .scr) from running from USB removable drives. [win10_asr] |
| Enterprise | T1003 | OS Credential Dumping | On Windows 10, enable Attack Surface Reduction (ASR) rules to secure LSASS and prevent credential stealing. [win10_asr] |
| Enterprise | T1137.001 | Office Template Macros Sub-technique | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. [win10_asr] |
| Enterprise | T1137.002 | Office Test Sub-technique | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. [win10_asr] |
| Enterprise | T1574.013 | KernelCallbackTable Sub-technique | Some endpoint security solutions can be configured to block some types of behaviors related to process injection/memory tampering based on common sequences of indicators (ex: execution of specific API functions). |
| Enterprise | T1059.005 | Visual Basic Sub-technique | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Visual Basic scripts from executing potentially malicious downloaded content. [win10_asr] |
| Enterprise | T1055.011 | Extra Window Memory Injection Sub-technique | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| Enterprise | T1564.014 | Extended Attributes Sub-technique | During artifact review, packaging, or deployment stages, scan extended attributes alongside file contents to detect hidden payloads, obfuscated data, or suspicious attribute keys that may indicate malicious behavior. |
| Enterprise | T1027.012 | LNK Icon Smuggling Sub-technique | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated scripts or payloads. |
| Enterprise | T1486 | Data Encrypted for Impact | On Windows 10, enable cloud-delivered protection and Attack Surface Reduction (ASR) rules to block the execution of files that resemble ransomware. [win10_asr] In AWS environments, create an IAM policy to restrict or block the use of SSE-C on S3 buckets. [Halcyon AWS Ransomware 2025] |
| Enterprise | T1137.005 | Outlook Rules Sub-technique | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. [win10_asr] |
| Enterprise | T1204.002 | Malicious File Sub-technique | On Windows 10, various Attack Surface Reduction (ASR) rules can be enabled to prevent the execution of potentially malicious executable files (such as those that have been downloaded and executed by Office applications/scripting interpreters/email clients or that do not meet specific prevalence, age, or trusted list criteria). Note: cloud-delivered protection must be enabled for certain rules. [win10_asr] |
| Enterprise | T1055.008 | Ptrace System Calls Sub-technique | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| Enterprise | T1106 | Native API | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office VBA macros from calling Win32 APIs. [win10_asr] |
| Enterprise | T1055 | Process Injection | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. For example, on Windows 10, Attack Surface Reduction (ASR) rules may prevent Office applications from code injection. [win10_asr] |
| Enterprise | T1569 | System Services | On Windows 10, enable Attack Surface Reduction (ASR) rules to block processes created by PsExec from running. [win10_asr] |
| Enterprise | T1006 | Direct Volume Access | Some endpoint security solutions can be configured to block some types of behaviors related to efforts by an adversary to create backups, such as command execution or preventing API calls to backup related services. |
| Enterprise | T1559 | Inter-Process Communication | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent DDE attacks and spawning of child processes from Office programs. [Microsoft ASR Nov 2017] [Enigma Reviving DDE Jan 2018] |
| Enterprise | T1027 | Obfuscated Files or Information | On Windows 10+, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated payloads. [win10_asr] |
| Enterprise | T1027.009 | Embedded Payloads Sub-technique | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated scripts. [win10_asr] |
| Enterprise | T1137.003 | Outlook Forms Sub-technique | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. [win10_asr] |
| Enterprise | T1546.003 | Windows Management Instrumentation Event Subscription Sub-technique | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent malware from abusing WMI to attain persistence. [win10_asr] |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | On Windows 10, enable Attack Surface Reduction (ASR) rules to secure LSASS and prevent credential stealing. [win10_asr] |
| Enterprise | T1059 | Command and Scripting Interpreter | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Visual Basic and JavaScript scripts from executing potentially malicious downloaded content. [win10_asr] |
| Enterprise | T1055.005 | Thread Local Storage Sub-technique | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | On Windows 10+, enable Attack Surface Reduction (ASR) rules to block execution of potentially obfuscated scripts. [Obfuscated scripts] Security tools should be configured to analyze the encoding properties of files and detect anomalies that deviate from standard encoding practices. |
| Enterprise | T1055.001 | Dynamic-link Library Injection Sub-technique | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| Enterprise | T1055.015 | ListPlanting Sub-technique | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | d22d3c6d3233… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: M1040
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.