SI-3: Malicious Code Protection

From NIST's SP800-53:

a. Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code; b. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures; c. Configure malicious code protection mechanisms to: 1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection; and d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.

Cyber Threat Graph Context

Explore how this control relates to the wider threat graph

SP800-53 Control Mapped to NIST Cyber Security Framework

Generated from NISTs SP800-53/CSF Crosswalk mappings.

Control ID	Description
DE.DP-3	Detection processes are tested
DE.CM-4	Malicious code is detected

MITRE ATT&CK Techniques

See which MITRE ATT&CK techniques this control helps to protect against.

ATT&CK ID	Title	Associated Tactics
T1102.002	Bidirectional Communication	Command and Control
T1602.001	SNMP (MIB Dump)	Collection
T1055.012	Process Hollowing	Defense Evasion, Privilege Escalation
T1557.003	DHCP Spoofing	Collection, Credential Access
T1003.002	Security Account Manager	Credential Access
T1176	Browser Extensions	Persistence
T1559	Inter-Process Communication	Execution
T1048.001	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Exfiltration
T1546.006	LC_LOAD_DYLIB Addition	Persistence, Privilege Escalation
T1539	Steal Web Session Cookie	Credential Access
T1055.002	Portable Executable Injection	Defense Evasion, Privilege Escalation
T1185	Browser Session Hijacking	Collection
T1218.014	MMC	Defense Evasion
T1106	Native API	Execution
T1566.002	Spearphishing Link	Initial Access
T1561	Disk Wipe	Impact
T1003.001	LSASS Memory	Credential Access
T1574.001	DLL Search Order Hijacking	Defense Evasion, Persistence, Privilege Escalation
T1008	Fallback Channels	Command and Control
T1562.004	Disable or Modify System Firewall	Defense Evasion
T1102.003	One-Way Communication	Command and Control
T1560.001	Archive via Utility	Collection
T1030	Data Transfer Size Limits	Exfiltration
T1559.002	Dynamic Data Exchange	Execution
T1547.007	Re-opened Applications	Persistence, Privilege Escalation
T1055.005	Thread Local Storage	Defense Evasion, Privilege Escalation
T1090.001	Internal Proxy	Command and Control
T1218.004	InstallUtil	Defense Evasion
T1055.013	Process Doppelgänging	Defense Evasion, Privilege Escalation
T1036.003	Rename System Utilities	Defense Evasion
T1574.007	Path Interception by PATH Environment Variable	Defense Evasion, Persistence, Privilege Escalation
T1072	Software Deployment Tools	Execution, Lateral Movement
T1059	Command and Scripting Interpreter	Execution
T1055.015	ListPlanting	Defense Evasion, Privilege Escalation
T1546.013	PowerShell Profile	Persistence, Privilege Escalation
T1572	Protocol Tunneling	Command and Control
T1055.003	Thread Execution Hijacking	Defense Evasion, Privilege Escalation
T1490	Inhibit System Recovery	Impact
T1561.002	Disk Structure Wipe	Impact
T1070	Indicator Removal	Defense Evasion
T1546.014	Emond	Persistence, Privilege Escalation
T1219	Remote Access Software	Command and Control
T1102	Web Service	Command and Control
T1037	Boot or Logon Initialization Scripts	Persistence, Privilege Escalation
T1137	Office Application Startup	Persistence
T1055	Process Injection	Defense Evasion, Privilege Escalation
T1132.002	Non-Standard Encoding	Command and Control
T1059.008	Network Device CLI	Execution
T1212	Exploitation for Credential Access	Credential Access
T1105	Ingress Tool Transfer	Command and Control
T1543.002	Systemd Service	Persistence, Privilege Escalation
T1570	Lateral Tool Transfer	Lateral Movement
T1543	Create or Modify System Process	Persistence, Privilege Escalation
T1560	Archive Collected Data	Collection
T1011.001	Exfiltration Over Bluetooth	Exfiltration
T1055.011	Extra Window Memory Injection	Defense Evasion, Privilege Escalation
T1574.004	Dylib Hijacking	Defense Evasion, Persistence, Privilege Escalation
T1070.002	Clear Linux or Mac System Logs	Defense Evasion
T1068	Exploitation for Privilege Escalation	Privilege Escalation
T1548.004	Elevated Execution with Prompt	Defense Evasion, Privilege Escalation
T1104	Multi-Stage Channels	Command and Control
T1574.008	Path Interception by Search Order Hijacking	Defense Evasion, Persistence, Privilege Escalation
T1562	Impair Defenses	Defense Evasion
T1047	Windows Management Instrumentation	Execution
T1036	Masquerading	Defense Evasion
T1055.004	Asynchronous Procedure Call	Defense Evasion, Privilege Escalation
T1189	Drive-by Compromise	Initial Access
T1070.009	Clear Persistence	Defense Evasion
T1070.001	Clear Windows Event Logs	Defense Evasion
T1037.003	Network Logon Script	Persistence, Privilege Escalation
T1557.001	LLMNR/NBT-NS Poisoning and SMB Relay	Collection, Credential Access
T1091	Replication Through Removable Media	Initial Access, Lateral Movement
T1090	Proxy	Command and Control
T1218.012	Verclsid	Defense Evasion
T1546.004	Unix Shell Configuration Modification	Persistence, Privilege Escalation
T1001.003	Protocol Impersonation	Command and Control
T1566.003	Spearphishing via Service	Initial Access
T1598	Phishing for Information	Reconnaissance
T1070.007	Clear Network Connection History and Configurations	Defense Evasion
T1548	Abuse Elevation Control Mechanism	Defense Evasion, Privilege Escalation
T1546.016	Installer Packages	Persistence, Privilege Escalation
T1568.002	Domain Generation Algorithms	Command and Control
T1559.001	Component Object Model	Execution
T1027.007	Dynamic API Resolution	Defense Evasion
T1132.001	Standard Encoding	Command and Control
T1218.009	Regsvcs/Regasm	Defense Evasion
T1036.005	Match Legitimate Name or Location	Defense Evasion
T1218.001	Compiled HTML File	Defense Evasion
T1564.004	NTFS File Attributes	Defense Evasion
T1021.003	Distributed Component Object Model	Lateral Movement
T1001.002	Steganography	Command and Control
T1003.003	NTDS	Credential Access
T1098.004	SSH Authorized Keys	Persistence, Privilege Escalation
T1491.002	External Defacement	Impact
T1218.003	CMSTP	Defense Evasion
T1204.002	Malicious File	Execution
T1059.001	PowerShell	Execution
T1218	System Binary Proxy Execution	Defense Evasion
T1190	Exploit Public-Facing Application	Initial Access
T1568	Dynamic Resolution	Command and Control
T1027.002	Software Packing	Defense Evasion
T1561.001	Disk Content Wipe	Impact
T1059.003	Windows Command Shell	Execution
T1211	Exploitation for Defense Evasion	Defense Evasion
T1566.001	Spearphishing Attachment	Initial Access
T1218.005	Mshta	Defense Evasion
T1562.006	Indicator Blocking	Defense Evasion
T1201	Password Policy Discovery	Discovery
T1001	Data Obfuscation	Command and Control
T1111	Multi-Factor Authentication Interception	Credential Access
T1090.002	External Proxy	Command and Control
T1558	Steal or Forge Kerberos Tickets	Credential Access
T1525	Implant Internal Image	Persistence
T1070.008	Clear Mailbox Data	Defense Evasion
T1622	Debugger Evasion	Defense Evasion, Discovery
T1070.003	Clear Command History	Defense Evasion
T1041	Exfiltration Over C2 Channel	Exfiltration
T1547.008	LSASS Driver	Persistence, Privilege Escalation
T1021.005	VNC	Lateral Movement
T1218.008	Odbcconf	Defense Evasion
T1005	Data from Local System	Collection
T1557.002	ARP Cache Poisoning	Collection, Credential Access
T1204.001	Malicious Link	Execution
T1574.013	KernelCallbackTable	Defense Evasion, Persistence, Privilege Escalation
T1210	Exploitation of Remote Services	Lateral Movement
T1027.009	Embedded Payloads	Defense Evasion
T1071.002	File Transfer Protocols	Command and Control
T1203	Exploitation for Client Execution	Execution
T1505.004	IIS Components	Persistence
T1218.002	Control Panel	Defense Evasion
T1221	Template Injection	Defense Evasion
T1569.002	Service Execution	Execution
T1546.002	Screensaver	Persistence, Privilege Escalation
T1048.003	Exfiltration Over Unencrypted Non-C2 Protocol	Exfiltration
T1574.009	Path Interception by Unquoted Path	Defense Evasion, Persistence, Privilege Escalation
T1003	OS Credential Dumping	Credential Access
T1071.003	Mail Protocols	Command and Control
T1569	System Services	Execution
T1574	Hijack Execution Flow	Defense Evasion, Persistence, Privilege Escalation
T1204.003	Malicious Image	Execution
T1003.008	/etc/passwd and /etc/shadow	Credential Access
T1573.001	Symmetric Cryptography	Command and Control
T1567	Exfiltration Over Web Service	Exfiltration
T1547.006	Kernel Modules and Extensions	Persistence, Privilege Escalation
T1055.009	Proc Memory	Defense Evasion, Privilege Escalation
T1003.007	Proc Filesystem	Credential Access
T1046	Network Service Discovery	Discovery
T1558.002	Silver Ticket	Credential Access
T1071	Application Layer Protocol	Command and Control
T1486	Data Encrypted for Impact	Impact
T1218.013	Mavinject	Defense Evasion
T1564.009	Resource Forking	Defense Evasion
T1573.002	Asymmetric Cryptography	Command and Control
T1055.014	VDSO Hijacking	Defense Evasion, Privilege Escalation
T1003.006	DCSync	Credential Access
T1553.003	SIP and Trust Provider Hijacking	Defense Evasion
T1055.008	Ptrace System Calls	Defense Evasion, Privilege Escalation
T1557	Adversary-in-the-Middle	Collection, Credential Access
T1071.001	Web Protocols	Command and Control
T1491	Defacement	Impact
T1071.004	DNS	Command and Control
T1037.004	RC Scripts	Persistence, Privilege Escalation
T1564.008	Email Hiding Rules	Defense Evasion
T1048	Exfiltration Over Alternative Protocol	Exfiltration
T1602.002	Network Device Configuration Dump	Collection
T1573	Encrypted Channel	Command and Control
T1003.005	Cached Domain Credentials	Credential Access
T1571	Non-Standard Port	Command and Control
T1598.001	Spearphishing Service	Reconnaissance
T1102.001	Dead Drop Resolver	Command and Control
T1037.002	Login Hook	Persistence, Privilege Escalation
T1562.002	Disable Windows Event Logging	Defense Evasion
T1059.004	Unix Shell	Execution
T1001.001	Junk Data	Command and Control
T1059.006	Python	Execution
T1137.001	Office Template Macros	Persistence
T1059.002	AppleScript	Execution
T1027.008	Stripped Payloads	Defense Evasion
T1029	Scheduled Transfer	Exfiltration
T1080	Taint Shared Content	Lateral Movement
T1598.002	Spearphishing Attachment	Reconnaissance
T1059.005	Visual Basic	Execution
T1092	Communication Through Removable Media	Command and Control
T1056.002	GUI Input Capture	Collection, Credential Access
T1491.001	Internal Defacement	Impact
T1566	Phishing	Initial Access
T1052.001	Exfiltration over USB	Exfiltration
T1547.002	Authentication Package	Persistence, Privilege Escalation
T1052	Exfiltration Over Physical Medium	Exfiltration
T1204	User Execution	Execution
T1048.002	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Exfiltration
T1095	Non-Application Layer Protocol	Command and Control
T1485	Data Destruction	Impact
T1558.004	AS-REP Roasting	Credential Access
T1059.007	JavaScript	Execution
T1562.001	Disable or Modify Tools	Defense Evasion
T1602	Data from Configuration Repository	Collection
T1025	Data from Removable Media	Collection
T1598.003	Spearphishing Link	Reconnaissance
T1611	Escape to Host	Privilege Escalation
T1027	Obfuscated Files or Information	Defense Evasion
T1055.001	Dynamic-link Library Injection	Defense Evasion, Privilege Escalation
T1558.003	Kerberoasting	Credential Access
T1037.005	Startup Items	Persistence, Privilege Escalation
T1003.004	LSA Secrets	Credential Access
T1132	Data Encoding	Command and Control
T1547.013	XDG Autostart Entries	Persistence, Privilege Escalation
T1546.003	Windows Management Instrumentation Event Subscription	Persistence, Privilege Escalation
T1547.005	Security Support Provider	Persistence, Privilege Escalation