NIST 800-53 SI-3 Mappings

System entry and exit points include firewalls, remote access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code.

Malicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do not yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing the execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software as well as custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions.

In situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine that, in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, the detection of malicious downloads, or the detection of maliciousness when attempting to open or execute files.

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
SI-3 Malicious Code Protection Protects T1001 Data Obfuscation
SI-3 Malicious Code Protection Protects T1001.001 Junk Data
SI-3 Malicious Code Protection Protects T1001.002 Steganography
SI-3 Malicious Code Protection Protects T1001.003 Protocol Impersonation
SI-3 Malicious Code Protection Protects T1003 OS Credential Dumping
SI-3 Malicious Code Protection Protects T1003.001 LSASS Memory
SI-3 Malicious Code Protection Protects T1003.002 Security Account Manager
SI-3 Malicious Code Protection Protects T1003.003 NTDS
SI-3 Malicious Code Protection Protects T1003.004 LSA Secrets
SI-3 Malicious Code Protection Protects T1003.005 Cached Domain Credentials
SI-3 Malicious Code Protection Protects T1003.006 DCSync
SI-3 Malicious Code Protection Protects T1003.007 Proc Filesystem
SI-3 Malicious Code Protection Protects T1003.008 /etc/passwd and /etc/shadow
SI-3 Malicious Code Protection Protects T1005 Data from Local System
SI-3 Malicious Code Protection Protects T1008 Fallback Channels
SI-3 Malicious Code Protection Protects T1011.001 Exfiltration Over Bluetooth
SI-3 Malicious Code Protection Protects T1021.003 Distributed Component Object Model
SI-3 Malicious Code Protection Protects T1021.005 VNC
SI-3 Malicious Code Protection Protects T1025 Data from Removable Media
SI-3 Malicious Code Protection Protects T1027 Obfuscated Files or Information
SI-3 Malicious Code Protection Protects T1027.002 Software Packing
SI-3 Malicious Code Protection Protects T1029 Scheduled Transfer
SI-3 Malicious Code Protection Protects T1030 Data Transfer Size Limits
SI-3 Malicious Code Protection Protects T1036 Masquerading
SI-3 Malicious Code Protection Protects T1036.003 Rename System Utilities
SI-3 Malicious Code Protection Protects T1036.005 Match Legitimate Name or Location
SI-3 Malicious Code Protection Protects T1037 Boot or Logon Initialization Scripts
SI-3 Malicious Code Protection Protects T1037.002 Logon Script (Mac)
SI-3 Malicious Code Protection Protects T1037.003 Network Logon Script
SI-3 Malicious Code Protection Protects T1037.004 RC Scripts
SI-3 Malicious Code Protection Protects T1037.005 Startup Items
SI-3 Malicious Code Protection Protects T1041 Exfiltration Over C2 Channel
SI-3 Malicious Code Protection Protects T1046 Network Service Scanning
SI-3 Malicious Code Protection Protects T1047 Windows Management Instrumentation
SI-3 Malicious Code Protection Protects T1048 Exfiltration Over Alternative Protocol
SI-3 Malicious Code Protection Protects T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol
SI-3 Malicious Code Protection Protects T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
SI-3 Malicious Code Protection Protects T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
SI-3 Malicious Code Protection Protects T1052 Exfiltration Over Physical Medium
SI-3 Malicious Code Protection Protects T1052.001 Exfiltration over USB
SI-3 Malicious Code Protection Protects T1055 Process Injection
SI-3 Malicious Code Protection Protects T1055.001 Dynamic-link Library Injection
SI-3 Malicious Code Protection Protects T1055.002 Portable Executable Injection
SI-3 Malicious Code Protection Protects T1055.003 Thread Execution Hijacking
SI-3 Malicious Code Protection Protects T1055.004 Asynchronous Procedure Call
SI-3 Malicious Code Protection Protects T1055.005 Thread Local Storage
SI-3 Malicious Code Protection Protects T1055.008 Ptrace System Calls
SI-3 Malicious Code Protection Protects T1055.009 Proc Memory
SI-3 Malicious Code Protection Protects T1055.011 Extra Window Memory Injection
SI-3 Malicious Code Protection Protects T1055.012 Process Hollowing
SI-3 Malicious Code Protection Protects T1055.013 Process Doppelgänging
SI-3 Malicious Code Protection Protects T1055.014 VDSO Hijacking
SI-3 Malicious Code Protection Protects T1056.002 GUI Input Capture
SI-3 Malicious Code Protection Protects T1059 Command and Scripting Interpreter
SI-3 Malicious Code Protection Protects T1059.001 PowerShell
SI-3 Malicious Code Protection Protects T1059.002 AppleScript
SI-3 Malicious Code Protection Protects T1059.003 Windows Command Shell
SI-3 Malicious Code Protection Protects T1059.004 Unix Shell
SI-3 Malicious Code Protection Protects T1059.005 Visual Basic
SI-3 Malicious Code Protection Protects T1059.006 Python
SI-3 Malicious Code Protection Protects T1059.007 JavaScript
SI-3 Malicious Code Protection Protects T1059.008 Network Device CLI
SI-3 Malicious Code Protection Protects T1068 Exploitation for Privilege Escalation
SI-3 Malicious Code Protection Protects T1070 Indicator Removal on Host
SI-3 Malicious Code Protection Protects T1070.001 Clear Windows Event Logs
SI-3 Malicious Code Protection Protects T1070.002 Clear Linux or Mac System Logs
SI-3 Malicious Code Protection Protects T1070.003 Clear Command History
SI-3 Malicious Code Protection Protects T1071 Application Layer Protocol
SI-3 Malicious Code Protection Protects T1071.001 Web Protocols
SI-3 Malicious Code Protection Protects T1071.002 File Transfer Protocols
SI-3 Malicious Code Protection Protects T1071.003 Mail Protocols
SI-3 Malicious Code Protection Protects T1071.004 DNS
SI-3 Malicious Code Protection Protects T1072 Software Deployment Tools
SI-3 Malicious Code Protection Protects T1080 Taint Shared Content
SI-3 Malicious Code Protection Protects T1090 Proxy
SI-3 Malicious Code Protection Protects T1090.001 Internal Proxy
SI-3 Malicious Code Protection Protects T1090.002 External Proxy
SI-3 Malicious Code Protection Protects T1091 Replication Through Removable Media
SI-3 Malicious Code Protection Protects T1092 Communication Through Removable Media
SI-3 Malicious Code Protection Protects T1095 Non-Application Layer Protocol
SI-3 Malicious Code Protection Protects T1098.004 SSH Authorized Keys
SI-3 Malicious Code Protection Protects T1102 Web Service
SI-3 Malicious Code Protection Protects T1102.001 Dead Drop Resolver
SI-3 Malicious Code Protection Protects T1102.002 Bidirectional Communication
SI-3 Malicious Code Protection Protects T1102.003 One-Way Communication
SI-3 Malicious Code Protection Protects T1104 Multi-Stage Channels
SI-3 Malicious Code Protection Protects T1105 Ingress Tool Transfer
SI-3 Malicious Code Protection Protects T1106 Native API
SI-3 Malicious Code Protection Protects T1111 Two-Factor Authentication Interception
SI-3 Malicious Code Protection Protects T1132 Data Encoding
SI-3 Malicious Code Protection Protects T1132.001 Standard Encoding
SI-3 Malicious Code Protection Protects T1132.002 Non-Standard Encoding
SI-3 Malicious Code Protection Protects T1137 Office Application Startup
SI-3 Malicious Code Protection Protects T1137.001 Office Template Macros
SI-3 Malicious Code Protection Protects T1176 Browser Extensions
SI-3 Malicious Code Protection Protects T1185 Browser Session Hijacking
SI-3 Malicious Code Protection Protects T1189 Drive-by Compromise
SI-3 Malicious Code Protection Protects T1190 Exploit Public-Facing Application
SI-3 Malicious Code Protection Protects T1201 Password Policy Discovery
SI-3 Malicious Code Protection Protects T1203 Exploitation for Client Execution
SI-3 Malicious Code Protection Protects T1204 User Execution
SI-3 Malicious Code Protection Protects T1204.001 Malicious Link
SI-3 Malicious Code Protection Protects T1204.002 Malicious File
SI-3 Malicious Code Protection Protects T1204.003 Malicious Image
SI-3 Malicious Code Protection Protects T1210 Exploitation of Remote Services
SI-3 Malicious Code Protection Protects T1211 Exploitation for Defense Evasion
SI-3 Malicious Code Protection Protects T1212 Exploitation for Credential Access
SI-3 Malicious Code Protection Protects T1218 Signed Binary Proxy Execution
SI-3 Malicious Code Protection Protects T1218.001 Compiled HTML File
SI-3 Malicious Code Protection Protects T1218.002 Control Panel
SI-3 Malicious Code Protection Protects T1218.003 CMSTP
SI-3 Malicious Code Protection Protects T1218.004 InstallUtil
SI-3 Malicious Code Protection Protects T1218.005 Mshta
SI-3 Malicious Code Protection Protects T1218.008 Odbcconf
SI-3 Malicious Code Protection Protects T1218.009 Regsvcs/Regasm
SI-3 Malicious Code Protection Protects T1218.012 Verclsid
SI-3 Malicious Code Protection Protects T1218.013 Mavinject
SI-3 Malicious Code Protection Protects T1218.014 MMC
SI-3 Malicious Code Protection Protects T1219 Remote Access Software
SI-3 Malicious Code Protection Protects T1221 Template Injection
SI-3 Malicious Code Protection Protects T1485 Data Destruction
SI-3 Malicious Code Protection Protects T1486 Data Encrypted for Impact
SI-3 Malicious Code Protection Protects T1490 Inhibit System Recovery
SI-3 Malicious Code Protection Protects T1491 Defacement
SI-3 Malicious Code Protection Protects T1491.001 Internal Defacement
SI-3 Malicious Code Protection Protects T1491.002 External Defacement
SI-3 Malicious Code Protection Protects T1505.004 IIS Components
SI-3 Malicious Code Protection Protects T1525 Implant Internal Image
SI-3 Malicious Code Protection Protects T1539 Steal Web Session Cookie
SI-3 Malicious Code Protection Protects T1543 Create or Modify System Process
SI-3 Malicious Code Protection Protects T1543.002 Systemd Service
SI-3 Malicious Code Protection Protects T1546.002 Screensaver
SI-3 Malicious Code Protection Protects T1546.003 Windows Management Instrumentation Event Subscription
SI-3 Malicious Code Protection Protects T1546.004 Unix Shell Configuration Modification
SI-3 Malicious Code Protection Protects T1546.006 LC_LOAD_DYLIB Addition
SI-3 Malicious Code Protection Protects T1546.013 PowerShell Profile
SI-3 Malicious Code Protection Protects T1546.014 Emond
SI-3 Malicious Code Protection Protects T1547.002 Authentication Package
SI-3 Malicious Code Protection Protects T1547.005 Security Support Provider
SI-3 Malicious Code Protection Protects T1547.006 Kernel Modules and Extensions
SI-3 Malicious Code Protection Protects T1547.007 Re-opened Applications
SI-3 Malicious Code Protection Protects T1547.008 LSASS Driver
SI-3 Malicious Code Protection Protects T1547.013 XDG Autostart Entries
SI-3 Malicious Code Protection Protects T1548 Abuse Elevation Control Mechanism
SI-3 Malicious Code Protection Protects T1548.004 Elevated Execution with Prompt
SI-3 Malicious Code Protection Protects T1553.003 SIP and Trust Provider Hijacking
SI-3 Malicious Code Protection Protects T1557 Adversary-in-the-Middle
SI-3 Malicious Code Protection Protects T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay
SI-3 Malicious Code Protection Protects T1557.002 ARP Cache Poisoning
SI-3 Malicious Code Protection Protects T1558 Steal or Forge Kerberos Tickets
SI-3 Malicious Code Protection Protects T1558.002 Silver Ticket
SI-3 Malicious Code Protection Protects T1558.003 Kerberoasting
SI-3 Malicious Code Protection Protects T1558.004 AS-REP Roasting
SI-3 Malicious Code Protection Protects T1559 Inter-Process Communication
SI-3 Malicious Code Protection Protects T1559.001 Component Object Model
SI-3 Malicious Code Protection Protects T1559.002 Dynamic Data Exchange
SI-3 Malicious Code Protection Protects T1560 Archive Collected Data
SI-3 Malicious Code Protection Protects T1560.001 Archive via Utility
SI-3 Malicious Code Protection Protects T1561 Disk Wipe
SI-3 Malicious Code Protection Protects T1561.001 Disk Content Wipe
SI-3 Malicious Code Protection Protects T1561.002 Disk Structure Wipe
SI-3 Malicious Code Protection Protects T1562 Impair Defenses
SI-3 Malicious Code Protection Protects T1562.001 Disable or Modify Tools
SI-3 Malicious Code Protection Protects T1562.002 Disable Windows Event Logging
SI-3 Malicious Code Protection Protects T1562.004 Disable or Modify System Firewall
SI-3 Malicious Code Protection Protects T1562.006 Indicator Blocking
SI-3 Malicious Code Protection Protects T1564.004 NTFS File Attributes
SI-3 Malicious Code Protection Protects T1564.008 Email Hiding Rules
SI-3 Malicious Code Protection Protects T1564.009 Resource Forking
SI-3 Malicious Code Protection Protects T1566 Phishing
SI-3 Malicious Code Protection Protects T1566.001 Spearphishing Attachment
SI-3 Malicious Code Protection Protects T1566.002 Spearphishing Link
SI-3 Malicious Code Protection Protects T1566.003 Spearphishing via Service
SI-3 Malicious Code Protection Protects T1567 Exfiltration Over Web Service
SI-3 Malicious Code Protection Protects T1568 Dynamic Resolution
SI-3 Malicious Code Protection Protects T1568.002 Domain Generation Algorithms
SI-3 Malicious Code Protection Protects T1569 System Services
SI-3 Malicious Code Protection Protects T1569.002 Service Execution
SI-3 Malicious Code Protection Protects T1570 Lateral Tool Transfer
SI-3 Malicious Code Protection Protects T1571 Non-Standard Port
SI-3 Malicious Code Protection Protects T1572 Protocol Tunneling
SI-3 Malicious Code Protection Protects T1573 Encrypted Channel
SI-3 Malicious Code Protection Protects T1573.001 Symmetric Cryptography
SI-3 Malicious Code Protection Protects T1573.002 Asymmetric Cryptography
SI-3 Malicious Code Protection Protects T1574 Hijack Execution Flow
SI-3 Malicious Code Protection Protects T1574.001 DLL Search Order Hijacking
SI-3 Malicious Code Protection Protects T1574.004 Dylib Hijacking
SI-3 Malicious Code Protection Protects T1574.007 Path Interception by PATH Environment Variable
SI-3 Malicious Code Protection Protects T1574.008 Path Interception by Search Order Hijacking
SI-3 Malicious Code Protection Protects T1574.009 Path Interception by Unquoted Path
SI-3 Malicious Code Protection Protects T1598 Phishing for Information
SI-3 Malicious Code Protection Protects T1598.001 Spearphishing Service
SI-3 Malicious Code Protection Protects T1598.002 Spearphishing Attachment
SI-3 Malicious Code Protection Protects T1598.003 Spearphishing Link
SI-3 Malicious Code Protection Protects T1602 Data from Configuration Repository
SI-3 Malicious Code Protection Protects T1602.001 SNMP (MIB Dump)
SI-3 Malicious Code Protection Protects T1602.002 Network Device Configuration Dump
SI-3 Malicious Code Protection Protects T1611 Escape to Host