External malicious code identification differs from decoys in SC-26 in that the components actively probe networks, including the Internet, in search of malicious code contained on external websites. Like decoys, the use of external malicious code identification techniques requires some supporting isolation measures to ensure that any malicious code discovered during the search and subsequently executed does not infect organizational systems. Virtualization is a common technique for achieving such isolation.
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| SC-35 | External Malicious Code Identification | Protects | T1210 | Exploitation of Remote Services |
| SC-35 | External Malicious Code Identification | Protects | T1211 | Exploitation for Defense Evasion |
| SC-35 | External Malicious Code Identification | Protects | T1068 | Exploitation for Privilege Escalation |
| SC-35 | External Malicious Code Identification | Protects | T1212 | Exploitation for Credential Access |