Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

Process Injection: VDSO Hijacking

Other sub-techniques of Process Injection (12)

ID	Name
.001	Dynamic-link Library Injection
.002	Portable Executable Injection
.003	Thread Execution Hijacking
.004	Asynchronous Procedure Call
.005	Thread Local Storage
.008	Ptrace System Calls
.009	Proc Memory
.011	Extra Window Memory Injection
.012	Process Hollowing
.013	Process Doppelgänging
.014	VDSO Hijacking
.015	ListPlanting

Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process. VDSO hijacking involves redirecting calls to dynamically linked shared libraries. Memory protections may prevent writing executable code to a process via Ptrace System Calls. However, an adversary may hijack the syscall interface code stubs mapped into a process from the vdso shared object to execute syscalls to open and map a malicious shared object. This code can then be invoked by redirecting the execution flow of the process via patched memory address references stored in a process' global offset table (which store absolute addresses of mapped library functions).(Citation: ELF Injection May 2009)(Citation: Backtrace VDSO)(Citation: VDSO Aug 2005)(Citation: Syscall 2014) Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via VDSO hijacking may also evade detection from security products since the execution is masked under a legitimate process.

ID: T1055.014

Sub-technique of: T1055

Tactic(s): Defense Evasion, Privilege Escalation

Platforms: Linux

Data Sources: Module: Module Load, Process: OS API Execution

Version: 1.1

Created: 14 Jan 2020

Last Modified: 07 Jul 2022

Mitigation	Description
Mitigations
Behavior Prevention on Endpoint	Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.

Detection

Monitor for malicious usage of system calls, such as ptrace and mmap, that can be used to attach to, manipulate memory, then redirect a processes' execution path. Monitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.(Citation: ArtOfMemoryForensics)(Citation: GNU Acct)(Citation: RHEL auditd)(Citation: Chokepoint preload rootkits) Analyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior.

References

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.