Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

System Binary Proxy Execution

Sub-techniques (13)

ID	Name
.001	Compiled HTML File
.002	Control Panel
.003	CMSTP
.004	InstallUtil
.005	Mshta
.007	Msiexec
.008	Odbcconf
.009	Regsvcs/Regasm
.010	Regsvr32
.011	Rundll32
.012	Verclsid
.013	Mavinject
.014	MMC

Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.(Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands. Similarly, on Linux systems adversaries may abuse trusted binaries such as split to proxy execution of malicious commands.(Citation: split man page)(Citation: GTFO split)

ID: T1218

Sub-techniques: .001 .002 .003 .004 .005 .007 .008 .009 .010 .011 .012 .013 .014

Tactic(s): Defense Evasion

Platforms: Linux, macOS, Windows

Data Sources: Command: Command Execution, File: File Creation, Module: Module Load, Network Traffic: Network Connection Creation, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Modification

Version: 3.0

Created: 18 Apr 2018

Last Modified: 18 Apr 2022

Name	Description
Procedure Examples
Lazarus Group	Lazarus Group lnk files used for persistence have abused the Windows Update Client (`wuauclt.exe`) to execute a malicious DLL.(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)

Mitigation	Description
Mitigations
Exploit Protection	Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
Privileged Account Management	Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.
Execution Prevention	Block execution of code on a system through application control, and/or script blocking.
Disable or Remove Feature or Program	Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.

Detection

Monitor processes and command-line parameters for signed binaries that may be used to proxy execution of malicious files. Compare recent invocations of signed binaries that may be used to proxy execution with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Legitimate programs used in suspicious ways, like msiexec.exe downloading an MSI file from the Internet, may be indicative of an intrusion. Correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators. Monitor for file activity (creations, downloads, modifications, etc.), especially for file types that are not typical within an environment and may be indicative of adversary activity.

References

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.