Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Technique Server Software Component
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
RU
Риски
Каталоги
MITRE ATT&CK
Техника
Server Software Component
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Server Software Component

ID Name
.001 SQL Stored Procedures
.002 Transport Agent
.003 Web Shell
.004 IIS Components
.005 Terminal Services DLL

Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.(Citation: volexity_0day_sophos_FW)

ID: T1505
Sub-techniques:  .001 .002 .003 .004 .005
Tactic(s): Persistence
Platforms: Linux, macOS, Network, Windows
Data Sources: Application Log: Application Log Content, File: File Creation, File: File Modification, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Version: 1.4
Created: 28 Jun 2019
Last Modified: 19 Oct 2022

Mitigations
Mitigation Description
Code Signing

Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.
Audit

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.
Restrict Registry Permissions

Restrict the ability to modify certain hives or keys in the Windows Registry.
Disable or Remove Feature or Program

Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
User Account Management

Manage the creation, modification, use, and permissions associated to user accounts.
Privileged Account Management

Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.

Detection

Consider monitoring application logs for abnormal behavior that may indicate suspicious installation of application software components. Consider monitoring file locations associated with the installation of new application software components such as paths from which applications typically load such extensible components. Process monitoring may be used to detect servers components that perform suspicious actions such as running cmd.exe or accessing files. Log authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. (Citation: US-CERT Alert TA15-314A Web Shells)

References

  1. US-CERT. (2015, November 13). Compromised Web Servers and Web Shells - Threat Awareness and Guidance. Retrieved June 8, 2016.
  2. Adair, S., Lancaster, T., Volexity Threat Research. (2022, June 15). DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach. Retrieved July 1, 2022.
  3. NSA and ASD. (2020, April 3). Detect and Prevent Web Shell Malware. Retrieved July 23, 2021.
  4. Kondratiev, A. (n.d.). Disabling dangerous PHP functions. Retrieved July 26, 2021.
  5. Microsoft. (2018, February 17). Windows System Services Fundamentals. Retrieved March 28, 2022.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.