Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

Event Triggered Execution

Sub-techniques (17)

ID	Name
.001	Change Default File Association
.002	Screensaver
.003	Windows Management Instrumentation Event Subscription
.004	Unix Shell Configuration Modification
.005	Trap
.006	LC_LOAD_DYLIB Addition
.007	Netsh Helper DLL
.008	Accessibility Features
.009	AppCert DLLs
.010	AppInit DLLs
.011	Application Shimming
.012	Image File Execution Options Injection
.013	PowerShell Profile
.014	Emond
.015	Component Object Model Hijacking
.016	Installer Packages
.017	Udev Rules

Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.(Citation: Backdooring an AWS account)(Citation: Varonis Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001) Adversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.(Citation: FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia malware) Since the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges.

ID: T1546

Sub-techniques: .001 .002 .003 .004 .005 .006 .007 .008 .009 .010 .011 .012 .013 .014 .015 .016 .017

Tactic(s): Persistence, Privilege Escalation

Platforms: IaaS, Linux, macOS, Office Suite, SaaS, Windows

Data Sources: Cloud Service: Cloud Service Modification, Command: Command Execution, File: File Creation, File: File Metadata, File: File Modification, Module: Module Load, Process: Process Creation, Windows Registry: Windows Registry Key Modification, WMI: WMI Creation

Version: 1.4

Created: 22 Jan 2020

Last Modified: 15 Oct 2024

Name	Description
Procedure Examples
Pacu	Pacu can set up S3 bucket notifications to trigger a malicious Lambda function when a CloudFormation template is uploaded to the bucket. It can also create Lambda functions that trigger upon the creation of users, roles, and groups.(Citation: GitHub Pacu)
	KV Botnet Activity involves managing events on victim systems via `libevent` to execute a callback function when any running process contains the following references in their path without also having a reference to `bioset`: busybox, wget, curl, tftp, telnetd, or lua. If the `bioset` string is not found, the related process is terminated.(Citation: Lumen KVBotnet 2023)

Mitigation	Description
Mitigations
Privileged Account Management	Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.
Update Software	Perform regular software updates to mitigate exploitation risk.

Detection

Monitoring for additions or modifications of mechanisms that could be used to trigger event-based execution, especially the addition of abnormal commands such as execution of unknown programs, opening network sockets, or reaching out across the network. Also look for changes that do not line up with updates, patches, or other planned administrative activity. These mechanisms may vary by OS, but are typically stored in central repositories that store configuration information such as the Windows Registry, Common Information Model (CIM), and/or specific named files, the last of which can be hashed and compared to known good values. Monitor for processes, API/System calls, and other common ways of manipulating these event repositories. Tools such as Sysinternals Autoruns can be used to detect changes to execution triggers that could be attempts at persistence. Also look for abnormal process call trees for execution of other commands that could relate to Discovery actions or other techniques. Monitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Look for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as making network connections for Command and Control, learning details about the environment through Discovery, and conducting Lateral Movement.

References

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.