Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

Modify Authentication Process: Network Device Authentication

Other sub-techniques of Modify Authentication Process (7)

ID	Name
.001	Domain Controller Authentication
.002	Password Filter DLL
.003	Pluggable Authentication Modules
.004	Network Device Authentication
.005	Reversible Encryption
.006	Multi-Factor Authentication
.007	Hybrid Identity

Adversaries may use Patch System Image to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices. Modify System Image may include implanted code to the operating system for network devices to provide access for adversaries using a specific password. The modification includes a specific password which is implanted in the operating system image via the patch. Upon authentication attempts, the inserted code will first check to see if the user input is the password. If so, access is granted. Otherwise, the implanted code will pass the credentials on for verification of potentially valid credentials.(Citation: Mandiant - Synful Knock)

ID: T1556.004

Sub-technique of: T1556

Tactic(s): Credential Access, Defense Evasion, Persistence

Platforms: Network

Permissions Required: Administrator

Data Sources: File: File Modification

Version: 2.0

Created: 19 Oct 2020

Last Modified: 14 Dec 2021

Name	Description
Procedure Examples
SYNful Knock	SYNful Knock has the capability to add its own custom backdoor password when it modifies the operating system of the affected network device.(Citation: Mandiant - Synful Knock)

Mitigation	Description
Mitigations
Privileged Account Management	Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.
Multi-factor Authentication	Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.

Detection

Consider verifying the checksum of the operating system file and verifying the image of the operating system in memory.(Citation: Cisco IOS Software Integrity Assurance - Image File Verification)(Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification) Detection of this behavior may be difficult, detection efforts may be focused on closely related adversary behaviors, such as Modify System Image.

References

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.