Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Technique Ignore Process Interrupts
CVE уязвимости
БДУ ФСТЭК уязвимости
НКЦКИ уязвимости
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
RU
Риски
Каталоги
MITRE ATT&CK
Техника
Ignore Process Interrupts
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Hide Artifacts:  Ignore Process Interrupts

ID Name
.001 Hidden Files and Directories
.002 Hidden Users
.003 Hidden Window
.004 NTFS File Attributes
.005 Hidden File System
.006 Run Virtual Instance
.007 VBA Stomping
.008 Email Hiding Rules
.009 Resource Forking
.010 Process Argument Spoofing
.011 Ignore Process Interrupts
.012 File/Path Exclusions

Adversaries may evade defensive mechanisms by executing commands that hide from process interrupt signals. Many operating systems use signals to deliver messages to control process behavior. Command interpreters often include specific commands/flags that ignore errors and other hangups, such as when the user of the active session logs off.(Citation: Linux Signal Man) These interrupt signals may also be used by defensive tools and/or analysts to pause or terminate specified running processes. Adversaries may invoke processes using `nohup`, PowerShell `-ErrorAction SilentlyContinue`, or similar commands that may be immune to hangups.(Citation: nohup Linux Man)(Citation: Microsoft PowerShell SilentlyContinue) This may enable malicious commands and malware to continue execution through system events that would otherwise terminate its execution, such as users logging off or the termination of its C2 network connection. Hiding from process interrupt signals may allow malware to continue execution, but unlike Trap this does not establish Persistence since the process will not be re-invoked once actually terminated.

ID: T1564.011
Sub-technique of:  T1564
Tactic(s): Defense Evasion
Platforms: Linux, macOS, Windows
Data Sources: Command: Command Execution, Process: Process Creation
Created: 24 Aug 2023
Last Modified: 06 Nov 2023

Procedure Examples
Name Description
GoldMax

The GoldMax Linux variant has been executed with the `nohup` command to ignore hangup signals and continue to run if the terminal session was terminated.(Citation: CrowdStrike StellarParticle January 2022)
OSX/Shlayer

OSX/Shlayer has used the `nohup` command to instruct executed payloads to ignore hangup signals.(Citation: Shlayer jamf gatekeeper bypass 2021)
BPFDoor

BPFDoor set's it's process to ignore the following signals; `SIGHUP`, `SIGINT`, `SIGQUIT`, `SIGPIPE`, `SIGCHLD`, `SIGTTIN`, and `SIGTTOU`.(Citation: Deep Instinct BPFDoor 2023)

References

  1. Microsoft. (2023, March 2). $DebugPreference. Retrieved August 30, 2023.
  2. Meyering, J. (n.d.). nohup(1). Retrieved August 30, 2023.
  3. Linux man-pages. (2023, April 3). signal(7). Retrieved August 30, 2023.
  4. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
  5. Jaron Bradley. (2021, April 26). Shlayer malware abusing Gatekeeper bypass on macOS. Retrieved September 22, 2021.
  6. Shaul Vilkomir-Preisman and Eliran Nissan. (2023, May 10). BPFDoor Malware Evolves – Stealthy Sniffing Backdoor Ups Its Game. Retrieved September 19, 2024.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.