Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Hijack Execution Flow

Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution. There are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.

ID: T1574
Tactic(s): Defense Evasion, Persistence, Privilege Escalation
Platforms: Linux, macOS, Windows
Data Sources: Command: Command Execution, File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation, Service: Service Metadata, Windows Registry: Windows Registry Key Modification
Version: 1.2
Created: 12 Mar 2020
Last Modified: 21 Nov 2023

Procedure Examples

Name Description
DarkGate

DarkGate edits the Registry key HKCU\Software\Classes\mscfile\shell\open\command to execute a malicious AutoIt script.(Citation: Ensilo Darkgate 2018) When eventvwr.exe is executed, this will call the Microsoft Management Console (mmc.exe), which in turn references the modified Registry key.

Dtrack

One of Dtrack can replace the normal flow of a program execution with malicious code.(Citation: CyberBit Dtrack)

ShimRat

ShimRat can hijack the cryptbase.dll within migwiz.exe to escalate privileges and bypass UAC controls.(Citation: FOX-IT May 2016 Mofang)

Raspberry Robin

Raspberry Robin will drop a copy of itself to a subfolder in %Program Data% or %Program Data%\\Microsoft\\ to attempt privilege elevation and defense evasion if not running in Session 0.(Citation: TrendMicro RaspberryRobin 2022)

Pikabot Distribution February 2024 utilized a tampered legitimate executable, `grepWinNP3.exe`, for its first stage Pikabot loader, modifying the open-source tool to execute malicious code when launched.(Citation: Elastic Pikabot 2024)

Denis

Denis replaces the nonexistent Windows DLL "msfte.dll" with its own malicious version, which is loaded by the SearchIndexer.exe and SearchProtocolHost.exe.(Citation: Cybereason Cobalt Kitty 2017)

Nightdoor

Nightdoor uses a legitimate executable to load a malicious DLL file for installation.(Citation: Symantec Daggerfly 2024)

During C0017, APT41 established persistence by loading malicious libraries via modifications to the Import Address Table (IAT) within legitimate Microsoft binaries.(Citation: Mandiant APT41)

COATHANGER

COATHANGER will remove and write malicious shared objects associated with legitimate system functions such as `read(2)`.(Citation: NCSC-NL COATHANGER Feb 2024)

Saint Bot

Saint Bot will use the malicious file slideshow.mp4 if present to load the core API provided by ntdll.dll to avoid any hooks placed on calls to the original ntdll.dll file by endpoint detection and response or antimalware software.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

Mitigations

Mitigation Description
User Account Control

Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.

Behavior Prevention on Endpoint

Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.

Restrict Library Loading

Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.

Audit

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

Application Developer Guidance

This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.

User Account Management

Manage the creation, modification, use, and permissions associated to user accounts.

Update Software

Perform regular software updates to mitigate exploitation risk.

Execution Prevention

Block execution of code on a system through application control, and/or script blocking.

Restrict File and Directory Permissions

Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.

Restrict Registry Permissions

Restrict the ability to modify certain hives or keys in the Windows Registry.

Detection

Monitor file systems for moving, renaming, replacing, or modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious. Monitor DLLs loaded into a process and detect DLLs that have the same file name but abnormal paths. Modifications to or creation of .manifest and .local redirection files that do not correlate with software updates are suspicious. Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data. Monitor for changes to environment variables, as well as the commands to implement these changes. Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so, abnormal process call trees). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates. Service changes are reflected in the Registry. Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and does not correlate with software updates, then it may be due to malicious activity. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current service information. (Citation: Autoruns for Windows) Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data.

References

  1. Mark Russinovich. (2019, June 28). Autoruns for Windows v13.96. Retrieved March 13, 2020.
  2. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
  3. Stefan Kanthak. (2015, December 8). Executable installers are vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation of privilege. Retrieved December 4, 2014.
  4. Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021.
  5. Microsoft. (2018, May 31). Dynamic-Link Library Search Order. Retrieved November 30, 2014.
  6. Microsoft. (2010, August 12). More information about the DLL Preloading remote attack vector. Retrieved December 5, 2014.
  7. PowerSploit. (n.d.). Retrieved December 4, 2014.
  8. Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved July 25, 2016.
  9. Microsoft. (n.d.). CreateProcess function. Retrieved September 12, 2024.
  10. Kanthak, S.. (2016, July 20). Vulnerability and Exploit Detector. Retrieved February 3, 2017.
  11. Amanda Steward. (2014). FireEye DLL Side-Loading: A Thorn in the Side of the Anti-Virus Industry. Retrieved March 13, 2020.
  12. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  13. Christopher So. (2022, December 20). Raspberry Robin Malware Targets Telecom, Governments. Retrieved May 17, 2024.
  14. Daniel Stepanic & Salim Bitam. (2024, February 23). PIKABOT, I choose you!. Retrieved July 12, 2024.
  15. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  16. Threat Hunter Team. (2024, July 23). Daggerfly: Espionage Group Makes Major Update to Toolset. Retrieved July 25, 2024.
  17. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
  18. Dutch Military Intelligence and Security Service (MIVD) & Dutch General Intelligence and Security Service (AIVD). (2024, February 6). Ministry of Defense of the Netherlands uncovers COATHANGER, a stealthy Chinese FortiGate RAT. Retrieved February 7, 2024.
  19. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.