Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Техника Стеганография
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Стеганография
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Data Obfuscation:  Стеганография

ID Название
.001 Мусорные данные
.002 Стеганография
.003 Имитация протокола

Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control.

ID: T1001.002
Относится к технике:  T1001
Тактика(-и): Command and Control
Платформы: Linux, macOS, Windows
Источники данных: Network Traffic: Network Traffic Content
Версия: 1.0
Дата создания: 15 Mar 2020
Последнее изменение: 15 Mar 2020

Примеры процедур
Название Описание
Axiom

Axiom has used steganography to hide its C2 communications.(Citation: Novetta-Axiom)
HAMMERTOSS

HAMMERTOSS is controlled via commands that are appended to image files.(Citation: FireEye APT29)
Sliver

Sliver can encode binary data into a .PNG file for C2 communication.(Citation: GitHub Sliver HTTP)
Zox

Zox has used the .PNG file format for C2 communications.(Citation: Novetta-Axiom)
LightNeuron

LightNeuron is controlled via commands that are embedded into PDFs and JPGs using steganographic methods.(Citation: ESET LightNeuron May 2019)
ZeroT

ZeroT has retrieved stage 2 payloads as Bitmap images that use Least Significant Bit (LSB) steganography.(Citation: Proofpoint TA459 April 2017)(Citation: Proofpoint ZeroT Feb 2017)
APT29

APT29 has used steganography to hide C2 communications in images.(Citation: ESET Dukes October 2019)
Daserf

Daserf can use steganography to hide malicious code downloaded to the victim.(Citation: Trend Micro Daserf Nov 2017)
RDAT

RDAT can process steganographic images attached to email messages to send and receive C2 commands. RDAT can also embed additional messages within BMP images to communicate with the RDAT operator.(Citation: Unit42 RDAT July 2020)

Duqu

When the Duqu command and control is operating over HTTP or HTTPS, Duqu uploads data to its controller by appending it to a blank JPG file.(Citation: Symantec W32.Duqu)
SUNBURST

SUNBURST C2 data attempted to appear as benign XML related to .NET assemblies or as a faux JSON blob.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: FireEye SUNBURST Additional Details Dec 2020)(Citation: Symantec Sunburst Sending Data January 2021)

Контрмеры
Контрмера Описание
Network Intrusion Prevention

Use intrusion detection signatures to block traffic at network boundaries.

Обнаружение

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)

Ссылки

  1. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
  2. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  3. FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015.
  4. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
  5. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  6. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
  7. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.
  8. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  9. BishopFox. (n.d.). Sliver HTTP(S) C2. Retrieved September 16, 2021.
  10. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
  11. Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018.
  12. Symantec Threat Hunter Team. (2021, January 22). SolarWinds: How Sunburst Sends Data Back to the Attackers. Retrieved January 22, 2021.
  13. Stephen Eckels, Jay Smith, William Ballenthin. (2020, December 24). SUNBURST Additional Technical Details. Retrieved January 6, 2021.
  14. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.