Каталоги
- Сертификаты СЗИ - Государственный реестр сертифицированных средств защиты информации опубликованный Федеральной службой по техническому и экспортному контролю, может быть использован для контроля актуальности используемых СЗИ в организации.
- CVE уязвимости - общедоступная публичная база уязвимостей Common Vulnerabilities and Exposures (CVE). Миссия программы CVE заключается в выявлении, определении и каталогизации публично раскрываемых уязвимостей в сфере кибербезопасности. Для каждой уязвимости в каталоге существует одна запись CVE. Уязвимости обнаруживаются, затем присваиваются и публикуются организациями по всему миру, которые сотрудничают с программой CVE. Партнеры публикуют записи CVE для единообразного описания уязвимостей. Специалисты в области информационных технологий и кибербезопасности используют записи CVE, чтобы убедиться, что они обсуждают одну и ту же проблему, и координировать свои усилия по определению приоритетности и устранению уязвимостей.
- БДУ ФСТЭК уязвимости - раздел Уязвимости Банка данных уязвимостей опубликованная Федеральной службой по техническому и экспортному контролю совместно с Государственным научно-исследовательским испытательным институтом проблем технической защиты информации. Одной из целей создания банка данных угроз безопасности информации является объединение специалистов в области информационной безопасности для решения задач повышения защищенности информационных систем.
- НКЦКИ уязвимости - общедоступная публичная база уязвимостей Национального координационного центра по компьютерным инцидентам (НКЦКИ), обеспечивающего координацию деятельности субъектов КИИ по обнаружению, предупреждению, ликвидации последствий компьютерных атак и реагированию на компьютерные инциденты.
- MITRE ATT&CK – Adversarial Tactics, Techniques & Common Knowledge – Тактики, техники и общеизвестные знания о злоумышленниках. Это основанная на реальных наблюдениях база знаний компании Mitre, содержащая описание тактик, приемов и методов, используемых киберпреступниками. База создана в 2013 году и регулярно обновляется, цель – составление структурированной матрицы используемых киберпреступниками приемов, чтобы упростить задачу реагирования на киберинциденты.
- БДУ ФСТЭК и Новая БДУ ФСТЭК – раздел Угрозы Банка данных угроз, опубликованный в 2015 году Федеральной службой по техническому и экспортному контролю и Государственным научно-исследовательским испытательным институтом проблем технической защиты информации, обязателен при моделировании угроз при построении систем защиты персональных данных, критической информационной инфраструктуры, государственных информационных систем.
CVE, БДУ ФСТЭК и НКЦКИ
Интерфейс каталогов идентичен и содержит следующие блоки:
- Метрики:
- Найденные уязвимости – отображает количество найденных в отчетах от сканеров уязвимостей которые связаны с уязвимостями из каталога, при нажатии на виджет перенаправляет в модуль Технические уязвимости с установленным фильтром по названию каталога (тип фильтра Группа уязвимостей);
- Уязвимые хосты – отображает количество хостов на которых обнаружены уязвимости связанные с уязвимостями из каталога, при нажатии на виджет перенаправляет в модуль Технические уязвимости с установленным фильтром по названию каталога (тип фильтра Группа уязвимостей).
- Табличную часть Каталог уязвимостей:
- Фильтр по полю Идентификатор - особенностью данного фильтра является автоматический разбор текста с последующим извлечением из текста идентификаторов. Для этого необходимо вставить произвольный текст с идентификаторами в поле и добавить в фильтр через кнопку плюс;
- Табличную часть с полями для каталогов CVE и БДУ ФСТЭК:
- Идентификатор - id уязвимости в базе уязвимостей;
- Описание - текстовое описание уязвимости;
- Обнаружено - флаг, данный статус отображается если уязвимость обнаружена в отчетах о сканировании;
- CVSS - числовая оценка уязвимости согласно источнику, с указанием даты выявления уязвимости экспертами, оценка отображается цветом согласно оценке CVSS 0.1 – 3.9 Low Зеленый,
4.0 – 6.9 Medium Желтый, 7.0 – 8.9 High Оранжевый, 9.0 – 10.0 Critical Красный.
- Табличную часть с полями для каталогов CVE :
- Дата бюллетеня - информация о дате публикации бюллетеня содержащего уязвимости;
- Идентификатор - id уязвимости в базе уязвимостей;
- Информация - текстовое описание уязвимости;
- Вектор атаки - локальный или сетевой вектор атаки;
- Обнаружено - флаг, данный статус отображается если уязвимость обнаружена в отчетах о сканировании;
- Наличие обновления - - флаг, данный статус отображается если база уязвимостей содержит информацию о наличии обновлений от производителя уязвимого ПО;
- Дата выявления - даты выявления уязвимости экспертами.
- Чекбокс «Только обнаруженные уязвимости» - устанавливает фильтр на табличную часть для отображения только обнаруженные уязвимости.
- Функционал для экспорта всех уязвимостей каталога.
- Для каталога добавляется функционал Варианты отображения:
- Бюллетени - изменяет отображение табличной части на реестр бюллетеней, отображает общее количество уязвимостей в бюллетени в поле Уязвимостей в бюллетени и статус по обнаружению в поле Обнаружено - данный статус отображается если хотя бы одна уязвимость из бюллетеня обнаружена в инфраструктуре.
- Уязвимости.
MITRE ATT&CK, БДУ ФСТЭК, Новая БДУ ФСТЭК
Каждый из указанных каталогов сформирован по собственной схеме данных, которая не соответствует подходу оценки риска, используемому в сервисе. Но в основе своей указанные базы описывают все те же риски информационной безопасности, каждый под своим углом. Поэтому они добавлены в сервис и как отдельные компоненты и как основа для создания рисков, угроз или уязвимостей.
Каталоги могут использоваться в сервисе с целью:
- Облегчения процесса формирования рисков, угроз и уязвимостей;
- Обогащения информации по рискам (угрозам, уязвимостям) созданным в сервисе.
- Взгляда на компанию и оценку рисков через публичные каталоги угроз.
- Уязвимости могут быть связаны с угрозами БДУ ФСТЭК, техниками ATT&CK и способами реализации Новой БДУ ФСТЭК.
- Угрозы могут быть связаны с угрозами БДУ ФСТЭК, техниками ATT&CK, угрозами и последствиями Новой БДУ ФСТЭК.
- Риски могут быть связаны с угрозами БДУ ФСТЭК, техниками ATT&CK, угрозами, способами реализации и последствиями Новой БДУ ФСТЭК.
Для рисков, угроз и уязвимостей из базы Community связи с каталогами угроз уже установлены.
Связь с каталогом угроз может быть прямой или косвенной. Например, если уязвимость связана с угрозой из БДУ ФСТЭК то и все риски, в составе которых есть данная уязвимость будут автоматически связаны с угрозой из БДУ ФСТЭК.
Каталог БДУ ФСТЭК - это реестр рисков от банка данных угроз безопасности информации ФСТЭК России.
Каждая угроза содержит описание, рекомендации к каким типам активов может быть применена эта угроза, классификация по свойствам информации и вероятные источники угрозы. Дополнительно в блоке Связанные риски указаны связанные риски, а в блоке Каталоги указываются связи с записями из других каталогов.
Каталог Новая БДУ ФСТЭК от банка данных угроз безопасности информации ФСТЭК России содержит:
- матрицу Способы реализации (возникновения угроз) - каждая ячейка которых содержит описание поверхности атаки: группу способов, уровень возможностей нарушителя, возможные реализуемые угрозы, компоненты объектов воздействия, возможные меры защиты;
- Негативные последствия - перечень негативных последствий в классификации ФСТЭК в виде кода и описания;
- Угрозы - реестр угроз с описанием, каждая угроза содержит возможные объекты воздействия и возможные способы реализации угроз;
- Объекты - перечень объектов последствий с описанием и компонентами которые могут входить в состав объекта;
- Компоненты - перечень компонентов объектов воздействия с указанием объектов воздействия на которых они могут располагаться;
- Нарушители - уровни возможностей нарушителей классифицированные по возможностям и компетенции;
- Меры защиты - в терминологии SECURITM это список требований выполнение которых сокращает возможности нарушителя.
- Матрица - содержит тактики и техники злоумышленника, позволяет на основании тактики или техники создать риск или уязвимость, в матрице указаны связи с рисками в базе Community и с рисками в базе команды;
- Тактики - направления действия нарушителя на том или ином этапе cyberkillchane;
- Техники - конкретные действия нарушителя для достижения цели на конкретном шаге cyberkillchane;
- Контрмеры - в терминологии SECURITM это список требований выполнение которых сокращает возможности нарушителя;
- Преступные группы - описание APT группировок и их особенности и модель поведения;
- Инструменты - ПО используемое нарушителями для вредоносного воздействия.
Сертификаты СЗИ
- Имеющиеся СЗИ - отображает количество активов у которых заполнено поле Номер сертификата СЗИ;
- Скоро будут просрочены - отображает количество активов у которых срок действия сертификата меньше 90 календарных дней;
- Просроченные сертификаты - отображает количество активов у которых срок действия сертификата уже истек;
- Истекшая поддержка - отображает количество активов у которых срок действия сертификата уже истек.
- Номер сертификата;
- Дата внесения в реестр;
- Срок действия сертификата;
- Срок окончания тех. поддержки;
- Наименование средства (шифр);
- Схема сертификации;
- Испытательная лаборатория;
- Орган по сертификации;
- Заявитель;
- Наименования документов соответствия;
- Реквизиты заявителя.
Внедрение кода в процессы
Sub-techniques (12)
Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. There are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific. More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.
Примеры процедур |
|
| Название | Описание |
|---|---|
| TrickBot |
TrickBot has used |
| Ninja |
Ninja has the ability to inject an agent module into a new process and arbitrary shellcode into running processes.(Citation: Kaspersky ToddyCat June 2022)(Citation: Kaspersky ToddyCat Check Logs October 2023) |
| Wiarp |
Wiarp creates a backdoor through which remote attackers can inject files into running processes.(Citation: Symantec Wiarp May 2012) |
| Bumblebee |
Bumblebee can inject code into multiple processes on infected endpoints.(Citation: Cybereason Bumblebee August 2022) |
| Backdoor.Oldrea |
Backdoor.Oldrea injects itself into explorer.exe.(Citation: Symantec Dragonfly)(Citation: Gigamon Berserk Bear October 2021) |
| COATHANGER |
COATHANGER includes a binary labeled `authd` that can inject a library into a running process and then hook an existing function within that process with a new function from that library.(Citation: NCSC-NL COATHANGER Feb 2024) |
| Smoke Loader |
Smoke Loader injects into the Internet Explorer process.(Citation: Talos Smoke Loader July 2018) |
| Sliver |
Sliver includes multiple methods to perform process injection to migrate the framework into other, potentially privileged processes on the victim machine.(Citation: Microsoft Sliver 2022)(Citation: Cybereason Sliver Undated)(Citation: Bishop Fox Sliver Framework August 2019)(Citation: GitHub Sliver C2) |
| SILENTTRINITY |
SILENTTRINITY can inject shellcode directly into Excel.exe or a specific process.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| AuditCred |
AuditCred can inject code from files to other running processes.(Citation: TrendMicro Lazarus Nov 2018) |
| NETWIRE |
NETWIRE can inject code into system processes including notepad.exe, svchost.exe, and vbc.exe.(Citation: Red Canary NETWIRE January 2020) |
| DUSTTRAP |
DUSTTRAP compromises the `.text` section of a legitimate system DLL in `%windir%` to hold the contents of retrieved plug-ins.(Citation: Google Cloud APT41 2024) |
| Empire |
Empire contains multiple modules for injecting into processes, such as |
| BADHATCH |
BADHATCH can inject itself into an existing explorer.exe process by using `RtlCreateUserThread`.(Citation: Gigamon BADHATCH Jul 2019)(Citation: BitDefender BADHATCH Mar 2021) |
| Avenger |
Avenger has the ability to inject shellcode into svchost.exe.(Citation: Trend Micro Tick November 2019) |
| PcShare |
The PcShare payload has been injected into the `logagent.exe` and `rdpclip.exe` processes.(Citation: Bitdefender FunnyDream Campaign November 2020) |
| Woody RAT |
Woody RAT can inject code into a targeted process by writing to the remote memory of an infected system and then create a remote thread.(Citation: MalwareBytes WoodyRAT Aug 2022) |
| BlackByte 2.0 Ransomware |
BlackByte 2.0 Ransomware injects into a newly-created `svchost.exe` process prior to device encryption.(Citation: Microsoft BlackByte 2023) |
| HOPLIGHT |
HOPLIGHT has injected into running processes.(Citation: US-CERT HOPLIGHT Apr 2019) |
| GuLoader |
GuLoader has the ability to inject shellcode into a donor processes that is started in a suspended state. GuLoader has previously used RegAsm as a donor process.(Citation: Medium Eli Salem GuLoader April 2021) |
| InvisiMole |
InvisiMole can inject itself into another process to avoid detection including use of a technique called ListPlanting that customizes the sorting algorithm in a ListView structure.(Citation: ESET InvisiMole June 2020) |
| PoshC2 |
PoshC2 contains multiple modules for injecting into processes, such as |
| Mispadu |
Mispadu's binary is injected into memory via `WriteProcessMemory`.(Citation: Segurança Informática URSA Sophisticated Loader 2020)(Citation: SCILabs Malteiro 2021) |
| NavRAT |
NavRAT copies itself into a running Internet Explorer process to evade detection.(Citation: Talos NavRAT May 2018) |
| CostaBricks |
CostaBricks can inject a payload into the memory of a compromised host.(Citation: BlackBerry CostaRicto November 2020) |
| HyperBro |
HyperBro can run shellcode it injects into a newly created process.(Citation: Unit42 Emissary Panda May 2019) |
| ROKRAT |
ROKRAT can use `VirtualAlloc`, `WriteProcessMemory`, and then `CreateRemoteThread` to execute shellcode within the address space of `Notepad.exe`.(Citation: Malwarebytes RokRAT VBA January 2021) |
| Dyre |
Dyre has the ability to directly inject its code into the web browser process.(Citation: Malwarebytes Dyreza November 2015) |
| Clambling |
Clambling can inject into the `svchost.exe` process for execution.(Citation: Trend Micro DRBControl February 2020) |
| Agent Tesla |
Agent Tesla can inject into known, vulnerable binaries on targeted hosts.(Citation: SentinelLabs Agent Tesla Aug 2020) |
| Gazer |
Gazer injects its communication module into an Internet accessible process through which it performs C2.(Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017) |
| TSCookie |
TSCookie has the ability to inject code into the svchost.exe, iexplorer.exe, explorer.exe, and default browser processes.(Citation: JPCert BlackTech Malware September 2019) |
| Remcos |
Remcos has a command to hide itself through injecting into another process.(Citation: Fortinet Remcos Feb 2017) |
| gh0st RAT |
gh0st RAT can inject malicious code into process created by the “Command_Create&Inject” function.(Citation: Gh0stRAT ATT March 2019) |
| JHUHUGIT |
JHUHUGIT performs code injection injecting its own functions to browser processes.(Citation: F-Secure Sofacy 2015)(Citation: Unit 42 Sofacy Feb 2018) |
| StoneDrill |
StoneDrill has relied on injecting its payload directly into the process memory of the victim's preferred browser.(Citation: Kaspersky StoneDrill 2017) |
| Attor |
Attor's dispatcher can inject itself into running processes to gain higher privileges and to evade detection.(Citation: ESET Attor Oct 2019) |
| Bazar |
Bazar can inject code through calling |
| Ryuk |
Ryuk has injected itself into remote processes to encrypt files using a combination of |
| ABK |
ABK has the ability to inject shellcode into svchost.exe.(Citation: Trend Micro Tick November 2019) |
| Pandora |
Pandora can start and inject code into a new `svchost` process.(Citation: Trend Micro Iron Tiger April 2021) |
| Cobalt Strike |
Cobalt Strike can inject a variety of payloads into processes dynamically chosen by the adversary.(Citation: cobaltstrike manual) |
| Cobalt Strike |
Cobalt Strike can inject a variety of payloads into processes dynamically chosen by the adversary.(Citation: cobaltstrike manual)(Citation: Cobalt Strike Manual 4.3 November 2020)(Citation: DFIR Conti Bazar Nov 2021) |
| Donut |
Donut includes a subproject |
| Wingbird |
Wingbird performs multiple process injections to hijack system processes and execute malicious code.(Citation: Microsoft SIR Vol 21) |
| REvil |
REvil can inject itself into running processes on a compromised host.(Citation: McAfee REvil October 2019) |
| IronNetInjector |
IronNetInjector can use an IronPython scripts to load a .NET injector to inject a payload into its own or a remote process.(Citation: Unit 42 IronNetInjector February 2021 ) |
| Cardinal RAT |
Cardinal RAT injects into a newly spawned process created from a native Windows executable.(Citation: PaloAlto CardinalRat Apr 2017) |
| Egregor |
Egregor can inject its payload into iexplore.exe process.(Citation: Cyble Egregor Oct 2020) |
| HTRAN |
HTRAN can inject into into running processes.(Citation: NCSC Joint Report Public Tools) |
| ANDROMEDA |
ANDROMEDA can inject into the `wuauclt.exe` process to perform C2 actions.(Citation: Mandiant Suspected Turla Campaign February 2023) |
| JPIN |
JPIN can inject content into lsass.exe to load a module.(Citation: Microsoft PLATINUM April 2016) |
| metaMain |
metaMain can inject the loader file, Speech02.db, into a process.(Citation: SentinelLabs Metador Sept 2022) |
| Mis-Type |
Mis-Type has been injected directly into a running process, including `explorer.exe`.(Citation: Cylance Dust Storm) |
| ShadowPad |
ShadowPad has injected an install module into a newly created process.(Citation: Kaspersky ShadowPad Aug 2017) |
| QakBot |
QakBot can inject itself into processes including explore.exe, Iexplore.exe, Mobsync.exe., and wermgr.exe.(Citation: Trend Micro Qakbot May 2020)(Citation: Kroll Qakbot June 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: Kaspersky QakBot September 2021)(Citation: Trend Micro Black Basta October 2022) |
| BBK |
BBK has the ability to inject shellcode into svchost.exe.(Citation: Trend Micro Tick November 2019) |
| Waterbear |
Waterbear can inject decrypted shellcode into the LanmanServer service.(Citation: Trend Micro Waterbear December 2019) |
| Lizar |
Lizar can migrate the loader into another process.(Citation: BiZone Lizar May 2021) |
| WarzoneRAT |
WarzoneRAT has the ability to inject malicious DLLs into a specific process for privilege escalation.(Citation: Check Point Warzone Feb 2020) |
| SLOTHFULMEDIA |
SLOTHFULMEDIA can inject into running processes on a compromised host.(Citation: CISA MAR SLOTHFULMEDIA October 2020) |
| Turla |
Turla has also used PowerSploit's |
| Operation Wocao |
Operation Wocao has injected code into a selected process, which in turn launches a command as a child process of the original.(Citation: FoxIT Wocao December 2019) |
| TA2541 |
TA2541 has injected malicious code into legitimate .NET related processes including regsvcs.exe, msbuild.exe, and installutil.exe.(Citation: Proofpoint TA2541 February 2022)(Citation: Cisco Operation Layover September 2021) |
| APT38 |
APT38 has injected malicious payloads into the `explorer.exe` process.(Citation: 1 - appv) |
| Honeybee |
Honeybee uses a batch file to load a DLL into the svchost.exe process.(Citation: McAfee Honeybee) |
| BlackByte |
BlackByte has injected Cobalt Strike into `wuauclt.exe` during intrusions.(Citation: Picus BlackByte 2022) BlackByte has injected ransomware into `svchost.exe` before encryption.(Citation: Symantec BlackByte 2022) |
| Silence |
Silence has injected a DLL library containing a Trojan into the fwmain32.exe process.(Citation: Group IB Silence Sept 2018) |
| Wizard Spider |
Wizard Spider has used process injection to execute payloads to escalate privileges.(Citation: Mandiant FIN12 Oct 2021) |
| APT32 |
APT32 malware has injected a Cobalt Strike beacon into Rundll32.exe.(Citation: Cybereason Cobalt Kitty 2017) |
| APT37 |
APT37 injects its malware variant, ROKRAT, into the cmd.exe process.(Citation: Talos Group123) |
| Kimsuky |
Kimsuky has used Win7Elevate to inject malicious code into explorer.exe.(Citation: Securelist Kimsuky Sept 2013) |
| Sharpshooter |
Sharpshooter has leveraged embedded shellcode to inject a downloader into the memory of Word.(Citation: McAfee Sharpshooter December 2018) |
| Velvet Ant |
Velvet Ant initial execution included launching multiple `svchost` processes and injecting code into them.(Citation: Sygnia VelvetAnt 2024A) |
| APT5 |
APT5 has used the CLEANPULSE utility to insert command line strings into a targeted process to alter its functionality.(Citation: Mandiant Pulse Secure Update May 2021) |
| Cobalt Group |
Cobalt Group has injected code into trusted processes.(Citation: Group IB Cobalt Aug 2017) |
| APT41 |
APT41 malware TIDYELF loaded the main WINTERLOVE component by injecting it into the iexplore.exe process.(Citation: FireEye APT41 Aug 2019) |
| PLATINUM |
PLATINUM has used various methods of process injection including hot patching.(Citation: Microsoft PLATINUM April 2016) |
Контрмеры |
|
| Контрмера | Описание |
|---|---|
| Privileged Account Management |
Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.This mitigation can be implemented through the following measures: Account Permissions and Roles: - Implement RBAC and least privilege principles to allocate permissions securely. - Use tools like Active Directory Group Policies to enforce access restrictions. Credential Security: - Deploy password vaulting tools like CyberArk, HashiCorp Vault, or KeePass for secure storage and rotation of credentials. - Enforce password policies for complexity, uniqueness, and expiration using tools like Microsoft Group Policy Objects (GPO). Multi-Factor Authentication (MFA): - Enforce MFA for all privileged accounts using Duo Security, Okta, or Microsoft Azure AD MFA. Privileged Access Management (PAM): - Use PAM solutions like CyberArk, BeyondTrust, or Thycotic to manage, monitor, and audit privileged access. Auditing and Monitoring: - Integrate activity monitoring into your SIEM (e.g., Splunk or QRadar) to detect and alert on anomalous privileged account usage. Just-In-Time Access: - Deploy JIT solutions like Azure Privileged Identity Management (PIM) or configure ephemeral roles in AWS and GCP to grant time-limited elevated permissions. *Tools for Implementation* Privileged Access Management (PAM): - CyberArk, BeyondTrust, Thycotic, HashiCorp Vault. Credential Management: - Microsoft LAPS (Local Admin Password Solution), Password Safe, HashiCorp Vault, KeePass. Multi-Factor Authentication: - Duo Security, Okta, Microsoft Azure MFA, Google Authenticator. Linux Privilege Management: - sudo configuration, SELinux, AppArmor. Just-In-Time Access: - Azure Privileged Identity Management (PIM), AWS IAM Roles with session constraints, GCP Identity-Aware Proxy. |
| Behavior Prevention on Endpoint |
Behavior Prevention on Endpoint refers to the use of technologies and strategies to detect and block potentially malicious activities by analyzing the behavior of processes, files, API calls, and other endpoint events. Rather than relying solely on known signatures, this approach leverages heuristics, machine learning, and real-time monitoring to identify anomalous patterns indicative of an attack. This mitigation can be implemented through the following measures: Suspicious Process Behavior: - Implementation: Use Endpoint Detection and Response (EDR) tools to monitor and block processes exhibiting unusual behavior, such as privilege escalation attempts. - Use Case: An attacker uses a known vulnerability to spawn a privileged process from a user-level application. The endpoint tool detects the abnormal parent-child process relationship and blocks the action. Unauthorized File Access: - Implementation: Leverage Data Loss Prevention (DLP) or endpoint tools to block processes attempting to access sensitive files without proper authorization. - Use Case: A process tries to read or modify a sensitive file located in a restricted directory, such as /etc/shadow on Linux or the SAM registry hive on Windows. The endpoint tool identifies this anomalous behavior and prevents it. Abnormal API Calls: - Implementation: Implement runtime analysis tools to monitor API calls and block those associated with malicious activities. - Use Case: A process dynamically injects itself into another process to hijack its execution. The endpoint detects the abnormal use of APIs like `OpenProcess` and `WriteProcessMemory` and terminates the offending process. Exploit Prevention: - Implementation: Use behavioral exploit prevention tools to detect and block exploits attempting to gain unauthorized access. - Use Case: A buffer overflow exploit is launched against a vulnerable application. The endpoint detects the anomalous memory write operation and halts the process. |
Обнаружение
Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC/NtQueueApcThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)
Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.
Monitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.(Citation: ArtOfMemoryForensics) (Citation: GNU Acct) (Citation: RHEL auditd) (Citation: Chokepoint preload rootkits)
Monitor for named pipe creation and connection events (Event IDs 17 and 18) for possible indicators of infected processes with external modules.(Citation: Microsoft Sysmon v6 May 2017)
Analyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior.
Ссылки
- Cybereason Global SOC and Incident Response Team. (n.d.). Sliver C2 Leveraged by Many Threat Actors. Retrieved March 24, 2025.
- Symantec Threat Hunter Team. (2022, October 21). Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool. Retrieved December 16, 2024.
- stderr. (2014, February 14). Detecting Userland Preload Rootkits. Retrieved December 20, 2017.
- Saavedra-Morales, J, et al. (2019, October 20). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo. Retrieved August 5, 2020.
- Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
- ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
- The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
- Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.
- Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
- L. O'Donnell. (2019, March 3). RSAC 2019: New Operation Sharpshooter Data Reveals Higher Complexity, Scope. Retrieved September 26, 2022.
- Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
- Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
- Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018.
- Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
- Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
- Dutch Military Intelligence and Security Service (MIVD) & Dutch General Intelligence and Security Service (AIVD). (2024, February 6). Ministry of Defense of the Netherlands uncovers COATHANGER, a stealthy Chinese FortiGate RAT. Retrieved February 7, 2024.
- Russinovich, M. & Garnier, T. (2017, May 22). Sysmon v6.20. Retrieved December 13, 2017.
- Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
- Joe Security. (2020, July 13). TrickBot's new API-Hammering explained. Retrieved September 30, 2021.
- Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
- Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.
- Tomonaga, S.. (2019, September 18). Malware Used by BlackTech after Network Intrusion. Retrieved May 6, 2020.
- US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
- Cybleinc. (2020, October 31). Egregor Ransomware – A Deep Dive Into Its Activities and Techniques. Retrieved December 29, 2020.
- Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
- Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018.
- Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
- BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022.
- Microsoft Security Experts. (2022, August 24). Looking for the ‘Sliver’ lining: Hunting for emerging command-and-control frameworks. Retrieved March 24, 2025.
- Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
- MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022.
- Cisco Talos. (2024, April 24). ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices. Retrieved January 6, 2025.
- Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
- Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
- Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
- Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
- Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.
- Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.
- Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
- TheWover. (2019, May 9). donut. Retrieved March 25, 2022.
- Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021.
- Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.
- Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023.
- F-Secure. (2015, September 8). Sofacy Recycles Carberp and Metasploit Code. Retrieved August 3, 2016.
- Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
- Jahoda, M. et al.. (2017, March 14). redhat Security Guide - Chapter 7 - System Auditing. Retrieved December 20, 2017.
- Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024.
- Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
- Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
- Zhou, R. (2012, May 15). Backdoor.Wiarp. Retrieved February 22, 2018.
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
- DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
- Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.
- Savelesky, K., et al. (2019, July 23). ABADBABE 8BADFOOD: Discovering BADHATCH and a Detailed Look at FIN8's Tooling. Retrieved September 8, 2021.
- Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.
- Cybereason. (2022, August 17). Bumblebee Loader – The High Road to Enterprise Domain Control. Retrieved August 29, 2022.
- Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021.
- Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
- Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018.
- Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
- Aliz Hammond. (2019, August 15). Hiding Malicious Code with "Module Stomping": Part 1. Retrieved July 14, 2022.
- GNU. (2010, February 5). The GNU Accounting Utilities. Retrieved December 20, 2017.
- Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021.
- Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021.
- SEONGSU PARK. (2022, December 27). BlueNoroff introduces new methods bypassing MoTW. Retrieved February 6, 2024.
- Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
- Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019.
- Walter, J. (2020, August 10). Agent Tesla | Old RAT Uses New Tricks to Stay on Top. Retrieved December 11, 2020.
- Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.
- Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
- Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023.
- Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
- hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020.
- Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved November 17, 2024.
- Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023.
- Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
- Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
- Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
- Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
- Reichel, D. (2021, February 19). IronNetInjector: Turla’s New Malware Loading Tool. Retrieved February 24, 2021.
- Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.
- Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023.
- Lin, M. et al. (2024, February 27). Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts. Retrieved March 1, 2024.
- SCILabs. (2021, December 23). Cyber Threat Profile Malteiro. Retrieved March 13, 2024.
- Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
- Bacurio, F., Salvio, J. (2017, February 14). REMCOS: A New RAT In The Wild. Retrieved November 6, 2018.
- Kervella, R. (2019, August 4). Cross-platform General Purpose Implant Framework Written in Golang. Retrieved July 30, 2021.
- Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
- The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
- BishopFox. (n.d.). Sliver. Retrieved September 15, 2021.
- Salem, E. (2021, April 19). Dancing With Shellcodes: Cracking the latest version of Guloader. Retrieved July 7, 2021.
- Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023.
- Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
- Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
- Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021.
- DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.
- Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
- Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
- Huseyin Can Yuceel. (2022, February 21). TTPs used by BlackByte Ransomware Targeting Critical Infrastructure. Retrieved December 16, 2024.
- Pedro Tavares (Segurança Informática). (2020, September 15). Threat analysis: The emergent URSA trojan impacts many countries using a sophisticated loader. Retrieved March 13, 2024.
- Sygnia Team. (2024, June 3). China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence. Retrieved March 14, 2025.
- Microsoft Incident Response. (2023, July 6). The five-day job: A BlackByte ransomware intrusion case study. Retrieved December 16, 2024.
- Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.