
Hardware Additions

Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. Replication Through Removable Media), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused. While public references of usage by threat actors are scarce, many red teams/penetration testers leverage hardware additions for initial access. Commercial and open source products can be leveraged with capabilities such as passive network tapping, network traffic modification (i.e. Adversary-in-the-Middle), keystroke injection, kernel memory reading via DMA, addition of new wireless access to an existing network, and others.(Citation: Ossmann Star Feb 2011)(Citation: Aleks Weapons Nov 2015)(Citation: Frisk DMA August 2016)(Citation: McMillan Pwn March 2012)

ID: T1200
Tactic(s): Initial Access
Platforms: Linux, macOS, Windows
Data Sources: Application Log: Application Log Content, Drive: Drive Creation, Network Traffic: Network Traffic Flow
Version: 1.6
Created: 18 Apr 2018
Last Modified: 30 Mar 2023

Procedure Examples

Name: DarkVishnya
Description: DarkVishnya used Bash Bunny, Raspberry Pi, netbooks or inexpensive laptops to connect to the company’s local network.(Citation: Securelist DarkVishnya Dec 2018)

Mitigations

Mitigation: Limit Access to Resource Over Network
Description: Prevent access to file shares, remote access to systems, and unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.

Mitigation: Hardware Additions Mitigation
Description: Establish network access control policies, such as using device certificates and the 802.1x standard.(Citation: Wikipedia 802.1x) Restrict use of DHCP to registered devices to prevent unregistered devices from communicating with trusted systems. Block unknown devices and accessories by endpoint security configuration and monitoring agent.

Mitigation: Limit Hardware Installation
Description: Block users or groups from installing or using unapproved hardware on systems, including USB devices.

Detection

Asset management systems may help with the detection of computer systems or network devices that should not exist on a network. Endpoint sensors may be able to detect the addition of hardware via USB, Thunderbolt, and other external device communication ports.
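As an added example (not part of the original entry or of any vendor's sensor), the endpoint-side check described above can be illustrated with a small detector over constructed Linux kernel (dmesg) lines: it groups USB enumeration messages per port, compares the vendor/product IDs against an asset allowlist, and escalates unapproved devices that also register an input (keyboard/mouse) interface. The log lines, IDs and the ALLOWLIST contents are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample of Linux kernel (dmesg) lines for two USB plug-in events;
# the vendor/product IDs, product strings and device path are made up.
SAMPLE_DMESG = """
[   12.001] usb 1-2: new high-speed USB device number 3 using xhci_hcd
[   12.150] usb 1-2: New USB device found, idVendor=0bda, idProduct=8153, bcdDevice= 3.00
[   12.151] usb 1-2: Product: USB 10/100/1000 LAN
[   80.400] usb 1-4: new full-speed USB device number 4 using xhci_hcd
[   80.552] usb 1-4: New USB device found, idVendor=f000, idProduct=ff02, bcdDevice= 1.00
[   80.553] usb 1-4: Product: Composite Device
[   80.600] input: Composite Device as /devices/pci0000:00/0000:00:14.0/usb1/1-4/1-4:1.0/0003:F000:FF02.0001/input/input9
"""

# Hypothetical allowlist of approved (idVendor, idProduct) pairs, as an asset
# management system might export it; the single entry is constructed.
ALLOWLIST = {("0bda", "8153")}

FOUND_RE = re.compile(r"usb (?P<port>[\d.-]+): New USB device found, "
                      r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
PRODUCT_RE = re.compile(r"usb (?P<port>[\d.-]+): Product: (?P<name>.+)$")
INPUT_RE = re.compile(r"input: .+ as /devices/.+/usb\d+/(?P<port>[\d.-]+)/")


def parse_usb_events(log: str) -> Dict[str, dict]:
    """Group kernel lines by USB port path into one record per attached device."""
    devices: Dict[str, dict] = {}
    for line in log.splitlines():
        if m := FOUND_RE.search(line):
            devices[m["port"]] = {"vid": m["vid"], "pid": m["pid"], "name": None, "hid": False}
        elif (m := PRODUCT_RE.search(line)) and m["port"] in devices:
            devices[m["port"]]["name"] = m["name"].strip()
        elif (m := INPUT_RE.search(line)) and m["port"] in devices:
            # The device registered an input interface (keyboard/mouse class),
            # which is how keystroke-injection hardware presents itself.
            devices[m["port"]]["hid"] = True
    return devices


def alerts_for(log: str, allowlist=ALLOWLIST) -> List[str]:
    """Flag devices not on the allowlist; escalate those that also act as input devices."""
    alerts = []
    for port, dev in parse_usb_events(log).items():
        if (dev["vid"], dev["pid"]) in allowlist:
            continue
        severity = "HIGH" if dev["hid"] else "MEDIUM"
        alerts.append(f"{severity}: unapproved USB device on port {port} "
                      f"{dev['vid']}:{dev['pid']} ({dev['name'] or 'unknown'})"
                      + (", presents as input device" if dev["hid"] else ""))
    return alerts
```

In a real deployment the same logic would consume `journalctl -k` or udev events on the endpoint, and the allowlist would come from the asset management system rather than a literal set.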

Related Risks

Nothing found

Catalogs
