Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Эксплуатация уязвимостей для предотвращения обнаружения

Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them. Adversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for Security Software Discovery. The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection. There have also been examples of vulnerabilities in public cloud infrastructure of SaaS applications that may bypass defense boundaries (Citation: Salesforce zero-day in facebook phishing attack), evade security logs (Citation: Bypassing CloudTrail in AWS Service Catalog), or deploy hidden infrastructure.(Citation: GhostToken GCP flaw)

ID: T1211
Тактика(-и): Defense Evasion
Платформы: IaaS, Linux, macOS, SaaS, Windows
Источники данных: Application Log: Application Log Content, Process: Process Creation
Версия: 1.5
Дата создания: 18 Apr 2018
Последнее изменение: 15 Apr 2025

Примеры процедур

Название Описание
Velvet Ant

Velvet Ant exploited CVE-2024-20399 in Cisco Switches to which the threat actor was already able to authenticate in order to escape the NX-OS command line interface and gain access to the underlying operating system for arbitrary command execution.(Citation: Sygnia VelvetAnt 2024B)

APT28

APT28 has used CVE-2015-4902 to bypass security features.(Citation: Bitdefender APT28 Dec 2015)(Citation: Microsoft SIR Vol 19)

Контрмеры

Контрмера Описание
Exploit Protection

Deploy capabilities that detect, block, and mitigate conditions indicative of software exploits. These capabilities aim to prevent exploitation by addressing vulnerabilities, monitoring anomalous behaviors, and applying exploit-mitigation techniques to harden systems and software. Operating System Exploit Protections: - Use Case: Enable built-in exploit protection features provided by modern operating systems, such as Microsoft's Exploit Protection, which includes techniques like Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Control Flow Guard (CFG). - Implementation: Enforce DEP for all programs and enable ASLR to randomize memory addresses used by system and application processes. Windows: Configure Exploit Protection through the Windows Security app or deploy settings via Group Policy. `ExploitProtectionExportSettings.exe -path "exploit_settings.xml"` Linux: Use Kernel-level hardening features like SELinux, AppArmor, or GRSEC to enforce memory protections and prevent exploits. Third-Party Endpoint Security: - Use Case: Use endpoint protection tools with built-in exploit protection, such as enhanced memory protection, behavior monitoring, and real-time exploit detection. - Implementation: Deploy tools to detect and block exploitation attempts targeting unpatched software. Virtual Patching: - Use Case: Use tools to implement virtual patches that mitigate vulnerabilities in applications or operating systems until official patches are applied. - Implementation: Use Intrusion Prevention System (IPS) to block exploitation attempts on known vulnerabilities in outdated applications. Hardening Application Configurations: - Use Case: Disable risky application features that can be exploited, such as macros in Microsoft Office or JScript in Internet Explorer. - Implementation: Configure Microsoft Office Group Policies to disable execution of macros in downloaded files.

Exploitation for Defense Evasion Mitigation

Update software regularly by employing patch management for internal enterprise endpoints and servers. Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization. Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing, if available. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. The risks of additional exploits and weaknesses in implementation may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape) Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: TechNet Moving Beyond EMET) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia Control Flow Integrity) Many of these protections depend on the architecture and target application binary for compatibility and may not work for software targeted for defense evasion.

Update Software

Software updates ensure systems are protected against known vulnerabilities by applying patches and upgrades provided by vendors. Regular updates reduce the attack surface and prevent adversaries from exploiting known security gaps. This includes patching operating systems, applications, drivers, and firmware. This mitigation can be implemented through the following measures: Regular Operating System Updates - Implementation: Apply the latest Windows security updates monthly using WSUS (Windows Server Update Services) or a similar patch management solution. Configure systems to check for updates automatically and schedule reboots during maintenance windows. - Use Case: Prevents exploitation of OS vulnerabilities such as privilege escalation or remote code execution. Application Patching - Implementation: Monitor Apache's update release notes for security patches addressing vulnerabilities. Schedule updates for off-peak hours to avoid downtime while maintaining security compliance. - Use Case: Prevents exploitation of web application vulnerabilities, such as those leading to unauthorized access or data breaches. Firmware Updates - Implementation: Regularly check the vendor’s website for firmware updates addressing vulnerabilities. Plan for update deployment during scheduled maintenance to minimize business disruption. - Use Case: Protects against vulnerabilities that adversaries could exploit to gain access to network devices or inject malicious traffic. Emergency Patch Deployment - Implementation: Use the emergency patch deployment feature of the organization's patch management tool to apply updates to all affected Exchange servers within 24 hours. - Use Case: Reduces the risk of exploitation by rapidly addressing critical vulnerabilities. Centralized Patch Management - Implementation: Implement a centralized patch management system, such as SCCM or ManageEngine, to automate and track patch deployment across all environments. Generate regular compliance reports to ensure all systems are updated. - Use Case: Streamlines patching processes and ensures no critical systems are missed. *Tools for Implementation* Patch Management Tools: - WSUS: Manage and deploy Microsoft updates across the organization. - ManageEngine Patch Manager Plus: Automate patch deployment for OS and third-party apps. - Ansible: Automate updates across multiple platforms, including Linux and Windows. Vulnerability Scanning Tools: - OpenVAS: Open-source vulnerability scanning to identify missing patches.

Threat Intelligence Program

A Threat Intelligence Program enables organizations to proactively identify, analyze, and act on cyber threats by leveraging internal and external data sources. The program supports decision-making processes, prioritizes defenses, and improves incident response by delivering actionable intelligence tailored to the organization's risk profile and operational environment. This mitigation can be implemented through the following measures: Establish a Threat Intelligence Team: - Form a dedicated team or assign responsibility to existing security personnel to collect, analyze, and act on threat intelligence. Define Intelligence Requirements: - Identify the organization’s critical assets and focus intelligence gathering efforts on threats targeting these assets. Leverage Internal and External Data Sources: - Collect intelligence from internal sources such as logs, incidents, and alerts. Subscribe to external threat intelligence feeds, participate in ISACs, and monitor open-source intelligence (OSINT). Implement Tools for Automation: - Use threat intelligence platforms (TIPs) to automate the collection, enrichment, and dissemination of threat data. - Integrate threat intelligence with SIEMs to correlate IOCs with internal events. Analyze and Act on Intelligence: - Use frameworks like MITRE ATT&CK to map intelligence to adversary TTPs. - Prioritize defensive measures, such as patching vulnerabilities or deploying IOCs, based on analyzed threats. Share and Collaborate: - Share intelligence with industry peers through ISACs or threat-sharing platforms to enhance collective defense. Evaluate and Update the Program: - Regularly assess the effectiveness of the threat intelligence program. - Update intelligence priorities and capabilities as new threats emerge. *Tools for Implementation* Threat Intelligence Platforms (TIPs): - OpenCTI: An open-source platform for structuring and sharing threat intelligence. - MISP: A threat intelligence sharing platform for sharing structured threat data. Threat Intelligence Feeds: - Open Threat Exchange (OTX): Provides free access to a large repository of threat intelligence. - CIRCL OSINT Feed: A free source for IOCs and threat information. Automation and Enrichment Tools: - TheHive: An open-source incident response platform with threat intelligence integration. - Yeti: A platform for managing and structuring knowledge about threats. Analysis Frameworks: - MITRE ATT&CK Navigator: A tool for mapping threat intelligence to adversary behaviors. - Cuckoo Sandbox: Analyzes malware to extract behavioral indicators. Community and Collaboration Tools: - ISAC Memberships: Join industry-specific ISACs for intelligence sharing. - Slack/Discord Channels: Participate in threat intelligence communities for real-time collaboration.

Application Isolation and Sandboxing

Application Isolation and Sandboxing refers to the technique of restricting the execution of code to a controlled and isolated environment (e.g., a virtual environment, container, or sandbox). This method prevents potentially malicious code from affecting the rest of the system or network by limiting access to sensitive resources and critical operations. The goal is to contain threats and minimize their impact. This mitigation can be implemented through the following measures: Browser Sandboxing: - Use Case: Implement browser sandboxing to isolate untrusted web content, preventing malicious web pages or scripts from accessing sensitive system files. - Implementation: Use tools like Google Chrome's built-in sandbox or deploy solutions like Bromium to secure user web interactions. Application Virtualization: - Use Case: Deploy critical or high-risk applications in a virtualized environment to ensure any compromise does not affect the host system. - Implementation: Use application virtualization platforms to run applications in isolated environments. Email Attachment Sandboxing: - Use Case: Route email attachments to a sandbox environment to detect and block malware before delivering emails to end-users. - Implementation: Integrate security solutions with sandbox capabilities to analyze email attachments. Endpoint Sandboxing: - Use Case: Run all downloaded files and applications in a restricted environment to monitor their behavior for malicious activity. - Implementation: Use endpoint protection tools for sandboxing at the endpoint level.

Обнаружение

Exploitation for defense evasion may happen shortly after the system has been compromised to prevent detection during later actions for for additional tools that may be brought in and used. Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the system that might indicate successful compromise, such as abnormal behavior of processes. This could include suspicious files written to disk, evidence of Process Injection for attempts to hide execution or evidence of Discovery.

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.