Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Техника Выполнение через подписанные бинарные файлы
CVE уязвимости
БДУ ФСТЭК уязвимости
НКЦКИ уязвимости
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Выполнение через подписанные б...
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Выполнение через подписанные бинарные файлы

ID Name
.001 CHM-файл
.002 Панель управления
.003 Установщик профилей диспетчера подключений (CMSTP)
.004 Утилита InstallUtil
.005 Утилита mshta
.007 Утилита msiexec
.008 Утилита odbcconf
.009 Утилиты Regsvcs и Regasm
.010 Утилита Regsvr32
.011 Rundll32
.012 Verclsid
.013 Mavinject
.014 MMC
.015 Electron Applications

Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.(Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands. Similarly, on Linux systems adversaries may abuse trusted binaries such as split to proxy execution of malicious commands.(Citation: split man page)(Citation: GTFO split)

ID: T1218
Суб-техники:  .001 .002 .003 .004 .005 .007 .008 .009 .010 .011 .012 .013 .014 .015
Тактика(-и): Defense Evasion
Платформы: Linux, macOS, Windows
Источники данных: Command: Command Execution, File: File Creation, Module: Module Load, Network Traffic: Network Connection Creation, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Modification
Версия: 3.1
Дата создания: 18 Apr 2018
Последнее изменение: 01 Mar 2024

Примеры процедур
Название Описание
Lazarus Group

Lazarus Group lnk files used for persistence have abused the Windows Update Client (wuauclt.exe) to execute a malicious DLL.(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)
Volt Typhoon

Volt Typhoon has used native tools and processes including living off the land binaries or “LOLBins" to maintain and expand access to the victim networks.(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024)

Контрмеры
Контрмера Описание
Exploit Protection

Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
Filter Network Traffic

Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.
Privileged Account Management

Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.
Execution Prevention

Block execution of code on a system through application control, and/or script blocking.
Disable or Remove Feature or Program

Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
Restrict Web-Based Content

Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.

Обнаружение

Monitor processes and command-line parameters for signed binaries that may be used to proxy execution of malicious files. Compare recent invocations of signed binaries that may be used to proxy execution with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Legitimate programs used in suspicious ways, like msiexec.exe downloading an MSI file from the Internet, may be indicative of an intrusion. Correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators. Monitor for file activity (creations, downloads, modifications, etc.), especially for file types that are not typical within an environment and may be indicative of adversary activity.

Ссылки

  1. Torbjorn Granlund, Richard M. Stallman. (2020, March null). split(1) — Linux manual page. Retrieved March 25, 2022.
  2. Oddvar Moe et al. (2022, February). Living Off The Land Binaries, Scripts and Libraries. Retrieved March 7, 2022.
  3. GTFOBins. (2020, November 13). split. Retrieved April 18, 2022.
  4. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022.
  5. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.
  6. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.