Server Software Component

Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.(Citation: volexity_0day_sophos_FW)

ID: T1505
Sub-techniques: .001 .002 .003 .004 .005
Tactic(s): Persistence
Platforms: Linux, macOS, Network, Windows
Data sources: Application Log: Application Log Content, File: File Creation, File: File Modification, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Version: 1.4
Created: 28 Jun 2019
Last modified: 19 Oct 2022

Mitigations

Mitigation / Description
Code Signing

Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.

Audit

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

Restrict Registry Permissions

Restrict the ability to modify certain hives or keys in the Windows Registry.

Disable or Remove Feature or Program

Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.

User Account Management

Manage the creation, modification, use, and permissions associated with user accounts.

Privileged Account Management

Manage the creation, modification, use, and permissions associated with privileged accounts, including SYSTEM and root.

Detection

Consider monitoring application logs for abnormal behavior that may indicate suspicious installation of application software components, and monitoring the file locations associated with such installations, in particular the paths from which applications typically load extensible components. Process monitoring may be used to detect server components that perform suspicious actions such as running cmd.exe or accessing files. Log authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. (Citation: US-CERT Alert TA15-314A Web Shells)
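As an added example (not code from the SECURITM page or from MITRE), the following triage filter applies the two detection ideas above to process-creation and file-creation telemetry: a server daemon spawning a command interpreter, and executable content appearing in a directory from which the server loads components. The lists of server images, shells, component directories and file extensions are assumptions and should be tuned to the environment.

```python
# Added example: simple triage of process/file events for T1505 indicators.
# SERVER_IMAGES, SHELL_IMAGES, COMPONENT_DIRS and COMPONENT_EXTS are assumed
# values for illustration, not a vetted allow/deny list.
SERVER_IMAGES = {"httpd", "apache2", "nginx", "w3wp.exe", "php-fpm", "tomcat"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "sh", "bash", "dash"}
# Paths (normalized to forward slashes, lowercase) from which a server loads components.
COMPONENT_DIRS = ("/var/www/", "/usr/lib/apache2/modules/", "c:/inetpub/wwwroot/")
# Server-side executable content; a newly created one of these is worth a look.
COMPONENT_EXTS = (".php", ".jsp", ".jspx", ".aspx", ".ashx", ".so", ".dll")


def image_name(path: str) -> str:
    """Return the lowercase file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def shell_spawned_by_server(event: dict) -> bool:
    """Process-creation event in which a server daemon launches a command interpreter."""
    return (event.get("type") == "process"
            and image_name(event["parent"]) in SERVER_IMAGES
            and image_name(event["image"]) in SHELL_IMAGES)


def new_component_in_server_path(event: dict) -> bool:
    """File-creation event that drops executable content into a component directory."""
    if event.get("type") != "file" or event.get("action") != "create":
        return False
    path = event["path"].replace("\\", "/").lower()
    return path.startswith(COMPONENT_DIRS) and path.endswith(COMPONENT_EXTS)


def triage(events: list) -> list:
    """Return (reason, event) pairs for every event that matches either rule."""
    hits = []
    for ev in events:
        if shell_spawned_by_server(ev):
            hits.append(("server process spawned shell", ev))
        elif new_component_in_server_path(ev):
            hits.append(("new component file in server path", ev))
    return hits


# Constructed sample telemetry for the demo, not real logs.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "/usr/sbin/httpd", "image": "/bin/sh"},
    {"type": "process", "parent": "/usr/sbin/httpd", "image": "/usr/bin/php-cgi"},
    {"type": "process", "parent": "C:\\Windows\\System32\\services.exe", "image": "C:\\Windows\\System32\\cmd.exe"},
    {"type": "file", "action": "create", "path": "C:\\inetpub\\wwwroot\\uploads\\img.aspx"},
    {"type": "file", "action": "create", "path": "/var/www/html/uploads/photo.jpg"},
    {"type": "file", "action": "modify", "path": "/var/www/html/index.php"},
]

if __name__ == "__main__":
    for reason, ev in triage(SAMPLE_EVENTS):
        print(reason, ev)
```

Running the block flags the httpd-to-sh spawn and the new .aspx file in the web root, while the php-cgi child, the shell launched by services.exe, the image upload and the in-place edit pass through.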

Related risks

Nothing found

Catalogs