MITRE ATT&CK - Техника DLL службы терминалов

Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

Наш канал

Server Software Component: DLL службы терминалов

Other sub-techniques of Server Software Component (5)

ID	Название
.001	Хранимые процедуры SQL
.002	Агенты транспорта Microsoft Exchange
.003	Веб-шелл
.004	Компоненты IIS
.005	DLL службы терминалов

Adversaries may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Services, renamed to Remote Desktop Services in some Windows Server OSs as of 2022, enable remote terminal connections to hosts. Terminal Services allows servers to transmit a full, interactive, graphical user interface to clients via RDP.(Citation: Microsoft Remote Desktop Services) Windows Services that are run as a "generic" process (ex: svchost.exe) load the service's DLL file, the location of which is stored in a Registry entry named ServiceDll.(Citation: Microsoft System Services Fundamentals) The termsrv.dll file, typically stored in `%SystemRoot%\System32\`, is the default ServiceDll value for Terminal Services in `HKLM\System\CurrentControlSet\services\TermService\Parameters\`. Adversaries may modify and/or replace the Terminal Services DLL to enable persistent access to victimized hosts.(Citation: James TermServ DLL) Modifications to this DLL could be done to execute arbitrary payloads (while also potentially preserving normal termsrv.dll functionality) as well as to simply enable abusable features of Terminal Services. For example, an adversary may enable features such as concurrent Remote Desktop Protocol sessions by either patching the termsrv.dll file or modifying the ServiceDll value to point to a DLL that provides increased RDP functionality.(Citation: Windows OS Hub RDP)(Citation: RDPWrap Github) On a non-server Windows OS this increased functionality may also enable an adversary to avoid Terminal Services prompts that warn/log out users of a system when a new RDP session is created.

ID: T1505.005

Относится к технике: T1505

Тактика(-и): Persistence

Платформы: Windows

Источники данных: Command: Command Execution, File: File Modification, Module: Module Load, Process: Process Creation, Windows Registry: Windows Registry Key Modification

Версия: 1.0

Дата создания: 28 Mar 2022

Последнее изменение: 18 Apr 2022

Контрмера	Описание
Контрмеры
Audit	Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.
Restrict Registry Permissions	Restrict the ability to modify certain hives or keys in the Windows Registry.

Обнаружение

Monitor for changes to Registry keys associated with ServiceDll and other subkey values under HKLM\System\CurrentControlSet\services\TermService\Parameters\. Monitor unexpected changes and/or interactions with termsrv.dll, which is typically stored in %SystemRoot%\System32\. Monitor commands as well as processes and arguments for potential adversary actions to modify Registry values (ex: reg.exe) or modify/replace the legitimate termsrv.dll. Monitor module loads by the Terminal Services process (ex: svchost.exe -k termsvcs) for unexpected DLLs (the default is %SystemRoot%\System32\termsrv.dll, though an adversary could also use Match Legitimate Name or Location on a malicious payload).

Ссылки

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.