Abuse Elevation Control Mechanism: Запрос пароля суперпользователя для повышения привилегий
Other sub-techniques of Abuse Elevation Control Mechanism (4)
Adversaries may leverage the AuthorizationExecuteWithPrivileges
API to escalate privileges by prompting the user for credentials.(Citation: AppleDocs AuthorizationExecuteWithPrivileges) The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating. This API does not validate that the program requesting root privileges comes from a reputable source or has been maliciously modified.
Although this API is deprecated, it still fully functions in the latest releases of macOS. When calling this API, the user will be prompted to enter their credentials but no checks on the origin or integrity of the program are made. The program calling the API may also load world writable files which can be modified to perform malicious behavior with elevated privileges.
Adversaries may abuse AuthorizationExecuteWithPrivileges
to obtain root privileges in order to install malicious software on victims and install persistence mechanisms.(Citation: Death by 1000 installers; it's all broken!)(Citation: Carbon Black Shlayer Feb 2019)(Citation: OSX Coldroot RAT) This technique may be combined with Masquerading to trick the user into granting escalated privileges to malicious code.(Citation: Death by 1000 installers; it's all broken!)(Citation: Carbon Black Shlayer Feb 2019) This technique has also been shown to work by modifying legitimate programs present on the machine that make use of this API.(Citation: Death by 1000 installers; it's all broken!)
Примеры процедур |
|
Название | Описание |
---|---|
OSX/Shlayer |
OSX/Shlayer can escalate privileges to root by asking the user for credentials.(Citation: Carbon Black Shlayer Feb 2019) |
Контрмеры |
|
Контрмера | Описание |
---|---|
Execution Prevention |
Block execution of code on a system through application control, and/or script blocking. |
Обнаружение
Consider monitoring for /usr/libexec/security_authtrampoline
executions which may indicate that AuthorizationExecuteWithPrivileges
is being executed. MacOS system logs may also indicate when AuthorizationExecuteWithPrivileges
is being called. Monitoring OS API callbacks for the execution can also be a way to detect this behavior but requires specialized security tooling.
Ссылки
- Patrick Wardle. (2018, February 17). Tearing Apart the Undetected (OSX)Coldroot RAT. Retrieved August 8, 2019.
- Patrick Wardle. (2017). Death by 1000 installers; it's all broken!. Retrieved August 8, 2019.
- Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.
- Apple. (n.d.). Apple Developer Documentation - AuthorizationExecuteWithPrivileges. Retrieved August 8, 2019.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.