Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Техника Нарушение работы средств контроля доверия
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Нарушение работы средств контр...
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Нарушение работы средств контроля доверия

ID Name
.001 Обход Gatekeeper
.002 Подпись исполняемого кода
.003 Подмена поставщика доверия и SIP
.004 Установка корневого сертификата
.005 Mark-of-the-Web (MOTW)
.006 Изменение политики подписи кода

Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site. Adversaries may attempt to subvert these trust mechanisms. The method adversaries use will depend on the specific mechanism they seek to subvert. Adversaries may conduct File and Directory Permissions Modification or Modify Registry in support of subverting these controls.(Citation: SpectorOps Subverting Trust Sept 2017) Adversaries may also create or steal code signing certificates to acquire trust on target systems.(Citation: Securelist Digital Certificates)(Citation: Symantec Digital Certificates)

ID: T1553
Суб-техники:  .001 .002 .003 .004 .005 .006
Тактика(-и): Defense Evasion
Платформы: Linux, macOS, Windows
Источники данных: Command: Command Execution, File: File Metadata, File: File Modification, Module: Module Load, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Версия: 1.1
Дата создания: 05 Feb 2020
Последнее изменение: 05 May 2022

Примеры процедур
Название Описание
Axiom

Axiom has used digital certificates to deliver malware.(Citation: Novetta-Axiom)

Контрмеры
Контрмера Описание
Execution Prevention

Block execution of code on a system through application control, and/or script blocking.
Operating System Configuration

Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.
Restrict Registry Permissions

Restrict the ability to modify certain hives or keys in the Windows Registry.
Software Configuration

Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.

Обнаружение

Collect and analyze signing certificate metadata on software that executes within the environment to look for unusual certificate characteristics and outliers. Periodically baseline registered SIPs and trust providers (Registry entries and files on disk), specifically looking for new, modified, or non-Microsoft entries. (Citation: SpectorOps Subverting Trust Sept 2017) A system's root certificates are unlikely to change frequently. Monitor new certificates installed on a system that could be due to malicious activity.(Citation: SpectorOps Code Signing Dec 2017) Analyze Autoruns data for oddities and anomalies, specifically malicious files attempting persistent execution by hiding within auto-starting locations. Autoruns will hide entries signed by Microsoft or Windows by default, so ensure "Hide Microsoft Entries" and "Hide Windows Entries" are both deselected.(Citation: SpectorOps Subverting Trust Sept 2017) Monitor and investigate attempts to modify extended file attributes with utilities such as xattr. Built-in system utilities may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.

Ссылки

  1. Shinotsuka, H. (2013, February 22). How Attackers Steal Private Keys from Digital Certificates. Retrieved March 31, 2016.
  2. Ladikov, A. (2015, January 29). Why You Shouldn’t Completely Trust Files Signed with Digital Certificates. Retrieved March 31, 2016.
  3. Graeber, M. (2017, September). Subverting Trust in Windows. Retrieved January 31, 2018.
  4. Graeber, M. (2017, December 22). Code Signing Certificate Cloning Attacks and Defenses. Retrieved April 3, 2018.
  5. Entrust Datacard. (2017, August 16). How do I enable CAPI 2.0 logging in Windows Vista, Windows 7 and Windows 2008 Server?. Retrieved January 31, 2018.
  6. Microsoft. (2012, July 2). Audit Registry. Retrieved January 31, 2018.
  7. Microsoft. (2016, August 31). Registry (Global Object Access Auditing). Retrieved January 31, 2018.
  8. Smith, T. (2016, October 27). AppUNBlocker: Bypassing AppLocker. Retrieved December 19, 2017.
  9. Wikipedia. (2017, February 28). HTTP Public Key Pinning. Retrieved March 31, 2017.
  10. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.