Impair Defenses: Атака через понижение версии
Other sub-techniques of Impair Defenses (9)
Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging. For example, PowerShell versions 5+ includes Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to Impair Defenses while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)(Citation: att_def_ps_logging) Adversaries may downgrade and use less-secure versions of various features of a system, such as Command and Scripting Interpreters or even network protocols that can be abused to enable Adversary-in-the-Middle.(Citation: Praetorian TLS Downgrade Attack 2014)
Контрмеры |
|
Контрмера | Описание |
---|---|
Disable or Remove Feature or Program |
Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries. |
Обнаружение
Monitor for commands or other activity that may be indicative of attempts to abuse older or deprecated technologies (ex: powershell –v 2
). Also monitor for other abnormal events, such as execution of and/or processes spawning from a version of a tool that is not expected in the environment.
Monitor for Windows event ID (EID) 400, specifically the EngineVersion
field which shows the version of PowerShell running and may highlight a malicious downgrade attack.(Citation: inv_ps_attacks)
Ссылки
- Praetorian. (2014, August 19). Man-in-the-Middle TLS Protocol Downgrade Attack. Retrieved October 8, 2021.
- Kirk, N. (2018, June 18). Bring Your Own Land (BYOL) – A Novel Red Teaming Technique. Retrieved October 8, 2021.
- Hastings, M. (2014, July 16). Investigating PowerShell Attacks. Retrieved December 1, 2021.
- Hao, M. (2019, February 27). Attack and Defense Around PowerShell Event Logging. Retrieved November 24, 2021.
- Falcon Complete Team. (2021, May 11). Response When Minutes Matter: Rising Up Against Ransomware. Retrieved October 8, 2021.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.