
Hide Artifacts

Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015) Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020)

ID: T1564
Sub-techniques: .001 .002 .003 .004 .005 .006 .007 .008 .009 .010
Tactic(s): Defense Evasion
Platforms: Linux, macOS, Office 365, Windows
Data sources: Application Log: Application Log Content, Command: Command Execution, File: File Creation, File: File Metadata, File: File Modification, Firmware: Firmware Modification, Process: OS API Execution, Process: Process Creation, Script: Script Execution, Service: Service Creation, User Account: User Account Creation, User Account: User Account Metadata, Windows Registry: Windows Registry Key Modification
Version: 1.1
Created: 26 Feb 2020
Last modified: 25 Mar 2022

Procedure examples

Name    Description
OSX/Shlayer

OSX/Shlayer has used the mktemp utility to make random and unique filenames for payloads, such as export tmpDir="$(mktemp -d /tmp/XXXXXXXXXXXX)" or mktemp -t Installer.(Citation: sentinelone shlayer to zshlayer)(Citation: 20 macOS Common Tools and Techniques)(Citation: Shlayer jamf gatekeeper bypass 2021)

Bundlore

Bundlore uses the mktemp utility to make unique file and directory names for payloads, such as TMP_DIR=`mktemp -d -t x`.(Citation: 20 macOS Common Tools and Techniques)

WarzoneRAT

WarzoneRAT can masquerade the Process Environment Block on a compromised host to hide its attempts to elevate privileges through `IFileOperation`.(Citation: Check Point Warzone Feb 2020)

Tarrask

Tarrask is able to create “hidden” scheduled tasks by deleting the Security Descriptor (`SD`) registry value.(Citation: Tarrask scheduled task)

Detection

Monitor files, processes, and command-line arguments for actions indicative of hidden artifacts. Monitor event and authentication logs for records of hidden artifacts being used. Monitor the file system and shell commands for hidden attribute usage.
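The detection guidance above stays at the level of "monitor command lines and registry changes for hidden-artifact usage". As an added example (not code from SECURITM or from MITRE ATT&CK), the following Python scanner turns that guidance into concrete rules over command-line records, covering the behaviours this page's procedure examples describe: hidden file attributes (`attrib +h` on Windows, `chflags hidden` on macOS), random `mktemp` payload names as used by OSX/Shlayer and Bundlore, and deletion of a scheduled task's `SD` registry value as used by Tarrask. The pipe-separated log format and all sample lines are constructed for this example; the `TaskCache\Tree` registry path is the standard Windows Task Scheduler cache location and is an assumption of the rule, not something this page states.

```python
"""Toy detection logic for T1564 Hide Artifacts (added example, not page code).

Each rule is tagged with the ATT&CK data source it needs, so the output can be
mapped back to the technique's "Data sources" list.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    data_source: str      # ATT&CK data source this rule depends on
    pattern: re.Pattern


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    rule: str
    data_source: str
    command: str


RULES = [
    # Windows: attrib +h / +s sets the hidden or system attribute on a file
    Rule("windows_hidden_attribute", "Command: Command Execution",
         re.compile(r"\battrib(?:\.exe)?\b.*\+[hs]", re.IGNORECASE)),
    # macOS: chflags hidden sets the Finder-hidden flag
    Rule("macos_hidden_flag", "Command: Command Execution",
         re.compile(r"\bchflags\b.*\bhidden\b")),
    # Random temp names for payloads: mktemp with a template of X's or with -t
    # (Shlayer/Bundlore style). Noisy on its own; pair with parent-process context.
    Rule("random_tmp_payload_name", "Command: Command Execution",
         re.compile(r"\bmktemp\b.*(?:\s-t\b|X{6,})")),
    # Tarrask style: deleting the SD value under the Task Scheduler cache hides the task.
    # Registry path is the standard TaskCache\Tree location (assumption, not from the page).
    Rule("scheduled_task_sd_deleted", "Windows Registry: Windows Registry Key Modification",
         re.compile(r"\breg(?:\.exe)?\s+delete\s+.*TaskCache\\Tree\\.*\s+/v\s+SD\b",
                    re.IGNORECASE)),
]

# Constructed sample records: timestamp|host|user|command line
LOG_LINES = [
    "2024-01-01T10:00:01Z|WS01|alice|attrib +s +h C:\\Users\\alice\\AppData\\Roaming\\svc.exe",
    "2024-01-01T10:00:05Z|MAC02|bob|export tmpDir=\"$(mktemp -d /tmp/XXXXXXXXXXXX)\"",
    "2024-01-01T10:00:09Z|WS01|alice|dir C:\\Users\\alice",
    "2024-01-01T10:01:12Z|MAC02|bob|chflags hidden /Users/bob/Library/.agent",
    "2024-01-01T10:02:30Z|WS03|SYSTEM|reg delete \"HKLM\\SOFTWARE\\Microsoft\\Windows NT"
    "\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Updater\" /v SD /f",
    "2024-01-01T10:03:00Z|MAC02|bob|ls -la /tmp",
]


def scan(lines):
    """Return one Alert per (record, matching rule), in input order."""
    alerts = []
    for line in lines:
        _ts, host, user, cmd = line.split("|", 3)
        for rule in RULES:
            if rule.pattern.search(cmd):
                alerts.append(Alert(host, user, rule.name, rule.data_source, cmd))
    return alerts


def hosts_by_rule(alerts):
    """Group alerting hosts per rule, handy for a quick triage view."""
    grouped = {}
    for a in alerts:
        grouped.setdefault(a.rule, set()).add(a.host)
    return grouped


if __name__ == "__main__":
    for a in scan(LOG_LINES):
        print(f"[{a.rule}] host={a.host} user={a.user} source='{a.data_source}'\n    {a.command}")
```

The rules are deliberately simple string matches; in production each would be one signal fed into a correlation step (for instance, `mktemp` with a random template is common in installers, so the alert is only interesting together with the parent process or the later execution of the created file).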

Related risks

Nothing found
