Скрытие артефактов
Sub-techniques (12)
Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015) Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020)
Примеры процедур |
|
Название | Описание |
---|---|
OSX/Shlayer |
OSX/Shlayer has used the |
Bundlore |
Bundlore uses the |
WarzoneRAT |
WarzoneRAT can masquerade the Process Environment Block on a compromised host to hide its attempts to elevate privileges through `IFileOperation`.(Citation: Check Point Warzone Feb 2020) |
DarkTortilla |
DarkTortilla has used `%HiddenReg%` and `%HiddenKey%` as part of its persistence via the Windows registry.(Citation: Secureworks DarkTortilla Aug 2022) |
Tarrask |
Tarrask is able to create “hidden” scheduled tasks by deleting the Security Descriptor (`SD`) registry value.(Citation: Tarrask scheduled task) |
Контрмеры |
|
Контрмера | Описание |
---|---|
Limit Software Installation |
Block users or groups from installing unapproved software. |
Application Developer Guidance |
This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of. |
Antivirus/Antimalware |
Use signatures or heuristics to detect malicious software. |
Обнаружение
Monitor files, processes, and command-line arguments for actions indicative of hidden artifacts. Monitor event and authentication logs for records of hidden artifacts being used. Monitor the file system and shell commands for hidden attribute usage.
Ссылки
- SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020.
- Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
- Arntz, P. (2015, July 22). Introduction to Alternate Data Streams. Retrieved March 21, 2018.
- Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved December 10, 2021.
- Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- Phil Stokes. (2020, September 8). Coming Out of Your Shell: From Shlayer to ZShlayer. Retrieved September 13, 2021.
- Jaron Bradley. (2021, April 26). Shlayer malware abusing Gatekeeper bypass on macOS. Retrieved September 22, 2021.
- Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
- Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.
- Microsoft. (2024, February 27). Contextual file and folder exclusions. Retrieved March 29, 2024.
- Microsoft Threat Intelligence Team & Detection and Response Team . (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion. Retrieved June 1, 2022.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.