Hijack Execution Flow: Недостатки разрешений для файлов служб
Other sub-techniques of Hijack Execution Flow (12)
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM. Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.
Примеры процедур |
|
| Название | Описание |
|---|---|
| BlackEnergy |
One variant of BlackEnergy locates existing driver services that have been disabled and drops its driver component into one of those service's paths, replacing the legitimate executable. The malware then sets the hijacked service to start automatically to establish persistence.(Citation: F-Secure BlackEnergy 2014) |
Контрмеры |
|
| Контрмера | Описание |
|---|---|
| User Account Management |
Manage the creation, modification, use, and permissions associated to user accounts. |
| Audit |
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. |
| User Account Control |
Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access. |
Обнаружение
Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data. Look for abnormal process call trees from typical processes and services and for execution of other commands that could relate to Discovery or other adversary techniques.
Ссылки
- F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
- Stefan Kanthak. (2015, December 8). Executable installers are vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation of privilege. Retrieved December 4, 2014.
- PowerSploit. (n.d.). Retrieved December 4, 2014.
Связанные риски
| Риск | Связи | |
|---|---|---|
|
Обход систем защиты из-за
возможности подмены файла службы Windows в ОС Windows
Повышение привилегий
Целостность
|
|
|
|
Закрепление злоумышленника в ОС из-за
возможности подмены файла службы Windows в ОС Windows
Повышение привилегий
НСД
|
|
|
|
Повышение привилегий в ОС из-за
возможности подмены файла службы Windows в ОС Windows
Повышение привилегий
Целостность
|
|
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.