MITRE ATT&CK - Техника Изменение образа ОС

Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

Наш канал

Изменение образа ОС

Sub-techniques (2)

ID	Name
.001	Внесение исправлений в образ ОС
.002	Понижение версии образа ОС

Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file. To change the operating system, the adversary typically only needs to affect this one file, replacing or modifying it. This can either be done live in memory during system runtime for immediate effect, or in storage to implement the change on the next boot of the network device.

ID: T1601

Суб-техники: .001 .002

Тактика(-и): Defense Evasion

Платформы: Network

Требуемые разрешения: Administrator

Источники данных: File: File Modification

Версия: 1.0

Дата создания: 19 Oct 2020

Последнее изменение: 22 Oct 2020

Контрмера	Описание
Контрмеры
Multi-factor Authentication	Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.
Password Policies	Set and enforce secure password policies for accounts.
Credential Access Protection	Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.
Code Signing	Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.
Boot Integrity	Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.
Privileged Account Management	Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.

Обнаружение

Most embedded network devices provide a command to print the version of the currently running operating system. Use this command to query the operating system for its version number and compare it to what is expected for the device in question. Because this method may be used in conjunction with Patch System Image, it may be appropriate to also verify the integrity of the vendor provided operating system image file. Compare the checksum of the operating system file with the checksum of a known good copy from a trusted source. Some embedded network device platforms may have the capability to calculate the checksum of the file, while others may not. Even for those platforms that have the capability, it is recommended to download a copy of the file to a trusted computer to calculate the checksum with software that is not compromised. (Citation: Cisco IOS Software Integrity Assurance - Image File Verification) Many vendors of embedded network devices can provide advanced debugging support that will allow them to work with device owners to validate the integrity of the operating system running in memory. If a compromise of the operating system is suspected, contact the vendor technical support and seek such services for a more thorough inspection of the current running system. (Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)

Ссылки

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.