
ATT&CK-CN V1.01 Last Update: 2019-11 [Back to index]

Translators: Lin Miaoqian (林妙倩, cyberspace security intern, Institute for Network Sciences and Cyberspace, Tsinghua University), Dai Yilun (戴亦侖, Cyberpeace 賽寧網安). Original translation; please obtain the translators' consent before reproducing.

Data source: ATT&CK Matrices

Original: https://attack.mitre.org/techniques/T1221

Glossary: /attack/glossary

Template Injection

Microsoft's Open Office XML (OOXML) specification defines an XML-based format for Office documents (.docx, .xlsx, .pptx) to replace the older binary formats (.doc, .xls, .ppt). OOXML files are packaged as ZIP archives composed of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.

Properties within parts may reference shared public resources accessed via online URLs. For example, template properties reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded.

Adversaries may abuse this technology to initially conceal malicious code to be executed via documents (i.e. Scripting (T1064)). Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded. These documents can be delivered via other techniques such as Spearphishing Attachment (T1193) and/or Taint Shared Content (T1080) and may evade static detections, since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched. Examples have been seen in the wild where template injection was used to load malicious code containing an exploit.

This technique may also enable Forced Authentication (T1187) by injecting an SMB/HTTPS (or other credential-prompting) URL and triggering an authentication attempt.

Tags

ID: T1221

Tactic: Defense Evasion

Platform: Windows

Permissions Required: User

Data Sources: Anti-virus, Email gateway, Network intrusion detection system, Web logs

Defense Bypassed: Static File Analysis

Procedure Examples

Name | Description
APT28 (G0007) | APT28 (G0007) used weaponized Microsoft Word documents abusing the remote template function to retrieve a malicious macro.
DarkHydrus (G0079) | DarkHydrus (G0079) used an open-source tool, Phishery, to inject malicious remote template URLs into Microsoft Word documents and then sent them to victims to enable Forced Authentication (T1187).
Dragonfly 2.0 (G0074) | Dragonfly 2.0 (G0074) has injected SMB URLs into malicious Word spearphishing attachments to initiate Forced Authentication (T1187).
Tropic Trooper (G0081) | Tropic Trooper (G0081) delivered malicious documents with the XLSX extension, typically used by OpenXML documents, but the file itself was actually an OLE (XLS) document.

Mitigations

Mitigation | Description
Antivirus/Antimalware (M1049) | Network/host intrusion prevention systems, antivirus, and detonation chambers can be employed to prevent documents from fetching and/or executing malicious payloads.
Disable or Remove Feature or Program (M1042) | Consider disabling Microsoft Office macros/active content to prevent the execution of malicious payloads in documents, though this setting may not mitigate the Forced Authentication (T1187) use of this technique.
Network Intrusion Prevention (M1031) | Network/host intrusion prevention systems, antivirus, and detonation chambers can be employed to prevent documents from fetching and/or executing malicious payloads.
User Training (M1017) | Train users to identify social engineering techniques and spearphishing emails.

Detection

Analyze process behavior to determine if an Office application is performing actions such as opening network connections, reading files, spawning abnormal child processes (ex: PowerShell (T1086)), or other suspicious actions that could relate to post-compromise behavior.
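The entry describes the remote template reference as a property inside one of the package's parts, and recommends process-behaviour monitoring to catch the fetch. A complementary file-side check, added here as an example that is not part of the ATT&CK entry or the translation, is to open the ZIP container and inspect every relationship part (`*.rels`) for relationships whose `TargetMode` is `External`. The `attachedTemplate` relationship type and the package relationship namespace are the real OOXML identifiers; the hostnames, share names and file names in the constructed fixture are placeholders. Hyperlinks are also external relationships, so the scanner reports them at informational level rather than flagging every ordinary link.

```python
"""Scan an OOXML package for external template references (added example).

Walks every *.rels part of the ZIP container and reports relationships with
TargetMode="External". attachedTemplate relationships pointing at a network
or UNC target (remote template) and any UNC/SMB target (the Forced
Authentication variant) are rated high; ordinary hyperlinks are informational.
The fixture built by build_fixture() is constructed for this example and is
not a real document: it contains only the relationship parts a scanner reads.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
ATTACHED_TEMPLATE = OFFICE_REL + "attachedTemplate"


def external_relationships(data: bytes):
    """Yield (part_name, rel_type, target) for every External relationship."""
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(pkg.read(name))
            except ET.ParseError:
                continue  # a malformed part must not stop the other parts being checked
            for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    yield name, rel.get("Type", ""), rel.get("Target", "")


def classify_target(target: str) -> str:
    """Return 'unc', 'network' or 'local' for a relationship target."""
    if target.startswith("\\\\") or target.startswith("//"):
        return "unc"  # \\host\share or //host/share: SMB on resolution
    parsed = urlparse(target)
    scheme = parsed.scheme.lower()
    if scheme == "file":
        # file://host/share is SMB; file:///C:/... (Normal.dotm) is local
        return "unc" if parsed.netloc else "local"
    if scheme in ("http", "https", "ftp", "smb"):
        return "network"
    return "local"  # relative paths and drive letters (urlparse gives scheme 'c')


def scan(data: bytes):
    """Return findings: dicts with part, type, target, kind and severity."""
    findings = []
    for part, rel_type, target in external_relationships(data):
        kind = classify_target(target)
        if rel_type.endswith("/hyperlink"):
            severity = "info"    # every clickable link is an External relationship
        elif rel_type == ATTACHED_TEMPLATE and kind != "local":
            severity = "high"    # remote template: content fetched when the file opens
        elif kind == "unc":
            severity = "high"    # SMB target: credential prompt / forced authentication
        elif kind == "network":
            severity = "medium"  # other external fetch, e.g. a linked image
        else:
            severity = "low"
        findings.append({"part": part, "type": rel_type.rsplit("/", 1)[-1],
                         "target": target, "kind": kind, "severity": severity})
    return findings


def build_fixture(template_target: str) -> bytes:
    """Constructed minimal package: a settings rels part carrying an attached
    template relationship plus a document rels part with one benign hyperlink."""
    settings_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{PKG_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_target}" TargetMode="External"/>'
        '</Relationships>'
    )
    document_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{PKG_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/>'
        f'<Relationship Id="rId2" Type="{OFFICE_REL}hyperlink" '
        'Target="https://example.com/" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
        z.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder targets; a real scan would read the bytes of a received file.
    for target in ("http://template.example.invalid/blueprint.dotm",
                   "\\\\fileserver.example.invalid\\share\\blueprint.dotx",
                   "file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm"):
        for finding in scan(build_fixture(target)):
            print(finding)
```

The `file:///C:/...` case matters in practice: Word writes a local `attachedTemplate` relationship for Normal.dotm in many documents, so an alert keyed on the relationship type alone produces noise; keying on the target kind (network or UNC) is what separates a remote template from a normal one. Point the same `scan()` at attachments captured by the email gateway or at samples a detonation chamber receives.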
