<noframes id="vfxvr">

    <track id="vfxvr"></track>

      <span id="vfxvr"></span>

          ATT&CK-CN V1.01 Last Update: 2019-11 [返回索引頁]

          譯者: 林妙倩(清華大學網絡研究院網絡空間安全實習生)、戴亦侖(賽寧網安) 原創翻譯作品,如果需要轉載請取得翻譯作者同意。

          數據來源:ATT&CK Matrices

          原文: https://attack.mitre.org/techniques/T1480

          術語表: /attack/glossary

          執行Guardrails

          執行Guardrail會根據目標提供的特定于對手的環境特定條件來限制執行或操作。

          Guardrail確保僅對預定目標執行有效載荷,并減少敵方戰役造成的附帶損害。對手可以提供的有關用作Guardrail的目標系統或環境的值可能包括特定的網絡共享名稱,附加的物理設備,文件,已加入的Active Directory(AD)域以及本地/外部IP地址。

          環境密鑰是一種類型的Guardrail,包括用于從給定計算環境中的特定類型的值派生加密/解密密鑰的加密技術。值可以從特定于目標的元素派生,并用于為加密的有效負載生成解密密鑰。特定于目標的值可以從特定的網絡共享,物理設備,軟件/軟件版本,文件,已加入的AD域,系統時間以及本地/外部IP地址中得出。通過從特定于目標的環境值生成解密密鑰,環境密鑰可以使沙箱檢測,反病毒檢測,信息眾包和逆向工程變得困難。這些困難可能會減慢事件響應過程的速度,并幫助對手隱藏其戰術,技術和程序(TTP)。

          類似于混淆文件或信息(T1027),對手可能會使用防Guardrail和環境密鑰來幫助保護其TTP并逃避檢測。例如,環境密鑰可用于將加密的有效負載傳遞給目標,該目標將在執行之前使用特定于目標的值來解密有效負載。通過利用特定于目標的值解密有效載荷,對手可以避免將解密密鑰與有效載荷一起打包或通過潛在的受監視網絡連接發送。根據收集目標特定值的技術,對加密有效負載進行反向工程可能會異常困難。通常,Guardrail可用于防止在不希望受到損害或在其中運行的環境中暴露功能。Guardrail的使用不同于典型的虛擬化/沙盒逃避(T1497),在后者中可以做出不進一步參與的決定,因為對手指定的價值條件是針對特定目標的,而不是使其可能出現在任何環境中。

          Execution Guardrails

          Execution guardrails constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target.

          Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.

          Environmental keying is one type of guardrail that includes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.[Values can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses. By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult. These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs).

          Similar to Obfuscated Files or Information(T1027), adversaries may use guardrails and environmental keying to help protect their TTPs and evade detection. For example, environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult. In general, guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical[Virtualization/Sandbox Evasion(T1497) where a decision can be made not to further engage because the value conditions specified by the adversary are meant to be target specific and not such that they could occur in any environment.

          標簽

          ID編號: T1480

          策略: 繞過防御

          平臺: Linux,macOS,Windows

          所需權限: user

          數據源: 過程監控

          繞過防御: 防病毒,主機取證分析,基于簽名的檢測,靜態文件分析

          程序示例

          名稱 描述
          APT33(G0064) APT33(G0064)已使用其惡意軟件中的殺死日期來保護執行。
          APT33(G0064) 在有效載荷傳遞中利用環境鍵已觀察到方程式(G0020)
          Name Description
          APT33(G0064) APT33(G0064) has used kill dates in their malware to guardrail execution.
          Equation(G0020) Equation(G0020) has been observed utilizing environmental keying in payload delivery.

          緩解措施

          減輕 描述
          不要減緩(M1055) 執行Guardrails可能不應該通過預防性控制來緩解,因為它可以防止意外目標遭到破壞。如果有針對性,則應著重于防止對手工具在活動鏈中較早地運行,并在識別出后續惡意行為(如果受到威脅)時將其重點關注
          Mitigation Description
          Do Not Mitigate(M1055) Execution Guardrails(T1480) likely should not be mitigated with preventative controls because it may protect unintended targets from being compromised. If targeted, efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior if compromised.

          檢測

          根據實現方式,檢測環境鍵控動作可能很困難。監視生成的可疑進程,這些進程收集各種系統信息或執行其他形式的披露(尤其是在很短的時間內),可能有助于檢測。

          Detecting the action of environmental keying may be difficult depending on the implementation. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery(TA0007), especially in a short period of time, may aid in detection.

          欧美日韩国产亚洲,天天射影院,大芭蕉天天视频在线观看,欧美肥老太牲交大片,奇米色888,黄三级高清在线播放,国产卡一卡二卡三卡四,亚洲第一黄色视频 日韩中文字幕中文有码,日本A级作爱片一,奇米第四,三级片短片视频免费在线观看,奇米网狠狠网,影音先锋色AV男人资源网,日本丰满熟妇hd 日本日韩中文字幕无区码,涩 色 爱 性,天天射影视,中文字幕制服丝袜第57页,777米奇影院奇米网狠狠,尤物TV国产精品看片在线,欧洲女同牲恋牲交视频 久久AV天堂日日综合,亚洲性爱影院色yeye,日韩亚洲欧美Av精品,十八禁全身裸露全彩漫画,奇米网影视,人人爽人人澡人人人妻,动漫AV专区,天天色综合影院 日韩精品中文字幕,特级无码毛片免费视频,人妻少妇不卡无码视频,制服丝袜有码中文字幕在线,深爱激动情网婷婷,影音先锋全部色先锋,香港三级日本三级韩级人妇 日韩欧美亚洲综合久久在线视频,2021XX性影院,玖玖资源站最稳定网址,日韩亚洲制服丝袜中文字幕,国产超碰人人模人人爽人人喊,先锋色熟女丝袜资源 很黄特别刺激又免费的视频,2021一本久道在线线观看,色中娱乐黄色大片,日本高清不卡在线观看播放,97国产自在现线免费视频,国产在线精品亚洲第一区 免费中文字幕精品一区二区 视频,狠狠爱俺也色,天天好逼网,日韩制服丝袜,国产女人大象蕉视频在线观看,国产 精品 自在 线免费,午夜时刻在线观看