
ATT&CK-CN V1.01 Last Update: 2019-11

Translators: Lin Miaoqian (cybersecurity intern, Institute for Network Sciences and Cyberspace, Tsinghua University) and Dai Yilun (賽寧網安). Original translation; please obtain the translators' consent before reposting.

Data source: ATT&CK Matrices

Original: https://attack.mitre.org/techniques/T1490

Glossary: /attack/glossary

Inhibit System Recovery

Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system, in order to prevent recovery. Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of Data Destruction and Data Encrypted for Impact.

A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:

• vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet
• Windows Management Instrumentation (T1047) can be used to delete volume shadow copies - wmic shadowcopy delete
• wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet
• bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set bootstatuspolicy ignoreallfailures & bcdedit /set recoveryenabled no

Mitigations

Mitigation | Description
Data Backup | Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. Ensure backups are stored off system and are protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.
Operating System Configuration | Consider technical controls to prevent the disabling of services or deletion of files involved in system recovery.

Detection

Use process monitoring to monitor the execution and command line parameters of binaries involved in inhibiting system recovery, such as vssadmin, wbadmin, and bcdedit. Windows event logs (e.g. Event ID 524, indicating a system catalog was deleted) may contain entries associated with suspicious activity.

Monitor the status of services involved in system recovery. Monitor the registry for changes associated with system recovery features (e.g. the creation of HKEY_CURRENT_USER\Software\Policies\Microsoft\PreviousVersions\DisableLocalPage).
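Detection logic for the indicators above, as an added example that is not part of the ATT&CK page or its translation: a Python script that classifies constructed process-creation and registry events (Sysmon-style dicts, an assumed telemetry shape) against the command lines and registry value this technique lists, and shows that a benign `vssadmin list shadows` does not alert.

```python
import re

# Case-insensitive patterns for the recovery-inhibiting command lines this page lists
# (T1490); keys name the behaviour, values are matched against the full command line.
INHIBIT_RECOVERY_PATTERNS = {
    "vssadmin delete shadows": r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b",
    "wmic shadowcopy delete": r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b",
    "wbadmin delete catalog": r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b",
    "bcdedit bootstatuspolicy ignoreallfailures":
        r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\b.*\bignoreallfailures\b",
    "bcdedit recoveryenabled no": r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b",
}
COMPILED = {name: re.compile(rx, re.I) for name, rx in INHIBIT_RECOVERY_PATTERNS.items()}
# Registry value this page names as a system-recovery-related change.
RECOVERY_REGISTRY_VALUE = re.compile(
    r"\\Software\\Policies\\Microsoft\\PreviousVersions\\DisableLocalPage$", re.I)

def classify_command_line(cmdline):
    """Return the T1490 behaviours matched by one command line; a chained line such as
    'cmd /c bcdedit ... & bcdedit ...' can match more than one."""
    return [name for name, rx in COMPILED.items() if rx.search(cmdline)]

def scan_events(events):
    """Scan constructed process-creation and registry events (Sysmon-like dicts, an
    assumed shape) and return one alert per suspicious event, in event order."""
    alerts = []
    for ev in events:
        if ev["type"] == "process":
            hits = classify_command_line(ev["cmdline"])
        elif ev["type"] == "registry" and RECOVERY_REGISTRY_VALUE.search(ev["target"]):
            hits = ["PreviousVersions DisableLocalPage policy set"]
        else:
            hits = []
        if hits:
            alerts.append({"image": ev["image"], "parent": ev["parent"], "hits": hits})
    return alerts

# Constructed sample telemetry; the 'list shadows' event is benign and must not alert.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe", "parent": "cmd.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe", "parent": "cmd.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe", "parent": "unknown.exe",
     "cmdline": "cmd.exe /c bcdedit.exe /set bootstatuspolicy ignoreallfailures"
                " & bcdedit /set recoveryenabled no"},
    {"type": "registry", "image": r"C:\Users\Public\sample.exe", "parent": "explorer.exe",
     "target": r"HKEY_CURRENT_USER\Software\Policies\Microsoft\PreviousVersions\DisableLocalPage"},
]
```

Backup tooling can legitimately delete old shadow copies, so in production tune on the parent process and the originating image rather than on the command line alone.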
