
ATT&CK-CN V1.01 Last Update: 2019-11 [Back to index]

Translators: Lin Miaoqian (cybersecurity intern, Institute for Network Sciences and Cyberspace, Tsinghua University), Dai Yilun (Cyberpeace, 賽寧網安). Original translation; please obtain the translators' consent before reposting.

Data source: ATT&CK Matrices

Original: https://attack.mitre.org/techniques/T1500

Glossary: /attack/glossary

Compile After Delivery

Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Similar to Obfuscated Files or Information (T1027), text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution, typically via native utilities such as csc.exe or GCC/MinGW.

Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a Spearphishing Attachment (T1193). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.

Procedure Examples

Name                  Description
Cardinal RAT (S0348)  Cardinal RAT (S0348) and its watchdog component are compiled and executed after being delivered to victims as embedded, uncompiled source code.
MuddyWater (G0069)    MuddyWater (G0069) has used the .NET csc.exe tool to compile executables from downloaded C# code.

Mitigation

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Monitor the execution file paths and command-line arguments for common compilers, such as csc.exe and GCC/MinGW, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior. The compilation of payloads may also generate file creation and/or file write events. Look for non-native binary formats and cross-platform compiler and execution frameworks like Mono and determine if they have a legitimate purpose on the system. Typically these should only be used in specific and limited cases, like for software development.
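The detection guidance above, worked through as an added example that is not part of the ATT&CK page or MITRE's tooling: compiler launches (csc.exe, GCC/MinGW, Mono) are scored against the corroborating signals the text names (staging-directory paths on the command line, a non-developer parent process, and a file-creation event shortly afterwards on the same host) so that ordinary build-tool activity is not alerted on. The event layout, the sample paths and the score weights are assumptions.

```python
# Added example, not from the ATT&CK page: field names, sample paths and weights are assumptions.
import re
from collections import namedtuple
Event = namedtuple("Event", "ts host kind path cmdline parent")
# Compilers and execution frameworks named on the page: csc.exe, GCC/MinGW, Mono (mcs/mono).
COMPILERS = re.compile(r"(?:^|[\\/])(?:csc|gcc|g\+\+|cc|mingw32-gcc|mcs|mono)(?:\.exe)?$", re.I)
# User-writable staging directories where delivered source and fresh binaries tend to land.
STAGING = re.compile(r"\\Temp\\|\\AppData\\|\\Downloads\\|(?:^|\s)/(?:tmp|var/tmp|dev/shm)/", re.I)
# Parents with little reason to compile (office apps, script hosts) vs. ordinary build tools.
USER_APP_PARENTS = re.compile(r"(?:winword|excel|outlook|powershell|pwsh|wscript|cscript|mshta)\.exe$", re.I)
DEV_PARENTS = re.compile(r"(?:devenv|msbuild|make|ninja|cmake)(?:\.exe)?$", re.I)
# Constructed sample telemetry (not real logs): process-creation and file-creation events.
EVENTS = [
    Event(100, "ws1", "process", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
          r"csc.exe /out:C:\Users\u\AppData\Local\Temp\a.exe C:\Users\u\AppData\Local\Temp\a.cs",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    Event(103, "ws1", "file", r"C:\Users\u\AppData\Local\Temp\a.exe", "", ""),
    Event(200, "dev2", "process", r"C:\Program Files\dotnet\sdk\Roslyn\csc.exe",
          r"csc.exe /out:C:\src\app\bin\app.exe C:\src\app\main.cs", r"C:\Program Files\MSBuild\MSBuild.exe"),
    Event(300, "ws3", "process", "/usr/bin/gcc", "gcc -o /tmp/.x /tmp/.x.c", "/bin/bash"),
]

def score_compile(e, events, window=30):
    """Score one compiler launch: each corroborating signal adds 1, a build-tool parent subtracts 1."""
    reasons = []
    if STAGING.search(e.cmdline):
        reasons.append("source or output under a user-writable staging directory")
    if USER_APP_PARENTS.search(e.parent):
        reasons.append("spawned by a script host or user application: " + e.parent)
    # Correlate with file creation: a new file in a staging dir on the same host shortly after.
    for f in events:
        if f.kind == "file" and f.host == e.host and e.ts <= f.ts <= e.ts + window and STAGING.search(f.path):
            reasons.append("compiled output written to " + f.path)
            break
    score = len(reasons)
    if DEV_PARENTS.search(e.parent):
        reasons.append("launched by a build tool, likely development activity")
        score -= 1
    return score, reasons

def triage(events, threshold=2):
    """Return (host, compiler, score, reasons) for every compiler launch at or above threshold."""
    hits = []
    for e in events:
        if e.kind == "process" and COMPILERS.search(e.path):
            score, reasons = score_compile(e, events)
            if score >= threshold:
                hits.append((e.host, e.path, score, reasons))
    return hits
```

With the default threshold of 2 only the csc.exe launch from PowerShell on ws1 is reported; lowering the threshold to 1 also surfaces the lone gcc build in /tmp on ws3, while the MSBuild-driven compile on dev2 scores below zero either way.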
