<noframes id="vfxvr">


ATT&CK-CN V1.01 Last Update: 2019-11

Translators: Lin Miaoqian (cyberspace security intern, Institute for Network Sciences and Cyberspace, Tsinghua University) and Dai Yilun (賽寧網安). This is an original translation; please obtain the translators' consent before republishing.

Data source: ATT&CK Matrices

Original: https://attack.mitre.org/techniques/T1501

Glossary: /attack/glossary

Systemd Service

Systemd services can be used to establish persistence on a Linux system. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources. Systemd is the default initialization (init) system on many Linux distributions, starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7 and Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with them.

Systemd uses configuration files known as service units to control how services start and under what conditions. By default, these unit files are stored in the /etc/systemd/system and /usr/lib/systemd/system directories and have the file extension .service. Each service unit file may contain numerous directives that execute system commands:

• ExecStart, ExecStartPre and ExecStartPost cover commands run when a service is started, whether manually via 'systemctl' or at system boot if the service is enabled to start automatically.
• ExecReload covers commands run when the service is asked to reload its configuration (for example via 'systemctl reload').
• ExecStop and ExecStopPost cover commands run when a service stops, whether on its own or when stopped manually via 'systemctl'.

Adversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at recurring points, such as system boot.

While adversaries typically require root privileges to create or modify service unit files in /etc/systemd/system and /usr/lib/systemd/system, low-privilege users can create or modify unit files under ~/.config/systemd/user/ to achieve user-level persistence.
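To make the directive list and the root/user split concrete, the following POSIX shell script is an added example (not code from the ATT&CK page nor from any of the malware families listed below). It renders a service unit that exercises every Exec* directive described above, picks the install directory by whether the caller is root, and prints the systemctl invocation that would activate it. The unit name persist_demo and the payload path /usr/local/bin/beacon.sh are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: render and install a systemd service unit that uses the Exec*
# directives described above. Names below (persist_demo, beacon.sh) are hypothetical.

# unit_dir_for_uid UID -> directory a caller with that UID can write units into
unit_dir_for_uid() {
    if [ "$1" -eq 0 ]; then
        echo /etc/systemd/system            # root: system-wide, runs as root at boot
    else
        echo "${HOME}/.config/systemd/user" # anyone else: per-user tree, runs as that user
    fi
}

# wanted_target DIR -> the target a unit in DIR is normally hooked into
wanted_target() {
    case $1 in
        /etc/systemd/system|/usr/lib/systemd/system) echo multi-user.target ;;
        *) echo default.target ;;           # user instances have no multi-user.target
    esac
}

# render_unit NAME COMMAND TARGET -> unit file text on stdout
render_unit() {
    name=$1; cmd=$2; target=$3
    cat <<EOF
[Unit]
Description=${name} (constructed example unit)
After=network.target

[Service]
Type=simple
ExecStartPre=/usr/bin/logger "${name}: about to start"
ExecStart=${cmd}
ExecStartPost=/usr/bin/logger "${name}: started"
ExecReload=/bin/kill -HUP \$MAINPID
ExecStop=/bin/kill -TERM \$MAINPID
ExecStopPost=/usr/bin/logger "${name}: stopped"
Restart=always
RestartSec=30

[Install]
WantedBy=${target}
EOF
}

# write_unit NAME COMMAND [DIR] -> writes DIR/NAME.service and prints its path
write_unit() {
    name=$1; cmd=$2; dir=${3:-$(unit_dir_for_uid "$(id -u)")}
    mkdir -p "$dir"
    render_unit "$name" "$cmd" "$(wanted_target "$dir")" > "$dir/$name.service"
    chmod 644 "$dir/$name.service"
    echo "$dir/$name.service"
}

# enable_cmd DIR NAME -> the systemctl invocation that activates the unit now and at boot
enable_cmd() {
    case $1 in
        /etc/systemd/system|/usr/lib/systemd/system)
            echo "systemctl daemon-reload && systemctl enable --now $2" ;;
        *)
            echo "systemctl --user daemon-reload && systemctl --user enable --now $2" ;;
    esac
}

# Usage (not executed here): unit=$(write_unit persist_demo /usr/local/bin/beacon.sh)
#                            eval "$(enable_cmd "$(dirname "$unit")" persist_demo)"
```

Restart=always plus RestartSec is what makes the persistence survive the payload being killed rather than just rebooted. A user-level unit only runs while that user's systemd instance is up, i.e. after login, unless lingering is enabled for the account (loginctl enable-linger USER); an enable-linger setting on an account that never logs in interactively deserves a second look.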

Tags

ID: T1501

Tactic: Persistence

Platform: Linux

Permissions Required: root, User

Data Sources: Process command-line parameters, Process monitoring, File monitoring

Procedure Examples

Name  Description
Exaramel for Linux (S0401)  Exaramel for Linux has a hardcoded location under systemd that it uses to achieve persistence if it is running as root.
Fysbis (S0410)  Fysbis has established persistence using a systemd service.
Pupy (S0192)  Pupy can be used to establish persistence using a systemd service.

Mitigations

Mitigation  Description
Limit Software Installation (M1033)  Restrict software installation to trusted repositories only and be cautious of orphaned software packages.
Privileged Account Management (M1026)  The creation and modification of systemd service unit files is generally reserved for administrators such as the Linux root user and other users with superuser privileges.
Restrict File and Directory Permissions (M1022)  Restrict read/write access to systemd unit files to only select privileged users who have a legitimate need to manage system services.
User Account Management (M1018)  Limit user access to system utilities such as 'systemctl' to only users who have a legitimate need.

Detection

Systemd service unit files may be detected by auditing file creation and modification events within the /etc/systemd/system and /usr/lib/systemd/system/ directories and within ~/.config/systemd/user/ under each user's home directory, as well as associated symbolic links. Suspicious processes or scripts spawned from a system-wide unit will have a parent process of 'systemd' with process ID 1 and will usually execute as the 'root' user. Processes spawned from a user-level unit are instead children of that user's own 'systemd --user' instance (not PID 1) and run with that user's privileges, so a detection keyed only on PPID 1 and root will miss them.

Suspicious systemd services can also be identified by comparing results against a trusted system baseline. Malicious systemd services may be detected by using the systemctl utility to examine system-wide services: systemctl list-units --type=service --all (add --user to enumerate the calling user's units). Analyze the contents of .service files present on the file system and ensure that they refer to legitimate, expected executables.

Auditing the execution and command-line arguments of the 'systemctl' utility, as well as related utilities such as /usr/sbin/service, may reveal malicious systemd service execution.
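The file-based checks above can be scripted. The following POSIX shell audit is an added example (not an ATT&CK-provided detection): it walks the system-wide and per-user unit directories, pulls every Exec* directive out of each .service file, and reports directives whose executable lives in a world-writable or home path, invokes a downloader or decoder, or uses a relative path. The directory list, the path and keyword heuristics, and the optional ROOT argument (for running against a mounted disk image) are this example's own assumptions, to be tuned against your baseline rather than used as-is.

```shell
#!/bin/sh
# Added example: static audit of systemd unit files for the indicators discussed above.
# The heuristics (paths, keywords) are assumptions for illustration, not an ATT&CK rule.

# unit_dirs [ROOT] -> the system-wide and per-user unit directories, one per line.
# ROOT (default empty) lets the audit run against a mounted disk image.
unit_dirs() {
    root=${1:-}
    echo "$root/etc/systemd/system"
    echo "$root/usr/lib/systemd/system"
    for d in "$root"/home/*/.config/systemd/user "$root"/root/.config/systemd/user; do
        if [ -d "$d" ]; then echo "$d"; fi
    done
}

# exec_lines FILE -> "DIRECTIVE<TAB>COMMAND" for every Exec* directive in FILE
exec_lines() {
    tab=$(printf '\t')
    sed -n "s/^[[:space:]]*\(Exec[A-Za-z]*\)[[:space:]]*=[[:space:]]*\(.*\)\$/\1${tab}\2/p" "$1"
}

# classify COMMAND -> a reason on stdout if the command looks suspicious, nothing otherwise
classify() {
    cmd=$1
    # drop systemd's executable prefixes (-, @, +, !, !!, :) before reading the path
    exe=$(printf '%s\n' "$cmd" | sed 's/^[-@+!:]*//' | awk '{print $1}')
    case $exe in
        /tmp/*|/var/tmp/*|/dev/shm/*|/home/*|/root/*)
            echo "executable in writable or home path: $exe"; return ;;
    esac
    case $cmd in
        *curl*|*wget*|*"base64 -d"*|*"nc "*|*ncat*)
            echo "downloader or decoder in command: $cmd"; return ;;
    esac
    case $exe in
        /*) ;;                                   # absolute path, nothing else matched
        *)  echo "relative executable: $exe" ;;  # resolved via PATH at start time
    esac
}

# audit [ROOT] -> one tab-separated line per suspicious directive: FILE DIRECTIVE REASON
audit() {
    tab=$(printf '\t')
    unit_dirs "$1" | while read -r d; do
        [ -d "$d" ] || continue
        for f in "$d"/*.service; do
            [ -f "$f" ] || continue
            exec_lines "$f" | while IFS="$tab" read -r directive cmd; do
                reason=$(classify "$cmd")
                if [ -n "$reason" ]; then
                    printf '%s\t%s\t%s\n' "$f" "$directive" "$reason"
                fi
            done
        done
    done
}

# Usage (not executed here): audit | column -t -s "$(printf '\t')"
# Cross-check against what is actually loaded: systemctl list-units --type=service --all
```

The static pass and the live systemctl listing complement each other: a unit dropped on disk but not yet enabled shows up only in the file audit, while a transient unit created with systemd-run shows up only in the live listing. Both outputs should be diffed against a known-good baseline of the same host type, since legitimate packages do occasionally ship units that match one of these heuristics.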
