<noframes id="vfxvr">


          ATT&CK-CN V1.01 Last Update: 2019-11

          Translators: 林妙倩 (Lin Miaoqian, cybersecurity intern, Institute for Network Sciences and Cyberspace, Tsinghua University) and 戴亦侖 (Dai Yilun, 賽寧網安 / Cyberpeace). Original translation; please obtain the translators' consent before reposting.

          Data source: ATT&CK Matrices

          Original: https://attack.mitre.org/techniques/T1502

          Glossary: /attack/glossary

          Parent PID Spoofing

          Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use.[1] This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.

          Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of PowerShell (T1086)/Rundll32 (T1085) to be explorer.exe rather than an Office document delivered as part of Spearphishing Attachment (T1193). This spoofing could be executed via VBA Scripting (T1064) within a malicious Office document or any code that can perform Execution through API (T1106).

          Explicitly assigning the PPID may also enable Privilege Escalation (TA0004) (given appropriate access rights to the parent process). For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe), causing the new process to be elevated via the inherited access token.

          Tags

          ID: T1502

          Tactics: Defense Evasion, Privilege Escalation

          Platform: Windows

          Permissions Required: User, Administrator

          Data Sources: Windows event logs, Process monitoring, API monitoring

          Defense Bypassed: Host forensic analysis, Heuristic detection

          Procedure Examples

          Name Description
          Cobalt Strike (S0154) Cobalt Strike (S0154) can spawn processes with alternate PPIDs.

          Mitigation

          This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

          Detection

          Look for inconsistencies between the various fields that store PPID information, such as the EventHeader ProcessId from data collected via Event Tracing for Windows (ETW), the Creator Process ID/Name from Windows event logs, and the ProcessID and ParentProcessID (which are also produced by ETW and by other utilities such as Task Manager and Process Explorer). The ETW-provided EventHeader ProcessId identifies the actual parent process.

          Monitor and analyze API calls to CreateProcess/CreateProcessA, specifically those from user/potentially malicious processes and with parameters explicitly assigning PPIDs (ex: the Process Creation Flags of 0x8XXX, indicating that the process is being created with extended startup information). Malicious use of CreateProcess/CreateProcessA may also be preceded by a call to UpdateProcThreadAttribute, which may be necessary to update process creation attributes. This may generate false positives from normal UAC elevation behavior, so compare to a system baseline/understanding of normal system activity if possible.
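As an added example (not from the ATT&CK page or the ATT&CK-CN translation), the following Python triage routine applies the field-inconsistency check above to constructed process-creation records: `creator_pid` stands in for the ETW EventHeader ProcessId, `parent_pid` for the logged ParentProcessID, and `EXTENDED_STARTUPINFO_PRESENT` (0x00080000, the Windows SDK value behind the "0x8XXX" flag class mentioned above) is the creation flag to watch; a mismatch whose real creator is a UAC broker (svchost.exe or consent.exe) is downgraded to baseline noise, as the false-positive note recommends.

```python
from dataclasses import dataclass

EXTENDED_STARTUPINFO_PRESENT = 0x00080000   # dwCreationFlags bit for STARTUPINFOEX (SDK value)
UAC_BROKERS = {"svchost.exe", "consent.exe"}  # real creators during legitimate UAC elevation

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    parent_pid: int     # ParentProcessID as written into the event
    creator_pid: int    # ETW EventHeader ProcessId: the process that actually called CreateProcess
    creator_image: str
    flags: int          # dwCreationFlags passed to CreateProcess

def classify(ev: ProcEvent) -> str:
    """Return 'ok', 'uac-elevation' or 'ppid-spoof' for one event."""
    if ev.parent_pid == ev.creator_pid:
        return "ok"             # fields agree; the extended-startupinfo flag alone is not evidence
    if ev.creator_image.lower() in UAC_BROKERS:
        return "uac-elevation"  # expected PPID reassignment; compare against the baseline instead
    return "ppid-spoof"

def triage(events: list[ProcEvent]) -> list[tuple[int, str, str]]:
    """Classify every event and describe spoof hits in terms of the claimed vs. real parent."""
    images: dict[int, str] = {e.pid: e.image for e in events}
    images.update({e.creator_pid: e.creator_image for e in events})
    results = []
    for e in events:
        verdict, detail = classify(e), ""
        if verdict == "ppid-spoof":
            detail = (f"{e.image} claims parent {images.get(e.parent_pid, '?')} (pid {e.parent_pid}) "
                      f"but was created by {e.creator_image} (pid {e.creator_pid})")
            if e.flags & EXTENDED_STARTUPINFO_PRESENT:
                detail += "; EXTENDED_STARTUPINFO_PRESENT set"
        results.append((e.pid, verdict, detail))
    return results

# Constructed sample telemetry: a Word document launching PowerShell with a spoofed explorer.exe
# parent, beside a benign UAC elevation and a benign launch that merely uses STARTUPINFOEX.
SAMPLE_EVENTS = [
    ProcEvent(4100, "winword.exe", 1200, 1200, "explorer.exe", 0x00000000),
    ProcEvent(5200, "powershell.exe", 1200, 4100, "winword.exe", 0x08080000),
    ProcEvent(6300, "cmd.exe", 1200, 900, "svchost.exe", 0x00080000),
    ProcEvent(7000, "notepad.exe", 1200, 1200, "explorer.exe", 0x00080000),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(*row)
```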
