ATT&CK-CN V1.01 Last Update: 2019-11

Translators: 林妙倩 (cyberspace security intern, Institute for Network Sciences and Cyberspace, Tsinghua University), 戴亦侖 (賽寧網安). This is an original translation; please obtain the translators' consent before reposting it.

Data source: ATT&CK Matrices

Original: https://attack.mitre.org/techniques/T1505

Glossary: /attack/glossary

Server Software Component

Adversaries may abuse legitimate extensible development features of server applications to establish persistent access to systems. Enterprise server applications may include features that allow application developers to write and install software to extend the functionality of the main application. Adversaries may install malicious software components to maliciously extend and abuse server applications.

Transport Agent

Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails.[1][2] Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequently registered with the Exchange server. Transport agents will be invoked during a specified stage of email processing and carry out developer-defined tasks.

Adversaries may register a malicious transport agent to provide a persistence mechanism in Exchange Server that can be triggered by adversary-specified email events.[2] Though a malicious transport agent may be invoked for all emails passing through the Exchange transport pipeline, the agent can be configured to only carry out specific tasks in response to adversary-defined criteria. For example, the transport agent may only carry out an action like copying in-transit attachments and saving them for later exfiltration if the recipient email address matches an entry on a list provided by the adversary.
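Because every transport agent is a .NET assembly registered with the server, the registration list itself is the audit surface. The following script is an added example (not code from MITRE or the ATT&CK-CN page) that enumerates registered agents in the Exchange Management Shell and flags any whose assembly is missing, lives outside the expected directories, or is unsigned or signed by an unexpected publisher; the signer subjects and trusted directories are placeholders you must set for your environment.

```powershell
# Added example, not code from MITRE or the ATT&CK-CN page: audit the transport agents
# registered on an Exchange server. Run in the Exchange Management Shell.
# Assumptions: $ExpectedSigners holds the certificate subjects you expect on agent
# assemblies (placeholders below); $TrustedRoots are directories agent DLLs may live in.
$ExpectedSigners = @('CN=Microsoft Corporation', 'CN=Contoso Code Signing')   # placeholders
$TrustedRoots    = @($env:ExchangeInstallPath)   # set by Exchange setup; add your own paths

function Test-TransportAgentAssembly {
    param([Parameter(Mandatory)] $Agent)   # one object from Get-TransportAgent

    $path     = $Agent.AssemblyPath
    $findings = @()

    if (-not (Test-Path -LiteralPath $path)) {
        $findings += "assembly file missing: $path"
    } else {
        # Agents loaded from outside the Exchange install tree deserve a second look
        $inTrustedRoot = $TrustedRoots | Where-Object { $_ -and $path -like "$_*" }
        if (-not $inTrustedRoot) { $findings += "assembly outside trusted directories: $path" }

        # Authenticode: unsigned, tampered, or signed by a publisher we did not expect
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            $findings += "signature status: $($sig.Status)"
        } else {
            $subject = $sig.SignerCertificate.Subject
            $known   = $ExpectedSigners | Where-Object { $subject -like "*$_*" }
            if (-not $known) { $findings += "unexpected signer: $subject" }
        }
    }

    [pscustomobject]@{
        Agent    = $Agent.Identity
        Enabled  = $Agent.Enabled
        Priority = $Agent.Priority
        Factory  = $Agent.TransportAgentFactory
        Path     = $path
        Findings = ($findings -join '; ')
    }
}

# Get-TransportAgent returns every agent registered on this server, including any an
# adversary added with Install-TransportAgent. Review every row that carries a finding.
Get-TransportAgent |
    ForEach-Object { Test-TransportAgentAssembly -Agent $_ } |
    Where-Object { $_.Findings } |
    Format-Table -AutoSize
```

Run it on each transport server and compare the output against a baseline taken after installation; a new row is exactly the change the Audit and Code Signing mitigations below are meant to catch.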

SQL Stored Procedures

SQL stored procedures are code that can be saved and reused so that database users do not waste time rewriting frequently used SQL queries. Stored procedures can be invoked via SQL statements to the database using the procedure name or via defined events (e.g. when a SQL server application is started/restarted). Adversaries may craft malicious stored procedures that can provide a persistence mechanism in SQL database servers.[3][4] To execute operating system commands through SQL syntax the adversary may have to enable additional functionality, such as xp_cmdshell for MSSQL Server.

Microsoft SQL Server can enable common language runtime (CLR) integration. With CLR integration enabled, application developers can write stored procedures using any .NET framework language (e.g. VB .NET, C#, etc.).[6] Adversaries may craft or modify CLR assemblies that are linked to stored procedures; these CLR assemblies can be made to execute arbitrary commands.

Tags

ID: T1505

Tactic: Persistence

Platforms: Windows, Linux

Permissions Required: Administrator, SYSTEM, root

Data Sources: File monitoring, Application logs

Procedure Examples

Name  Description
LightNeuron (S0395)  LightNeuron (S0395) uses a malicious Microsoft Exchange transport agent for persistence.[2]

Mitigations

Mitigation  Description
Audit (M1047)  Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made.
Code Signing (M1045)  Ensure all application component binaries are signed by the correct application developers.
Privileged Account Management (M1026)  Do not allow administrator accounts that have permissions to add component software on these services to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.

Detection

Consider monitoring application logs for abnormal behavior that may indicate suspicious installation of application software components. Consider monitoring file locations associated with the installation of new application software components, such as paths from which applications typically load such extensible components. On MSSQL Server, consider monitoring for xp_cmdshell usage.
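For the SQL Server side of both the SQL Stored Procedures section and the detection guidance above, the following script is an added example (not code from MITRE or the ATT&CK-CN page) that pulls the relevant catalog state from one instance in a single query: whether xp_cmdshell, CLR integration or OLE Automation is switched on, which procedures are marked to run at instance startup, and which user-defined CLR assemblies and CLR-backed procedures exist. It assumes the SqlServer PowerShell module and a login that can read the catalog views; the instance name is a placeholder.

```powershell
# Added example, not code from MITRE or the ATT&CK-CN page: audit one SQL Server
# instance for the footholds described above (xp_cmdshell, CLR, startup procedures).
# Requires the SqlServer module (Invoke-Sqlcmd) and a login allowed to read the
# catalog views in master. Assumption: $Instance is a placeholder for your instance.
$Instance = 'SQLHOST\INSTANCE'   # placeholder

$query = @"
-- features that let T-SQL launch OS commands or managed code (1 = enabled)
SELECT 'config' AS kind, name AS item, CAST(value_in_use AS varchar(10)) AS detail
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'clr enabled', 'Ole Automation Procedures')
UNION ALL
-- procedures marked to run every time the instance starts (must live in master)
SELECT 'startup proc', QUOTENAME(SCHEMA_NAME(schema_id)) + '.' + QUOTENAME(name),
       CONVERT(varchar(30), modify_date, 120)
FROM master.sys.procedures
WHERE OBJECTPROPERTY(object_id, 'ExecIsStartup') = 1
UNION ALL
-- user-supplied CLR assemblies in the current database (repeat per database)
SELECT 'clr assembly', name, permission_set_desc
FROM sys.assemblies
WHERE is_user_defined = 1
UNION ALL
-- CLR procedures/functions and the assembly method each one calls
SELECT 'clr proc', QUOTENAME(SCHEMA_NAME(o.schema_id)) + '.' + QUOTENAME(o.name),
       a.name + '::' + m.assembly_class + '.' + m.assembly_method
FROM sys.assembly_modules m
JOIN sys.objects    o ON o.object_id   = m.object_id
JOIN sys.assemblies a ON a.assembly_id = m.assembly_id
WHERE o.type IN ('PC', 'FS', 'FT', 'AF');
"@

function Get-SqlPersistenceFindings {
    param([string]$ServerInstance, [string]$Database = 'master')
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $query |
        ForEach-Object {
            $row = $_
            # config rows only matter when switched on; every other row is worth review
            $worthReview = if ($row.kind -eq 'config') { $row.detail -eq '1' } else { $true }
            if ($worthReview) { $row }
        }
}

Get-SqlPersistenceFindings -ServerInstance $Instance | Format-Table kind, item, detail -AutoSize
```

Run the function once per database for the CLR rows, and keep the output as a baseline so that a newly enabled xp_cmdshell, a new startup procedure or an unfamiliar assembly stands out on the next run.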
