ATT&CK-CN V1.01 Last Update: 2019-11 [Back to index]

Translators: 林妙倩 (cyberspace security intern, Institute for Network Sciences and Cyberspace, Tsinghua University), 戴亦侖 (賽寧網安). This is an original translation; please obtain the translators' consent before reproducing it.

Data source: ATT&CK Matrices

Original: https://attack.mitre.org/techniques/T1527

Glossary: /attack/glossary

Application Access Token

Adversaries may use application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users and used in lieu of login credentials.

Application access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS). OAuth is one commonly implemented framework that issues tokens to users for access to systems. These frameworks are used collaboratively to verify the user and determine what actions the user is allowed to perform. Once identity is established, the token allows actions to be authorized without passing the actual credentials of the user. Therefore, compromise of the token can grant the adversary access to resources of other sites through a malicious application.

For example, with a cloud-based email service, once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a "refresh" token enabling background access is awarded. With an OAuth access token an adversary can use the user-granted REST API to perform functions such as email searching and contact enumeration.

Compromised access tokens may be used as an initial step in compromising other services. For example, if a token grants access to a victim's primary email, the adversary may be able to extend access to all other services to which the target subscribes by triggering forgotten-password routines. Direct API access through a token negates the effectiveness of a second authentication factor and may be immune to intuitive countermeasures like changing passwords. Access abuse over an API channel can be difficult to detect even from the service provider end, as the access can still align well with a legitimate workflow.

Tags

ID: T1527

Tactics: Defense Evasion, Lateral Movement

Platforms: SaaS, Office 365

Permissions Required: User

Data Sources: OAuth audit logs, Office 365 account logs

Defense Bypassed: Multi-Factor Authentication, Logon Credentials

Procedure Examples

Name | Description
APT28 (G0007) | APT28 (G0007) has used several malicious applications that abused OAuth access tokens to gain access to target email accounts, including Gmail and Yahoo Mail.

Mitigations

Mitigation | Description
Audit (M1047) | Administrators can set up a variety of logs and leverage audit tools to monitor actions that can be conducted as a result of OAuth 2.0 access. For instance, audit reports enable admins to identify privilege escalation actions such as role creations or policy modifications, which could be actions performed after initial access.
Encrypt Sensitive Information (M1041) | File encryption should be enforced across email communications containing sensitive information that may be obtained through access to email services.
Restrict Web-Based Content (M1021) | Update corporate policies to restrict what types of third-party applications may be added to any online service or tool that is linked to the company's information, accounts or network (example: Google, Microsoft, Dropbox, Basecamp, GitHub). However, rather than providing high-level guidance on this, be extremely specific: include a list of pre-approved applications and deny all others not on the list. Administrators may also block end-user consent through administrative portals, such as the Azure Portal, disabling users from authorizing third-party apps through OAuth and forcing administrative consent.

Detection

Monitor access token activity for abnormal use and permissions granted to unusual or suspicious applications. Administrators can set up a variety of logs and leverage audit tools to monitor actions that can be conducted as a result of OAuth 2.0 access. For instance, audit reports enable admins to identify privilege escalation actions such as role creations or policy modifications, which could be actions performed after initial access.
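As an added example (not part of the ATT&CK page or the translators' work), the following Python applies the allow-list check from the Mitigations section and the consent-monitoring idea from the Detection section to a constructed set of OAuth consent-grant audit records. The record fields, app IDs, and scope names are assumptions made for this example, not any provider's real export schema.

```python
import json
from collections import Counter
from typing import Dict, List

# Constructed sample of OAuth consent-grant audit records (newline-delimited JSON).
# Field names and values are assumed for this example, not a real provider's schema.
SAMPLE_LOG = """
{"ts":"2019-11-04T09:12:03Z","user":"alice@example.com","app_id":"app-1111","app_name":"Corp Calendar Sync","scopes":["Calendars.Read"],"offline_access":false}
{"ts":"2019-11-04T09:15:41Z","user":"bob@example.com","app_id":"app-9999","app_name":"Mail Defender","scopes":["Mail.Read","Contacts.Read"],"offline_access":true}
{"ts":"2019-11-04T09:20:10Z","user":"carol@example.com","app_id":"app-2222","app_name":"HR Portal","scopes":["User.Read"],"offline_access":false}
{"ts":"2019-11-04T10:02:55Z","user":"dave@example.com","app_id":"app-9999","app_name":"Mail Defender","scopes":["Mail.ReadWrite","Contacts.Read"],"offline_access":true}
"""

# The specific pre-approved application list the mitigation text calls for (constructed).
APPROVED_APP_IDS = {"app-1111", "app-2222"}
# Scopes that hand the token holder the mailbox and contact access the technique abuses.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Contacts.Read"}

def parse_consents(raw: str) -> List[Dict]:
    """Parse newline-delimited JSON consent records, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]

def assess_consent(rec: Dict) -> List[str]:
    """Return findings for one consent record; an empty list means nothing to flag."""
    findings = []
    if rec["app_id"] not in APPROVED_APP_IDS:
        findings.append("app not on pre-approved list")
    risky = sorted(HIGH_RISK_SCOPES.intersection(rec["scopes"]))
    if risky:
        findings.append("high-risk scopes granted: " + ", ".join(risky))
    if rec["offline_access"] and risky:
        # A refresh token plus a mailbox scope is the long-term background access
        # described above; a password change alone does not revoke it.
        findings.append("refresh token enables persistent mailbox access")
    return findings

def find_suspicious_consents(raw: str) -> List[Dict]:
    """Run the checks over every record and keep those with at least one finding."""
    flagged = []
    for rec in parse_consents(raw):
        findings = assess_consent(rec)
        if findings:
            flagged.append({"ts": rec["ts"], "user": rec["user"],
                            "app_id": rec["app_id"], "findings": findings})
    return flagged

def consents_per_app(raw: str) -> Dict[str, int]:
    """Count flagged consents per app: one unapproved app collecting many consents stands out."""
    return dict(Counter(r["app_id"] for r in find_suspicious_consents(raw)))
```

Feeding `find_suspicious_consents(SAMPLE_LOG)` to a SIEM or ticketing step, rather than printing it, is the realistic next step; the per-app count is what surfaces a consent-phishing campaign hitting several users.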
