Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.[1][2][3]
攻撃者は、特定のイベントに応じて実行するシステム機構を使用して、永続性を確立したり、権限を昇格させたりすることがあります。様々なOSが、ログオンなどのイベントや、特定のアプリケーション/バイナリを実行するなどのユーザーアクティビティを監視し、登録するための手段を備えています。クラウド環境は、さまざまな機能やサービスをサポートします。それは、特定のクラウドイベントを監視し、それに応答して実行されることがあります。
Adversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system,
adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.[4][5][6]
攻撃者は、悪意のあるコードを繰り返し実行することで、被害者への持続的なアクセス を維持する手段として、これらのメカニズムを悪用することがあります。攻撃者は、被害者システムにアクセスした後、イベントトリガーが発生するたびに悪意のあるコンテンツを実行するよう、イベントトリガーを作成/変更することがあります。
Since the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution
mechanisms to escalate their privileges.
実行は、SYSTEMやサービスアカウントなど、より高い権限を持つアカウントによって代行されるため、攻撃者はこれらのトリガーによる実行メカニズムを悪用して、特権を昇格させることができるかもしれません。
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0025 | Cloud Service | Cloud Service Modification |
Monitor the creation and modification of cloud resources that may be abused for persistence, such as functions and workflows monitoring cloud events. |
| DS0017 | Command | Command Execution |
Monitor executed commands and arguments that may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. |
| DS0022 | File | File Creation |
Monitor newly constructed files that may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. |
| File Metadata |
Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc. |
||
| File Modification |
Monitor for changes made to files that may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. |
||
| DS0011 | Module | Module Load |
Monitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Look for abnormal process behavior that may be due
to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as making
network connections for Command and Control, learning details about the environment through Discovery, and conducting Lateral Movement. |
| DS0009 | Process | Process Creation |
Tools such as Sysinternals Autoruns can be used to detect changes to execution triggers that could be attempts at persistence. Also look for abnormal process call trees for execution of other commands that could relate to Discovery actions or other techniques. |
| DS0024 | Windows Registry | Windows Registry Key Modification |
Monitor for changes made to windows registry keys and/or values that may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. |
| DS0005 | WMI | WMI Creation |
Monitor for newly constructed WMI Objects that may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. |