侵害破坏
攻击者试图操纵、中断或破坏您的系统和数据。
影响包括攻击者用来通过操纵业务和操作流程来破坏可用性或损害完整性的技术。用于影响的技术可能包括销毁或篡改数据。在某些情况下,业务流程可能看起来不错,但可能已被更改以使对手的目标受益。攻击者可能会使用这些技术来实现其最终目标或为机密性违规提供掩护。
技术: 13
| 编号 | 名字 | 描述 | |
|---|---|---|---|
| T1531 | 帐户访问权限删除 | 攻击者可能会通过禁止访问合法用户使用的帐户来中断系统和网络资源的可用性。帐户可能会被删除、锁定或操纵(例如:更改凭据)以删除对帐户的访问权限。攻击者还可能随后注销和/或执行系统关机/重新启动以设置恶意更改。 | |
| T1485 | 数据销毁 | 攻击者可能会破坏特定系统上的数据和文件,或者破坏网络上的大量数据和文件,以中断系统、服务和网络资源的可用性。数据销毁可能会通过取证技术通过覆盖本地和远程驱动器上的文件或数据使存储的数据无法恢复。常见的操作系统文件删除命令,例如 和 通常只删除指向文件的指针,而不擦除文件本身的内容,使文件可以通过适当的取证方法恢复。此行为不同于磁盘内容擦除和磁盘结构擦除,因为单个文件被销毁,而不是存储磁盘的某些部分或磁盘的逻辑结构。del``rm |
|
| T1486 | 为影响而加密的数据 | 攻击者可能会加密目标系统上或网络中大量系统上的数据,以中断系统和网络资源的可用性。他们可以通过加密本地和远程驱动器上的文件或数据并拒绝访问解密密钥来尝试使存储的数据无法访问。这样做可能是为了从受害者那里获得金钱赔偿,以换取解密或解密密钥(勒索软件),或者在密钥未保存或传输的情况下使数据永久无法访问。 | |
| T1565 | 数据操作 | 攻击者可能会插入、删除或操纵数据以影响外部结果或隐藏活动,从而威胁数据的完整性。通过操纵数据,攻击者可能会试图影响业务流程、组织理解或决策。 | |
| .001 | 存储数据操作 | 攻击者可能会插入、删除或操作静态数据,以影响外部结果或隐藏活动,从而威胁数据的完整性。通过操纵存储的数据,攻击者可能会试图影响业务流程、组织理解和决策。 | |
| .002 | 传输数据操作 | 攻击者可能会在传输到存储或其他系统的途中更改数据,以操纵外部结果或隐藏活动,从而威胁到数据的完整性。通过操纵传输的数据,攻击者可能会试图影响业务流程、组织理解和决策。 | |
| .003 | 运行时数据操作 | 攻击者可能会修改系统,以便在访问数据并将其显示给最终用户时对其进行操作,从而威胁到数据的完整性。通过操作运行时数据,攻击者可能会尝试影响业务流程、组织理解和决策。 | |
| T1491 | 污损 | 攻击者可能会修改企业网络内部或外部可用的可视内容,从而影响原始内容的完整性。污损的原因包括传递消息、恐吓或声称(可能是虚假的)入侵信用。令人不安或令人反感的图像可能被用作污损的一部分,以引起用户的不适,或迫使遵守随附的消息。 | |
| .001 | 内部污损 | 攻击者可能会破坏组织内部的系统,试图恐吓或误导用户,从而破坏系统的完整性。这可以采取修改内部网站的形式,也可以通过更换桌面墙纸直接修改用户系统。令人不安或令人反感的图像可能被用作内部污损的一部分,以引起用户的不适,或迫使遵守随附的消息。由于内部污损系统会暴露对手的存在,因此它通常发生在其他入侵目标完成之后。 | |
| .002 | 外部污损 | 攻击者可能会破坏组织外部的系统,以试图传递消息、恐吓或以其他方式误导组织或用户。外部污损最终可能导致用户不信任系统并质疑/诋毁系统的完整性。面向外部的网站是污损的常见受害者;经常成为敌对和黑客团体的目标,以推动政治信息或传播宣传。外部污损可用作触发事件的催化剂,或作为对组织或政府所采取行动的响应。同样,网站污损也可以用作未来攻击(如偷渡式入侵)的设置或前兆。 | |
| T1561 | 磁盘擦除 | 攻击者可能会擦除或损坏特定系统上的原始磁盘数据或网络中的大量原始磁盘数据,以中断系统和网络资源的可用性。通过对磁盘的直接写入访问,攻击者可能会尝试覆盖部分磁盘数据。攻击者可能会选择擦除磁盘数据的任意部分和/或擦除磁盘结构,如主引导记录 (MBR)。可以尝试完全擦除所有磁盘扇区。 | |
| .001 | 磁盘内容擦除 | 攻击者可能会擦除特定系统上或网络中大量存储设备的内容,以中断系统和网络资源的可用性。 | |
| .002 | 磁盘结构擦除 | 攻击者可能会损坏或擦除启动系统所需的硬盘驱动器上的磁盘数据结构;针对特定的关键系统或网络中的大量系统,以中断系统和网络资源的可用性。 | |
| T1499 | 终端拒绝服务 | 攻击者可能会执行端点拒绝服务 (DoS) 攻击,以降低或阻止用户提供的服务。可以通过耗尽这些服务托管的系统资源或利用系统造成持续崩溃情况来执行端点 DoS。示例服务包括网站、电子邮件服务、DNS 和基于 Web 的应用程序。据观察,攻击者出于政治目的进行 DoS 攻击并支持其他恶意活动,包括分散注意力、黑客行动主义和勒索。 | |
| .001 | 操作系统耗尽泛滥 | 攻击者可能会针对终端的操作系统 (OS) 发起拒绝服务 (DoS) 攻击。系统的操作系统负责管理有限的资源,并防止整个系统因对其容量的过度需求而不堪重负。这些攻击不需要耗尽系统上的实际资源;攻击可能只是耗尽操作系统自我施加的限制和可用资源。 | |
| .002 | 服务耗尽泛滥 | 攻击者可能会以系统提供的不同网络服务为目标,以执行拒绝服务 (DoS)。攻击者通常以 DNS 和 Web 服务的可用性为目标,但其他攻击者也成为攻击目标。Web服务器软件可以通过多种方式受到攻击,其中一些通常适用,而另一些则特定于用于提供服务的软件。 | |
| .003 | 应用程序耗尽洪水 | 攻击者可能会以应用程序的资源密集型功能为目标,造成拒绝服务 (DoS),从而拒绝这些应用程序的可用性。例如,Web 应用程序中的特定功能可能占用大量资源。重复请求这些功能可能会耗尽系统资源并拒绝对应用程序或服务器本身的访问。 | |
| .004 | 应用程序或系统开发 | 攻击者可能会利用软件漏洞,这些漏洞可能导致应用程序或系统崩溃并拒绝用户的可用性。某些系统可能会在发生崩溃时自动重新启动关键应用程序和服务,但可能会再次利用它们来造成持续拒绝服务 (DoS) 情况。 | |
| T1495 | 固件损坏 | 攻击者可能会覆盖或损坏连接到系统的设备中的系统 BIOS 或其他固件的闪存内容,以使其无法运行或无法启动,从而拒绝使用这些设备和/或系统的可用性。固件是从硬件设备上的非易失性存储器加载和执行的软件,用于初始化和管理设备功能。这些设备可能包括主板、硬盘驱动器或视频卡。 | |
| T1490 | 抑制系统恢复 | 攻击者可能会删除或删除内置数据,并关闭旨在帮助恢复损坏的系统以防止恢复的服务。这可能会拒绝访问可用的备份和恢复选项。 | |
| T1498 | 网络拒绝服务 | 攻击者可能会执行网络拒绝服务 (DoS) 攻击,以降低或阻止用户获得目标资源。可以通过耗尽服务所依赖的网络带宽来执行网络 DoS。示例资源包括特定网站、电子邮件服务、DNS 和基于 Web 的应用程序。据观察,攻击者出于政治目的进行网络 DoS 攻击并支持其他恶意活动,包括分心、黑客行动主义和勒索。 | |
| .001 | 直接网络泛洪 | 攻击者可能会尝试通过直接向目标发送大量网络流量来造成拒绝服务 (DoS)。此 DoS 攻击还可能降低目标系统和网络的可用性和功能。直接网络泛洪是指使用一个或多个系统向目标服务的网络发送大量网络数据包。几乎任何网络协议都可用于泛洪。UDP 或 ICMP 等无状态协议是常用的,但也可以使用 TCP 等有状态协议。 | |
| .002 | 反射放大 | 攻击者可能会尝试通过将大量网络流量反映到目标来造成拒绝服务 (DoS)。这种类型的网络 DoS 利用托管并将响应给定欺骗源 IP 地址的第三方服务器中介。此第三方服务器通常称为反射器。攻击者通过使用受害者的欺骗地址向反射器发送数据包来完成反射攻击。与直接网络泛洪类似,可以使用多个系统进行攻击,或者可以使用僵尸网络。同样,可以使用一个或多个反射器将流量集中在目标上。此网络 DoS 攻击还可能降低目标系统和网络的可用性和功能。 | |
| T1496 | 资源劫持 | 攻击者可能会利用增选系统的资源来解决资源密集型问题,这可能会影响系统和/或托管服务的可用性。 | |
| T1489 | 服务停止 | 攻击者可能会停止或禁用系统上的服务,以使合法用户无法使用这些服务。停止关键服务或流程可能会抑制或停止对事件的响应,或有助于实现对手对环境造成破坏的总体目标。 | |
| T1529 | 系统关机/重启 | 攻击者可能会关闭/重新启动系统,以中断对这些系统的访问或帮助破坏这些系统。操作系统可能包含启动计算机或网络设备关闭/重新启动的命令。在某些情况下,这些命令还可用于通过网络设备 CLI 启动远程计算机或网络设备的关闭/重新启动(例如 )。reload |
The adversary is trying to manipulate, interrupt, or destroy your systems and data.
Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact can include destroying or tampering with data. In some cases, business processes can look fine, but may have been altered to benefit the adversaries’ goals. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach.
Techniques: 13
| ID | Name | Description | |
|---|---|---|---|
| T1531 | Account Access Removal | Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. Adversaries may also subsequently log off and/or perform a System Shutdown/Reboot to set malicious changes into place. | |
| T1485 | Data Destruction | Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives. Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from Disk Content Wipe and Disk Structure Wipe because individual files are destroyed rather than sections of a storage disk or the disk's logical structure. |
|
| T1486 | Data Encrypted for Impact | Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted. | |
| T1565 | Data Manipulation | Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making. | |
| .001 | Stored Data Manipulation | Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making. | |
| .002 | Transmitted Data Manipulation | Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data. By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making. | |
| .003 | Runtime Data Manipulation | Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus threatening the integrity of the data. By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making. | |
| T1491 | Defacement | Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for Defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages. | |
| .001 | Internal Defacement | An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper. Disturbing or offensive images may be used as a part of Internal Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished. | |
| .002 | External Defacement | An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. External Defacement may ultimately cause users to distrust the systems and to question/discredit the system’s integrity. Externally-facing websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda. External Defacement may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as Drive-by Compromise. | |
| T1561 | Disk Wipe | Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted. | |
| .001 | Disk Content Wipe | Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources. | |
| .002 | Disk Structure Wipe | Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources. | |
| T1499 | Endpoint Denial of Service | Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes and to support other malicious activities, including distraction, hacktivism, and extortion. | |
| .001 | OS Exhaustion Flood | Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS). A system's OS is responsible for managing the finite resources as well as preventing the entire system from being overwhelmed by excessive demands on its capacity. These attacks do not need to exhaust the actual resources on a system; the attacks may simply exhaust the limits and available resources that an OS self-imposes. | |
| .002 | Service Exhaustion Flood | Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). Adversaries often target the availability of DNS and web services, however others have been targeted as well. Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service. | |
| .003 | Application Exhaustion Flood | Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications. For example, specific features in web applications may be highly resource intensive. Repeated requests to those features may be able to exhaust system resources and deny access to the application or the server itself. | |
| .004 | Application or System Exploitation | Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent denial of service (DoS) condition. | |
| T1495 | Firmware Corruption | Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot, thus denying the availability to use the devices and/or the system. Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices may include the motherboard, hard drive, or video cards. | |
| T1490 | Inhibit System Recovery | Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery. This may deny access to available backups and recovery options. | |
| T1498 | Network Denial of Service | Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes and to support other malicious activities, including distraction, hacktivism, and extortion. | |
| .001 | Direct Network Flood | Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. This DoS attack may also reduce the availability and functionality of the targeted system(s) and network. Direct Network Floods are when one or more systems are used to send a high-volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well. | |
| .002 | Reflection Amplification | Adversaries may attempt to cause a denial of service (DoS) by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflectors may be used to focus traffic on the target. This Network DoS attack may also reduce the availability and functionality of the targeted system(s) and network. | |
| T1496 | Resource Hijacking | Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems, which may impact system and/or hosted service availability. | |
| T1489 | Service Stop | Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. | |
| T1529 | System Shutdown/Reboot | Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. reload). |