持续控制
对手正试图保持他们的立足点。
持续控制包括攻击者用来在重新启动、更改凭据和其他可能切断其访问的中断中保持对系统的访问的技术。用于持久性的技术包括任何访问、操作或配置更改,这些更改允许它们在系统上保持立足点,例如替换或劫持合法代码或添加启动代码。
技术: 19
| 编号 | 名字 | 描述 | |
|---|---|---|---|
| T1098 | 账户操纵 | 攻击者可能会操纵帐户以保持对受害系统的访问。帐户操作可能包括保留对手对已泄露帐户的访问权限的任何操作,例如修改凭据或权限组。这些操作还可能包括旨在破坏安全策略的帐户活动,例如执行迭代密码更新以绕过密码持续时间策略并保留已泄露凭据的生存期。 | |
| .001 | 其他云凭据 | 攻击者可以将对手控制的凭据添加到云帐户,以保持对环境中受害者帐户和实例的持久访问。 | |
| .002 | 其他电子邮件代理权限 | 攻击者可以授予其他权限级别,以保持对对手控制的电子邮件帐户的持久访问。 | |
| .003 | 其他云角色 | 攻击者可以向对手控制的云帐户添加其他角色或权限,以保持对租户的持久访问。例如,攻击者可能会在基于云的环境中更新 IAM 策略,或在 Office 365 环境中添加新的全局管理员。有了足够的权限,被盗用的帐户可以获得对数据和设置的几乎无限制的访问权限(包括重置其他管理员密码的能力)。 | |
| .004 | SSH 授权密钥 | 攻击者可以修改 SSH 文件以保持受害主机上的持久性。Linux 发行版和 macOS 通常使用基于密钥的身份验证来保护 SSH 会话的身份验证过程,以便进行远程管理。SSH 中的文件指定可用于登录到为其配置文件的用户帐户的 SSH 密钥。此文件通常位于用户的主目录中的 。用户可以编辑系统的SSH配置文件,将指令PubkeyAuthentication和RSAAuthentication修改为值“yes”,以确保启用公钥和RSA身份验证。SSH 配置文件通常位于 .authorized_keys``authorized_keys``<user-home>/.ssh/authorized_keys``/etc/ssh/sshd_config |
|
| .005 | 设备注册 | 攻击者可以将设备注册到对手控制的帐户。设备可以在处理网络身份验证的多重身份验证 (MFA) 系统中注册,也可以在处理设备访问和合规性的设备管理系统中注册。 | |
| T1197 | 位作业 | 攻击者可能会滥用 BITS 作业来持久执行代码并执行各种后台任务。Windows 后台智能传输服务 (BITS) 是通过组件对象模型 (COM) 公开的低带宽异步文件传输机制。BITS 通常由更新程序、信使和其他应用程序使用,这些应用程序更喜欢在后台运行(使用可用的空闲带宽),而不会中断其他网络应用程序。文件传输任务作为 BITS 作业实现,其中包含一个或多个文件操作的队列。 | |
| T1547 | 启动或登录自动启动执行 | 攻击者可以将系统设置配置为在系统启动或登录期间自动执行程序,以保持持久性或在受感染系统上获得更高级别的权限。操作系统可能具有在系统启动或帐户登录时自动运行程序的机制。这些机制可能包括自动执行放置在专门指定的目录中或由存储配置信息的存储库(如 Windows 注册表)引用的程序。攻击者可以通过修改或扩展内核的功能来实现相同的目标。 | |
| .001 | 注册表运行项/启动文件夹 | 攻击者可以通过将程序添加到启动文件夹或使用注册表运行键引用它来实现持久性。将条目添加到注册表或启动文件夹中的“运行键”将导致引用的程序在用户登录时执行。这些程序将在用户的上下文中执行,并将具有帐户的关联权限级别。 | |
| .002 | 身份验证包 | 攻击者可能会滥用身份验证包在系统启动时执行 DLL。Windows 身份验证包 DLL 在系统启动时由本地安全机构 (LSA) 进程加载。它们为操作系统的多个登录进程和多个安全协议提供支持。 | |
| .003 | 时间提供者 | 攻击者可能会滥用时间提供程序在系统启动时执行 DLL。Windows 时间服务 (W32Time) 支持跨域和域内的时间同步。W32time时间提供程序负责从硬件/网络资源中检索时间戳,并将这些值输出到其他网络客户端。 | |
| .004 | Winlogon Helper DLL | 攻击者可能会滥用 Winlogon 的功能在用户登录时执行 DLL 和/或可执行文件。Winlogon.exe是一个Windows组件,负责登录/注销时的操作以及由Ctrl-Alt-Delete触发的安全注意序列(SAS)。中的注册表项,用于管理支持 Winlogon 的其他帮助程序和功能。HKLM\Software[\Wow6432Node\]\Microsoft\Windows NT\CurrentVersion\Winlogon\``HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ |
|
| .005 | 安全支持提供商 | 攻击者可能会滥用安全支持提供程序 (SSP) 在系统启动时执行 DLL。Windows SSP DLL 在系统启动时加载到本地安全机构 (LSA) 进程中。加载到 LSA 后,SSP DLL 可以访问存储在 Windows 中的加密和纯文本密码,例如任何登录用户的域密码或智能卡 PIN。 | |
| .006 | 内核模块和扩展 | 攻击者可能会修改内核以在系统引导时自动执行程序。可加载内核模块 (LKM) 是可以根据需要加载和卸载到内核中的代码片段。它们扩展了内核的功能,而无需重新启动系统。例如,一种类型的模块是设备驱动程序,它允许内核访问连接到系统的硬件。 | |
| .007 | 重新打开的应用程序 | 攻击者可能会修改 plist 文件,以便在用户登录时自动运行应用程序。当用户通过 macOS 图形用户界面 (GUI) 注销或重新启动时,会向用户提供提示,其中包含“重新登录时重新打开窗口”复选框。选中此选项后,当前打开的所有应用程序都将添加到目录中命名的属性列表文件中。此文件中列出的应用程序将在用户下次登录时自动重新打开。com.apple.loginwindow.[UUID].plist``~/Library/Preferences/ByHost |
|
| .008 | LSASS 驱动程序 | 攻击者可能会修改或添加 LSASS 驱动程序,以便在受感染的系统上获得持久性。Windows 安全子系统是一组组件,用于管理和强制实施计算机或域的安全策略。本地安全机构 (LSA) 是负责本地安全策略和用户身份验证的主要组件。LSA 包括与各种其他安全功能关联的多个动态链接库 (DLL),所有这些函数都在 LSA 子系统服务 (LSASS) lsass.exe 进程的上下文中运行。 | |
| .009 | 快捷键修改 | 攻击者可能会创建或修改可在系统引导或用户登录期间执行程序的快捷方式。快捷方式或符号链接用于引用在系统启动过程单击或执行快捷方式时将打开或执行的其他文件或程序。 | |
| .010 | 端口监视器 | 攻击者可以使用端口监视器在系统启动期间运行对手提供的 DLL,以实现持久性或权限提升。可以通过 API 调用设置端口监视器,以设置要在启动时加载的 DLL。此 DLL 可以位于打印后台处理程序服务 spoolsv.exe 中,并由打印后台处理程序服务 spoolsv 在启动时加载。spoolsv.exe 进程也在系统级权限下运行。或者,如果权限允许将任意 DLL 的完全限定路径名写入 。AddMonitor``C:\Windows\System32``HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors |
|
| .012 | 打印处理器 | 攻击者可能会滥用打印处理器在系统启动期间运行恶意 DLL,以实现持久性和/或权限提升。打印处理器是在启动期间由打印后台处理程序服务 spoolsv.exe 加载的 DLL。 | |
| .013 | XDG 自动启动条目 | 攻击者可能会修改 XDG 自动启动条目,以便在系统启动期间执行程序或命令。符合 XDG 标准的 Linux 桌面环境实现了 XDG 自动启动条目的功能。这些条目将允许应用程序在用户登录后启动桌面环境期间自动启动。默认情况下,XDG 自动启动条目存储在 or 目录中,文件扩展名为 .desktop。/etc/xdg/autostart``~/.config/autostart |
|
| .014 | 活动设置 | 攻击者可以通过将注册表项添加到本地计算机的活动安装程序来实现持久性。活动安装程序是一种 Windows 机制,用于在用户登录时执行程序。存储在注册表项中的值将在用户登录到计算机后执行。这些程序将在用户的上下文中执行,并将具有帐户的关联权限级别。 | |
| .015 | 登录项 | 攻击者可能会添加要在用户登录时执行的登录项,以获得持久性或提升权限。登录项是在用户登录时自动启动的应用程序、文档、文件夹或服务器连接。可以通过共享文件列表或服务管理框架添加登录项。可以使用脚本语言(如 AppleScript)设置共享文件列表登录项,而服务管理框架使用 API 调用。SMLoginItemSetEnabled |
|
| T1037 | 启动或登录初始化脚本 | 攻击者可以使用在启动或登录初始化时自动执行的脚本来建立持久性。初始化脚本可用于执行管理功能,这些功能通常可以执行其他程序或将信息发送到内部日志记录服务器。这些脚本可能因操作系统以及本地或远程应用而异。 | |
| .001 | 登录脚本 (Windows) | 攻击者可以使用在登录初始化时自动执行的 Windows 登录脚本来建立持久性。Windows 允许在特定用户或用户组登录到系统时运行登录脚本。这是通过将脚本的路径添加到注册表项来完成的。HKCU\Environment\UserInitMprLogonScript |
|
| .002 | 登录挂钩 | 攻击者可以使用登录挂钩来建立用户登录时执行的持久性。登录挂钩是一个 plist 文件,指向要在用户登录时以 root 权限执行的特定脚本。plist 文件位于文件中,可以使用命令行实用程序进行修改。此行为与注销挂钩相同,其中脚本可以在用户注销时执行。所有钩子都需要管理员权限才能修改或创建钩子。/Library/Preferences/com.apple.loginwindow.plist``defaults |
|
| .003 | 网络登录脚本 | 攻击者可以使用在登录初始化时自动执行的网络登录脚本来建立持久性。可以使用 Active Directory 或组策略对象分配网络登录脚本。这些登录脚本以分配给它们的用户的权限运行。根据网络中的系统,初始化其中一个脚本可能适用于多个或可能应用于所有系统。 | |
| .004 | RC 脚本 | 攻击者可以通过修改在类 Unix 系统启动期间执行的 RC 脚本来建立持久性。这些文件允许系统管理员在启动时针对不同的运行级别映射和启动自定义服务。RC 脚本需要 root 权限才能修改。 | |
| .005 | 启动项 | 攻击者可以使用在启动初始化时自动执行的启动项来建立持久性。启动项在引导过程的最后阶段执行,并包含 shell 脚本或其他可执行文件以及系统用于确定所有启动项的执行顺序的配置信息。 | |
| T1176 | 浏览器扩展 | 攻击者可能会滥用互联网浏览器扩展程序来建立对受害系统的持久访问。浏览器扩展或插件是可以添加功能和自定义 Internet 浏览器方面的小程序。它们可以直接安装,也可以通过浏览器的应用商店安装,并且通常可以访问和权限访问浏览器可以访问的所有内容。 | |
| T1554 | 泄露客户端软件二进制文件 | 攻击者可以修改客户端软件二进制文件以建立对系统的持久访问。客户端软件使用户能够访问服务器提供的服务。常见的客户端软件类型包括 SSH 客户端、FTP 客户端、电子邮件客户端和 Web 浏览器。 | |
| T1136 | 创建帐户 | 攻击者可以创建一个帐户来保持对受害者系统的访问。通过足够的访问级别,创建此类帐户可用于建立不需要在系统上部署持久远程访问工具的辅助凭据访问。 | |
| .001 | 本地帐户 | 攻击者可能会创建一个本地帐户来维护对受害系统的访问。本地帐户是由组织配置的帐户,供用户、远程支持、服务使用或在单个系统或服务上进行管理。具有足够的访问权限级别,该命令可用于创建本地帐户。在 macOS 系统上,该命令可用于创建本地帐户。本地帐户也可以添加到网络设备,通常通过常见的网络设备 CLI 命令(如 )。net user /add``dscl -create``username |
|
| .002 | 域帐户 | 攻击者可以创建一个域帐户来维护对受害系统的访问。域帐户是由 Active Directory 域服务管理的帐户,其中访问和权限是在属于该域的系统和服务之间配置的。域帐户可以涵盖用户、管理员和服务帐户。通过足够的访问级别,该命令可用于创建域帐户。net user /add /domain |
|
| .003 | 云帐户 | 攻击者可能会创建一个云帐户来保持对受害系统的访问。具有足够的访问级别,此类帐户可用于建立不需要在系统上部署持久远程访问工具的辅助凭据访问。 | |
| T1543 | 创建或修改系统进程 | 攻击者可能会创建或修改系统级进程,以重复执行恶意有效负载作为持久性的一部分。当操作系统启动时,它们可以启动执行后台系统功能的进程。在 Windows 和 Linux 上,这些系统进程称为服务。在 macOS 上,运行称为启动守护程序和启动代理的启动进程以完成系统初始化并加载用户特定的参数。 | |
| .001 | 启动代理 | 攻击者可能会创建或修改启动代理,以重复执行恶意有效负载作为持久性的一部分。当用户登录时,将启动每个用户启动的进程,该进程从 、 和 中找到的属性列表 (.plist) 文件加载每个按需启动用户代理的参数。属性列表文件使用 、 和 键来标识启动代理的名称、可执行文件位置和执行时间。安装启动代理通常是为了执行程序更新、在登录时启动用户指定的程序或执行其他开发人员任务。/System/Library/LaunchAgents``/Library/LaunchAgents``~/Library/LaunchAgents``Label``ProgramArguments ``RunAtLoad |
|
| .002 | 系统服务 | 攻击者可能会创建或修改 systemd 服务,以重复执行恶意负载作为持久性的一部分。Systemd 是一个系统和服务管理器,通常用于管理后台守护进程(也称为服务)和其他系统资源。Systemd 是许多 Linux 发行版上的默认初始化 (init) 系统,取代了传统的 init 系统,包括 SysVinit 和 Upstart,同时保持向后兼容。 | |
| .003 | 视窗服务 | 攻击者可能会创建或修改 Windows 服务,以重复执行恶意负载作为持久性的一部分。当 Windows 启动时,它会启动称为执行后台系统功能的服务的程序或应用程序。Windows 服务配置信息(包括服务的可执行文件或恢复程序/命令的文件路径)存储在 Windows 注册表中。 | |
| .004 | 启动守护进程 | 攻击者可能会创建或修改启动守护程序以执行恶意负载,作为持久性的一部分。启动守护程序是用于与 macOS 使用的服务管理框架 Launchd 交互的 plist 文件。启动守护程序需要提升的权限才能安装,在登录之前为系统上的每个用户执行,并在后台运行,无需用户交互。在 macOS 初始化启动期间,启动的进程会从 和 中找到的 plist 文件加载按需启动系统级守护程序的参数。必需的启动守护程序参数包括用于标识任务、提供可执行文件路径以及指定任务运行时间的 。启动守护程序通常用于提供对共享资源的访问、软件更新或执行自动化任务。/System/Library/LaunchDaemons/``/Library/LaunchDaemons/``Label``Program``RunAtLoad |
|
| T1546 | 事件触发的执行 | 攻击者可以使用基于特定事件触发执行的系统机制建立持久性和/或提升权限。各种操作系统都有监视和订阅事件(如登录)或其他用户活动(如运行特定应用程序/二进制文件)的方法。云环境还可以支持各种功能和服务,这些功能和服务可以监视并可以调用以响应特定的云事件。 | |
| .001 | 更改默认文件关联 | 攻击者可以通过执行由文件类型关联触发的恶意内容来建立持久性。打开文件时,将检查用于打开文件的默认程序(也称为文件关联或处理程序)。文件关联选择存储在 Windows 注册表中,可由具有注册表访问权限的用户、管理员或程序编辑,也可以由管理员使用内置的 assoc 实用程序进行编辑。应用程序可以修改给定文件扩展名的文件关联,以便在打开具有给定扩展名的文件时调用任意程序。 | |
| .002 | 屏幕保护程序 | 攻击者可以通过执行由用户不活动触发的恶意内容来建立持久性。屏幕保护程序是在用户不活动时间的可配置时间后执行的程序,由文件扩展名为 .scr 的可移植可执行 (PE) 文件组成。Windows 屏幕保护程序应用程序 scrnsave.scr 位于 和 64 位 Windows 系统上,以及基本 Windows 安装中包含的屏幕保护程序。C:\Windows\System32\``C:\Windows\sysWOW64\ |
|
| .003 | Windows Management Instrumentation Event Subscription | 攻击者可以通过执行由 Windows Management 规范 (WMI) 事件订阅触发的恶意内容来建立持久性和提升权限。WMI 可用于安装事件筛选器、提供程序、使用者和绑定,以便在发生定义的事件时执行代码。可以订阅的事件示例包括挂钟时间、用户登录或计算机的正常运行时间。 | |
| .004 | Unix Shell 配置修改 | 攻击者可以通过执行由用户 shell 触发的恶意命令来建立持久性。用户 Unix Shell根据事件在整个会话的不同点执行多个配置脚本。例如,当用户打开命令行界面或远程登录(例如通过 SSH )时,将启动登录 shell。登录 shell 执行来自系统 () 和用户主目录 () 的脚本来配置环境。系统上的所有登录外壳在启动时都使用 /etc/profile。这些配置脚本在其目录的权限级别运行,通常用于设置环境变量、创建别名和自定义用户的环境。当外壳退出或终止时,将执行其他外壳脚本以确保外壳正确退出。/etc``~/ |
|
| .005 | 陷阱 | 攻击者可以通过执行由中断信号触发的恶意内容来建立持久性。该命令允许程序和 shell 指定在接收中断信号时将执行的命令。一种常见的情况是允许正常终止和处理常见键盘中断(如 和 的脚本)。trap``ctrl+c``ctrl+d |
|
| .006 | LC_LOAD_DYLIB加法 | 攻击者可以通过执行由执行受污染的二进制文件触发的恶意内容来建立持久性。Mach-O 二进制文件具有一系列标头,用于在加载二进制文件时执行某些操作。Mach-O 二进制文件中的 LC_LOAD_DYLIB 标头告诉 macOS 和 OS X 在执行期间加载哪些动态库 (dylibs)。只要对其余字段和依赖项进行调整,就可以临时将这些字段添加到已编译的二进制文件中。有一些工具可用于执行这些更改。 | |
| .007 | Netsh Helper DLL | 攻击者可以通过执行由 Netsh 帮助程序 DLL 触发的恶意内容来建立持久性。 Netsh.exe(也称为 Netshell)是一个命令行脚本实用程序,用于与系统的网络配置进行交互。它包含添加帮助程序 DLL 以扩展实用工具功能的功能。已注册的 netsh.exe帮助程序 DLL 的路径将输入到 Windows 注册表中,网址为 。HKLM\SOFTWARE\Microsoft\Netsh |
|
| .008 | 辅助功能 | 攻击者可以通过执行由辅助功能触发的恶意内容来建立持久性和/或提升权限。Windows 包含辅助功能,这些功能可以在用户登录之前(例如:当用户在 Windows 登录屏幕上时)使用组合键启动。攻击者可以修改这些程序的启动方式,以便在不登录系统的情况下获取命令提示符或后门。 | |
| .009 | AppCert DLLs | 攻击者可以通过执行加载到进程中的 AppCert DLL 触发的恶意内容来建立持久性和/或提升权限。在注册表项中指定的动态链接库 (DLL) 将加载到调用常用的应用程序编程接口 (API) 函数 、、 或 的每个进程中。AppCertDLLs``HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\``CreateProcess``CreateProcessAsUser``CreateProcessWithLoginW``CreateProcessWithTokenW``WinExec |
|
| .010 | AppInit DLL | 攻击者可以通过执行加载到进程中的 AppInit DLL 触发的恶意内容来建立持久性和/或提升权限。在注册表项的值中指定的动态链接库 (DLL) 或由 user32.dll加载到加载 user32.dll的每个进程中。实际上,这几乎是每个程序,因为user32.dll是一个非常常见的库。AppInit_DLLs``HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows``HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows |
|
| .011 | 应用程序填充 | 攻击者可以通过执行由应用程序填充码触发的恶意内容来建立持久性和/或提升权限。创建Microsoft Windows 应用程序兼容性基础结构/框架(应用程序填充程序)是为了允许在操作系统代码库随时间变化时向后兼容软件。例如,应用程序填充功能允许开发人员将修补程序应用于为 Windows XP 创建的应用程序(无需重写代码),以便它适用于 Windows 10。 | |
| .012 | 图像文件执行选项注入 | 攻击者可以通过执行由映像文件执行选项 (IFEO) 调试器触发的恶意内容来建立持久性和/或提升权限。IFEO 使开发人员能够将调试器附加到应用程序。创建进程时,应用程序的 IFEO 中存在的调试器将附加到应用程序名称前面,从而有效地在调试器下启动新进程(例如,)。C:\dbg\ntsd.exe -g notepad.exe |
|
| .013 | PowerShell Profile | 攻击者可能会通过执行由 PowerShell 配置文件触发的恶意内容来获得持久性并提升权限。PowerShell 配置文件 () 是在 PowerShell 启动时运行的脚本,可用作自定义用户环境的登录脚本。profile.ps1 |
|
| .014 | 埃蒙德 | 攻击者可以通过执行由事件监视程序守护程序 (emond) 触发的恶意内容来获得持久性和提升权限。Emond 是一个启动守护进程,它接受来自各种服务的事件,通过简单的规则引擎运行它们,然后采取行动。emond 二进制文件将从目录中加载任何规则,并在发生显式定义的事件后采取措施。/sbin/emond``/etc/emond.d/rules/ |
|
| .015 | 组件对象模型劫持 | 攻击者可以通过执行由对组件对象模型 (COM) 对象的劫持引用触发的恶意内容来建立持久性。COM 是 Windows 中的一个系统,用于通过操作系统实现软件组件之间的交互。对各种 COM 对象的引用存储在注册表中。 | |
| .016 | 安装程序包 | 攻击者可能会通过使用安装程序触发恶意内容的执行来建立持久性并提升权限。安装程序包特定于操作系统,包含操作系统在系统上安装应用程序所需的资源。安装程序包可以包括在安装之前以及安装完成后运行的脚本。安装程序脚本在执行时可能会继承提升的权限。开发人员经常使用这些脚本来准备安装环境、检查要求、下载依赖项以及在安装后删除文件。 | |
| T1133 | 外部远程服务 | 攻击者可能会利用面向外部的远程服务来最初访问和/或保留在网络中。远程服务(如 VPN、Citrix 和其他访问机制)允许用户从外部位置连接到内部企业网络资源。通常有远程服务网关来管理这些服务的连接和凭据身份验证。Windows远程管理和VNC等服务也可以在外部使用。 | |
| T1574 | 劫持执行流程 | 攻击者可以通过劫持操作系统运行程序的方式来执行自己的恶意负载。劫持执行流可以用于持久性,因为这种劫持的执行可能会随着时间的推移而重新发生。攻击者还可以使用这些机制来提升权限或规避防御,例如应用程序控制或其他执行限制。 | |
| .001 | DLL 搜索顺序劫持 | 攻击者可能会通过劫持用于加载 DLL 的搜索顺序来执行自己的恶意负载。 Windows 系统使用一种常用方法来查找要加载到程序中所需的 DLL。劫持 DLL 加载可能是为了建立持久性以及提升权限和/或逃避对文件执行的限制。 | |
| .002 | DLL 旁加载 | 攻击者可能会通过旁加载 DLL 来执行自己的恶意负载。 与 DLL 搜索顺序劫持类似,旁加载涉及劫持程序加载的 DLL。但是,攻击者不仅可以在程序的搜索顺序中植入 DLL,然后等待调用受害应用程序,而是可以通过植入然后调用执行其有效负载的合法应用程序来直接旁加载其有效负载。 | |
| .004 | 迪利布劫持 | 攻击者可以通过在受害者应用程序在运行时搜索的路径中放置具有预期名称的恶意动态库 (dylib) 来执行自己的有效负载。动态加载程序将尝试根据搜索路径的顺序查找 dylib。dylibs 的路径可以以 为前缀,这允许开发人员使用相对路径根据可执行文件的位置指定运行时使用的搜索路径数组。此外,如果使用弱链接(例如函数),即使不存在预期的 dylib,应用程序仍将执行。弱链接使开发人员能够在添加新 API 时在多个 macOS 版本上运行应用程序。@rpath``LC_LOAD_WEAK_DYLIB |
|
| .005 | 可执行安装程序文件权限弱点 | 攻击者可以通过劫持安装程序使用的二进制文件来执行自己的恶意负载。这些进程可能会自动执行特定的二进制文件作为其功能的一部分或执行其他操作。如果对包含目标二进制文件的文件系统目录的权限或对二进制文件本身的权限设置不正确,则目标二进制文件可能会被使用用户级权限的另一个二进制文件覆盖,并由原始进程执行。如果原始进程和线程在更高的权限级别下运行,则替换的二进制文件也将在更高级别的权限下执行,其中可能包括 SYSTEM。 | |
| .006 | 动态链接器劫持 | 攻击者可能会通过劫持动态链接器用于加载共享库的环境变量来执行自己的恶意负载。在程序的执行准备阶段,动态链接器从环境变量和文件(例如在 Linux 或 macOS 上)加载共享库的指定绝对路径。首先加载环境变量中指定的库,优先于具有相同函数名称的系统库。开发人员通常使用这些变量来调试二进制文件而无需重新编译、消除映射符号的冲突以及实现自定义函数而无需更改原始库。LD_PRELOAD``DYLD_INSERT_LIBRARIES |
|
| .007 | 路径环境变量的路径拦截 | 攻击者可以通过劫持用于加载库的环境变量来执行自己的恶意负载。攻击者可能会将程序放在存储在 PATH 环境变量中的目录列表中的较早条目中,然后 Windows 将在按顺序搜索该 PATH 列表以搜索从脚本或命令行调用的二进制文件时执行该条目。 | |
| .008 | 通过搜索顺序劫持进行路径拦截 | 攻击者可以通过劫持用于加载其他程序的搜索顺序来执行自己的恶意负载。由于某些程序不使用完整路径调用其他程序,因此攻击者可能会将自己的文件放在调用程序所在的目录中,从而导致操作系统应调用程序的请求启动其恶意软件。 | |
| .009 | 通过不带引号的路径拦截 | 攻击者可以通过劫持易受攻击的文件路径引用来执行自己的恶意负载。攻击者可以通过将可执行文件放置在路径内的更高级别目录中来利用缺少周围引号的路径,以便 Windows 选择要启动的对手的可执行文件。 | |
| .010 | 服务文件权限弱点 | 攻击者可以通过劫持服务使用的二进制文件来执行自己的恶意负载。攻击者可能会利用 Windows 服务权限中的缺陷来替换在服务启动时执行的二进制文件。这些服务进程可能会自动执行特定的二进制文件,作为其功能的一部分或执行其他操作。如果对包含目标二进制文件的文件系统目录的权限或对二进制文件本身的权限设置不正确,则目标二进制文件可能会被使用用户级权限的另一个二进制文件覆盖,并由原始进程执行。如果原始进程和线程在更高的权限级别下运行,则替换的二进制文件也将在更高级别的权限下执行,其中可能包括 SYSTEM。 | |
| .011 | 服务注册表权限弱点 | 攻击者可以通过劫持服务使用的注册表项来执行自己的恶意负载。攻击者可能会利用与服务相关的注册表项权限中的缺陷,从最初指定的可执行文件重定向到他们控制的可执行文件,以便在服务启动时启动自己的代码。Windows 将本地服务配置信息存储在注册表中的 下。可以通过服务控制器、sc.exe、PowerShell 或 Reg 等工具操作存储在服务的注册表项下的信息来修改服务的执行参数。对注册表项的访问通过访问控制列表和用户权限进行控制。HKLM\SYSTEM\CurrentControlSet\Services |
|
| .012 | COR_PROFILER | 攻击者可以利用COR_PROFILER环境变量劫持加载 .NET CLR 的程序的执行流。COR_PROFILER是一项 .NET Framework 功能,它允许开发人员指定要加载到加载公共语言运行时 (CLR) 的每个 .NET 进程中的非托管(或 .NET 外部)分析 DLL。这些探查器旨在监视、排查和调试由 .NET CLR 执行的托管代码。 | |
| .013 | 内核回调表 | 攻击者可能会滥用进程来劫持其执行流,以便运行自己的有效负载。可以在进程环境块 (PEB) 中找到,并在加载后初始化为 GUI 进程可用的图形函数数组。KernelCallbackTable``KernelCallbackTable``user32.dll |
|
| T1525 | 植入物内部图像 | 攻击者可能会在获得对环境的访问权限后植入带有恶意代码的云或容器映像,以建立持久性。Amazon Web Services (AWS) Amazon Machine Images (AMI)、Google Cloud Platform (GCP) Images 和 Azure Images 以及流行的容器运行时(如 Docker)都可以植入或后门。与上传恶意软件不同,此技术侧重于在受害者环境中的注册表中植入映像的对手。根据基础结构的预配方式,如果指示基础结构预配工具始终使用最新映像,则可以提供持久访问。 | |
| T1556 | 修改身份验证过程 | 攻击者可能会修改身份验证机制和流程以访问用户凭据或启用对帐户的无根据访问。身份验证过程由机制处理,例如 Windows 上的本地安全身份验证服务器 (LSASS) 进程和安全帐户管理器 (SAM)、基于 Unix 的系统上的可插入身份验证模块 (PAM) 以及 MacOS 系统上的授权插件,负责收集、存储和验证凭据。通过修改身份验证过程,攻击者可能能够在不使用有效帐户的情况下对服务或系统进行身份验证。 | |
| .001 | 域控制器身份验证 | 攻击者可能会修补域控制器上的身份验证过程,以绕过典型的身份验证机制并启用对帐户的访问。 | |
| .002 | 密码筛选器 DLL | 攻击者可能会将恶意密码筛选器动态链接库 (DLL) 注册到身份验证过程中,以便在验证用户凭据时获取用户凭据。 | |
| .003 | 可插拔身份验证模块 | 攻击者可以修改可插入身份验证模块 (PAM) 以访问用户凭据或启用对帐户的无保证访问。PAM 是配置文件、库和可执行文件的模块化系统,用于指导许多服务的身份验证。最常见的身份验证模块是 ,它检索、设置和验证 和 中的帐户身份验证信息。pam_unix.so``/etc/passwd``/etc/shadow |
|
| .004 | 网络设备身份验证 | 攻击者可以使用修补程序系统映像在操作系统中对密码进行硬编码,从而绕过网络设备上本地帐户的本机身份验证机制。 | |
| .005 | 可逆加密 | 攻击者可能会滥用 Active Directory 身份验证加密属性来获取对 Windows 系统上凭据的访问权限。该属性指定是启用还是禁用帐户的可逆密码加密。默认情况下,此属性处于禁用状态(而是将用户凭据存储为单向哈希函数的输出),除非旧版或其他软件需要,否则不应启用此属性。AllowReversiblePasswordEncryption |
|
| .006 | 多重身份验证 | 攻击者可能会禁用或修改多重身份验证 (MFA) 机制,以启用对受损帐户的持久访问。 | |
| .007 | 混合标识 | 攻击者可能会修补、修改或以其他方式后门云身份验证过程,这些过程绑定到本地用户标识,以便绕过典型的身份验证机制、访问凭据并启用对帐户的持久访问。 | |
| .008 | 网络提供程序 DLL | 攻击者可能会注册恶意网络提供程序动态链接库 (DLL),以便在身份验证过程中捕获明文用户凭据。网络提供程序 DLL 允许 Windows 与特定网络协议进行交互,还可以支持加载项凭据管理功能。在登录过程中,Winlogon(交互式登录模块)通过 RPC 将凭据发送到本地进程。然后,当通知正在发生登录事件时,该过程会以明文形式与已注册的凭据管理器共享凭据。mpnotify.exe``mpnotify.exe |
|
| T1137 | 办公应用程序启动 | 攻击者可以利用基于 Office Microsoft应用程序在启动之间实现持久性。Microsoft Office是企业网络中基于Windows的操作系统上相当常见的应用程序套件。启动基于 Office 的应用程序时,有多种机制可以与 Office 一起使用以实现持久性;这可以包括使用 Office 模板宏和外接程序。 | |
| .001 | 办公模板宏 | 攻击者可能会滥用 Office 模板Microsoft在受感染的系统上获得持久性。Microsoft Office 包含的模板是常见 Office 应用程序的一部分,用于自定义样式。每次启动应用程序时都会使用应用程序中的基本模板。 | |
| .002 | 办公室测试 | 攻击者可能会滥用 Microsoft Office“Office 测试”注册表项来获取受感染系统上的持久性。存在一个 Office 测试注册表位置,该位置允许用户指定每次启动 Office 应用程序时将执行的任意 DLL。Microsoft认为此注册表项用于在开发 Office 应用程序时加载 DLL 以进行测试和调试。默认情况下,不会在 Office 安装过程中创建此注册表项。 | |
| .003 | 展望表单 | 攻击者可能会滥用 Outlook 窗体Microsoft在受感染的系统上获得持久性。Outlook 窗体用作 Outlook 邮件中的演示文稿和功能的模板。可以创建自定义 Outlook 窗体,当对手使用相同的自定义 Outlook 窗体发送特制电子邮件时,这些窗体将执行代码。 | |
| .004 | 展望主页 | 攻击者可能会滥用 Outlook 的主页功能Microsoft在受感染的系统上获得持久性。Outlook 主页是用于自定义 Outlook 文件夹的显示的旧功能。此功能允许在打开文件夹时加载和显示内部或外部 URL。可以构建恶意 HTML 页面,该页面将在 Outlook 主页加载时执行代码。 | |
| .005 | 展望规则 | 攻击者可能会滥用 Outlook 规则Microsoft在受感染的系统上获得持久性。Outlook 规则允许用户定义自动行为来管理电子邮件。例如,如果电子邮件包含来自特定发件人的特定单词,则良性规则可能会自动将电子邮件移动到 Outlook 中的特定文件夹。可以创建恶意 Outlook 规则,当攻击者向该用户发送特制电子邮件时,这些规则可能会触发代码执行。 | |
| .006 | 加载项 | 攻击者可能会滥用 Office 外接程序Microsoft在受感染的系统上获得持久性。Office 加载项可用于向 Office 程序添加功能。各种 Office 产品可以使用不同类型的加载项;包括 Word/Excel 加载项库 (WLL/XLL)、VBA 加载项、Office 组件对象模型 (COM) 加载项、自动化加载项、VBA 编辑器 (VBE)、Visual Studio Tools for Office (VSTO) 加载项和 Outlook 加载项。 | |
| T1542 | 预操作系统启动 | 攻击者可能会滥用预操作系统引导机制作为在系统上建立持久性的一种方式。在计算机的启动过程中,固件和各种启动服务在操作系统之前加载。这些程序在操作系统控制之前控制执行流。 | |
| .001 | 系统固件 | 攻击者可能会修改系统固件以保留在系统上。BIOS(基本输入/输出系统)和统一可扩展固件接口 (UEFI) 或可扩展固件接口 (EFI) 是作为计算机操作系统和硬件之间的软件接口运行的系统固件的示例。 | |
| .002 | 组件固件 | 攻击者可能会修改组件固件以保留在系统上。某些攻击者可能会采用复杂的方法来破坏计算机组件并安装恶意固件,这些固件将在操作系统和主系统固件或 BIOS 之外执行对手代码。此技术可能类似于系统固件,但在可能不具有相同功能或完整性检查级别的其他系统组件/设备上执行。 | |
| .003 | 引导套件 | 攻击者可以使用引导工具包在系统上保留。引导工具包驻留在操作系统下方的一层,并且可能难以执行完全修正,除非组织怀疑使用了引导工具包并可以采取相应的措施。 | |
| .004 | 罗蒙基特 | 攻击者可能会滥用 ROM 监视器 (ROMMON),方法是使用对手代码加载未经授权的固件,以提供持久访问并操纵难以检测的设备行为。 | |
| .005 | TFTP 启动 | 攻击者可能会滥用网络引导从简单文件传输协议 (TFTP) 服务器加载未经授权的网络设备操作系统。TFTP 引导(网络引导)通常由网络管理员用于从集中式管理服务器加载配置控制的网络设备映像。网络引导是引导序列中的一个选项,可用于集中、管理和控制设备映像。 | |
| T1053 | 计划任务/作业 | 攻击者可能会滥用任务计划功能来促进恶意代码的初始或重复执行。所有主要操作系统中都存在实用程序,用于安排在指定日期和时间执行的程序或脚本。如果满足正确的身份验证(例如:Windows 环境中的 RPC 以及文件和打印机共享),也可以在远程系统上计划任务。在远程系统上计划任务通常需要成为远程系统上的管理员或其他特权组的成员。 | |
| .002 | At | 攻击者可能会滥用 at 实用程序来执行任务调度,以便初始或重复执行恶意代码。at 实用程序作为可执行文件存在于 Windows、Linux 和 macOS 中,用于在指定的时间和日期安排任务。尽管在 Windows 环境中已弃用计划任务的 schtasks,但使用 at 要求任务计划程序服务正在运行,并且用户必须以本地管理员组的成员身份登录。 | |
| .003 | Cron | 攻击者可能会滥用该实用程序来执行任务调度,以初始或重复执行恶意代码。该实用程序是用于类Unix操作系统的基于时间的作业调度程序。该文件包含要运行的 cron 条目的计划和指定的执行时间。任何文件都存储在特定于操作系统的文件路径中。cron``cron`` crontab``crontab |
|
| .005 | 计划任务 | 攻击者可能会滥用 Windows 任务计划程序来执行任务计划,以便初始或定期执行恶意代码。有多种方法可以在 Windows 中访问任务计划程序。schtasks 实用程序可以直接在命令行上运行,也可以通过控制面板的“管理员工具”部分中的 GUI 打开任务计划程序。在某些情况下,攻击者对 Windows 任务计划程序使用 .NET 包装器,或者,攻击者使用 Windows netapi32 库创建计划任务。 | |
| .006 | 系统定时器 | 攻击者可能会滥用 systemd 计时器来执行任务调度,以初始或重复执行恶意代码。Systemd 计时器是具有文件扩展名的单元文件,用于控制服务。计时器可以设置为在日历事件上运行,也可以在相对于起点的时间跨度后运行。它们可以在Linux环境中用作Cron的替代品。Systemd 定时器可以通过命令行实用程序远程激活,该实用程序通过 SSH 运行。.timer``systemctl |
|
| .007 | 容器编排作业 | 攻击者可能会滥用容器编排工具(如 Kubernetes)提供的任务调度功能来调度配置为执行恶意代码的容器的部署。容器业务流程作业在特定日期和时间运行这些自动化任务,类似于 Linux 系统上的 cron 作业。还可以将这种类型的部署配置为随着时间的推移维护一定数量的容器,从而自动执行在集群中维护持久性的过程。 | |
| T1505 | 服务器软件组件 | 攻击者可能会滥用服务器的合法可扩展开发功能来建立对系统的持久访问。企业服务器应用程序可能包括允许开发人员编写和安装软件或脚本以扩展主应用程序功能的功能的功能。攻击者可能会安装恶意组件来扩展和滥用服务器应用程序。 | |
| .001 | SQL 存储过程 | 攻击者可能会滥用 SQL 存储过程来建立对系统的持久访问。SQL 存储过程是可以保存和重用的代码,以便数据库用户不会浪费时间重写常用的 SQL 查询。可以使用过程名称通过 SQL 语句或定义的事件(例如,当 SQL Server 应用程序启动/重新启动时)向数据库调用存储过程。 | |
| .002 | 传输代理 | 攻击者可能会滥用Microsoft传输代理来建立对系统的持久访问。Microsoft Exchange 传输代理可以对通过传输管道传递的电子邮件进行操作,以执行各种任务,例如筛选垃圾邮件、筛选恶意附件、日记或将公司签名添加到所有传出电子邮件的末尾。传输代理可以由应用程序开发人员编写,然后编译为随后向 Exchange 服务器注册的 .NET 程序集。传输代理将在电子邮件处理的指定阶段被调用,并执行开发人员定义的任务。 | |
| .003 | 网页外壳 | 攻击者可能会使用 Web 外壳对 Web 服务器进行后门,以建立对系统的持久访问。Web shell 是放置在可公开访问的 Web 服务器上的 Web 脚本,以允许攻击者将该 Web 服务器用作进入网络的网关。Web 外壳可以提供一组要执行的函数或在承载 Web 服务器的系统上提供命令行界面。 | |
| .004 | IIS 组件 | 攻击者可能会安装运行在 Internet 信息服务 (IIS) Web 服务器上的恶意组件以建立持久性。IIS 提供了几种机制来扩展 Web 服务器的功能。例如,可以安装因特网服务器应用程序编程接口 (ISAPI) 扩展和筛选器来检查和/或修改传入和传出的 IIS Web 请求。扩展和筛选器部署为 DLL 文件,这些文件导出三个函数:、 和(可选)。还可以安装 IIS 模块来扩展 IIS Web 服务器。Get{Extension/Filter}Version``Http{Extension/Filter}Proc``Terminate{Extension/Filter} |
|
| .005 | 终端服务 DLL | 攻击者可能会滥用终端服务的组件来启用对系统的持久访问。Microsoft终端服务(自 2022 年起在某些 Windows Server 操作系统中重命名为远程桌面服务)启用与主机的远程终端连接。终端服务允许服务器通过 RDP 向客户端传输完整的交互式图形用户界面。 | |
| T1205 | 交通信号 | 攻击者可以使用流量信号来隐藏用于持久性或命令和控制的开放端口或其他恶意功能。流量信令涉及使用魔术值或序列,必须将其发送到系统以触发特殊响应,例如打开关闭的端口或执行恶意任务。这可以采取在打开对手可用于命令和控制的端口之前发送一系列具有某些特征的数据包的形式。通常,这一系列数据包包括尝试连接到预定义的封闭端口序列(即端口敲击),但可能涉及异常标志、特定字符串或其他独特特征。序列完成后,打开端口可以通过基于主机的防火墙完成,但也可以通过自定义软件实现。 | |
| .001 | 端口敲门 | 攻击者可能会使用端口敲击来隐藏用于持久性或命令和控制的开放端口。为了启用端口,攻击者会向预定义的关闭端口序列发送一系列尝试的连接。序列完成后,打开端口通常由基于主机的防火墙完成,但也可以通过自定义软件实现。 | |
| .002 | 插座过滤器 | 攻击者可以将过滤器连接到网络套接字,以监视然后激活用于持久性或命令和控制的后门。通过提升的权限,攻击者可以使用库等功能打开套接字并安装筛选器,以允许或禁止某些类型的数据通过套接字。过滤器可能适用于通过指定网络接口(如果未指定,则应用于每个接口)的所有流量。当网络接口收到与筛选条件匹配的数据包时,可以在主机上触发其他操作,例如激活反向外壳。libpcap |
|
| T1078 | 有效帐户 | 攻击者可能会获取和滥用现有帐户的凭据,作为获取初始访问权限、持久性、权限提升或防御规避的一种手段。泄露的凭据可用于绕过对网络中系统上各种资源的访问控制,甚至可用于对远程系统和外部可用服务(如 VPN、Outlook Web 访问、网络设备和远程桌面)的持久访问。泄露的凭据还可能授予攻击者对特定系统或访问网络受限区域的更多权限。攻击者可以选择不将恶意软件或工具与这些凭据提供的合法访问权限结合使用,以使其更难检测到它们的存在。 | |
| .001 | 默认帐户 | 攻击者可能会获取和滥用默认帐户的凭据,作为获取初始访问权限、持久性、权限提升或防御规避的一种手段。默认帐户是内置于操作系统中的帐户,例如 Windows 系统上的来宾或管理员帐户。默认账户还包括其他类型的系统、软件或设备上的默认工厂/提供商集账户,包括 AWS 中的根用户账户和 Kubernetes 中的默认服务账户。 | |
| .002 | 域帐户 | 攻击者可能会获取和滥用域帐户的凭据,作为获取初始访问权限、持久性、权限提升或防御规避的一种手段。域帐户是由 Active Directory 域服务管理的帐户,其中访问和权限是在属于该域的系统和服务之间配置的。域帐户可以涵盖用户、管理员和服务。 | |
| .003 | 本地帐户 | 攻击者可能会获取和滥用本地帐户的凭据,作为获取初始访问、持久性、权限提升或防御规避的一种手段。本地帐户是由组织配置的帐户,供用户、远程支持、服务使用或在单个系统或服务上进行管理。 | |
| .004 | 云帐户 | 攻击者可能会获取和滥用云帐户的凭据,作为获取初始访问、持久性、权限提升或防御规避的一种手段。云帐户是由组织创建和配置的帐户,供用户、远程支持、服务使用,或用于管理云服务提供商或 SaaS 应用程序中的资源。在某些情况下,云帐户可能与传统的身份管理系统(如 Windows Active Directory)联合。 |
The adversary is trying to maintain their foothold.
Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.
Techniques: 19
| ID | Name | Description | |
|---|---|---|---|
| T1098 | Account Manipulation | Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. | |
| .001 | Additional Cloud Credentials | Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. | |
| .002 | Additional Email Delegate Permissions | Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account. | |
| .003 | Additional Cloud Roles | An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments. With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins). | |
| .004 | SSH Authorized Keys | Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys. Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value "yes" to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config. |
|
| .005 | Device Registration | Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance. | |
| T1197 | BITS Jobs | Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations. | |
| T1547 | Boot or Logon Autostart Execution | Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon. These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel. | |
| .001 | Registry Run Keys / Startup Folder | Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level. | |
| .002 | Authentication Package | Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system. | |
| .003 | Time Providers | Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains. W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients. | |
| .004 | Winlogon Helper DLL | Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[\Wow6432Node\]\Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. |
|
| .005 | Security Support Provider | Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. | |
| .006 | Kernel Modules and Extensions | Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. | |
| .007 | Re-opened Applications | Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in". When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist within the ~/Library/Preferences/ByHost directory. Applications listed in this file are automatically reopened upon the user’s next logon. |
|
| .008 | LSASS Driver | Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process. | |
| .009 | Shortcut Modification | Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. | |
| .010 | Port Monitors | Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. This DLL can be located in C:\Windows\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors. |
|
| .012 | Print Processors | Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot. | |
| .013 | XDG Autostart Entries | Adversaries may modify XDG autostart entries to execute programs or commands during system boot. Linux desktop environments that are XDG compliant implement functionality for XDG autostart entries. These entries will allow an application to automatically start during the startup of a desktop environment after user logon. By default, XDG autostart entries are stored within the /etc/xdg/autostart or ~/.config/autostart directories and have a .desktop file extension. |
|
| .014 | Active Setup | Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer. These programs will be executed under the context of the user and will have the account's associated permissions level. | |
| .015 | Login Items | Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in. Login items can be added via a shared file list or Service Management Framework. Shared file list login items can be set using scripting languages such as AppleScript, whereas the Service Management Framework uses the API call SMLoginItemSetEnabled. |
|
| T1037 | Boot or Logon Initialization Scripts | Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely. | |
| .001 | Logon Script (Windows) | Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system. This is done via adding a path to a script to the HKCU\Environment\UserInitMprLogonScript Registry key. |
|
| .002 | Login Hook | Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist file that points to a specific script to execute with root privileges upon user logon. The plist file is located in the /Library/Preferences/com.apple.loginwindow.plist file and can be modified using the defaults command-line utility. This behavior is the same for logout hooks where a script can be executed upon user logout. All hooks require administrator permissions to modify or create hooks. |
|
| .003 | Network Logon Script | Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects. These logon scripts run with the privileges of the user they are assigned to. Depending on the systems within the network, initializing one of these scripts could apply to more than one or potentially all systems. | |
| .004 | RC Scripts | Adversaries may establish persistence by modifying RC scripts which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify. | |
| .005 | Startup Items | Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items. | |
| T1176 | Browser Extensions | Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access. | |
| T1554 | Compromise Client Software Binary | Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers. | |
| T1136 | Create Account | Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system. | |
| .001 | Local Account | Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the net user /add command can be used to create a local account. On macOS systems the dscl -create command can be used to create a local account. Local accounts may also be added to network devices, often via common Network Device CLI commands such as username. |
|
| .002 | Domain Account | Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain command can be used to create a domain account. |
|
| .003 | Cloud Account | Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. | |
| T1543 | Create or Modify System Process | Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. On macOS, launchd processes known as Launch Daemon and Launch Agent are run to finish system initialization and load user specific parameters. | |
| .001 | Launch Agent | Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in /System/Library/LaunchAgents, /Library/LaunchAgents, and ~/Library/LaunchAgents. Property list files use the Label, ProgramArguments, and RunAtLoad keys to identify the Launch Agent's name, executable location, and execution time. Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks. |
|
| .002 | Systemd Service | Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources. Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible. | |
| .003 | Windows Service | Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. | |
| .004 | Launch Daemon | Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/ and /Library/LaunchDaemons/. Required Launch Daemons parameters include a Label to identify the task, Program to provide a path to the executable, and RunAtLoad to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks. |
|
| T1546 | Event Triggered Execution | Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events. | |
| .001 | Change Default File Association | Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened. | |
| .002 | Screensaver | Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension. The Windows screensaver application scrnsave.scr is located in C:\Windows\System32\, and C:\Windows\sysWOW64\ on 64-bit Windows systems, along with screensavers included with base Windows installations. |
|
| .003 | Windows Management Instrumentation Event Subscription | Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user loging, or the computer's uptime. | |
| .004 | Unix Shell Configuration Modification | Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User Unix Shells execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system (/etc) and the user’s home directory (~/) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately. |
|
| .005 | Trap | Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d. |
|
| .006 | LC_LOAD_DYLIB Addition | Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies. There are tools available to perform these changes. | |
| .007 | Netsh Helper DLL | Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh. |
|
| .008 | Accessibility Features | Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. | |
| .009 | AppCert DLLs | Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec. |
|
| .010 | AppInit DLLs | Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows or HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. |
|
| .011 | Application Shimming | Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. | |
| .012 | Image File Execution Options Injection | Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe). |
|
| .013 | PowerShell Profile | Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (profile.ps1) is a script that runs when PowerShell starts and can be used as a logon script to customize user environments. |
|
| .014 | Emond | Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a Launch Daemon that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at /sbin/emond will load any rules from the /etc/emond.d/rules/ directory and take action once an explicitly defined event takes place. |
|
| .015 | Component Object Model Hijacking | Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system. References to various COM objects are stored in the Registry. | |
| .016 | Installer Packages | Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation. | |
| T1133 | External Remote Services | Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally. | |
| T1574 | Hijack Execution Flow | Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution. | |
| .001 | DLL Search Order Hijacking | Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution. | |
| .002 | DLL Side-Loading | Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking, side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s). | |
| .004 | Dylib Hijacking | Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added. |
|
| .005 | Executable Installer File Permissions Weakness | Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM. | |
| .006 | Dynamic Linker Hijacking | Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from environment variables and files, such as LD_PRELOAD on Linux or DYLD_INSERT_LIBRARIES on macOS. Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name. These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions without changing the original library. |
|
| .007 | Path Interception by PATH Environment Variable | Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line. | |
| .008 | Path Interception by Search Order Hijacking | Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program. | |
| .009 | Path Interception by Unquoted Path | Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch. | |
| .010 | Services File Permissions Weakness | Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM. | |
| .011 | Services Registry Permissions Weakness | Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, PowerShell, or Reg. Access to Registry keys is controlled through access control lists and user permissions. |
|
| .012 | COR_PROFILER | Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR. | |
| .013 | KernelCallbackTable | Adversaries may abuse the KernelCallbackTable of a process to hijack its execution flow in order to run their own payloads. The KernelCallbackTable can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll is loaded. |
|
| T1525 | Implant Internal Image | Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike Upload Malware, this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image. | |
| T1556 | Modify Authentication Process | Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using Valid Accounts. | |
| .001 | Domain Controller Authentication | Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts. | |
| .002 | Password Filter DLL | Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated. | |
| .003 | Pluggable Authentication Modules | Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so, which retrieves, sets, and verifies account authentication information in /etc/passwd and /etc/shadow. |
|
| .004 | Network Device Authentication | Adversaries may use Patch System Image to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices. | |
| .005 | Reversible Encryption | An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it. |
|
| .006 | Multi-Factor Authentication | Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts. | |
| .007 | Hybrid Identity | Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts. | |
| .008 | Network Provider DLL | Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials during the authentication process. Network provider DLLs allow Windows to interface with specific network protocols and can also support add-on credential management functions. During the logon process, Winlogon (the interactive logon module) sends credentials to the local mpnotify.exe process via RPC. The mpnotify.exe process then shares the credentials in cleartext with registered credential managers when notifying that a logon event is happening. |
|
| T1137 | Office Application Startup | Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins. | |
| .001 | Office Template Macros | Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts. | |
| .002 | Office Test | Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation. | |
| .003 | Outlook Forms | Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form. | |
| .004 | Outlook Home Page | Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page. | |
| .005 | Outlook Rules | Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user. | |
| .006 | Add-ins | Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. | |
| T1542 | Pre-OS Boot | Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control. | |
| .001 | System Firmware | Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. | |
| .002 | Component Firmware | Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to System Firmware but conducted upon other system components/devices that may not have the same capability or level of integrity checking. | |
| .003 | Bootkit | Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly. | |
| .004 | ROMMONkit | Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. | |
| .005 | TFTP Boot | Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images. | |
| T1053 | Scheduled Task/Job | Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system. | |
| .002 | At | Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code. The at utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of Scheduled Task's schtasks in Windows environments, using at requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. | |
| .003 | Cron | Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code. The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths. |
|
| .005 | Scheduled Task | Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task. | |
| .006 | Systemd Timers | Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to Cron in Linux environments. Systemd timers may be activated remotely via the systemctl command line utility, which operates over SSH. |
|
| .007 | Container Orchestration Job | Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster. | |
| T1505 | Server Software Component | Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications. | |
| .001 | SQL Stored Procedures | Adversaries may abuse SQL stored procedures to establish persistent access to systems. SQL Stored Procedures are code that can be saved and reused so that database users do not waste time rewriting frequently used SQL queries. Stored procedures can be invoked via SQL statements to the database using the procedure name or via defined events (e.g. when a SQL server application is started/restarted). | |
| .002 | Transport Agent | Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails. Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequently registered with the Exchange server. Transport agents will be invoked during a specified stage of email processing and carry out developer defined tasks. | |
| .003 | Web Shell | Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server. | |
| .004 | IIS Components | Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: Get{Extension/Filter}Version, Http{Extension/Filter}Proc, and (optionally) Terminate{Extension/Filter}. IIS modules may also be installed to extend IIS web servers. |
|
| .005 | Terminal Services DLL | Adversaries may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Services, renamed to Remote Desktop Services in some Windows Server OSs as of 2022, enable remote terminal connections to hosts. Terminal Services allows servers to transmit a full, interactive, graphical user interface to clients via RDP. | |
| T1205 | Traffic Signaling | Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. Port Knocking), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software. | |
| .001 | Port Knocking | Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software. | |
| .002 | Socket Filters | Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the libpcap library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell. |
|
| T1078 | Valid Accounts | Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. | |
| .001 | Default Accounts | Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes. | |
| .002 | Domain Accounts | Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services. | |
| .003 | Local Accounts | Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. | |
| .004 | Cloud Accounts | Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management systems, such as Windows Active Directory. |