-
Notifications
You must be signed in to change notification settings - Fork 6
/
attack-pattern--17cc750b-e95b-4d7d-9dde-49e0de24148c.json
80 lines (80 loc) · 5.93 KB
/
attack-pattern--17cc750b-e95b-4d7d-9dde-49e0de24148c.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
{
"external_references": [
{
"source_name": "mitre-attack",
"external_id": "T1574.011",
"url": "https://attack.mitre.org/techniques/T1574/011"
},
{
"external_id": "CAPEC-478",
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/478.html"
},
{
"source_name": "Registry Key Security",
"url": "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights?redirectedfrom=MSDN",
"description": "Microsoft. (2018, May 31). Registry Key Security and Access Rights. Retrieved March 16, 2017."
},
{
"source_name": "Kansa Service related collectors",
"url": "https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html",
"description": "Hull, D.. (2014, May 3). Kansa: Service related collectors and analysis. Retrieved October 10, 2019."
},
{
"source_name": "Tweet Registry Perms Weakness",
"url": "https://twitter.com/r0wdy_/status/936365549553991680",
"description": "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved April 9, 2018."
},
{
"source_name": "Autoruns for Windows",
"url": "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"description": "Mark Russinovich. (2019, June 28). Autoruns for Windows v13.96. Retrieved March 13, 2020."
}
],
"created_by_ref": "The MITRE Corporation",
"name": "Services Registry Permissions Weakness",
"description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under <code>HKLM\\SYSTEM\\CurrentControlSet\\Services</code>. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through Access Control Lists and permissions. (Citation: Registry Key Security)\n\nIf the permissions for users and groups are not properly set and allow access to the Registry keys for a service, then adversaries can change the service binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, then the adversary-controlled program will execute, allowing the adversary to gain persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).\n\nAdversaries may also alter Registry keys associated with service failure parameters (such as <code>FailureCommand</code>) that may be executed in an elevated context anytime the service fails or is intentionally corrupted.(Citation: Kansa Service related collectors)(Citation: Tweet Registry Perms Weakness) ",
"id": "attack-pattern--17cc750b-e95b-4d7d-9dde-49e0de24148c",
"type": "attack-pattern",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"modified": "2020-09-16T19:07:48.590Z",
"created": "2020-03-13T11:42:14.444Z",
"x_mitre_defense_bypassed": [
"Application control"
],
"x_mitre_version": "1.0",
"x_mitre_is_subtechnique": true,
"x_mitre_effective_permissions": [
"SYSTEM"
],
"x_mitre_permissions_required": [
"Administrator",
"User"
],
"x_mitre_detection": "Service changes are reflected in the Registry. Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and does not correlate with software updates, then it may be due to malicious activity. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current service information. (Citation: Autoruns for Windows) Look for changes to services that do not correlate with known software, patch cycles, etc. Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data.\n\nMonitor processes and command-line arguments for actions that could be done to modify services. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Services may also be changed through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data.",
"x_mitre_data_sources": [
"Windows Registry",
"Services",
"Process command-line parameters"
],
"x_mitre_contributors": [
"Travis Smith, Tripwire",
"Matthew Demaske, Adaptforward"
],
"x_mitre_platforms": [
"Windows"
]
}