启动或登录初始化脚本是攻击者通过篡改系统启动或用户登录时自动执行的脚本实现持久化的技术,通常利用组策略、计划任务或Shell配置文件等机制加载恶意代码。防御方可通过监控系统关键脚本目录的异常修改、分析脚本执行上下文权限变化、检测非常规进程创建行为等手段进行防护,重点关注非管理员时段的脚本变更及非常用程序的初始化加载。
为规避传统检测方法对脚本内容静态分析、执行行为监控的防御优势,攻击者发展出模块化、智能化、动态化的新型隐蔽持久化技术。通过将恶意功能解耦为多个互为校验的组件,并深度适配目标系统运行环境,实现在不破坏系统正常功能前提下的隐蔽驻留。
当前启动脚本匿迹技术的核心演进方向体现在三个层面:在存储维度,采用分散式数据隐藏技术将攻击要素融入系统合法数据结构;在执行维度,构建环境感知与动态加载机制实现攻击逻辑的情景化激活;在交互维度,通过加密通信与合法协议伪装确保攻击链路的隐蔽性。合法脚本注入技术利用系统可信执行流作为保护伞,通过字节级精准篡改规避哈希校验;动态脚本加载技术建立云端武器库与本地加载器的协同机制,降低本地攻击特征密度;环境感知触发技术引入多维环境指纹验证,确保攻击行为与业务场景的高度同步;凭证混淆存储技术重构敏感数据处理流程,破坏防御方的情报关联能力。这些技术的共性在于突破传统恶意脚本的静态特征限制,通过系统特性的武器化利用实现持久化链路的"去恶意化"表征。
匿迹技术的演进导致传统基于脚本特征签名、进程行为规则的检测体系面临失效风险。防御方需构建运行时内存取证、环境异常关联分析等深度检测能力,同时实施脚本执行路径完整性验证,并建立跨节点的初始化行为基线模型,才能有效应对新型隐蔽持久化威胁。
| 效应类型 | 是否存在 |
|---|---|
| 特征伪装 | ✅ |
| 行为透明 | ✅ |
| 数据遮蔽 | ✅ |
| 时空释痕 | ✅ |
攻击者通过篡改合法系统脚本实现恶意代码的深度寄生,保持原始脚本的数字签名、文件属性等表面特征。将攻击载荷嵌入系统标准运维流程(如组策略更新、日志轮转),使恶意行为在进程树、网络连接等维度呈现合法特征。
采用环境感知触发机制,仅在特定硬件配置、网络环境或时间窗口激活攻击模块。通过模拟正常管理任务的资源占用模式,使得恶意代码执行过程与合法运维行为在CPU、内存等维度无法区分。
对窃取的凭证、配置信息进行多层加密与分散存储,利用系统组件(如注册表、证书存储)的合法功能实现数据加解密。网络通信采用HTTPS等加密协议传输控制指令,隐藏C2基础设施的真实地址。
动态脚本加载技术将攻击链拆解为多阶段、多节点的离散操作,通过云端武器库按需分发载荷。低频触发机制结合智能休眠策略,使恶意活动间隔时间远超常规检测窗口,稀释行为特征的时间相关性。
| ID | Name | Description |
|---|---|---|
| G0016 | APT29 |
APT29 has hijacked legitimate application-specific startup scripts to enable malware to execute on system startup.[1] |
| G0096 | APT41 |
APT41 used a hidden shell script in |
| G0106 | Rocke |
Rocke has installed an "init.d" startup script to maintain persistence.[3] |
| S1078 | RotaJakiro |
Depending on the Linux distribution and when executing with root permissions, RotaJakiro may install persistence using a |
| ID | Mitigation | Description |
|---|---|---|
| M1022 | Restrict File and Directory Permissions |
Restrict write access to logon scripts to specific administrators. |
| M1024 | Restrict Registry Permissions |
Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0026 | Active Directory | Active Directory Object Modification |
Monitor for changes made in the Active Directory that may use scripts automatically executed at boot or logon initialization to establish persistence. |
| DS0017 | Command | Command Execution |
Monitor executed commands and arguments that may consist of logon scripts for unusual access by abnormal users or at abnormal times. |
| DS0022 | File | File Creation |
Monitor for newly constructed files that may use scripts automatically executed at boot or logon initialization to establish persistence. |
| File Modification |
Monitor for changes made to files that are modified by unusual accounts outside of normal administration duties. |
||
| DS0009 | Process | Process Creation |
Monitor for newly executed processes that may use scripts automatically executed at boot or logon initialization to establish persistence. Adversaries may schedule software to run whenever a user logs into the system; this is done to establish persistence and sometimes for lateral movement. This trigger is established through the registry key Analytic 1 - Boot or Logon Initialization Scripts
|
| DS0024 | Windows Registry | Windows Registry Key Creation |
Monitor for newly constructed windows registry keys that may use scripts automatically executed at boot or logon initialization to establish persistence. |