Exploitation for Defense Evasion

Exploitation for defense evasion refers to an adversary exploiting a vulnerability in the system or in security software to bypass a defensive mechanism. It typically targets a flaw in the security product itself (for example, a logic bug in an anti-virus engine) or a weak point in a cloud platform's protections (for example, a vulnerability in the instance metadata API) to achieve a targeted breakthrough. Conventional detection relies on monitoring anomalous process behavior (such as loading an unsigned driver), detecting memory modification, or analyzing anomalies in cloud logs; defensive measures include hardening driver signature verification, deploying memory protection mechanisms (such as HVCI), and tightening cloud service access-control policies.

ID: T1211
Sub-techniques:  No sub-techniques
Tactic: Defense Evasion
Platforms: IaaS, Linux, SaaS, Windows, macOS
Defense Bypassed: Anti-virus, System access controls
Contributors: John Lambert, Microsoft Threat Intelligence Center
Version: 1.4
Created: 18 April 2018
Last Modified: 15 October 2023

Stealth Effects

Effect type                   Present
Signature disguise
Behavioral transparency
Data obscuration
Spatiotemporal trace erasure

Signature disguise

The adversary disguises exploitation as normal system activity by injecting into legitimate processes and by calling cloud service APIs. For example, memory-resident techniques execute malicious code in the context of a legitimate process, and cloud API abuse embeds the attacker's requests in standard metadata queries, so at the level of protocol signatures and process behavior the exploitation traffic closely resembles legitimate operations.

Behavioral transparency

When exploiting logic flaws in security software, the adversary uses undisclosed zero-day vulnerabilities to break through the defensive mechanism, so conventional detection based on known-vulnerability signatures or behavioral rules fails. Such attacks exploit blind spots in the defensive architecture itself to achieve a "transparent" breakthrough that defenders struggle to notice through routine monitoring.

Data obscuration

Memory-resident techniques avoid writing to disk throughout: the payload exists only in volatile memory, so detection mechanisms based on file scanning obtain no useful data. Cloud API abuse carries the attacker's requests over HTTPS-encrypted channels, so defenders cannot directly inspect the malicious query content without TLS interception; together these amount to obscuration at the data layer. Two caveats apply in practice: the instance metadata service itself is normally reached over plain HTTP at a link-local address, so host-level telemetry (which process opened the connection, and as which user) is visible regardless of encryption, and the cloud provider's API audit logs record the control-plane calls made with any stolen credentials. The obscuration is therefore partial, not total.
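The caveat above points at where a check can actually live: on the host, at the process-to-network boundary. The following is an added example, not code from the ATT&CK page. It scans constructed records shaped like Sysmon Event ID 3 (NetworkConnect, also emitted by Sysmon for Linux) and flags processes that contact the instance metadata service from outside an allowlist of expected agents, scoring access from web-service accounts higher because that is the SSRF-to-credential-theft pattern. Field names follow Sysmon's schema; the image paths, the allowlist and the service-account list are assumptions to be tuned per fleet.

```python
"""Flag processes contacting the cloud instance metadata service (IMDS).

Added example, not part of the ATT&CK page. Input records are constructed
in the shape of Sysmon Event ID 3 (NetworkConnect); the image paths,
allowlist and service-account names are assumptions.
"""
import ipaddress
import json

# Link-local metadata endpoints: 169.254.169.254 on AWS, Azure and GCP (IPv4),
# fd00:ec2::254 for AWS IMDS over IPv6.
IMDS_ADDRESSES = {
    ipaddress.ip_address("169.254.169.254"),
    ipaddress.ip_address("fd00:ec2::254"),
}

# Images expected to query IMDS on this (assumed) fleet. Keep this narrow:
# allowlisting a generic interpreter such as python3 would hide the attacker,
# who usually reaches IMDS from exactly such a binary.
IMDS_ALLOWLIST = {
    "/usr/bin/cloud-init",
    "/usr/bin/amazon-ssm-agent",
}

# Accounts under which internet-facing services run (assumed); IMDS access
# from these is the SSRF-to-credential-theft pattern and is scored higher.
SERVICE_ACCOUNTS = {"www-data", "nginx", "apache", "tomcat"}

# Constructed sample, one JSON record per line, Sysmon field names.
# The last line is deliberately malformed to exercise the parser.
SAMPLE_EVENTS = r"""
{"EventID":3,"UtcTime":"2024-03-01 10:00:01.000","Image":"/usr/bin/cloud-init","User":"root","DestinationIp":"169.254.169.254","DestinationPort":80}
{"EventID":3,"UtcTime":"2024-03-01 10:02:14.000","Image":"/usr/bin/curl","User":"www-data","DestinationIp":"169.254.169.254","DestinationPort":80}
{"EventID":3,"UtcTime":"2024-03-01 10:02:20.000","Image":"/usr/bin/python3","User":"www-data","DestinationIp":"169.254.169.254","DestinationPort":80}
{"EventID":3,"UtcTime":"2024-03-01 10:03:00.000","Image":"/usr/bin/curl","User":"www-data","DestinationIp":"203.0.113.10","DestinationPort":443}
{"EventID":1,"UtcTime":"2024-03-01 10:03:05.000","Image":"/bin/bash","User":"www-data"}
not json at all
"""


def parse_events(text):
    """Parse one JSON object per line; skip blank or malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def is_imds_destination(ip_text):
    """True if the destination is a known metadata endpoint; unparsable input is not."""
    try:
        return ipaddress.ip_address(ip_text) in IMDS_ADDRESSES
    except ValueError:
        return False


def find_unexpected_imds_access(events, allowlist=IMDS_ALLOWLIST):
    """Return findings for NetworkConnect events to IMDS from non-allowlisted images.

    Each finding is (UtcTime, Image, User, severity); severity is "high" when
    the connecting account is a service account, "medium" otherwise.
    """
    findings = []
    for ev in events:
        if ev.get("EventID") != 3:
            continue
        if not is_imds_destination(ev.get("DestinationIp", "")):
            continue
        image = ev.get("Image", "")
        if image in allowlist:
            continue
        user = ev.get("User", "")
        severity = "high" if user in SERVICE_ACCOUNTS else "medium"
        findings.append((ev.get("UtcTime"), image, user, severity))
    return findings


if __name__ == "__main__":
    for finding in find_unexpected_imds_access(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

Running the block reports the curl and python3 connections from www-data and nothing else. Because IMDS traffic is link-local it never appears in VPC flow logs, which is why the check is written against host telemetry; on AWS, requiring IMDSv2 (session tokens with a hop limit of 1) is the matching mitigation for the SSRF case.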

Procedure Examples

ID Name Description
G0007 APT28

APT28 has used CVE-2015-4902 to bypass security features.[1][2]

Mitigations

ID Mitigation Description
M1048 Application Isolation and Sandboxing

Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. [3]

M1050 Exploit Protection

Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. [4] Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. [5] Many of these protections depend on the architecture and target application binary for compatibility and may not work for software targeted for defense evasion.

M1019 Threat Intelligence Program

Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization.

M1051 Update Software

Update software regularly by employing patch management for internal enterprise endpoints and servers.

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Exploitation for defense evasion may happen shortly after the system has been compromised to prevent detection during later actions or of additional tools that may be brought in and used. Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash.

DS0009 Process Process Creation

Monitor for abnormal process creations, such as a Command and Scripting Interpreter spawning from a potentially exploited application. Also look for behavior on the system that might indicate successful compromise, such as abnormal behavior of processes.
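The two detection rows above can be combined: the process-lineage signal (an interpreter spawned by an application that parses untrusted input) and the application-log signal (a failed or unstable exploit crashing the exploited process). The following is an added example, not code from the ATT&CK page. It runs over constructed records shaped like Sysmon Event ID 1 (ProcessCreate) and Windows Application log Event ID 1000 (Application Error), flags suspicious parent/child pairs, and raises severity when the parent crashed within a short window of the spawn. The browser to Java to cmd.exe chain in the sample only illustrates the shape of a plugin exploit and is not a record of any real incident; the image lists, the crash record's field names and the correlation window are assumptions.

```python
"""Correlate interpreter spawns from exploitable parents with parent crashes.

Added example, not part of the ATT&CK page. Records are constructed in the
shape of Sysmon Event ID 1 (ProcessCreate) and Windows Application log
Event ID 1000 (Application Error); the image lists, the crash record's
field names and the correlation window are assumptions.
"""
import json
from datetime import datetime, timedelta

# Applications that parse untrusted content and are common exploit targets (assumed).
EXPLOITABLE_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe",
    "java.exe", "javaw.exe", "iexplore.exe", "firefox.exe", "chrome.exe",
}
# Command and Scripting Interpreter binaries plus common proxy-execution LOLBins.
INTERPRETER_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe",
}
# How close a parent crash must be to the spawn to count as the same incident.
CRASH_WINDOW = timedelta(seconds=60)

# Constructed sample. A real Event 1000 renders the faulting process id as hex
# text; here it is assumed to have been normalized to decimal at ingestion.
SAMPLE_LOG = r"""
{"EventID":1,"UtcTime":"2024-03-01 09:15:02.110","Image":"C:\\Program Files\\Java\\jre\\bin\\java.exe","ParentImage":"C:\\Program Files\\Internet Explorer\\iexplore.exe","ProcessId":4312,"ParentProcessId":2208}
{"EventID":1,"UtcTime":"2024-03-01 09:15:03.540","Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Program Files\\Java\\jre\\bin\\java.exe","ProcessId":4400,"ParentProcessId":4312,"CommandLine":"cmd.exe /c whoami"}
{"EventID":1000,"UtcTime":"2024-03-01 09:15:05.000","Source":"Application Error","FaultingApplication":"java.exe","FaultingProcessId":4312}
{"EventID":1,"UtcTime":"2024-03-01 09:20:00.000","Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\explorer.exe","ProcessId":5120,"ParentProcessId":1900}
{"EventID":1,"UtcTime":"2024-03-01 11:00:00.000","Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","ProcessId":6000,"ParentProcessId":5900}
"""


def parse_events(text):
    """Parse one JSON object per line; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def basename(path):
    """Case-folded file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_time(text):
    """Sysmon UtcTime format: 'YYYY-MM-DD HH:MM:SS.fff'."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def suspicious_spawns(events):
    """ProcessCreate events where an exploitable parent spawns an interpreter."""
    return [
        ev for ev in events
        if ev.get("EventID") == 1
        and basename(ev.get("ParentImage", "")) in EXPLOITABLE_PARENTS
        and basename(ev.get("Image", "")) in INTERPRETER_CHILDREN
    ]


def parent_crashed(events, parent_pid, when, window=CRASH_WINDOW):
    """True if an Application Error for parent_pid lies within `window` of `when`.

    The time bound matters: PIDs are reused, so a crash of the same PID hours
    later is a different process.
    """
    for ev in events:
        if ev.get("EventID") != 1000 or ev.get("FaultingProcessId") != parent_pid:
            continue
        if abs(parse_time(ev["UtcTime"]) - when) <= window:
            return True
    return False


def triage(events, window=CRASH_WINDOW):
    """Return one finding per suspicious spawn, escalated when the parent crashed."""
    findings = []
    for ev in suspicious_spawns(events):
        when = parse_time(ev["UtcTime"])
        crashed = parent_crashed(events, ev.get("ParentProcessId"), when, window)
        findings.append({
            "time": ev["UtcTime"],
            "parent": basename(ev["ParentImage"]),
            "child": basename(ev["Image"]),
            "parent_pid": ev.get("ParentProcessId"),
            "parent_crashed": crashed,
            "severity": "high" if crashed else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in triage(parse_events(SAMPLE_LOG)):
        print(finding)
```

On the sample this yields two findings: cmd.exe spawned by java.exe, whose parent crashed 1.5 seconds later (high), and cmd.exe spawned by WINWORD.EXE with no crash (medium). The cmd.exe launched from explorer.exe is ordinary user activity and is not reported; the crash alone, without a lineage hit, is also not reported, since instability is only meaningful as corroboration.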

References