Server Software Components

Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.[1]

ID: T1505
Sub-techniques: T1505.001 (SQL Stored Procedures), T1505.002 (Transport Agent), T1505.003 (Web Shell), T1505.004 (IIS Components)
Tactic: Persistence
Platforms: Linux, Network, Windows, macOS
Version: 1.4
Created: 28 June 2019
Last Modified: 19 October 2022

Stealth Effects

Effect Type Present
Signature Mimicry
Behavioral Transparency
Data Masking
Spatiotemporal Trace Dispersion

Signature Mimicry

Adversaries closely replicate the digital signature, file structure and load sequence of a legitimate component so that the malicious component matches a legitimate one in static attributes such as file properties and registry entries. For example, in a service-configuration image hijack, a malicious proxy component keeps the original digital certificate and reproduces the legitimate module's export table, so detection based on known file hashes or interface scanning misses it. One caveat for defenders: a signature copied onto a modified binary does not verify, because the signed hash no longer matches the file, so this disguise only defeats checks that look for the presence of a certificate rather than validating the signature, and a comparison against a known-good hash baseline still flags the swapped file.

Behavioral Transparency

The malicious component is loaded through an undocumented extension interface of the server software or through a zero-day vulnerability, so its installation does not trip the usual security auditing. For example, memory-resident component injection avoids detection based on scanning memory for signatures, and splitting the payload into a chain of components, each with an innocuous function of its own, means no single component looks malicious in isolation, so the defender is unlikely to notice the component being loaded through standard monitoring.

Spatiotemporal Trace Dispersion

A dynamic loading strategy lowers how often and how conspicuously the malicious component runs, so its activity is spread out and harder to capture. The activation cycle is aligned with the server's busy periods; for example, a data-theft module runs only while the daily scheduled backup job executes. This timing disguise keeps the component's share of runtime comparable to that of normal background services and evades anomaly detection based on process runtime thresholds. It evades only duration-based thresholds, however: correlating the component's activity window with the backup schedule, or watching which files it reads during that window, still separates it from the backup job.

Mitigations

ID Mitigation Description
M1047 Audit

Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made.

M1045 Code Signing

Ensure all application component binaries are signed by the correct application developers.

M1042 Disable or Remove Feature or Program

Consider disabling software components from servers when possible to prevent abuse by adversaries.[2]

M1026 Privileged Account Management

Do not allow administrator accounts that have permissions to add component software on these services to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.

M1024 Restrict Registry Permissions

Consider using Group Policy to configure and block modifications to service and other critical server parameters in the Registry.[3]

M1018 User Account Management

Enforce the principle of least privilege by limiting privileges of user accounts so only authorized accounts can modify and/or add server software components.[4]

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor for third-party application logging, messaging, and/or other artifacts that may abuse legitimate extensible development features of servers to establish persistent access to systems. Consider monitoring application logs for abnormal behavior that may indicate suspicious installation of application software components. Log authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. [5]

DS0022 File File Creation

Consider monitoring file locations associated with the installation of new application software components such as paths from which applications typically load such extensible components.

File Modification

Monitor for changes made to files that may abuse legitimate extensible development features of servers to establish persistent access to systems.

DS0029 Network Traffic Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated with protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). [5]

Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

DS0009 Process Process Creation

Process monitoring may be used to detect server components that perform suspicious actions such as running cmd.exe or accessing files.
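The Network Traffic Flow and Process Creation rows above describe two signals that are cheap to implement on endpoint telemetry: a server process spawning a command interpreter, and a server process opening a connection it has no baseline for. The following is an added example, not part of the ATT&CK page; the events are constructed in the shape of Sysmon records (EventID 1 = ProcessCreate, 3 = NetworkConnect), and the process and port allowlists are assumptions that a real deployment would derive from its own baseline.

```python
"""Detection logic for misbehaving server components over Sysmon-style events.

Added example. Covers DS0009 Process Creation (server process spawns an
interpreter) and DS0029 Network Traffic Flow (server process makes a
connection outside its baseline). Events and allowlists are constructed.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Constructed sample events using simplified Sysmon field names.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "w3wp.exe -ap DefaultAppPool"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "cmd.exe /c whoami /all"},           # web shell / IIS module behaviour
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile Get-Date"},  # interactive admin: not a server child
    {"EventID": 3, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "DestinationIp": "10.0.5.20", "DestinationPort": 1433},  # app pool to its database: baseline
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "DestinationIp": "203.0.113.7", "DestinationPort": 443},  # DB engine calling out: unexpected
]

# Assumed allowlists; derive these from your own environment's baseline.
SERVER_PROCESSES = frozenset({
    "w3wp.exe", "httpd.exe", "nginx.exe", "tomcat9.exe", "sqlservr.exe", "edgetransport.exe",
})
INTERPRETERS = frozenset({
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "sh", "bash",
})
# Destination ports each server process is expected to open outbound.
NETWORK_BASELINE = {
    "w3wp.exe": frozenset({1433, 5432}),
    "edgetransport.exe": frozenset({25, 587}),
}


@dataclass(frozen=True)
class Alert:
    rule: str
    image: str
    detail: str


def basename(path: str) -> str:
    """Case-insensitive file name from a Windows path; ntpath handles backslashes on any OS."""
    return ntpath.basename(path).lower()


def detect(events) -> list[Alert]:
    """Apply both rules to an event stream and return the alerts in event order."""
    alerts: list[Alert] = []
    for ev in events:
        if ev["EventID"] == 1:
            parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
            if parent in SERVER_PROCESSES and child in INTERPRETERS:
                alerts.append(Alert(
                    "server_spawned_interpreter", ev["Image"],
                    f"{parent} -> {child}: {ev['CommandLine']}",
                ))
        elif ev["EventID"] == 3:
            img = basename(ev["Image"])
            allowed = NETWORK_BASELINE.get(img, frozenset())
            if img in SERVER_PROCESSES and ev["DestinationPort"] not in allowed:
                alerts.append(Alert(
                    "server_unbaselined_network", ev["Image"],
                    f"{img} -> {ev['DestinationIp']}:{ev['DestinationPort']}",
                ))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a.rule, a.detail)
```

The parent-child rule is the one most worth tuning first: legitimate application pools rarely need cmd.exe, so the false-positive rate is low and a hit usually means a web shell or a malicious module is already installed. The network rule needs a real baseline per process and should be keyed on the server role rather than a global list, otherwise a database server that legitimately replicates on a non-default port will page you every night.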

References