ATT&CK-CN V1.01 Last Update: 2019-11 [Return to index page]

Translators: 林妙倩 (cybersecurity intern, Institute for Network Sciences and Cyberspace, Tsinghua University), 戴亦仑 (赛宁网安). Original translation; please obtain the translators' consent before reproducing.

Data source: ATT&CK Matrices

Original: https://attack.mitre.org/techniques/T1494

Glossary: /attack/glossary

Runtime Data Manipulation

Adversaries may modify systems in order to manipulate data as it is accessed and displayed to an end user, without altering the stored data itself. By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.

Adversaries may alter the application binaries used to display data in order to cause runtime manipulations. Adversaries may also use Change Default File Association or Masquerading to achieve a similar effect, so that a substitute program is invoked when the data is opened. The type of modification and the impact it will have depend on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system, typically gained through a prolonged information gathering campaign, in order to have the desired impact.

Tags

ID: T1494

Tactic: Impact

Platforms: Linux, macOS, Windows

Permissions Required: User, Administrator, root, SYSTEM

Data Sources: File monitoring, Process monitoring

Impact Type: Integrity

Procedure Examples

Name	Description
APT38 (G0082)	APT38 has used DYEPACK.FOX to manipulate PDF data as it is accessed, removing traces of fraudulent SWIFT transactions from the data displayed to the end user. [1]

Mitigations

Mitigation	Description
Network Segmentation (M1030)	Identify critical business and system processes that may be targeted by adversaries and work to isolate and secure those systems against unauthorized access and tampering.
Restrict File and Directory Permissions (M1022)	Prevent critical business and system processes from being replaced, overwritten, or reconfigured to load potentially malicious code.

Detection

Inspect the hashes, locations, and modification state of important application binaries for suspicious or unexpected values. Because this technique changes what is displayed rather than what is stored, comparing stored records against a trusted source (for example, the originating transaction system) can also expose the discrepancy.
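The detection guidance above (hashes, locations, permission state of the display binary) and mitigation M1022 can both be exercised with a small baseline-and-compare check. The following is an added example written for this page, not code from MITRE ATT&CK or from any referenced tool: it snapshots the SHA-256, size, permission bits and symlink target of each monitored binary, then reports content replacement, permission changes, world-writable bits and path redirection. The `pdfviewer` file, its contents and the tampering in `demo()` are constructed for illustration; the permission checks assume a POSIX host.

```python
import hashlib
import os
import stat
import tempfile


def fingerprint(path):
    """Collect the attributes worth comparing for one application binary:
    the hash of what actually executes, its size and mode, and whether the
    path is a symlink (a cheap way to redirect a viewer to a substitute)."""
    lst = os.lstat(path)
    target = os.readlink(path) if stat.S_ISLNK(lst.st_mode) else None
    st = os.stat(path)  # follows the link: attributes of the real executable
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "symlink_target": target,
    }


def build_baseline(paths):
    """Snapshot a trusted state. Take this right after a verified install and
    store it where the monitored host cannot rewrite it."""
    return {os.path.abspath(p): fingerprint(p) for p in paths}


def check_against_baseline(baseline):
    """Re-fingerprint every baselined binary and return a list of
    (path, finding, detail) tuples; an empty list means nothing deviated."""
    findings = []
    for path, expected in baseline.items():
        if not os.path.lexists(path):
            findings.append((path, "missing", "binary removed or renamed"))
            continue
        now = fingerprint(path)
        if now["sha256"] != expected["sha256"]:
            findings.append((path, "content_changed",
                             f"{expected['sha256'][:12]} -> {now['sha256'][:12]}"))
        if now["mode"] != expected["mode"]:
            findings.append((path, "mode_changed",
                             f"{expected['mode']:04o} -> {now['mode']:04o}"))
        if now["mode"] & stat.S_IWOTH:
            # M1022: a world-writable binary can be replaced by any local user
            findings.append((path, "world_writable",
                             "binary can be overwritten by any user"))
        if now["symlink_target"] != expected["symlink_target"]:
            findings.append((path, "redirected",
                             f"path now resolves via {now['symlink_target']}"))
    return findings


def demo():
    """Constructed scenario (not from the ATT&CK page): a fake 'pdfviewer'
    binary is baselined, then overwritten and made world-writable, which is
    the kind of change a runtime data manipulation of displayed PDFs needs."""
    with tempfile.TemporaryDirectory() as d:
        viewer = os.path.join(d, "pdfviewer")
        with open(viewer, "wb") as f:
            f.write(b"\x7fELF original viewer code")  # constructed content
        os.chmod(viewer, 0o755)
        baseline = build_baseline([viewer])
        clean = check_against_baseline(baseline)

        with open(viewer, "wb") as f:
            f.write(b"\x7fELF viewer patched to hide transactions")
        os.chmod(viewer, 0o777)
        tampered = check_against_baseline(baseline)
    return {"clean": clean, "after_tamper": tampered}


if __name__ == "__main__":
    for path, kind, detail in demo()["after_tamper"]:
        print(f"{kind:16} {path}: {detail}")
```

In production the baseline would cover the real display applications (PDF readers, terminal emulators, reporting front-ends) and be compared on a schedule or from a file-integrity monitoring agent; the hash comparison catches the patched-binary case, while the symlink and mode checks cover the redirection and permission-weakening paths that Masquerading and M1022 are concerned with.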