ATT&CK-CN V1.01 Last Update: 2019-11 [Back to index]

Translators: Lin Miaoqian (林妙倩, cyberspace security intern, Institute for Network Sciences and Cyberspace, Tsinghua University), Dai Yilun (戴亦仑, 赛宁网安). Original translation; please obtain the translators' consent before reproducing it.

Data source: ATT&CK Matrices


Glossary: /attack/glossary



Adversaries may modify systems in order to manipulate data as it is accessed and displayed to an end user. By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.

Adversaries may alter the application binaries used to display data in order to cause runtime manipulation. Adversaries may also use Change Default File Association and Masquerading to achieve a similar effect. The type of modification and the impact it will have depend on the target application and process as well as on the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise, and possibly access to specialized software related to the system, typically gained through a prolonged information-gathering campaign, in order to have the desired impact.


ID: T1494

Tactic: Impact

Platforms: Linux, macOS, Windows


Data Sources: File monitoring, Process monitoring

Impact Type: Integrity


Name Description
APT38 (G0082) APT38 has used DYEPACK.FOX to manipulate PDF data as it is accessed, removing traces of fraudulent SWIFT transactions from the data displayed to the end user. [1]


Mitigation Description
Network Segmentation (M1030) Identify critical business and system processes that may be targeted by adversaries and work to isolate and secure those systems against unauthorized access and tampering.
Restrict File and Directory Permissions (M1022) Prevent critical business and system processes from being replaced, overwritten, or reconfigured to load potentially malicious code.



Detection: Inspect the hashes, locations, permissions, and modification times of important application binaries for suspicious or unexpected values. Because the adversary's goal is to change what the end user sees, the binaries that render or display data (document viewers, report generators, transaction front-ends) are the ones to baseline first.
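The following Python script is an added illustration of the detection above combined with the M1022 check; it is not part of the ATT&CK entry or of the translators' page. It records a baseline of SHA-256 hashes and POSIX permission bits for a list of display binaries, then reports binaries that have been replaced, removed, re-permissioned, or left group/world-writable. The file names (report_viewer, pdf_render, old_tool) are hypothetical placeholders, the contents are not real executables, and the permission logic assumes Linux/macOS mode bits.

```python
import hashlib
import json
import stat
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record the hash and permission bits of each watched binary.

    Run once on a known-good host and store the result off-box: an adversary
    who can rewrite the binary can also rewrite a baseline kept beside it.
    """
    baseline = {}
    for p in map(Path, paths):
        baseline[str(p)] = {
            "sha256": sha256_of(p),
            "mode": stat.S_IMODE(p.stat().st_mode),
        }
    return baseline


def dump_baseline(baseline) -> str:
    """Serialise the baseline for storage (e.g. in a signed config repository)."""
    return json.dumps(baseline, indent=2, sort_keys=True)


def load_baseline(text: str):
    return json.loads(text)


def check_against_baseline(baseline):
    """Compare current state with the baseline; return (path, finding) pairs.

    Findings: "missing" (binary removed or moved), "hash_mismatch" (contents
    replaced or patched), "mode_changed" (permission bits differ from the
    baseline) and "group_or_world_writable" (M1022 violated: other accounts
    could overwrite it). Permission checks assume POSIX mode bits.
    """
    findings = []
    for path_str, rec in baseline.items():
        p = Path(path_str)
        if not p.is_file():
            findings.append((path_str, "missing"))
            continue
        if sha256_of(p) != rec["sha256"]:
            findings.append((path_str, "hash_mismatch"))
        mode = stat.S_IMODE(p.stat().st_mode)
        if mode != rec["mode"]:
            findings.append((path_str, "mode_changed"))
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path_str, "group_or_world_writable"))
    return findings


def demo():
    """Constructed end-to-end run on placeholder files in a temp directory.

    The file names are hypothetical and the contents are not real executables;
    they stand in for the display applications an adversary would patch.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        viewer, renderer, old = (root / n for n in ("report_viewer", "pdf_render", "old_tool"))
        for f in (viewer, renderer, old):
            f.write_bytes(b"placeholder binary: " + f.name.encode())
            f.chmod(0o755)
        # Round-trip through JSON, as a stored baseline would be
        baseline = load_baseline(dump_baseline(build_baseline([viewer, renderer, old])))

        # Simulated tampering after the baseline was taken
        viewer.write_bytes(b"placeholder binary: report_viewer (patched)")  # contents altered
        renderer.chmod(0o777)                                                # permissions loosened
        old.unlink()                                                         # binary removed

        findings = check_against_baseline(baseline)

    # Group findings by file name for readability
    return {Path(p).name: sorted(kind for q, kind in findings if q == p) for p in baseline}


if __name__ == "__main__":
    for name, kinds in demo().items():
        print(f"{name}: {', '.join(kinds) or 'ok'}")
```

In production the baseline would be built from the real viewer and reporting binaries and kept where the monitored host cannot write to it; a mismatch is a trigger for forensic comparison of the binary against the vendor's release, not proof of compromise on its own (patching and legitimate upgrades also change hashes).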