ATT&CK-CN V1.01 Last Update: 2019-11 [返回索引页]

译者: 林妙倩(清华大学网络研究院网络空间安全实习生)、戴亦仑(赛宁网安) 原创翻译作品,如果需要转载请取得翻译作者同意。

数据来源:ATT&CK Matrices

原文: https://attack.mitre.org/techniques/T1496

术语表: /attack/glossary

资源劫持

对手可能会利用增补系统的资源,以解决可能影响系统和/或托管服务可用性的资源密集型问题。

资源劫持的一个常见目的是验证加密货币网络的交易并获得虚拟货币。对手可能会消耗足够的系统资源,从而对受影响的计算机造成负面影响和/或使它们失去响应。[1]服务器和基于云的[2]系统是常见的目标,因为可用资源的潜力很大,但是用户端点系统也可能受到威胁,并用于资源劫持和加密货币挖掘。

Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability.

One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive. Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.

标签

ID编号: T1496

策略: 影响

平台: Linux,macOS,Windows,AWS,GCP,Azure

所需权限: 用户,管理员

数据源: Azure活动日志,Stackdriver日志,AWS CloudTrail日志,网络的流程使用,流程监控,网络协议分析,网络设备日志

影响类型: 可用性

程序示例

名称 描述
APT41 APT41在受害者的环境中部署了Monero加密货币挖掘工具。
Lazarus Group Lazarus Group有像Bluenoroff这样的子集组,他们在受害机器上使用了加密货币挖掘软件。
Name Description
APT41 APT41 deployed a Monero cryptocurrency mining tool in a victim’s environment.
Lazarus Group Lazarus Grouphas subset groups like Bluenoroff who have used cryptocurrency mining software on victim machines.

缓解措施

这种攻击技术无法通过预防性控制轻松缓解,因为它基于滥用系统功能。

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

检测

考虑监视进程资源使用情况,以确定与恶意劫持计算机资源(例如CPU,内存和图形处理资源)相关的异常活动。监视与加密货币挖掘软件相关联的网络资源的可疑使用。监视本地系统上常见的加密采矿软件进程名称和文件,这些名称和文件可能表明存在泄露和资源使用情况。

Consider monitoring process resource usage to determine anomalous activity associated with malicious hijacking of computer resources such as CPU, memory, and graphics processing resources. Monitor for suspicious use of network resources associated with cryptocurrency mining software. Monitor for common cryptomining software process names and files on local systems that may indicate compromise and resource usage.