ATT&CK-CN V1.01 Last Update: 2019-11

Translators: Lin Miaoqian (cybersecurity intern, Institute for Network Sciences and Cyberspace, Tsinghua University) and Dai Yilun (赛宁网安 / Cyberpeace). Original translation; please obtain the translators' consent before reposting.

Data source: ATT&CK Matrices

Original: https://attack.mitre.org/techniques/T1501

Glossary: /attack/glossary

Systemd Service

Systemd services can be used to establish persistence on a Linux system. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources. Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7 and Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with those init systems.

Systemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the /etc/systemd/system and /usr/lib/systemd/system directories and have the file extension .service. Each service unit file may contain numerous directives that can execute system commands.

  • ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a service is started manually by 'systemctl', or on system start if the service is set to start automatically.
  • The ExecReload directive covers when a service restarts.
  • ExecStop and ExecStopPost directives cover when a service is stopped, or stopped manually by 'systemctl'.

Adversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at recurring intervals, such as at system boot.

While adversaries typically require root privileges to create/modify service unit files in the /etc/systemd/system and /usr/lib/systemd/system directories, low privilege users can create/modify service unit files in the ~/.config/systemd/user/ directory to achieve user-level persistence.

Tags

ID: T1501

Tactic: Persistence

Platform: Linux

Permissions Required: root, User

Data Sources: Process command-line parameters, Process monitoring, File monitoring

Procedure Examples

Name (ID) | Description
Exaramel for Linux (S0401) | Exaramel for Linux has a hardcoded location under systemd that it uses to achieve persistence if it is running as root.
Fysbis (S0410) | Fysbis has established persistence using a systemd service.
Pupy (S0192) | Pupy can be used to establish persistence using a systemd service.

Mitigations

Mitigation (ID) | Description
Limit Software Installation (M1033) | Restrict software installation to trusted repositories only and be cautious of orphaned software packages.
Privileged Account Management (M1026) | The creation and modification of systemd service unit files is generally reserved for administrators such as the Linux root user and other users with superuser privileges.
Restrict File and Directory Permissions (M1022) | Restrict read/write access to systemd unit files to only select privileged users who have a legitimate need to manage system services.
User Account Management (M1018) | Limit user access to system utilities such as 'systemctl' to only users who have a legitimate need.

Detection

Systemd service unit files may be detected by auditing file creation and modification events within the /etc/systemd/system/, /usr/lib/systemd/system/, and /home/<user>/.config/systemd/user/ directories, as well as associated symbolic links. Suspicious processes or scripts spawned in this manner will have a parent process of 'systemd', a parent process ID of 1, and will usually execute as the 'root' user.

Suspicious systemd services can also be identified by comparing results against a trusted system baseline. Malicious systemd services may be detected by using the systemctl utility to examine system-wide services: systemctl list-units --type=service --all. Analyze the contents of .service files present on the file system and ensure that they refer to legitimate, expected executables.

Auditing the execution and command-line arguments of the 'systemctl' utility, as well as related utilities such as /usr/sbin/service, may reveal malicious systemd service execution.