ATT&CK-CN V1.01 Last Update: 2019-11

Translators: 林妙倩 (cybersecurity intern, Institute for Network Sciences and Cyberspace, Tsinghua University) and 戴亦仑 (赛宁网安). This is an original translation; please obtain the translators' consent before reposting.

Data source: ATT&CK Matrices

Original: https://attack.mitre.org/techniques/T1529

Glossary: /attack/glossary

System Shutdown/Reboot

Adversaries may shut down or reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown or reboot of a machine. In some cases, these commands may also be used to initiate a shutdown or reboot of a remote computer. Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.

Adversaries may attempt to shut down or reboot a system after impacting it in other ways, such as Disk Structure Wipe or Inhibit System Recovery, to hasten the intended effects on system availability.

Tags

ID: T1529

Tactic: Impact

Platforms: Linux, macOS, Windows

Permissions Required: User, Administrator, root, SYSTEM

Data Sources: Windows event logs, Process command-line parameters, Process monitoring

Impact Type: Availability

Procedure Examples

Name: Description
APT37 (G0067): APT37 has used malware that will issue the command shutdown /r /t 1 to reboot a system after wiping its MBR.
APT38 (G0082): APT38 has used a custom MBR wiper named BOOTWRECK, which will initiate a system reboot after wiping the victim's MBR.
Lazarus Group (G0032): Lazarus Group has rebooted systems after destroying files and wiping the MBR on infected systems.
LockerGoga (S0372): LockerGoga has been observed shutting down infected systems.
NotPetya (S0368): NotPetya will reboot the system one hour after infection.
Olympic Destroyer (S0365): Olympic Destroyer will shut down the compromised system after it is done modifying system configuration settings.

Mitigation

This type of attack technique cannot be easily mitigated with preventive controls, since it is based on the abuse of system features.

Detection

Use process monitoring to monitor the execution and command-line parameters of binaries involved in shutting down or rebooting systems. Windows event logs may also record activity associated with a shutdown or reboot, e.g. Event IDs 1074 and 6006.
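A minimal detection pass over the two data sources named above (process command-line telemetry and Windows System log Event IDs 1074 and 6006), written as an added example that is not part of the ATT&CK page. The event records are constructed, and the field names (source, image, cmdline, event_id, ...) are assumptions rather than any particular product's schema.

```python
import re

# Constructed sample telemetry (not real logs): process-creation records from a
# process monitor plus entries from the Windows System event log.
SAMPLE_EVENTS = [
    {"source": "process", "host": "ws01", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\shutdown.exe", "cmdline": "shutdown /r /t 1"},
    {"source": "process", "host": "ws02", "user": "CORP\\svc-patch",
     "image": "C:\\Windows\\System32\\shutdown.exe",
     "cmdline": "shutdown /s /t 300 /c \"Monthly patching\""},
    {"source": "process", "host": "srv01", "user": "root",
     "image": "/usr/bin/systemctl", "cmdline": "systemctl reboot"},
    {"source": "process", "host": "ws03", "user": "CORP\\bob",
     "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"source": "winlog", "host": "ws01", "event_id": 1074, "user": "CORP\\alice",
     "process": "C:\\Windows\\System32\\shutdown.exe (WS01)"},
    {"source": "winlog", "host": "ws02", "event_id": 6006},
    {"source": "winlog", "host": "ws02", "event_id": 4624},
]

# Binaries that initiate a shutdown/reboot on Windows, Linux and macOS.
SHUTDOWN_BINARIES = {"shutdown", "shutdown.exe", "reboot", "halt", "poweroff", "systemctl", "init"}
SYSTEMCTL_VERBS = {"reboot", "poweroff", "halt", "kexec"}
WINLOG_IDS = {1074: "User32: shutdown/reboot requested (records initiating process)",
              6006: "Event Log service stopped (clean shutdown)"}


def classify_process(ev):
    """Return an alert dict if the process record starts a shutdown/reboot, else None."""
    name = re.split(r"[\\/]", ev["image"])[-1].lower()   # basename on either OS
    args = [a.lower() for a in ev["cmdline"].split()[1:]]
    if name not in SHUTDOWN_BINARIES:
        return None
    if name == "systemctl" and not (args and args[0] in SYSTEMCTL_VERBS):
        return None                                       # e.g. "systemctl status"
    if name == "init" and not (args and args[0] in {"0", "6"}):
        return None
    is_reboot = (name == "reboot" or "/r" in args or "-r" in args
                 or (name == "systemctl" and args[0] == "reboot")
                 or (name == "init" and args[0] == "6"))
    m = re.search(r"/t\s+(\d+)", ev["cmdline"], re.IGNORECASE)  # Windows timeout
    return {"host": ev["host"], "user": ev["user"], "cmdline": ev["cmdline"],
            "action": "reboot" if is_reboot else "shutdown",
            "delay_s": int(m.group(1)) if m else None}


def classify_winlog(ev):
    """Alert on the Windows System log events the page names (1074, 6006)."""
    eid = ev.get("event_id")
    if eid not in WINLOG_IDS:
        return None
    return {"host": ev["host"], "event_id": eid, "meaning": WINLOG_IDS[eid],
            "process": ev.get("process"), "user": ev.get("user")}


def detect(events):
    alerts = []
    for ev in events:
        alert = classify_process(ev) if ev["source"] == "process" else classify_winlog(ev)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The short timeout and the user-writable parent process are the details a triage analyst would pivot on; correlating a 1074 event with the process record that produced it ties the reboot to the initiating binary and account.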