Translators: Lin Miaoqian, Dai Yilun. Original translation; please obtain the translators' permission before reprinting.
Data source: ATT&CK Matrices
Original: https://attack.mitre.org/techniques/T1500
Glossary: /attack/glossary
Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Similar to Obfuscated Files or Information (T1027), text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution, typically via native utilities such as csc.exe or GCC/MinGW.
Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a Spearphishing Attachment (T1193). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.
| Name | Description |
|---|---|
| Cardinal RAT (S0348) | Cardinal RAT (S0348) and its watchdog component are compiled and executed after being delivered to victims as embedded, uncompiled source code. |
| MuddyWater (G0069) | MuddyWater (G0069) has used the .NET csc.exe tool to compile executables from downloaded C# code. |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
Monitor the execution file paths and command-line arguments for common compilers, such as csc.exe and GCC/MinGW, and correlate them with other suspicious behavior to reduce false positives from normal user and administrator behavior. The compilation of payloads may also generate file creation and/or file write events. Look for non-native binary formats and cross-platform compiler and execution frameworks like Mono, and determine whether they have a legitimate purpose on the system. Typically these should only be used in specific and limited cases, such as software development.
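The detection guidance above, as an added example (not part of the ATT&CK page): a toy detector that flags compiler launches carrying a corroborating signal (an unexpected parent process or source in a user-writable staging directory) and attaches the executables that process then writes. The event layout, the parent and directory lists, and the sample telemetry are all assumptions constructed for this example.

```python
"""Toy detector for T1500 (Compile After Delivery): flag compiler launches that
carry a suspicious signal and attach executables the same process writes. The
record layout and telemetry are constructed; fields loosely follow Sysmon ID 1/11."""
import re

# Compilers and execution frameworks named in the technique description.
COMPILERS = {"csc.exe", "vbc.exe", "gcc", "g++", "mingw32-gcc", "mono", "mcs"}
# Parents that should not be spawning a compiler on a workstation (assumption).
SUSPICIOUS_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "wscript.exe", "mshta.exe"}
# User-writable staging directories where dropped source tends to land (assumption).
STAGING_DIRS = re.compile(r"\\appdata\\|\\temp\\|\\downloads\\|/tmp/", re.I)

def basename(path):
    """Last path component, lower-cased, for Windows or POSIX paths."""
    return re.split(r"[\\/]", path)[-1].lower()

def detect_compile_after_delivery(events, window=60):
    """One alert per compiler launch with at least one suspicious reason. Binaries the
    process writes within `window` seconds are context only: every build writes files."""
    launches = {}  # pid -> candidate alert
    for ev in events:
        if ev["type"] == "process_create" and basename(ev["image"]) in COMPILERS:
            reasons = []
            if basename(ev["parent_image"]) in SUSPICIOUS_PARENTS:
                reasons.append("spawned by " + basename(ev["parent_image"]))
            if STAGING_DIRS.search(ev["cmdline"]):
                reasons.append("source or output in user-writable staging dir")
            launches[ev["pid"]] = {"time": ev["time"], "image": ev["image"],
                                   "reasons": reasons, "outputs": []}
        elif ev["type"] == "file_create" and ev["pid"] in launches:
            launch = launches[ev["pid"]]
            if ev["time"] - launch["time"] <= window and ev["target"].lower().endswith((".exe", ".dll")):
                launch["outputs"].append(ev["target"])
    return [a for a in launches.values() if a["reasons"]]

# Constructed sample telemetry: a normal IDE build, then a build spawned by Word from Temp.
SAMPLE_EVENTS = [
    {"type": "process_create", "time": 100, "pid": 41, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "cmdline": r"csc.exe /out:C:\src\app\bin\app.exe C:\src\app\Program.cs"},
    {"type": "file_create", "time": 101, "pid": 41, "target": r"C:\src\app\bin\app.exe"},
    {"type": "process_create", "time": 200, "pid": 77, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r"csc.exe /out:C:\Users\alice\AppData\Local\Temp\svc.exe C:\Users\alice\AppData\Local\Temp\svc.cs"},
    {"type": "file_create", "time": 202, "pid": 77, "target": r"C:\Users\alice\AppData\Local\Temp\svc.exe"},
]

if __name__ == "__main__":
    for alert in detect_compile_after_delivery(SAMPLE_EVENTS):
        print(basename(alert["image"]), "->", "; ".join(alert["reasons"]), alert["outputs"])
```

The developer build is silent because a compiler writing a binary is normal on its own; only the launch with a corroborating parent or path signal is reported, which is the correlation the guidance asks for.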