
Studying Adversarial Tactics, Techniques & Common Knowledge (ATT&CK). Enterprise Tactics. Part 4

Privilege Escalation


Links to all parts:
Part 1. Getting Initial Access
Part 2. Execution
Part 3. Persistence
Part 4. Privilege Escalation
Part 5. Defense Evasion
Part 6. Obtaining Credential Access
Part 7. Discovery
Part 8. Lateral Movement

Privilege escalation is the result of actions that allow an attacker or malicious program to obtain a higher level of permissions in the attacked system or network. Privilege escalation techniques describe the methods by which an adversary who has gained unprivileged access to the target system can, using various "weaknesses" of that system, obtain local administrative, System or root rights. An attacker's use of user accounts that have access rights to specific systems or permissions to perform certain operations can also be considered privilege escalation.

The author is not responsible for any consequences of applying the information contained in this article, and apologizes for any inaccuracies in some formulations and terms. The published information is a free retelling of the contents of MITRE ATT&CK.

It is important to note that some of the techniques described in the ATT&CK matrix are included in several stages of the attack chain at once; for example, DLL search order hijacking can be used both to maintain access through unauthorized execution of a malicious DLL and to escalate privileges by loading a DLL into a process running in the context of a more privileged user.

Access Token Manipulation


System: Windows
Rights: User, Administrator
Description: Attackers can use access tokens to perform their actions in the security context of a different user or of the system itself, thereby avoiding detection of malicious activity. An adversary can use Windows API functions to copy access tokens from existing processes (token stealing); to do this it must already be running in the context of a privileged user (for example, an administrator). Theft of access tokens is typically used to elevate privileges from the administrator level to the System level. An adversary can also use an account's access token to authenticate to a remote system if that account has the necessary permissions there.
Consider several ways to abuse access tokens:

Protection recommendations: To make full use of the tactics described above, an attacker must have system administrator rights, so do not forget to limit the privileges of ordinary users. Any user can also spoof access tokens if they have valid credentials. Restrict the ability of users and groups to create access tokens:
GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object
Also determine who can replace local or network service process tokens:
GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token
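A practical way to check who actually holds the two user rights named above is to parse the policy export that `secedit /export /cfg rights.inf /areas USER_RIGHTS` produces. The following is an added example, not code from the article or from MITRE: it reads the `[Privilege Rights]` section of such an export and reports every principal that is not in an expected set. The mapping of privilege constants to policy names is the documented one; the expected-holder sets (LOCAL SERVICE and NETWORK SERVICE for "Replace a process level token", nobody for "Create a token object") and the sample export are this example's own assumptions.

```python
"""Audit holders of 'Create a token object' and 'Replace a process level token'.

Added example (not from the article). Parses the INF text written by
``secedit /export /cfg rights.inf /areas USER_RIGHTS`` and reports holders
of the two privileges that are not in the expected baseline.
"""

# Privilege constants behind the two GPO settings named in the article.
WATCHED = {
    "SeCreateTokenPrivilege": "Create a token object",
    "SeAssignPrimaryTokenPrivilege": "Replace a process level token",
}

# Assumed baseline: nobody may create tokens; only LOCAL SERVICE (S-1-5-19)
# and NETWORK SERVICE (S-1-5-20) may replace a process-level token.
EXPECTED = {
    "SeCreateTokenPrivilege": set(),
    "SeAssignPrimaryTokenPrivilege": {"S-1-5-19", "S-1-5-20"},
}


def parse_privilege_rights(inf_text):
    """Return {privilege: set(SIDs)} from the [Privilege Rights] section."""
    rights = {}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # secedit writes SIDs prefixed with '*'; an empty value means no holders.
        sids = {v.strip().lstrip("*") for v in value.split(",") if v.strip()}
        rights[name.strip()] = sids
    return rights


def unexpected_holders(inf_text):
    """Map each watched policy name to the holders outside its expected set."""
    rights = parse_privilege_rights(inf_text)
    findings = {}
    for priv, policy in WATCHED.items():
        extra = rights.get(priv, set()) - EXPECTED[priv]
        if extra:
            findings[policy] = sorted(extra)
    return findings


# Constructed sample export: a domain user SID was granted both privileges.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeCreateTokenPrivilege = *S-1-5-21-1111-2222-3333-1105
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-21-1111-2222-3333-1105
SeDebugPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for policy, holders in unexpected_holders(SAMPLE_INF).items():
        print(f"{policy}: unexpected holders {holders}")
```

On a real host, replace `SAMPLE_INF` with the contents of the exported file; the SIDs reported can be resolved to names with `whoami /all` or PowerShell's `SecurityIdentifier.Translate`.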

Modifying the executables of Windows accessibility applications (Accessibility Features)


System: Windows
Rights: Administrator
Description: Accessibility applications (Magnifier, On-Screen Keyboard, etc.) can be launched with keyboard shortcuts before a user logs into the system. An attacker can replace the executables of these programs or change the way they are launched, and thereby open a command console or obtain a backdoor without logging in.

In Windows XP and later, sethc.exe and utilman.exe can be replaced, for example, with cmd.exe; afterwards, pressing the corresponding key combination on the login screen launches cmd.exe with System privileges before anyone logs into Windows.
In Windows Vista and later, a registry key is modified instead, registering cmd.exe or another program as the debugger for, for example, utilman.exe. After the registry is edited, pressing the corresponding key combination on the login screen or when connecting to the host via RDP executes cmd.exe with System privileges.
Other Windows programs that can be abused with this technique:

Security recommendations: Require Network Level Authentication of remote users before an RDP session is created and the login screen is displayed (enabled by default in Windows Vista and later). Use Remote Desktop Gateway to manage connections and RDP security settings.

AppCert DLLs key modification (AppCert DLLs)


System: Windows
Rights: Administrator, System
Description: The DLLs specified in the AppCertDLLs key value are loaded into every process that calls the commonly used API functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW and WinExec. The AppCertDLLs value can be abused to force the loading of a malicious DLL whenever such processes are started. AppCertDLLs is stored in the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager.

Security tips: Use tools that block potentially dangerous software and the loading of unknown DLLs, such as AppLocker and Device Guard.

AppInit DLLs key modification (AppInit DLLs)


System: Windows
Rights: Administrator, System
Description: The DLLs specified in the AppInit_DLLs key value are loaded into every process that loads user32.dll; in practice, that is almost every program.
AppInit_DLLs is stored in the following registry keys:

The AppInit_DLLs value can be abused to escalate privileges by loading malicious DLLs into certain processes. AppInit_DLLs functionality is disabled in Windows 8 and later when Secure Boot is enabled.

Security tips: Consider using an OS no older than Windows 8 and enabling Secure Boot. Use tools that block potentially dangerous software and the loading of unknown DLLs, such as AppLocker and Device Guard.

Abuse of Application Compatibility Subsystem (Application Shimming)


System: Windows
Rights: Administrator
Description: The Microsoft Windows Application Compatibility Infrastructure/Framework is designed to preserve software compatibility across Windows updates and OS code changes. The compatibility system uses so-called shims, libraries that act as a buffer between a program and the OS. Using the shim cache, the system determines whether shims (stored as databases of the .sdb type) need to be applied. The .sdb files store various procedures for intercepting application code, processing it and redirecting it onward to the OS. The list of all shims installed by the installer (sdbinst.exe) is stored by default in:

Custom shim bases are stored in:

To preserve the protection of user mode, shims cannot modify the OS kernel, and administrator rights are required to install them. However, some shims can be used to bypass User Account Control (UAC), inject DLLs, disable Data Execution Prevention and Structured Exception Handling, and intercept memory addresses. Using shims, an attacker can elevate privileges, install backdoors and disable OS protections such as Windows Defender.

Security tips: There are not many ways to prevent application shimming. Disabling application compatibility is not recommended, to avoid OS stability issues. Microsoft has released KB3045645, which removes the "auto-elevate" flag from sdbinst.exe to prevent the shim system from being used to bypass UAC.

Bypass User Account Control


System: Windows
Rights: User, Administrator
Description: There are many ways to bypass UAC, the most common of which are implemented in the UACMe project. New UAC bypasses are discovered regularly, similar to the abuse of the eventvwr.exe system application, which can execute a binary or script with elevated privileges. Malware can also be injected into trusted processes that UAC allows to elevate without prompting the user.
To bypass UAC using eventvwr.exe, the following Windows registry key is modified:
[HKEY_CURRENT_USER]\Software\Classes\mscfile\shell\open\command.
To bypass UAC using sdclt.exe, the following Windows registry keys are modified:
[HKEY_CURRENT_USER]\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe;
[HKEY_CURRENT_USER]\Software\Classes\exefile\shell\runas\command\isolatedCommand.

Security tips: Remove users from the local Administrators group on protected systems. If possible, enable the highest level of protection in the UAC settings.

DLL Search Order Hijacking


System: Windows
Rights: User, Administrator, System
Description: The technique exploits weaknesses in the algorithm applications use to locate the DLL files they need (Microsoft Security Advisory 2269637, MSA2269637). Often the DLL search directory is the program's working directory, so attackers can substitute a malicious DLL with the same file name for the original one.
Remote DLL search attacks can be carried out when a program sets its current directory to a remote location, for example a network share. Attackers can also directly change how a DLL is searched for and loaded by replacing the .manifest or .local files that describe the DLL search parameters. If the attacked program runs with high privileges, the malicious DLL it loads will also execute with those rights; in this case the technique can be used to elevate privileges from user to administrator or System.

Security tips: Disable loading of DLLs from remote locations (enabled by default in Windows Server 2012 and later, and available through updates for Windows XP and Server 2003 and later). Enable safe DLL search mode, which searches system directories such as %SYSTEMROOT% before the application's current directory.
Enable safe DLL search mode:
Computer Configuration > [Policies] > Administrative Templates > MSS (Legacy): MSS: (SafeDllSearchMode) Enable Safe DLL search mode.
Corresponding registry key:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDLLSearchMode.

Consider auditing the protected system for DLL weaknesses with tools such as the PowerUp module of PowerSploit. Do not forget to block malicious and potentially dangerous software and to implement Microsoft's recommendations.
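The effect of SafeDllSearchMode is easiest to see by modelling the search order itself. The block below is an added example, not from the article or from Microsoft: it encodes the standard search order for both settings (application directory, system directories, current directory, PATH; KnownDLLs, manifests and already-loaded modules are deliberately ignored), resolves which copy of a DLL wins, and lists the user-writable directories the loader consults before it reaches the legitimate system copy. The directory layout, the planted copy on a network share and the set of writable directories are constructed for the example.

```python
"""Model Windows DLL search order with SafeDllSearchMode on and off.

Added example, not from the article. SYSTEM_DIRS is the documented
System32 / System / Windows order; the file system map and the writable
directories below are constructed.
"""

SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]


def search_order(app_dir, cwd, path_dirs, safe_mode=True, system_dirs=SYSTEM_DIRS):
    """Directories in the order the loader consults them.

    With SafeDllSearchMode enabled the current directory drops below the
    system directories; with it disabled the current directory comes second.
    """
    if safe_mode:
        return [app_dir, *system_dirs, cwd, *path_dirs]
    return [app_dir, cwd, *system_dirs, *path_dirs]


def resolve_dll(name, order, fs):
    """Return the first directory in `order` that contains `name` (case-insensitive)."""
    want = name.lower()
    for d in order:
        if any(f.lower() == want for f in fs.get(d, ())):
            return d
    return None


def hijackable_dirs(name, order, fs, writable, system_dirs=SYSTEM_DIRS):
    """Writable directories searched before the legitimate system copy of `name`.

    If no system directory holds the DLL at all (a 'phantom' DLL the program
    probes for), every writable directory in the order is a candidate.
    """
    legit = next((d for d in system_dirs if resolve_dll(name, [d], fs)), None)
    cut = order.index(legit) if legit in order else len(order)
    return [d for d in order[:cut] if d in writable]


# Constructed layout: a viewer opens a document from a share where a copy of
# version.dll has been planted next to it.
APP = r"C:\Program Files\Viewer"
SHARE = r"\\fileserver\public"
PATH_DIRS = [r"C:\Tools"]
FS = {
    APP: {"viewer.exe"},
    SHARE: {"report.docx", "version.dll"},
    r"C:\Windows\System32": {"version.dll", "kernel32.dll"},
    r"C:\Tools": set(),
}
WRITABLE = {SHARE, r"C:\Tools"}  # assumption: directories a standard user can write to

if __name__ == "__main__":
    for safe in (False, True):
        order = search_order(APP, SHARE, PATH_DIRS, safe_mode=safe)
        print(f"SafeDllSearchMode={'on' if safe else 'off'}: version.dll from",
              resolve_dll("version.dll", order, FS),
              "| writable dirs ahead of it:", hijackable_dirs("version.dll", order, FS, WRITABLE))
```

The model also shows why safe mode is not a complete fix: a DLL that exists in no system directory is still resolved from the share or from a writable PATH entry, which is the case the PowerUp audit mentioned above is meant to find.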

Dylib Hijacking


System: macOS
Rights: User
Description: The technique is based on weaknesses in the dynamic library (dylib) search algorithms of macOS and OS X. It consists of determining which dylibs the attacked application loads and then placing a malicious dylib with the same name in the application's working directory. This causes the application to load the dylib located in its working directory, and the malicious dylib then executes with the access rights of the attacked application.

Security tips: Prevent users from writing files to dylib search directories. Audit for the weakness with Objective-See's Dylib Hijack Scanner.

Exploitation for Privilege Escalation


System: Windows, Linux, macOS
Rights: User
Description: Adversaries can elevate privileges on the attacked system by exploiting software vulnerabilities.

Protection recommendations: Regularly update software on all protected workstations, servers, network equipment and other devices connected to the protected network. Analyze the types of threats, vulnerabilities and exploits that can be used against the protected organization. It is also recommended to use exploit protection systems, for example Windows Defender Exploit Guard (WDEG) on Windows 10 or the Enhanced Mitigation Experience Toolkit (EMET) on earlier versions of Windows.

EWM Injection (Extra Window Memory Injection)


System: Windows
Rights: Administrator, System
Description: The technique abuses additional window memory, the so-called Extra Window Memory (EWM). The EWM size is 40 bytes, enough to store a 32-bit pointer, and it is often used to refer to procedures. During the attack chain, malware can place a pointer to malicious code in EWM, which is then executed by the process of the infected application.

Protection recommendations: Since EWM injection techniques rely on the misuse of OS development features, protection efforts should be directed at preventing the launch of malicious programs and tools. It is good practice to identify and block potentially dangerous software using AppLocker, application whitelisting or Software Restriction Policies.

Weak file system permissions (File System Permissions Weakness)


System: Windows
Rights: User, Administrator
Description: The essence of the technique is the substitution of executables that are launched automatically by various processes (for example, when the OS boots or at a certain time) when the permissions on those executables are configured incorrectly. After the substitution, the malicious file is launched with the rights of the launching process, so if that process has a higher level of access, the attacker is able to escalate privileges. As part of this technique, attackers may attempt to manipulate the binaries of Windows services.
Another variant of the attack is associated with flaws in self-extracting installers. During installation, installers often unpack various files, including .dll and .exe, into the %TEMP% directory without setting permissions that restrict access to the unpacked files; this allows attackers to swap the files and, as a result, escalate privileges or bypass User Account Control, because some installers run with elevated permissions.

Security tips: Restrict account rights so that only administrators can manage services and interact with the binaries used by services. Disable privilege elevation for standard users in UAC. UAC settings are stored in the following registry key:

To automatically deny elevation requests, add the key:

To control installer behaviour, add the key:


Interception of Windows API function calls (Hooking)


System: Windows
Rights: Administrator, System
Description: Windows API functions are usually exported by DLLs. The hooking technique redirects calls to API functions through:

Like injection, hooking lets attackers execute malicious code, disguise its execution, access the memory of the attacked process and elevate privileges. Attackers can capture API calls whose parameters contain authentication data. Hooking is commonly used by rootkits to hide malicious activity on the system.

Protection recommendations: Hooking of events in the OS is part of its normal operation, so any restriction of this functionality may adversely affect the stability of legitimate applications such as antivirus software. Efforts to prevent hooking techniques need to focus on earlier stages of the attack chain. Malicious hooking activity can be detected by monitoring calls to the SetWindowsHookEx and SetWinEventHook functions, using rootkit detectors and analyzing anomalous process behaviour.

IFEO injection (Image File Execution Options Injection)


System: Windows
Rights: Administrator, System
Description: The Image File Execution Options (IFEO) mechanism allows a debugger, specified in advance by the developer in the registry, to be launched instead of a program:

Like injection, the value of [executable] can be abused to run arbitrary code in order to elevate privileges or gain a foothold in the system. Malware can use IFEO to bypass defences by registering debuggers that redirect and block various system and security applications.

Protection recommendations: The described technique relies on the abuse of standard OS development features, so any restriction may cause instability in legitimate software, for example security applications. Efforts to prevent the use of IFEO injection need to focus on earlier stages of the attack chain. Such an attack can be detected by monitoring processes created with the DEBUG_PROCESS and DEBUG_ONLY_THIS_PROCESS flags.
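The three registry-based techniques described so far (AppCert DLLs, AppInit DLLs, and IFEO debuggers, including the accessibility-binary variant from the "Accessibility Features" section) can be audited from a single `reg export` file. The block below is an added example, not code from the article or from Microsoft: it parses the `.reg` text format and flags a `Debugger` value under any IFEO subkey (rated HIGH for the accessibility binaries, REVIEW otherwise), any non-empty `AppInit_DLLs` value together with the state of `LoadAppInit_DLLs`, and every entry under the `AppCertDlls` key. The key paths are the documented Windows locations; the set of accessibility binaries beyond sethc.exe and utilman.exe, the severity labels and the sample export are this example's assumptions.

```python
"""Audit a .reg export for IFEO debuggers, AppInit_DLLs and AppCertDlls entries.

Added example, not from the article. Input is text in the format produced by
``reg export <key> out.reg``; SAMPLE_REG below is constructed.
"""
import re

IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
APPINIT_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows",
}
APPCERT_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls"
# Assumption: binaries reachable from the logon screen by keyboard shortcut.
ACCESSIBILITY = {"sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
                 "narrator.exe", "displayswitch.exe", "atbroker.exe"}

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: value}}; strings unescaped, dwords as int."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name = m.group(1) if m.group(1) is not None else "(Default)"
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            value = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        elif data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        else:
            value = data  # hex(...) and other types are kept raw
        keys[current][name] = value
    return keys


def audit(text):
    """Return a list of (severity, message) findings for the export."""
    findings = []
    appinit_lower = {k.lower() for k in APPINIT_KEYS}
    for path, values in parse_reg(text).items():
        low = path.lower()
        if low.startswith(IFEO_KEY.lower() + "\\") and "Debugger" in values:
            exe = path.rsplit("\\", 1)[1].lower()
            sev = "HIGH" if exe in ACCESSIBILITY else "REVIEW"
            findings.append((sev, f"IFEO debugger for {exe}: {values['Debugger']}"))
        elif low in appinit_lower:
            dlls = str(values.get("AppInit_DLLs", "")).strip()
            enabled = values.get("LoadAppInit_DLLs", 0) == 1
            if dlls:
                sev = "HIGH" if enabled else "REVIEW"
                findings.append((sev, f"AppInit_DLLs={dlls} (LoadAppInit_DLLs={'on' if enabled else 'off'})"))
        elif low == APPCERT_KEY.lower():
            for name, dll in values.items():
                findings.append(("HIGH", f"AppCertDlls entry {name} -> {dll}"))
    return findings


# Constructed export: cmd.exe registered as the debugger for sethc.exe, a
# legitimate-looking debugger for notepad.exe, and one DLL in each hook key.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\windbg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Users\\Public\\helper.dll"
"LoadAppInit_DLLs"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"hooker"="C:\\ProgramData\\hook.dll"
"""

if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_REG):
        print(sev, msg)
```

To use it on a live host, export the three parent keys with `reg export` and concatenate the files; values under `Wow6432Node` are covered by the second AppInit path.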

Launch Daemon


System: macOS
Rights: Administrator
Description: The technique consists of the attacker changing the parameters of system-level services, Launch Daemons, specified in plist files. At boot, the launchd process loads the parameters of services (daemons) from plist files located in the following directories:

A Launch Daemon can be created with administrator privileges but runs under the root account, so an attacker can use it to escalate privileges. The plist files must be owned by root:wheel; the script or program they point at, however, may have less strict permissions. An attacker can therefore modify the executables specified in a plist and so turn existing system services into a means of persistence or privilege escalation.

Security tips: Limit user privileges so that only authorized administrators can create a Launch Daemon. Consider monitoring the creation of plist files on your system using applications such as KnockKnock.
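The weakness described above (a root-owned plist pointing at a program that anyone can edit) can be checked with the standard `plistlib` module. The block below is an added example, not code from the article or from Apple: it reads a daemon's plist, takes the target from `Program` or `ProgramArguments[0]`, and reports when either the plist or the program is not owned by root or is writable by group or others. The demo builds a daemon definition in a temporary directory so it runs on any Unix system; on macOS the same function would be pointed at the entries in /Library/LaunchDaemons and /System/Library/LaunchDaemons.

```python
"""Check a LaunchDaemon plist and its program for weak ownership/permissions.

Added example, not from the article. Uses only the standard library; the
daemon built by demo() is constructed in a temporary directory.
"""
import os
import plistlib
import stat
import tempfile


def program_of(plist):
    """Path launchd would execute: Program, else ProgramArguments[0]."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def weaknesses(plist_path, root_uid=0):
    """Return a list of problems found on the plist and on the program it runs."""
    problems = []
    with open(plist_path, "rb") as fh:
        data = plistlib.load(fh)
    program = program_of(data)
    for label, path in (("plist", plist_path), ("program", program)):
        if path is None:
            problems.append("program: no Program/ProgramArguments in plist")
            continue
        try:
            st = os.stat(path)
        except FileNotFoundError:
            problems.append(f"{label} missing: {path}")
            continue
        if st.st_uid != root_uid:
            problems.append(f"{label} not owned by root: {path}")
        # The article's point: a root-owned plist is useless if the script it
        # runs can be rewritten by an unprivileged user.
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{label} group/world-writable: {path}")
    return problems


def demo():
    """Build a constructed daemon with a world-writable script, check it, fix it, check again."""
    d = tempfile.mkdtemp()
    script = os.path.join(d, "backup.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\necho backup\n")
    os.chmod(script, 0o777)  # the weakness
    plist_path = os.path.join(d, "com.example.backup.plist")
    with open(plist_path, "wb") as fh:
        plistlib.dump({"Label": "com.example.backup",
                       "ProgramArguments": [script],
                       "RunAtLoad": True}, fh)
    os.chmod(plist_path, 0o644)
    before = weaknesses(plist_path)
    os.chmod(script, 0o755)  # the fix
    after = weaknesses(plist_path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

When run as a non-root user the report also contains "not owned by root" for both files, which is exactly the second condition an administrator should verify on a real system.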

New Service


System: Windows
Rights: Administrator, System
Description: Having gained access to the system, attackers can create new services and configure them to start automatically. The service name can be disguised with names typical of the operating system. Services can be created with administrator privileges but run as System. Services can be created from the command line, using remote access tools that interact with the Windows API, or using standard Windows management tools and PowerShell.

Security tips: Restrict the right to create new services so that only authorized administrators can do so. Use AppLocker and Software Restriction Policies.

Path Interception


System: Windows
Rights: User, Administrator, System
Description: Path interception consists of placing an executable in a directory from which the application will launch it instead of the intended target. An attacker can use the following methods:

File search order interception is also used to execute a DLL, in the DLL Search Order Hijacking technique.

Security tips: Audit the paths specified in configuration files, scripts, the PATH variable, service settings and shortcuts. When referencing executables, use only full paths. Clean up old registry keys left behind by removed software so that no keys point to files that no longer exist. Forbid users to write to the root of C:\ and to Windows system directories, and restrict write permissions on directories containing executables.
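Two of the weaknesses discussed in this section and in "File System Permissions Weakness" show up together in service configuration: an unquoted `ImagePath` containing spaces, which makes Windows try each space-delimited prefix as an executable before the real one, and a service binary that lives in a directory a standard user can write to. The block below is an added example, not from the article or from PowerSploit: it works on a mapping of service name to `ImagePath` string (what one would read from the `services` registry key named later in the article), enumerates the interception points of unquoted paths, and rates each finding by whether the directory involved is writable. The sample services and the writable-directory set are constructed; on a real host the writable set would come from an ACL check.

```python
"""Audit service ImagePath values for path interception and writable binaries.

Added example, not from the article. The service table and the set of
user-writable directories are constructed.
"""
import ntpath


def _exe_tokens(path):
    """Space-separated tokens up to and including the one that ends in .exe."""
    tokens = []
    for t in path.split(" "):
        tokens.append(t)
        if t.lower().endswith(".exe"):
            break
    return tokens


def interception_points(image_path):
    """Executables Windows would try before the real one for an unquoted path.

    'C:\\Program Files\\My App\\svc.exe -run' yields
    ['C:\\Program.exe', 'C:\\Program Files\\My.exe']. Quoted paths yield [].
    """
    p = image_path.strip()
    if not p or p.startswith('"'):
        return []
    tokens = _exe_tokens(p)
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]


def binary_of(image_path):
    """The executable the service actually points at, arguments stripped."""
    p = image_path.strip()
    if p.startswith('"'):
        return p[1:].split('"', 1)[0]
    return " ".join(_exe_tokens(p))


def audit_services(services, writable_dirs):
    """Return (severity, service, message) for each weakness found."""
    writable = {d.lower().rstrip("\\") for d in writable_dirs}

    def is_writable(path):
        return ntpath.dirname(path).lower().rstrip("\\") in writable

    findings = []
    for name, image in services.items():
        for cand in interception_points(image):
            sev = "HIGH" if is_writable(cand) else "REVIEW"
            findings.append((sev, name, f"unquoted path: loader tries {cand} first"))
        exe = binary_of(image)
        if is_writable(exe):
            findings.append(("HIGH", name, f"service binary in a user-writable directory: {exe}"))
    return findings


# Constructed sample: one correct service, one unquoted path under a writable
# directory, one binary sitting directly in a writable directory.
SERVICES = {
    "GoodSvc": r'"C:\Program Files\Vendor\good.exe" -service',
    "UnquotedSvc": r"C:\Tools\My Agent\agent.exe -run",
    "LooseSvc": r"C:\Tools\agent.exe",
}
WRITABLE = {r"C:\Tools"}  # assumption: ACL lets Users write here

if __name__ == "__main__":
    for sev, name, msg in audit_services(SERVICES, WRITABLE):
        print(sev, name, msg)
```

On Windows the same `audit_services` function can be fed from `winreg` by reading the `ImagePath` value of each subkey under `HKLM\SYSTEM\CurrentControlSet\Services`, and the writable set from `icacls` output.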

Modifying Plist Files (Plist Modification)


System: macOS
Rights: User, Administrator
Description: Criminals can modify plist files, specifying their own code in them so that it executes in the context of another user. Property list (plist) files located in /Library/Preferences run with elevated privileges, while plists from ~/Library/Preferences run with user privileges.

Security tips: Prevent plist files from being modified by making them read-only.

Port Monitors modification in Print Manager (Port Monitors)


System: Windows
Rights: Administrator, System
Description: An attacker can arrange for an arbitrary DLL to be executed as System every time Windows boots by misusing the settings of the Print Spooler (spoolsv.exe). To communicate with printing devices, spoolsv.exe uses so-called port monitors, DLLs through which low-level commands are sent to printers via LAN, USB, LPT or COM interfaces. These DLLs are stored in C:\Windows\System32 and are registered in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors.
A port monitor can be installed using the AddMonitor API function or by directly editing the above registry key.

Protection recommendations: Block potentially dangerous software and use application launch control tools.

Code Injection into Process (Process Injection), Ten Process Injection Techniques


System: Windows, Linux, macOS
Rights: User, Administrator, System, root
Description: Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process gives access to that process's memory, to system and network resources and possibly to elevated privileges. Process injection can also be used to evade detection of malicious activity by security tools. Techniques for injecting into processes abuse various mechanisms that provide multithreaded program execution in the OS. Some approaches to injecting code into a process are listed below.

Windows
• DLL injection. The path to a malicious DLL is written inside the process and then executed by creating a remote thread (a remote thread is a thread that runs in the virtual address space of another process). In other words, the malware writes the DLL to disk and then uses a function such as CreateRemoteThread to call LoadLibrary in the target process.
• PE injection (Portable Executable injection) abuses the way PE files such as DLLs or EXEs execute in memory. Malicious code is written into the process without writing any files to disk, and its execution is then triggered either by additional code or by creating a remote thread.
• Thread execution hijacking involves injecting malicious code or a DLL path directly into a thread of the process. As with the Process Hollowing technique, the thread must first be suspended.
• Asynchronous Procedure Call (APC) injection involves attaching malicious code to the APC queue of a process thread. One APC injection method, called "Early Bird injection", creates a suspended process into which malicious code can be written and then launched at the process entry point via APC. AtomBombing is another variant that uses APC to invoke malicious code previously written into the global atom table.
• Thread Local Storage (TLS) injection involves manipulating memory pointers inside the executable PE file to redirect the process to malicious code.

Mac and Linux
• The environment variables LD_PRELOAD and LD_LIBRARY_PATH (Linux), DYLD_INSERT_LIBRARIES (macOS) or the dlfcn application programming interface (API) can be used to dynamically load a library (shared object) into a process, which in turn can be used to intercept API calls from running processes.
• The ptrace system call can be used to attach to a running process and modify it while it runs.
• /proc/[pid]/mem provides access to process memory and can be used to read or write arbitrary data, but this method is rarely used because of the complexity of its implementation.
• VDSO (virtual dynamic shared object) hijacking allows code to be injected during the execution of ELF binaries by manipulating the code stubs from linux-vdso.so.
Malware typically uses code injection into processes to gain access to system resources, through which an attacker can gain a foothold in the system and make other changes to the attacked environment. More complex samples can perform multiple process injections to make detection more difficult.

Protection recommendations: Methods of injecting code into processes rely on the abuse of regular OS functions, and direct interference with those functions can destabilize legitimate software and security products. Efforts to prevent injection techniques need to focus on earlier stages of the attack chain. Use tools that block potentially dangerous software, such as AppLocker. Use Yama as a preventive measure against ptrace-based code injection, limiting the use of ptrace to privileged users only. Additional security measures may include deploying kernel security modules that provide advanced access control and process restriction, such as SELinux, grsecurity and AppArmor.
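Two of the Linux mechanisms listed above leave traces a defender can check without any special tooling: a library injected through LD_PRELOAD is visible in the environment of the affected process (and a system-wide preload is listed in /etc/ld.so.preload), and the Yama restriction recommended above is a single sysctl, `kernel.yama.ptrace_scope`. The block below is an added example, not from the article or from the kernel project: the parsing and assessment functions take their input as arguments so they run anywhere, while `scan_processes` and `read_ptrace_scope` read the real /proc interfaces on a Linux host. The sample environment blocks are constructed; the meaning of each ptrace_scope value follows the kernel's Yama documentation.

```python
"""Spot LD_PRELOAD-based injection and check the Yama ptrace restriction on Linux.

Added example, not from the article. Parsing functions are pure so they run
on any OS; the /proc readers only make sense on Linux.
"""
import os

# Meaning of kernel.yama.ptrace_scope values (from the Yama documentation).
PTRACE_SCOPE_MEANING = {
    0: "classic: any process may ptrace another running as the same user",
    1: "restricted: only descendants may be traced (common distribution default)",
    2: "admin-only: CAP_SYS_PTRACE is required to attach",
    3: "no attach: ptrace attach is disabled entirely",
}
WATCHED_VARS = (b"LD_PRELOAD", b"LD_LIBRARY_PATH")


def preload_from_environ(environ_bytes):
    """Extract loader-related variables from a NUL-separated /proc/<pid>/environ blob."""
    found = {}
    for entry in environ_bytes.split(b"\0"):
        if not entry:
            continue
        key, _, value = entry.partition(b"=")
        if key in WATCHED_VARS:
            found[key.decode()] = value.decode(errors="replace")
    return found


def preload_file_entries(text):
    """Libraries listed in /etc/ld.so.preload (comments and blank lines ignored)."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def scan_processes(proc="/proc"):
    """Return {pid: vars} for every readable process whose environment sets LD_PRELOAD."""
    hits = {}
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            with open(f"{proc}/{pid}/environ", "rb") as fh:
                env = preload_from_environ(fh.read())
        except OSError:
            continue  # process gone, or not ours and we are not root
        if "LD_PRELOAD" in env:
            hits[int(pid)] = env
    return hits


def yama_assessment(scope_value):
    """Return (acceptable, description) for a ptrace_scope value; 0 is the weak setting."""
    scope = int(scope_value)
    return scope >= 1, PTRACE_SCOPE_MEANING.get(scope, "unknown value")


def read_ptrace_scope(path="/proc/sys/kernel/yama/ptrace_scope"):
    """Current Yama setting, or None when Yama is not built into this kernel."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return None


# Constructed sample environment blocks for the pure functions.
CLEAN_ENV = b"PATH=/usr/bin:/bin\0HOME=/home/alice\0SHELL=/bin/bash\0"
PRELOAD_ENV = b"PATH=/usr/bin:/bin\0LD_PRELOAD=/tmp/.cache/libhook.so\0HOME=/home/alice\0"

if __name__ == "__main__":
    scope = read_ptrace_scope()
    print("ptrace_scope:", scope, yama_assessment(scope) if scope is not None else "(Yama absent)")
    for pid, env in scan_processes().items():
        print(pid, env)
```

Whether a particular preload is malicious still requires judgement (some monitoring agents use LD_PRELOAD legitimately), which is why the scan reports the path rather than deciding on its own.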

Injections in SID-history (SID-History Injection)


System: Windows
Permissions: Administrator, System
Description: Whenever an object moves from one domain to another, a new SID is created, which becomes the primary objectSID. The previous SIDs continue to be stored in the sIDHistory attribute, thereby preserving the rights the object had before the inter-domain migration. Attackers with administrative rights can insert previously collected SIDs into SID-History in order to act on behalf of more privileged groups or accounts, such as domain administrators.

Protection recommendations: In Windows Server 2003 and later, SID Filtering is enabled by default; it removes or filters all SIDs other than those of the trusted domain, but this option can be deliberately disabled to allow cross-domain access.
The main methods of SID filtering are:
• Disabling SIDHistory in the trust settings between domain forests with the command: netdom trust /domain:<domain> /EnableSIDHistory:no;
• Applying SID Filter Quarantining, which ensures that an object holding a SID other than the trusted domain's cannot authenticate to the trusting domain. SID Filter Quarantining is used for external trusts and is enabled with the command: netdom trust /domain:<domain> /quarantine:yes.
Using SID Filtering between domains of the same forest is not recommended. If a domain in a forest is untrusted, it should not be a member of that forest; in such a situation, first separate trusted and untrusted domains into different forests, and then apply SID Filtering to the trusts between the forests.

Scheduled Task


System: Windows
Permissions: User, Administrator, System
Description: Utilities such as at, schtasks and the Windows Task Scheduler can be used to schedule programs and scripts to run at a specific date and time. A task can be scheduled on a remote system, provided RPC is used for authentication and printer and file sharing is enabled. Scheduling tasks on a remote system requires administrative rights. An attacker can use remote task execution to gain System privileges or to launch a process under a specific account.

Protection recommendations: Restrict user privileges. Use tools such as the PowerUp module of PowerSploit to find weaknesses in the permissions of scheduled tasks. Disable the ability to run tasks as System, disable the "Allow server operators to schedule tasks" option in the security policy, and configure the "User Rights Assignment: Increase scheduling priority" option.

Service Registry Permissions Weakness


System: Windows
Permissions: Administrator, System
Description: If user and group permissions allow modification of the Windows registry keys that store service settings, attackers can directly modify the keys that store the paths to service executables, or use various service management tools such as sc.exe, PowerShell or Reg. Attackers can also change the parameters associated with service failure, for example FailureCommand, which specifies the command to execute if the service fails or is deliberately damaged. Service settings are stored in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.

Protection recommendations: Make sure that users of the protected system cannot modify the registry keys that store the parameters of system components. Use tools that block potentially dangerous software, for example Windows AppLocker.

Setuid and Setgid


System: Linux, macOS
Permissions: User
Description: Setuid and setgid are access-right flags on Unix systems that allow a user to run an executable with the rights of the file's owner or group. If an application needs to run as root, then instead of creating an entry in the sudoers file, the setuid or setgid flag can be set on it. Adversaries can abuse the setuid and setgid flags to perform a shell escape (a technique in which a console application is made to open a shell or another program from within itself) or to exploit a vulnerability in an application carrying these flags and execute code in the context of other users. In the output of ls -l, the flags described above are shown as the letter "s" in place of "x". The chmod utility sets the setuid and setgid flags with the commands chmod 4777 [file] or chmod u+s [file].

Protection recommendations: Keep the number of programs with the setuid and setgid flags to a minimum.
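Keeping the set of setuid/setgid programs minimal only works if you know what the set is and notice when it grows. The block below is an added example, not from the article: it walks a directory tree, lists regular files carrying either bit, renders their mode the way `ls -l` does (so the "s" in place of "x" described above is visible), and reports anything not in a baseline captured earlier. The baseline and the files created by `demo()` are constructed in a temporary directory; on a real host the walk would start at `/` and the baseline would be the list recorded right after installation.

```python
"""Inventory setuid/setgid files and diff them against a baseline.

Added example, not from the article. demo() builds its files in a temporary
directory so nothing system-wide is touched.
"""
import os
import stat
import tempfile


def mode_string(mode):
    """Render rwx triplets like ls -l, with s/S (setuid, setgid) and t/T (sticky)."""
    spec = (
        (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_ISUID, "s"),
        (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP, stat.S_ISGID, "s"),
        (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH, stat.S_ISVTX, "t"),
    )
    out = []
    for r, w, x, special, sym in spec:
        out.append("r" if mode & r else "-")
        out.append("w" if mode & w else "-")
        if mode & special:
            out.append(sym if mode & x else sym.upper())  # 'S' means the bit is set but x is not
        else:
            out.append("x" if mode & x else "-")
    return "".join(out)


def find_setid(root):
    """Return {path: mode_string} for regular files with setuid or setgid set under root."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found[path] = mode_string(st.st_mode)
    return found


def new_since_baseline(root, baseline_paths):
    """Setuid/setgid files present now that were not in the recorded baseline."""
    return {p: m for p, m in find_setid(root).items() if p not in baseline_paths}


def demo():
    """Constructed tree: two known set-id files, one unexpected newcomer, one plain file."""
    d = tempfile.mkdtemp()

    def make(name, mode):
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
        return path

    known_suid = make("ping", 0o4755)
    known_sgid = make("wall", 0o2755)
    make("notes.txt", 0o644)
    make("dropper", 0o4755)  # the unexpected addition
    return new_since_baseline(d, {known_suid, known_sgid})


if __name__ == "__main__":
    for path, mode in demo().items():
        print(mode, path)
```

The `find_setid` output itself is the inventory worth reviewing against the "keep to a minimum" advice; `new_since_baseline` turns it into a cheap periodic check.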

Startup Items


System: macOS
Permissions: Administrator
Description: An attacker can use the deprecated but still functional (as of macOS Sierra) StartupItems autorun mechanism to arrange for their code to run as root during OS boot. A startup item is a directory under /Library/StartupItems containing a command script and a StartupParameters.plist properties file. The script and the properties file must be at the top level of the hierarchy: /Library/StartupItems/[MyStartupItem].

Security tips: Since the StartupItems mechanism is deprecated, forbidding writes to the /Library/StartupItems/ directory will prevent the creation of startup items.

Sudo


System: Linux, macOS
Privileges: User
Description: Adversaries can use sudo configuration flaws to execute commands on behalf of other users or spawn processes with higher privileges. Sudo settings are stored in the /etc/sudoers file, and elevated privileges are required to edit it. The sudoers file describes which commands users may run on behalf of other users or groups; this allows users to work with minimal privileges most of the time and elevate only when necessary. However, the sudoers file can also specify users who will not be asked for a password: username ALL=(ALL) NOPASSWD: ALL.

Security tips: The sudoers file must be edited so that users always enter a password when running sudo. Linux auditd can generate a warning whenever the real and effective user IDs differ (this happens when a user uses sudo).

Sudo caching


System: Linux, macOS
Permissions: User
Description: Various malware, such as OSX.Proton, can abuse sudo settings to execute code as root without entering a password. Because the sudo toolkit was created for system administration, it has convenience features such as timestamp_timeout: this parameter stores the number of minutes after a sudo run during which sudo will not prompt for the root password again. In other words, sudo can cache credentials for some time. The timestamp of the last sudo run is stored under /var/db/sudo and is used to evaluate the timeout. There is also the tty_tickets variable, which treats each new terminal session in isolation, so that a timeout in one console instance does not affect the timeout in another.

Security tips: Set timestamp_timeout=0 so that the system requires the root password to be entered each time sudo is executed. Enable the tty_tickets parameter to prevent an attack through other command console sessions.
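The two sudo sections above (NOPASSWD rules, and the timestamp_timeout / tty_tickets caching settings) can be checked from the same parse of the sudoers text. The block below is an added example, not from the article or from the sudo project: it parses the subset of sudoers syntax used for `Defaults` lines and user specifications (aliases and `#include` directives are not handled, which is an assumption of the example), then reports every command runnable without a password, a non-zero or unset `timestamp_timeout`, and a disabled `tty_tickets`. The weak and hardened sample files are constructed.

```python
"""Flag NOPASSWD rules and weak credential-caching defaults in sudoers text.

Added example, not from the article. Handles Defaults lines and user
specifications only; aliases and #include are outside its scope.
"""
import re

DEFAULTS_RE = re.compile(r"^Defaults(?:[:@>!]\S+)?\s+(.+)$")
USERSPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(.+)$")
RUNAS_RE = re.compile(r"^\((.*?)\)\s*(.*)$")
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|"
                    r"LOG_INPUT|NOLOG_INPUT|LOG_OUTPUT|NOLOG_OUTPUT):\s*(.*)$")


def parse_sudoers(text):
    """Return (defaults, rules): defaults as {name: value|True|False}, rules as dicts."""
    defaults, rules = {}, []
    text = text.replace("\\\n", " ")  # join continuation lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DEFAULTS_RE.match(line)
        if m:
            for item in m.group(1).split(","):
                item = item.strip()
                if not item:
                    continue
                if "=" in item:
                    key, _, value = item.partition("=")
                    defaults[key.strip()] = value.strip()
                elif item.startswith("!"):
                    defaults[item[1:]] = False
                else:
                    defaults[item] = True
            continue
        m = USERSPEC_RE.match(line)
        if not m:
            continue
        user, hosts, rest = m.groups()
        runas = None
        r = RUNAS_RE.match(rest)
        if r:
            runas, rest = r.group(1), r.group(2)
        nopasswd = False  # a tag applies to the commands that follow it
        for cmd in rest.split(","):
            cmd = cmd.strip()
            while True:
                t = TAG_RE.match(cmd)
                if not t:
                    break
                if t.group(1) == "NOPASSWD":
                    nopasswd = True
                elif t.group(1) == "PASSWD":
                    nopasswd = False
                cmd = t.group(2)
            rules.append({"user": user, "hosts": hosts, "runas": runas,
                          "command": cmd, "nopasswd": nopasswd})
    return defaults, rules


def audit_sudoers(text):
    """Return a list of human-readable issues; an empty list means the checks passed."""
    defaults, rules = parse_sudoers(text)
    issues = []
    for r in rules:
        if r["nopasswd"]:
            issues.append(f"NOPASSWD: {r['user']} may run '{r['command']}' "
                          f"as {r['runas'] or 'root'} without a password")
    timeout = defaults.get("timestamp_timeout")
    # Unset means sudo's compiled-in default (minutes of caching); negative means never expire.
    if timeout is None or float(timeout) != 0:
        shown = "unset (sudo default, credentials cached)" if timeout is None else timeout
        issues.append(f"timestamp_timeout is {shown}; set it to 0")
    if defaults.get("tty_tickets") is False:
        issues.append("tty_tickets disabled; one cached ticket covers every terminal")
    return issues


# Constructed samples.
WEAK = """\
Defaults env_reset, timestamp_timeout=15
Defaults !tty_tickets
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
deploy  ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, PASSWD: /bin/systemctl
"""
HARDENED = """\
Defaults env_reset, timestamp_timeout=0, tty_tickets
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_sudoers(text) or "no issues")
```

On a live system feed it the output of `sudo cat /etc/sudoers` plus each file under /etc/sudoers.d, since the parser does not follow `#includedir` on its own.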

Valid accounts


Description: Attackers can steal the credentials of a particular user or service account using credential access techniques, or capture credentials during reconnaissance using social engineering. Compromised credentials can be used to bypass access control systems and gain access to remote systems and external services such as VPN, OWA or remote desktop, or to gain elevated privileges in certain systems and network areas. If this scenario succeeds, attackers can abandon the use of malware to make their detection more difficult. Attackers can also create accounts with predetermined names and passwords to preserve backup access in case other means fail.

Security recommendations: Apply a password policy and follow recommendations for designing and administering a corporate network so as to limit the use of privileged accounts at all administrative levels. Regularly audit domain and local accounts and their rights in order to identify those that could give an attacker broad access. Monitor account activity with SIEM systems.

Web shell


System: Windows, Linux, macOS
Description: A web shell can be used by an attacker as a gateway into your network or as redundant access to the attacked system, a backup means of persistence in case the main access channels to the attacked environment are detected and blocked.

Protection recommendations: Make sure that your external web servers are updated regularly and have no known vulnerabilities that allow attackers to upload a file or script to the server and then execute it. Check that the permissions of the accounts and groups with server management rights do not coincide with the internal network accounts that could be used to log on to the web server, launch the web shell or persist on the web server. Web shells are hard to detect because they do not initiate connections and their server-side part may be small and innocuous-looking; for example, the PHP version of the China Chopper web shell looks like a single line:
<?php eval($_POST['password']);?>
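Because the server side of such a shell is a single line, a content scan of the web root is one of the few cheap detections available. The block below is an added example, not from the article: it scans PHP sources for `eval`/`assert` fed directly from a request superglobal (the China Chopper pattern quoted above), for `eval` over decoded input, and for a request parameter invoked as a function name. The regexes are this example's own heuristics, and the sample files written by `demo()` are constructed in a temporary directory; in production the scan should be combined with a comparison against a known-good inventory of the deployed files.

```python
"""Scan PHP files for one-line eval-of-request web shells.

Added example, not from the article. The patterns are heuristics and the
sample files are constructed.
"""
import os
import re
import tempfile

PATTERNS = [
    # eval/assert applied straight to request input: eval($_POST['x'])
    re.compile(r"\b(eval|assert)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\s*\[", re.I),
    # eval over decoded/obfuscated input: eval(base64_decode(...))
    re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(", re.I),
    # request parameter used as a callable: $_POST['f']($_POST['a'])
    re.compile(r"\$_(POST|GET|REQUEST)\s*\[[^\]]+\]\s*\(", re.I),
]


def scan_text(text):
    """Return [(line_number, line)] for every line matching a pattern."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        if any(p.search(line) for p in PATTERNS):
            hits.append((number, line.strip()[:120]))
    return hits


def scan_tree(root, exts=(".php", ".phtml", ".php5")):
    """Return {path: hits} for files under root whose extension is in exts."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue
            if hits:
                report[path] = hits
    return report


CHOPPER = "<?php eval($_POST['password']);?>"  # the one-liner quoted in the article
CLEAN = "<?php\n$name = htmlspecialchars($_POST['name']);\necho $name;\n"
OBFUSCATED = "<?php @eval(base64_decode($_GET['c']));\n"  # constructed variant


def demo():
    """Constructed web root: one legitimate file and two shells in upload-style paths."""
    root = tempfile.mkdtemp()
    for rel, body in (("index.php", CLEAN), ("uploads/img.php", CHOPPER), ("cache/x.php", OBFUSCATED)):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        for number, line in hits:
            print(f"{path}:{number}: {line}")
```

Expect false positives from frameworks that legitimately call `eval`; the value of the scan is in surfacing files under upload, cache and temp directories that should never contain executable code at all.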

Source: https://habr.com/ru/post/428602/

