adam/cti
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
bf0ae0abb5c31e857ca642dcf1c2bf8eadf3f767
cti/enterprise-attack/attack-pattern/attack-pattern--215190a9-9f02-4e83-bb5f-e0589965a302.json
T
John Wunder bf0ae0abb5 content from the Jan 16, 2018 update
2018-01-17 16:00:03 -05:00

68 lines
4.1 KiB
JSON
Raw Blame History

{
"type": "bundle",
"id": "bundle--534a9dbd-e6ff-45cc-b529-e6b5243db551",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--215190a9-9f02-4e83-bb5f-e0589965a302",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31T21:31:33.499Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Regsvcs/Regasm",
"description": "Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)\n\nAdversaries can use Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Both utilities may be used to bypass process whitelisting through use of attributes within the binary to specify code that should be run before registration or unregistration: <code>[ComRegisterFunction]</code> or <code>[ComUnregisterFunction]</code> respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute. (Citation: SubTee GitHub All The Things Application Whitelisting Bypass)\n\nDetection: Use process monitoring to monitor the execution and arguments of Regsvcs.exe and Regasm.exe. Compare recent invocations of Regsvcs.exe and Regasm.exe with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. Command arguments used before and after Regsvcs.exe or Regasm.exe invocation may also be useful in determining the origin and purpose of the binary being executed.\n\nPlatforms: Windows\n\nData Sources: Process monitoring, Process command-line parameters\n\nDefense Bypassed: Process whitelisting\n\nPermissions Required: User, Administrator\n\nRemote Support: No\n\nContributors: Casey Smith",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/wiki/Technique/T1121",
"external_id": "T1121"
},
{
"source_name": "MSDN Regsvcs",
"description": "Microsoft. (n.d.). Regsvcs.exe (.NET Services Installation Tool). Retrieved July 1, 2016.",
"url": "https://msdn.microsoft.com/en-us/library/04za0hca.aspx"
},
{
"source_name": "MSDN Regasm",
"description": "Microsoft. (n.d.). Regasm.exe (Assembly Registration Tool). Retrieved July 1, 2016.",
"url": "https://msdn.microsoft.com/en-us/library/tzat5yw6.aspx"
},
{
"source_name": "SubTee GitHub All The Things Application Whitelisting Bypass",
"description": "[ Smith, C. (2016, August 17). Includes 5 Known Application Whitelisting/ Application Control Bypass Techniques in One File. Retrieved June 30, 2017."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Casey Smith"
],
"x_mitre_data_sources": [
"Process monitoring",
"Process command-line parameters"
],
"x_mitre_defense_bypassed": [
"Process whitelisting"
],
"x_mitre_permissions_required": [
"User",
"Administrator"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_remote_support": false
}
]
}
Reference in New Issue View Git Blame Copy Permalink