adpare
59 lines
4.3 KiB
JSON
59 lines
4.3 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--75c12133-ac56-4cf3-bb09-ef255f02bd49",
|
|
"spec_version": "2.0",
|
|
"objects": [
|
|
{
|
|
"type": "attack-pattern",
|
|
"id": "attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91",
|
|
"created": "2024-03-25T20:16:15.016Z",
|
|
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
|
"revoked": false,
|
|
"external_references": [
|
|
{
|
|
"source_name": "mitre-attack",
|
|
"url": "https://attack.mitre.org/techniques/T0894",
|
|
"external_id": "T0894"
|
|
},
|
|
{
|
|
"source_name": "GTFO split",
|
|
"description": "GTFOBins. (2020, November 13). split. Retrieved April 18, 2022.",
|
|
"url": "https://gtfobins.github.io/gtfobins/split/"
|
|
},
|
|
{
|
|
"source_name": "LOLBAS Project",
|
|
"description": "Oddvar Moe et al. (2022, February). Living Off The Land Binaries, Scripts and Libraries. Retrieved March 7, 2022.",
|
|
"url": "https://github.com/LOLBAS-Project/LOLBAS#criteria"
|
|
},
|
|
{
|
|
"source_name": "split man page",
|
|
"description": "Torbjorn Granlund, Richard M. Stallman. (2020, March null). split(1) \u2014 Linux manual page. Retrieved March 25, 2022.",
|
|
"url": "https://man7.org/linux/man-pages/man1/split.1.html"
|
|
}
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
|
],
|
|
"modified": "2025-04-15T19:58:11.559Z",
|
|
"name": "System Binary Proxy Execution",
|
|
"description": "Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system. (Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands. Similarly, on Linux systems adversaries may abuse trusted binaries such as split to proxy execution of malicious commands. (Citation: split man page)(Citation: GTFO split)\n\nAdversaries may abuse application binaries installed on a system for proxy execution of malicious code or domain-specific commands. These commands could be used to target local resources on the device or networked devices within the environment through defined APIs ([Execution through API](https://attack.mitre.org/techniques/T0871)) or application-specific programming languages (e.g., MicroSCADA SCIL). Application binaries may be signed by the developer or generally trusted by the operators, analysts, and monitoring tools accustomed to the environment. These applications may be developed and/or directly provided by the device vendor to enable configuration, management, and operation of their devices without many alternatives. \n\nAdversaries may seek to target these trusted application binaries to execute or send commands without the development of custom malware. For example, adversaries may target a SCADA server binary which has the existing ability to send commands to substation devices, such as through IEC 104 command messages. Proxy execution may still require the development of custom tools to hook into the application binary\u2019s execution.\n\n",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "mitre-ics-attack",
|
|
"phase_name": "evasion"
|
|
}
|
|
],
|
|
"x_mitre_attack_spec_version": "3.2.0",
|
|
"x_mitre_deprecated": false,
|
|
"x_mitre_domains": [
|
|
"ics-attack"
|
|
],
|
|
"x_mitre_is_subtechnique": false,
|
|
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
|
"x_mitre_platforms": [
|
|
"None"
|
|
],
|
|
"x_mitre_version": "1.0"
|
|
}
|
|
]
|
|
} |