Translators: 林妙倩, 戴亦仑. This is an original translation; please obtain the translators' consent before reproducing it.
Data source: ATT&CK Matrices
Original: https://attack.mitre.org/techniques/T1149
Glossary: /attack/glossary
As of OS X 10.8, Mach-O binaries introduced a new header called LC_MAIN that points to the binary's entry point for execution. Previously, there were two headers to achieve this same effect: LC_THREAD and LC_UNIXTHREAD. The entry point for a binary can be hijacked so that initial execution flows to a malicious addition (either another section or a code cave) and then goes back to the initial entry point, so that the victim doesn't know anything was different. By modifying a binary in this way, application whitelisting can be bypassed because the file name or application path is still the same.
ID: T1149
Tactic: Defense Evasion
Platform: macOS
Permissions Required: User, Administrator
Data Sources: Binary file metadata, Malware reverse engineering, Process monitoring
Defense Bypassed: Application whitelisting, Process whitelisting, Whitelisting by file name or path
| Mitigation | Description |
|---|---|
| Code Signing (M1045) | Enforce valid digital signatures for signed code on all applications and only trust applications with signatures from trusted parties. |
Determining the original entry point for a binary is difficult, but checksum and signature verification is very possible. Modifying the LC_MAIN entry point or adding an additional LC_MAIN entry point invalidates the signature for the file and can be detected. Collect running process information and compare it against known applications to look for suspicious behavior.
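As an added illustration of the detection idea above (this code is not part of the ATT&CK entry), the following Python walks the load commands of a 64-bit Mach-O image, extracts every LC_MAIN entry offset, and flags a second LC_MAIN or an entry offset that does not land inside the __TEXT,__text section. The struct layouts follow Apple's mach-o/loader.h; the two sample images are constructed in memory and are not real binaries.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64 = 0x19
LC_MAIN = 0x80000028  # LC_REQ_DYLD | 0x28; entry_point_command = cmd, cmdsize, entryoff, stacksize

def audit_entry_point(data: bytes) -> dict:
    """Walk the load commands of a little-endian 64-bit Mach-O and flag LC_MAIN oddities.

    Returns the LC_MAIN entry offsets, the file range of __TEXT,__text and a list of
    findings: more than one LC_MAIN, or an entryoff outside __text (another section or a code cave)."""
    magic, _, _, _, ncmds, _ = struct.unpack_from("<6I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    off, text_range, entries = 32, None, []  # mach_header_64 is 32 bytes
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmd == LC_SEGMENT_64:
            nsects = struct.unpack_from("<I", data, off + 64)[0]  # segment_command_64.nsects
            for i in range(nsects):  # section_64 entries follow the segment command, 80 bytes each
                sectname, segname, _, size, fileoff = struct.unpack_from("<16s16s2QI", data, off + 72 + i * 80)
                if segname.rstrip(b"\0") == b"__TEXT" and sectname.rstrip(b"\0") == b"__text":
                    text_range = (fileoff, fileoff + size)
        elif cmd == LC_MAIN:
            entries.append(struct.unpack_from("<Q", data, off + 8)[0])  # entryoff is a file offset
        off += cmdsize
    findings = []
    if len(entries) > 1:
        findings.append("multiple LC_MAIN load commands")
    for e in entries:
        if text_range is None or not (text_range[0] <= e < text_range[1]):
            findings.append(f"entryoff 0x{e:x} lies outside __TEXT,__text")
    return {"entries": entries, "text_range": text_range, "findings": findings}

def build_sample(entry_offsets) -> bytes:
    """Constructed test image (not a real binary): one __TEXT segment whose __text section
    occupies file bytes [0x1000, 0x1100), followed by one LC_MAIN per requested offset."""
    seg = struct.pack("<2I16s4Q2i2I", LC_SEGMENT_64, 72 + 80, b"__TEXT",
                      0x100000000, 0x2000, 0, 0x2000, 7, 5, 1, 0)
    sect = struct.pack("<16s16s2Q8I", b"__text", b"__TEXT",
                       0x100001000, 0x100, 0x1000, 4, 0, 0, 0x80000400, 0, 0, 0)
    cmds = seg + sect + b"".join(struct.pack("<2I2Q", LC_MAIN, 24, e, 0) for e in entry_offsets)
    header = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 1 + len(entry_offsets), len(cmds), 0, 0)
    return header + cmds

BENIGN = build_sample([0x1040])            # single LC_MAIN, entry inside __text
HIJACKED = build_sample([0x1800, 0x1040])  # extra LC_MAIN first, diverted past __text
```

On a real file the same function can be fed the bytes of a Mach-O executable; for fat (universal) binaries the per-architecture slice must be located first, which this example does not do.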