ATT&CK-CN V1.01 Last Update: 2019-11 [返回索引页]

译者: 林妙倩(清华大学网络研究院网络空间安全实习生)、戴亦仑(赛宁网安) 原创翻译作品,如果需要转载请取得翻译作者同意。

数据来源:ATT&CK Matrices

原文: https://attack.mitre.org/techniques/T1149

术语表: /attack/glossary

LC_MAIN劫持

从OS X 10.8开始,mach-O二进制文件引入了一个名为LC_MAIN的新头文件,该头文件指向二进制文件的执行入口。以前,有两个标头可实现相同的效果:LC_THREAD和LC_UNIXTHREAD。二进制文件的入口点可以被劫持,从而使初始执行流到恶意添加项(另一个部分或代码入口),然后返回到初始入口点,以使受害者不知道有什么不同。通过以这种方式修改二进制文件,可以绕过应用程序白名单,因为文件名或应用程序路径仍然相同。

As of OS X 10.8, mach-O binaries introduced a new header called LC_MAIN that points to the binary’s entry point for execution. Previously, there were two headers to achieve this same effect: LC_THREAD and LC_UNIXTHREAD. The entry point for a binary can be hijacked so that initial execution flows to a malicious addition (either another section or a code cave) and then goes back to the initial entry point so that the victim doesn’t know anything was different . By modifying a binary in this way, application whitelisting can be bypassed because the file name or application path is still the same.

标签

ID编号: T1149

策略: 绕过防御

平台: macOS

所需权限: user,administrator

数据源: Binary file metadata, Malware reverse engineering, Process monitoring

绕过防御: 应用程序白名单,进程白名单,按文件名或路径进行白名单

缓解措施

减轻 描述
代码签名 (M1045) 对所有应用程序上的签名代码强制使用有效的数字签名,并且仅使用来自受信任方签名的信任应用程序。
Mitigation Description
Code Signing ( M1045) Enforce valid digital signatures for signed code on all applications and only trust applications with signatures from trusted parties.

检测

确定二进制文件的原始入口点很困难,但是校验和和签名验证是非常可能的。修改LC_MAIN入口点或添加其他LC_MAIN入口点会使文件签名无效,并且可以检测到。收集正在运行的进程信息,并与已知的应用程序进行比较以查找可疑行为。

Determining the original entry point for a binary is difficult, but checksum and signature verification is very possible. Modifying the LC_MAIN entry point or adding in an additional LC_MAIN entry point invalidates the signature for the file and can be detected. Collect running process information and compare against known applications to look for suspicious behavior.