ATT&CK-CN V1.01 Last Update: 2019-11

Translators: 林妙倩 (cyberspace security intern, Institute for Network Sciences and Cyberspace, Tsinghua University), 戴亦仑 (赛宁网安). Original translation; please obtain the translators' consent before republishing.

Data source: ATT&CK Matrices

Original: https://attack.mitre.org/techniques/T1161

Glossary: /attack/glossary

LC_LOAD_DYLIB Addition

Mach-O binaries carry a series of load commands after the Mach-O header; the loader (dyld) acts on them when the binary is loaded. The LC_LOAD_DYLIB load command tells macOS and OS X which dynamic libraries (dylibs) to load at execution time. Additional LC_LOAD_DYLIB commands can be added ad hoc to an already compiled binary as long as the rest of the fields and dependencies are adjusted to match, in particular the ncmds and sizeofcmds counters in the Mach-O header, and the new command must fit in the padding that normally sits between the last load command and the first section [1]. Tools exist to perform these changes. Any such change invalidates the digital signature on the binary, because the signed code is being modified. Adversaries can work around this by simply removing the LC_CODE_SIGNATURE load command from the binary so that no signature is checked at load time. One caveat: on Apple silicon, macOS refuses to launch native arm64 executables that carry no code signature at all, so there the attacker has to re-sign the modified binary (for example ad hoc) rather than leave it unsigned.

Tags

ID: T1161

Tactic: Persistence

Platform: macOS

Permissions Required: User

Data Sources: Binary file metadata, Process monitoring, Process command-line parameters, File monitoring

Mitigations

Mitigation / Description
Audit (M1047) / Binaries can be baselined for the dynamic libraries they require; if an app starts requiring a new dynamic library that was not introduced as part of an update, it should be investigated.
Code Signing (M1045) / Enforce that all binaries be signed by the correct Apple Developer IDs.
Execution Prevention (M1038) / Whitelist applications via known hashes.

Detection

Monitor for processes that may be used to modify Mach-O load commands. Monitor the file system for changes to application binaries and for invalid or missing checksums/signatures; on macOS, codesign --verify --strict <path> reports a binary whose signature no longer matches or that carries no signature at all, and otool -L <path> lists the dylibs requested by the binary's LC_LOAD_DYLIB commands, which can be compared against a recorded baseline. Changes to binaries that do not line up with an application update or patch are also extremely suspicious.
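The following added example is not part of the ATT&CK page or of any MITRE tooling. It parses the load commands of a thin Mach-O image with Python's standard library, listing the dylibs requested by LC_LOAD_DYLIB / LC_LOAD_WEAK_DYLIB commands and whether an LC_CODE_SIGNATURE command is present, and then compares a binary against a known-good baseline in the way the description, the Audit (M1047) mitigation and the detection guidance above describe. The two Mach-O images are constructed inside the script (header plus load commands, no code), and the dylib paths in them, including the injected /Users/Shared/inject.dylib, are made up for the demonstration. Fat/universal binaries are not handled.

```python
"""Audit Mach-O load commands: list LC_LOAD_DYLIB dependencies, check for LC_CODE_SIGNATURE."""
import struct

MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE  # 64-bit, native / byte-swapped
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE        # 32-bit, native / byte-swapped
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_CODE_SIGNATURE = 0x1D
DYLIB_CMDS = {LC_LOAD_DYLIB: "LC_LOAD_DYLIB", LC_LOAD_WEAK_DYLIB: "LC_LOAD_WEAK_DYLIB"}


def parse_load_commands(data):
    """Walk the load commands of a thin Mach-O image.

    Returns {"dylibs": [(command name, dylib path), ...], "code_signature": bool}.
    """
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic in (MH_MAGIC_64, MH_MAGIC):
        end = "<"
    elif magic in (MH_CIGAM_64, MH_CIGAM):
        end = ">"
    else:
        raise ValueError("not a thin Mach-O image (fat/universal files are not handled)")
    hdr_size = 32 if magic in (MH_MAGIC_64, MH_CIGAM_64) else 28
    # ncmds and sizeofcmds sit at offsets 16 and 20 in both the 32- and 64-bit header
    ncmds, sizeofcmds = struct.unpack_from(end + "II", data, 16)
    dylibs, signed = [], False
    off = hdr_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(end + "II", data, off)
        if cmdsize < 8 or off + cmdsize > hdr_size + sizeofcmds:
            raise ValueError("malformed load command at offset %d" % off)
        if cmd in DYLIB_CMDS:
            # dylib_command: cmd, cmdsize, then the lc_str offset of the NUL-terminated path
            name_off = struct.unpack_from(end + "I", data, off + 8)[0]
            raw = data[off + name_off:off + cmdsize]
            dylibs.append((DYLIB_CMDS[cmd], raw.split(b"\0", 1)[0].decode()))
        elif cmd == LC_CODE_SIGNATURE:
            signed = True
        off += cmdsize
    return {"dylibs": dylibs, "code_signature": signed}


def audit(baseline, sample):
    """Audit (M1047): report dylibs absent from the baseline and a stripped LC_CODE_SIGNATURE."""
    base = parse_load_commands(baseline)
    cur = parse_load_commands(sample)
    known = {path for _, path in base["dylibs"]}
    findings = ["new dylib load command not in baseline: " + path
                for _, path in cur["dylibs"] if path not in known]
    if base["code_signature"] and not cur["code_signature"]:
        findings.append("LC_CODE_SIGNATURE removed")
    return findings


# --- constructed sample images (header + load commands only, no code) ----------------
def _dylib_cmd(path):
    """Build an LC_LOAD_DYLIB command: 24-byte fixed part + path, padded to 8 bytes."""
    name = path.encode() + b"\0"
    size = 24 + len(name)
    size += (-size) % 8
    # cmd, cmdsize, name offset, timestamp, current_version, compatibility_version
    fixed = struct.pack("<IIIIII", LC_LOAD_DYLIB, size, 24, 2, 0x10000, 0x10000)
    return fixed + name.ljust(size - 24, b"\0")


def build_macho(dylibs, signed=True):
    """Minimal x86_64 MH_EXECUTE header followed by the given load commands."""
    cmds = b"".join(_dylib_cmd(p) for p in dylibs)
    if signed:  # linkedit_data_command: cmd, cmdsize, dataoff, datasize (values arbitrary here)
        cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0x1000, 0x200)
    # magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2,
                         len(dylibs) + (1 if signed else 0), len(cmds), 0x200085, 0)
    return header + cmds


SYSTEM_DYLIBS = ["/usr/lib/libSystem.B.dylib",
                 "/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation"]
BASELINE = build_macho(SYSTEM_DYLIBS)  # the app as shipped: signed, two dependencies
# Constructed "tampered" copy: one LC_LOAD_DYLIB added, LC_CODE_SIGNATURE removed
TAMPERED = build_macho(SYSTEM_DYLIBS + ["/Users/Shared/inject.dylib"], signed=False)

if __name__ == "__main__":
    for finding in audit(BASELINE, TAMPERED):
        print(finding)
```

Against a real file, read it with open(path, "rb") and pass the bytes to audit() next to a baseline captured when the application was installed or updated; a universal binary has to be split into its slices first (for example with lipo -thin) because the parser only accepts a thin image.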