ATT&CK-CN V1.01 Last Update: 2019-11

Translators: 林妙倩 (cybersecurity intern, Institute for Network Sciences and Cyberspace, Tsinghua University), 戴亦仑 (赛宁网安). This is an original translation; please obtain the translators' permission before reposting.

Data source: ATT&CK Matrices

Original: https://attack.mitre.org/techniques/T1221

Glossary: /attack/glossary

Template Injection

Microsoft's Open Office XML (OOXML) specification defines an XML-based format for Office documents (.docx, .xlsx, .pptx) to replace the older binary formats (.doc, .xls, .ppt). OOXML files are ZIP archives composed of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.

Properties within parts may reference shared public resources accessed via online URLs. For example, template properties reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded.

Adversaries may abuse this technology to initially conceal malicious code to be executed via documents (i.e. Scripting (T1064)). Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded. These documents can be delivered via other techniques such as Spearphishing Attachment (T1193) and/or Taint Shared Content (T1080), and may evade static detection since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched. Examples have been seen in the wild where template injection was used to load malicious code containing an exploit.

This technique may also enable Forced Authentication (T1187) by injecting an SMB/HTTPS (or other credential-prompting) URL and triggering an authentication attempt.
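Because the template reference lives in a relationships part of the ZIP package, a static scanner can flag it before any payload is fetched. The following added example (not code from ATT&CK or any tool the page cites) walks every .rels part of a .docx, reports attachedTemplate relationships whose target is external (HTTP/HTTPS, UNC or SMB), and builds a constructed minimal package with a placeholder URL to exercise the check; the relationship type URI is the one defined by OOXML, the remote-target pattern is an assumption.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship type that points a document at an attached (possibly remote) template
ATTACHED_TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
PKG_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Assumed set of schemes that indicate a template fetched off-host (HTTP(S), UNC path, SMB, file URL)
REMOTE_TARGET = re.compile(r"^(https?://|\\\\|smb://|file://)", re.IGNORECASE)


def find_remote_templates(docx_bytes: bytes) -> list:
    """Return (part name, target) for every attachedTemplate relationship with a remote target."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue  # only relationship parts can carry template references
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(PKG_NS + "Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and REMOTE_TARGET.match(target):
                    findings.append((name, target))
    return findings


def build_sample_docx(template_target: str, external: bool = True) -> bytes:
    """Constructed test fixture: a package holding only word/_rels/settings.xml.rels."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="%s" Target="%s"%s/>'
        "</Relationships>"
    ) % (ATTACHED_TEMPLATE, template_target, mode)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder host; a real scan would call find_remote_templates(open(path, "rb").read())
    print(find_remote_templates(build_sample_docx("http://template-host.example/placeholder.dotm")))
```

A local template such as Normal.dotm is referenced without TargetMode="External" and is not reported, so the check isolates the remote-fetch case the technique depends on.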

Tags

ID: T1221

Tactic: Defense Evasion

Platform: Windows

Permissions Required: User

Data Sources: Anti-virus, Email gateway, Network intrusion detection system, Web logs

Defense Bypassed: Static File Analysis

Procedure Examples

Name | Description
APT28 (G0007) | APT28 (G0007) used weaponized Microsoft Word documents abusing the remote template function to retrieve a malicious macro.
DarkHydrus (G0079) | DarkHydrus (G0079) used an open-source tool, Phishery, to inject malicious remote template URLs into Microsoft Word documents and then sent them to victims to enable Forced Authentication (T1187).
Dragonfly 2.0 (G0074) | Dragonfly 2.0 (G0074) has injected SMB URLs into malicious Word spearphishing attachments to initiate Forced Authentication (T1187).
Tropic Trooper (G0081) | Tropic Trooper (G0081) delivered malicious documents with the XLSX extension, typically used by OpenXML documents, but the file itself was actually an OLE (XLS) document.

Mitigations

Mitigation | Description
Antivirus/Antimalware (M1049) | Network/host intrusion prevention systems, antivirus, and detonation chambers can be employed to prevent documents from fetching and/or executing malicious payloads.
Disable or Remove Feature or Program (M1042) | Consider disabling Microsoft Office macros/active content to prevent the execution of malicious payloads in documents, though this setting may not mitigate the Forced Authentication (T1187) use of this technique.
Network Intrusion Prevention (M1031) | Network/host intrusion prevention systems, antivirus, and detonation chambers can be employed to prevent documents from fetching and/or executing malicious payloads.
User Training (M1017) | Train users to identify social engineering techniques and spearphishing emails.

Detection

Analyze process behavior to determine whether an Office application is performing actions such as opening network connections, reading files, spawning abnormal child processes (e.g. PowerShell (T1086)), or other suspicious actions that could relate to post-compromise behavior.