Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.(Citation: Backdooring an AWS account)(Citation: Varonis Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001)
Adversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.(Citation: FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia malware)
Since the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges.
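As an added defender-side example (not part of the original page or of the Intel/CrowdStrike mapping), the following PowerShell enumerates permanent WMI event subscriptions, one Windows mechanism for the event-triggered execution described above, and flags bindings whose consumer runs a command line or script when its filter fires. The namespace, class and property names are the standard WMI ones; the function name is our own, and the script needs local administrator rights on the host under review.

```powershell
# Added example: report live WMI permanent event subscriptions (T1546.003-style
# persistence) and flag consumers that execute a command or script.
# Function name is ours; WMI class/property names are the standard ones.
function Get-WmiSubscriptionReport {
    $ns = 'root\subscription'

    # __EventFilter: the WQL query that defines the triggering event.
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    # __EventConsumer: the action taken when the event fires (abstract base class,
    # so this returns every concrete consumer type).
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
    # __FilterToConsumerBinding: only a bound filter/consumer pair is live.
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

    # Consumer classes that run attacker-controlled content on the host.
    $execConsumers = 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'

    foreach ($b in $bindings) {
        # Binding references carry the key (Name) of the filter and consumer.
        $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
        $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }
        $type = $c.CimClass.CimClassName

        # Pull out whatever the consumer would actually execute.
        $payload = switch ($type) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName } }
            default                     { '' }
        }

        [pscustomobject]@{
            Filter     = $f.Name
            Query      = $f.Query
            Consumer   = $c.Name
            Type       = $type
            Payload    = $payload
            # Flag anything that runs a command or script; compare the rest
            # against a known-good baseline for the host.
            Suspicious = ($type -in $execConsumers)
        }
    }
}

# Review the flagged rows first; the Query shows which event (logon, process
# start, timer, ...) triggers the Payload.
Get-WmiSubscriptionReport | Sort-Object Suspicious -Descending | Format-List
```

A stock Windows install carries a default filter/consumer pair for the Service Control Manager event log, so an empty or non-flagged result set is the expected baseline.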
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
intel-tdt | Intel Threat Detection Technology | CrowdStrike AMS | T1546 | Event Triggered Execution | |
Comments
Intel Threat Detection Technology (TDT) and CrowdStrike Falcon Accelerated Memory Scanning (CAMS): Defending Against System, Owner, User, and Network Information Discovery Attacks
Intel Threat Detection Technology (TDT), combined with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), enhances cybersecurity defenses by enabling faster, real-time detection of System, Owner, User, and Network Information Discovery attacks. This integrated solution strengthens CrowdStrike Falcon, improving its ability to detect and mitigate cyber threats earlier in the kill chain, while minimizing system performance impact.
System, Owner, User, and Network Information Discovery attacks involve adversaries attempting to collect detailed information about the system they’ve infiltrated. Attackers gather data about the operating system, local users, network configurations, system owner, active connections, and network shares. This information is typically used to plan further exploitation, lateral movement, and privilege escalation within the target network. By querying system properties, user accounts, and network settings, attackers gain the intelligence necessary for executing advanced attacks. Intel TDT plays a crucial role by providing real-time telemetry on program execution, memory access, and control flow, enabling quick detection of abnormal activities like unauthorized information gathering from system and network resources.
Additionally, CAMS offloads the memory scanning workload from the CPU to the Intel Integrated GPU, ensuring faster and more efficient detection of suspicious activity without negatively impacting system performance. CAMS is capable of identifying the unauthorized collection of system, user, or network-related data, helping to detect when attackers are gathering intelligence for the purpose of launching further attacks.