Taint Shared Content describes an adversary tampering with files on network shared storage to deliver malicious code, exploiting the trust users place in shared resources in order to move laterally. These shares normally serve team collaboration and file exchange; once a malicious program, script or exploit is placed on one, the adversary's code spreads through the shared files. When a user opens a tainted file, the embedded malicious code executes and the adversary's code runs on that remote system. The adversary can then use the same technique to extend the activity to further systems and push deeper into the internal network. Traditional defenses rely mainly on file integrity monitoring, anomalous process detection and static signature scanning, identifying the attack by analyzing file modification patterns (such as a large number of overwrite operations) and detecting unusual file types (such as unexpected .LNK files).
As evasion techniques have evolved, protection built on file hashes and static rules faces serious difficulty. Defenders need threat-hunting capability that spans the whole development and operations pipeline, dynamic behavioral baselining, and newer controls such as code-level semantic detection and cross-version change tracking, in order to contain deeply concealed tainting attacks.
| Effect type | Present |
|---|---|
| Signature disguise | ✅ |
| Behavioral transparency | ❌ |
| Data obscuring | ❌ |
| Spatio-temporal dispersion of traces | ✅ |
Adversaries achieve deep disguise by mimicking the structure of legitimate files and blending into business workflows, so that at the static-detection layer a malicious file is hard to tell from a legitimate one; this structure-imitating disguise defeats traditional signature matching. Adversaries may also protect the malicious code with multiple layers of encryption and steganography, for instance hiding it in document metadata, so that the tainted file presents legitimate attributes under static inspection.
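The checks a defender would run against the disguise described above, as an added example that is not part of the original page: a Python scanner that compares each file's magic bytes with its extension, flags shortcut (.LNK) files and double extensions, and flags an executable or shortcut whose name shadows a document in the same directory (the BRONZE BUTLER and RedCurl patterns in the procedure examples). The share layout is constructed in a temporary directory and the magic-byte table is a small illustrative one; both are assumptions of the example, not data from the page.

```python
"""Scan a file share for files that masquerade as legitimate documents.

Added example, not from the original page. The sample share is built in a
temporary directory so the script runs offline; the magic-byte table is a
short illustrative list, not a full file-type database.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

PE_MAGIC = b"MZ"                                  # Windows PE (exe/dll/scr)
ZIP_MAGIC = b"PK\x03\x04"                         # docx/xlsx/pptx are ZIP containers
PDF_MAGIC = b"%PDF"
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"   # ShellLink header size + CLSID prefix

DOC_EXT = {".docx", ".xlsx", ".pptx", ".pdf", ".txt"}
PE_EXT = {".exe", ".dll", ".scr", ".com"}
EXEC_EXT = PE_EXT | {".lnk", ".bat", ".cmd", ".js", ".vbs", ".hta"}


def classify(head: bytes) -> Optional[str]:
    """Identify the container type from the first bytes of a file."""
    if head.startswith(LNK_MAGIC):
        return "lnk"
    if head.startswith(PE_MAGIC):
        return "pe"
    if head.startswith(ZIP_MAGIC):
        return "zip"
    if head.startswith(PDF_MAGIC):
        return "pdf"
    return None


def scan_share(root: str) -> Dict[str, List[str]]:
    """Return {relative path: [reasons]} for every suspicious file under root."""
    findings: Dict[str, List[str]] = {}
    root_path = Path(root)
    for dirpath, _, filenames in os.walk(root_path):
        # Base names of the documents in this directory, e.g. "q3_report" for Q3_report.docx
        doc_cores = {n.split(".")[0].lower() for n in filenames
                     if Path(n).suffix.lower() in DOC_EXT}
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root_path).as_posix()
            ext = path.suffix.lower()
            with open(path, "rb") as fh:
                kind = classify(fh.read(16))
            reasons = []
            # Shortcut files dropped on a document share (RedCurl pattern)
            if ext == ".lnk" or kind == "lnk":
                reasons.append("shortcut file on share")
            # Content contradicts the extension, e.g. a PE named invoice.pdf
            if kind == "pe" and ext not in PE_EXT:
                reasons.append("PE executable with non-executable extension")
            # report.docx.exe style double extension
            suffixes = [s.lower() for s in path.suffixes]
            if len(suffixes) >= 2 and suffixes[-2] in DOC_EXT and suffixes[-1] in EXEC_EXT:
                reasons.append("double extension")
            # Executable or shortcut named after a document in the same folder (BRONZE BUTLER pattern)
            if ext in EXEC_EXT and name.split(".")[0].lower() in doc_cores:
                reasons.append("shadows a document name in the same directory")
            if reasons:
                findings[rel] = reasons
    return findings


def build_sample_share() -> str:
    """Constructed sample share layout (fixture for the example, not real data)."""
    root = tempfile.mkdtemp(prefix="share_")
    finance = Path(root) / "Finance"
    finance.mkdir()
    (finance / "Q3_report.docx").write_bytes(ZIP_MAGIC + b"\x14\x00" + b"\x00" * 64)
    (finance / "Q3_report.docx.lnk").write_bytes(LNK_MAGIC + b"\x00" * 64)          # shadows the report
    (finance / "invoice.pdf").write_bytes(PE_MAGIC + b"\x90\x00\x03\x00" + b"\x00" * 64)  # PE as PDF
    (finance / "budget.pdf").write_bytes(PDF_MAGIC + b"-1.7\n%\xe2\xe3\xcf\xd3\n")
    (finance / "notes.txt").write_bytes(b"quarterly notes\n")
    return root


if __name__ == "__main__":
    for rel, reasons in scan_share(build_sample_share()).items():
        print(rel, "->", "; ".join(reasons))
```

Run it against a mounted share root instead of the fixture to get the same report for real content. The magic-byte check is the part a name-only rule misses: a file that keeps a document extension but starts with `MZ` is exactly the case signature disguise is meant to survive, and it costs sixteen bytes per file to check.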
Adversaries may also write in a dispersed fashion, adding malicious code to the shared directory gradually across several time periods, so that their operations are spread out in time and space. This dilutes the concentration of the behavior and avoids detection rules that key on a large number of writes; long dwell and dispersed triggering break up the continuity of the attack.
| ID | Name | Description |
|---|---|---|
| G0060 | BRONZE BUTLER | BRONZE BUTLER has placed malware on file shares and given it the same name as legitimate documents on the share.[1] |
| G1021 | Cinnamon Tempest | Cinnamon Tempest has deployed ransomware from a batch file in a network share.[2] |
| S0575 | Conti | Conti can spread itself by infecting other remote machines via network shared drives.[3][4] |
| G0012 | Darkhotel | Darkhotel used a virus that propagates by infecting executables stored on shared drives.[5] |
| G0047 | Gamaredon Group | Gamaredon Group has injected malicious macros into all Word and Excel documents on mapped network drives.[6] |
| S0132 | H1N1 | |
| S0260 | InvisiMole | InvisiMole can replace legitimate software or documents in the compromised network with their trojanized versions, in an attempt to propagate itself within the network.[8] |
| S0133 | Miner-C | Miner-C copies itself into the public folder of Network Attached Storage (NAS) devices and infects new victims who open the file.[9] |
| S0458 | Ramsay | Ramsay can spread itself by infecting other portable executable files on network shared drives.[10] |
| G1039 | RedCurl | RedCurl has placed modified LNK files on network drives for lateral movement.[11][12] |
| S0603 | Stuxnet | Stuxnet infects remote servers via network shares and by infecting WinCC database views with malicious code.[13] |
| S0386 | Ursnif | Ursnif has copied itself to and infected files in network drives for propagation.[14][15] |
| ID | Mitigation | Description |
|---|---|---|
| M1049 | Antivirus/Antimalware | Anti-virus can be used to automatically quarantine suspicious files.[16] |
| M1038 | Execution Prevention | Identify potentially malicious software that may be used to taint content or may result from it, and audit and/or block the unknown programs by using application control tools,[17] like AppLocker,[18][19] or Software Restriction Policies[20] where appropriate.[21] |
| M1050 | Exploit Protection | Use utilities that detect or mitigate common features used in exploitation, such as the Microsoft Enhanced Mitigation Experience Toolkit (EMET). |
| M1022 | Restrict File and Directory Permissions | Protect shared folders by minimizing the number of users who have write access. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0022 | File | File Creation | Monitor for newly constructed files; a process that writes or overwrites many files in a network shared directory may be suspicious. |
| DS0022 | File | File Modification | Monitor for processes that write or overwrite many files in a network shared directory; this may be suspicious. |
| DS0033 | Network Share | Network Share Access | Monitor for unexpected and abnormal accesses to network shares, especially those also associated with file activity. |
| DS0009 | Process | Process Creation | Monitor processes that are executed from removable media for malicious or abnormal activity such as network connections due to Command and Control and possible network Discovery techniques. |
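The file-activity detections in the table above (many writes or overwrites to a share, unexpected file types) together with the dispersed-write evasion described earlier, as an added example that is not part of the original page: Python that reads constructed records modelled on Windows Security event 5145 (detailed file share access), treats AccessMask bits 0x2/0x4 as writes, raises a mass-write alert when one account writes 20 or more distinct files to a share inside a five-minute window, flags executable and shortcut file types, and then compares each account's distinct files written across the whole log against a per-account daily baseline so that a low-and-slow writer that never trips the burst threshold is still surfaced. The event records, the thresholds and the baseline figures are all constructed for the example.

```python
"""Detect mass and low-and-slow writes to a network share from event 5145 records.

Added example, not from the original page. Input: constructed JSON records
modelled on Windows Security event 5145 (detailed file share access); the
thresholds and the per-account baseline are assumptions for the example.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# FILE_WRITE_DATA (0x2) and FILE_APPEND_DATA (0x4) in the 5145 AccessMask;
# overwriting an existing document shows up with the write bit set.
WRITE_BITS = 0x2 | 0x4
# File types that rarely belong in a document share (cf. RedCurl's LNK files).
SUSPECT_EXT = (".lnk", ".exe", ".dll", ".scr", ".bat", ".cmd", ".js", ".vbs", ".hta")


def parse_event(line):
    e = json.loads(line)
    return {
        "ts": datetime.fromisoformat(e["TimeCreated"]),
        "user": e["SubjectUserName"],
        "share": e["ShareName"],
        "target": e["RelativeTargetName"],
        "mask": int(e["AccessMask"], 16),
    }


def detect(lines, window=timedelta(minutes=5), burst_threshold=20,
           daily_baseline=None, drip_factor=3):
    """Return alerts as (kind, user, share, detail) tuples, in the order raised."""
    daily_baseline = daily_baseline or {}
    events = sorted((parse_event(ln) for ln in lines), key=lambda e: e["ts"])
    alerts = []
    recent = defaultdict(deque)   # (user, share) -> (ts, target) pairs inside the window
    seen = defaultdict(set)       # (user, share) -> distinct targets written in the whole log
    burst_fired = set()
    for e in events:
        if not e["mask"] & WRITE_BITS:
            continue              # reads are noise for this technique
        key = (e["user"], e["share"])
        if e["target"].lower().endswith(SUSPECT_EXT):
            alerts.append(("suspicious_file_type", e["user"], e["share"], e["target"]))
        q = recent[key]
        q.append((e["ts"], e["target"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()           # slide the window forward
        distinct = len({t for _, t in q})
        if distinct >= burst_threshold and key not in burst_fired:
            burst_fired.add(key)
            alerts.append(("mass_write_burst", e["user"], e["share"], distinct))
        seen[key].add(e["target"])
    # Low-and-slow: each write alone is unremarkable, the day's total is not.
    for (user, share), targets in seen.items():
        base = daily_baseline.get(user, 1)   # assumed distinct files per day for this account
        if (user, share) not in burst_fired and len(targets) > drip_factor * base:
            alerts.append(("slow_drip_writes", user, share, len(targets)))
    return alerts


def sample_log_lines():
    """Constructed 5145 records for one working day; not real telemetry."""
    start = datetime(2024, 3, 4, 9, 0, 0)
    share = r"\\*\Finance"

    def rec(ts, user, target, mask="0x2"):
        return json.dumps({"EventID": 5145, "TimeCreated": ts.isoformat(),
                           "SubjectUserName": user, "ShareName": share,
                           "RelativeTargetName": target, "AccessMask": mask})

    lines = []
    # rkhan overwrites 25 documents in two minutes (macro injection / ransomware pattern)
    for i in range(25):
        lines.append(rec(start + timedelta(seconds=5 * i), "rkhan", f"Reports\\doc{i:02d}.docx"))
    # jdoe drops one file an hour for ten hours: never 20 inside any five-minute window
    for h in range(10):
        lines.append(rec(start + timedelta(hours=h), "jdoe", f"Shared\\memo{h}.docx"))
    # asmith: ordinary activity, three edits and one read
    for i in range(3):
        lines.append(rec(start + timedelta(minutes=30 * i), "asmith", f"Budget\\sheet{i}.xlsx"))
    lines.append(rec(start + timedelta(minutes=5), "asmith", "Budget\\sheet0.xlsx", mask="0x1"))
    # mlee places a shortcut next to the documents
    lines.append(rec(start + timedelta(hours=2), "mlee", "Tools\\Q3_report.docx.lnk"))
    return lines


SAMPLE_BASELINE = {"rkhan": 5, "jdoe": 2, "asmith": 5, "mlee": 5}  # assumed distinct files/day

if __name__ == "__main__":
    for alert in detect(sample_log_lines(), daily_baseline=SAMPLE_BASELINE):
        print(alert)
```

Two practical notes. Backup, sync and deployment accounts trip the burst rule legitimately, so allowlist or baseline them individually rather than raising the threshold for everyone. The drip rule is only as good as its baseline; derive the per-account figure from several weeks of history, and keep the window rule as well, since an attacker who knows the daily baseline can pace below it but then needs many days on the share, which the share-access data source (DS0033) will also record.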