Creating or modifying system processes is a key technique by which attackers achieve persistence and privilege escalation through manipulation of operating-system-level services, daemons, or agents. Attackers may install new services or tamper with existing service configurations so that malicious payloads run at system startup or on a schedule. Traditional defenses rely mainly on monitoring service configuration changes (such as the Windows registry Services subkeys), detecting abnormal process-tree structures, analyzing the characteristics of service binaries, and reviewing logs of service-related command-line invocations.
To evade these traditional detection mechanisms, attackers have developed highly covert process-manipulation techniques: through in-memory execution, dynamic disguise, and deep parasitism they blend malicious services into the execution framework of core operating-system components, building a persistent attack chain that conventional means struggle to identify.
What current system-process concealment techniques have in common is that they break the traditional "file-to-process" correspondence and restructure how a malicious service is stored and how it runs. Parasitic injection into legitimate process code removes the need for a standalone malicious process, achieving "zero-signature" residence by reusing the host process's resources. Dynamic service-configuration disguise provides the ability to obfuscate service metadata on the fly, so that the malicious service presents legitimate characteristics at the configuration-audit layer. Fileless memory-resident service techniques shed any dependence on disk storage entirely, building a complete service runtime environment in memory alone. The core innovation in all three classes revolves around "de-materialization" and "environmental mimicry": by deeply exploiting low-level operating-system mechanisms, the malicious service satisfies the system's legitimacy checks at every stage of creation, loading, and execution, while evading static detection based on signature matching. The maturation of memory-level attack techniques in particular marks the entry of system-process adversarial activity into a "non-materialized" stage, posing a fundamental challenge to defensive systems built on file monitoring.
The evolution of concealment techniques is forcing defenses to shift toward deeper detection approaches such as memory behavior analysis and runtime integrity verification. Defenders need to build hardware-virtualization-based memory monitoring capabilities, develop dynamic baseline models of service behavior, and strengthen trust-chain verification between service components in order to counter novel covert process threats effectively.
| Effect type | Present |
|---|---|
| Signature disguise | ✅ |
| Behavioral transparency | ❌ |
| Data shielding | ✅ |
| Spatiotemporal trace dispersion | ✅ |
Attackers achieve disguise by closely imitating the characteristics of legitimate services, including dynamically generating service names that follow the target environment's naming conventions, forging digital-signature information, and reusing the resources of core system processes. For example, a malicious service's configuration can use the same description template as native system services, so that service-enumeration tools cannot identify the anomaly through textual features, effectively "whitelisting" the attack payload.
In fileless memory-resident techniques, the malicious service's configuration data and executable code are stored entirely in encrypted memory regions, with anti-memory-dump techniques preventing extraction of key data. Some advanced implementations transmit configuration information over TLS-encrypted channels or use just-in-time (JIT) compilation to generate execution code dynamically, rendering traditional detection methods based on disk forensics or memory signature scanning ineffective.
Attackers use low-frequency triggering and conditional activation so that the malicious service executes its payload only on specific system events (such as network disconnection or screensaver activation) or in specific time windows (such as the first working day of each month). By spreading malicious behavior over a long period and aligning it with the rhythm of normal system activity, they significantly reduce the density of detectable features per unit of time and evade anomaly-detection models based on behavioral frequency.

| ID | Name | Description |
|---|---|---|
| S0401 | Exaramel for Linux | Exaramel for Linux has a hardcoded location that it uses to achieve persistence if the startup system is Upstart or System V and it is running as root.[1] |
| S1152 | IMAPLoader | IMAPLoader modifies Windows tasks on the victim machine to reference a retrieved PE file through a path modification.[2] |
| S1121 | LITTLELAMB.WOOLTEA | LITTLELAMB.WOOLTEA can initialize itself as a daemon to run persistently in the background.[3] |
| S1142 | LunarMail | LunarMail can create an arbitrary process with a specified command line and redirect its output to a staging directory.[4] |

| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit | Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them. |
| M1040 | Behavior Prevention on Endpoint | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent an application from writing a signed vulnerable driver to the system.[5] On Windows 10 and 11, enable the Microsoft Vulnerable Driver Blocklist to assist in hardening against third-party-developed drivers.[6] |
| M1045 | Code Signing | Enforce registration and execution of only legitimately signed service drivers where possible. |
| M1033 | Limit Software Installation | Restrict software installation to trusted repositories only and be cautious of orphaned software packages. |
| M1028 | Operating System Configuration | Ensure that Driver Signature Enforcement is enabled to restrict unsigned drivers from being installed. |
| M1026 | Privileged Account Management | Manage the creation, modification, use, and permissions associated with privileged accounts, including SYSTEM and root. |
| M1022 | Restrict File and Directory Permissions | Restrict read/write access to system-level process files to only select privileged users who have a legitimate need to manage system services. |
| M1054 | Software Configuration | Where possible, consider enforcing the use of container services in rootless mode to limit the possibility of privilege escalation or malicious effects on the host running the container. |
| M1018 | User Account Management | Limit privileges of user accounts and groups so that only authorized administrators can interact with system-level process changes and service configurations. |

| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0017 | Command | Command Execution | Command-line invocation of tools capable of modifying services may be unusual, depending on how systems are typically used in a particular environment. Look for abnormal process call trees from known services and for execution of other commands that could relate to Discovery or other adversary techniques. |
| DS0032 | Container | Container Creation | Monitor for newly constructed containers that repeatedly execute malicious payloads as part of persistence or privilege escalation. |
| DS0027 | Driver | Driver Load | Monitor for new service driver installations and loads (e.g., Sysmon Event ID 6) that are not part of known software update/patch cycles. |
| DS0022 | File | File Creation | Monitor for newly constructed files that may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. |
| DS0022 | File | File Modification | Monitor for changes to files associated with system-level processes. |
| DS0009 | Process | OS API Execution | Monitor for API calls that may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. |
| DS0009 | Process | Process Creation | New, benign system processes may be created during installation of new software. |
| DS0019 | Service | Service Creation | Monitor for newly constructed services/daemons that may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. |
| DS0019 | Service | Service Modification | Monitor for changes to system processes that do not correlate with known software, patch cycles, etc., including by comparing results against a trusted system baseline. |
| DS0024 | Windows Registry | Windows Registry Key Creation | Monitor for newly constructed Windows registry keys that may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. |
| DS0024 | Windows Registry | Windows Registry Key Modification | Monitor for changes to Windows registry keys and/or values that may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. |
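One way to implement the trusted-baseline comparison described under DS0019 (Service Creation / Service Modification), as an added example that is not part of the original page: the inventory record format, both snapshots, and the list of trusted binary directories are assumptions constructed for the example, not data from any real host.

```python
# Added example: compare a service inventory against a trusted baseline.
# Record format and both snapshots are constructed for this example.

# Constructed baseline: services captured from a known-good host.
BASELINE = {
    "wuauserv": {"image_path": r"C:\Windows\System32\svchost.exe -k netsvcs",
                 "start_type": "auto", "signed": True},
    "Spooler": {"image_path": r"C:\Windows\System32\spoolsv.exe",
                "start_type": "auto", "signed": True},
}

# Constructed current snapshot: one existing service re-pointed to a
# user-writable path, plus a new service with a plausible-looking name.
CURRENT = {
    "wuauserv": BASELINE["wuauserv"],
    "Spooler": {"image_path": r"C:\Users\Public\spoolsv.exe",
                "start_type": "auto", "signed": False},
    "WinUpdateHelper": {"image_path": r"C:\ProgramData\update\helper.exe",
                        "start_type": "auto", "signed": False},
}

# Directories service binaries are expected to run from (assumption;
# tune to the environment's own software baseline).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\program files")


def diff_services(baseline, current):
    """Return (service, finding, detail) tuples for every deviation from
    the baseline and for binaries outside trusted paths or unsigned."""
    findings = []
    for name, svc in current.items():
        base = baseline.get(name)
        if base is None:
            findings.append((name, "new_service", svc["image_path"]))
        else:
            for field in ("image_path", "start_type", "signed"):
                if base[field] != svc[field]:
                    findings.append((name, "changed_" + field,
                                     f"{base[field]} -> {svc[field]}"))
        # Placement and signing checks apply to every service, old or new.
        path = svc["image_path"].lower().lstrip('"')
        if not path.startswith(TRUSTED_DIRS):
            findings.append((name, "untrusted_path", svc["image_path"]))
        if not svc["signed"]:
            findings.append((name, "unsigned_binary", svc["image_path"]))
    # A service that vanished from the inventory is also a change worth review.
    for name in baseline.keys() - current.keys():
        findings.append((name, "removed_service", baseline[name]["image_path"]))
    return findings
```

Running `diff_services(BASELINE, CURRENT)` flags the re-pointed Spooler binary and the new unsigned service while leaving the unchanged wuauserv entry silent, which is the filtering a baseline comparison is meant to give an analyst.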