ATT&CK - 加密数据以产生影响

admin 2024年4月15日03:45:51评论6 views字数 2266阅读7分33秒阅读模式




Data Encrypted for Impact

Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR

To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like Valid Accounts, Credential Dumping, and Windows Admin Shares.


策略: 影响

平台: Linux,macOS,Windows

所需权限: user,administrator,root,SYSTEM

数据源: 内核驱动程序,文件监视,进程命令行参数,进程监视

影响类型: 可用性


减轻 描述
数据备份 考虑实施IT灾难恢复计划,其中包含定期获取和测试可用于还原组织数据的数据备份的过程。确保备份存储在系统之外,并且免受攻击者可能用来获取访问权限并破坏备份以防止恢复的常见方法的攻击。
Mitigation Description
Data Backup Consider implementing IT disaster recovery plans that contain procedures for regularly taking and testing data backups that can be used to restore organizational data. Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.




Use process monitoring to monitor the execution and command line parameters of of binaries involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit. Monitor for the creation of suspicious files as well as unusual file modification activity. In particular, look for large quantities of file modifications in user directories.

In some cases, monitoring for unusual kernel driver installation activity can aid in detection.

- 译者: 林妙倩、戴亦仑 .

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
  • 本文由 发表于 2024年4月15日03:45:51
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   ATT&CK - 加密数据以产生影响


匿名网友 填写信息