
What does "mass storage devices" mean? Usage and examples: Hardware Additions


The Hardware Additions technique consists of attackers using devices of different natures, including computer accessories, computers, and network hardware introduced inside the targeted infrastructure. In this way, the attacker tries to gain internal access to the company's system or network using the hardware devices as vectors.

This technique is particularly insidious since hardware add-ons are indistinguishable from the tools and components normally found in offices and companies. Due to this similarity, an attacker can easily pass off such devices as standard hardware. The most significant effort lies in the social engineering that the attacker must use to gain physical access to a corporate device or directly to corporate environments. Once inside, it is not challenging to hide small devices that look similar to legitimate tools and to insert or disseminate them. Nevertheless, there are few examples of applications in real contexts. On the other hand, many companies dedicated to red teaming or penetration testing use this technique to obtain an access point during engagements at client companies.


Different types of devices can be used to apply this technique: many products are marketed by manufacturers who offer ready-to-use devices. Open source solutions can also be applied to personal hardware or hardware purchased elsewhere.

Among the many capabilities they possess, these products can be exploited for:

Universal Serial Bus (USB) is an industry standard for serial communication, used as a cable for communication and for powering computer peripherals or other compatible devices.

The interfaces defined within the USB standard are currently the most common, having supplanted many other forms of interfaces that generally tended to be much slower. In addition, the ability to have a standard type of port significantly increases flexibility for computer and host device manufacturers because there are no longer multiple types of cables and ports as there were previously. Finally, USB allows up to 127 different peripherals to be connected to a single host (through hubs).

These advantages were the impetus behind the creation of the USB standard. In November 1994, the first USB specification, version 0.7, was released. This was followed in January 1996 by USB 1.0, which was widely adopted and became the standard on many PCs and printers. In addition, a variety of other peripherals adopted the USB interface, with small memory sticks beginning to appear as a convenient way to transfer or temporarily store data.

In terms of performance, the speed attainable by the various versions of USB is summarized in the following table (values are theoretical):

Marketing name                                  Specification names                          Speed
SuperSpeed USB 5Gbps (formerly SuperSpeed)      USB 3.0 / USB 3.1 Gen 1 / USB 3.2 Gen 1x1    5 Gbit/s
SuperSpeed USB 10Gbps (formerly SuperSpeed+)    USB 3.1 / USB 3.1 Gen 2 / USB 3.2 Gen 2x1    10 Gbit/s
SuperSpeed USB 10Gbps (two 5 Gbit/s lanes)      USB 3.2 / USB 3.2 Gen 1x2                    10 Gbit/s

Operation is very user friendly and makes almost all operations transparent and automatic, thanks in part to plug and play (PnP) capabilities. The USB host automatically detects when a new device has been added, prompts it for its identification, and subsequently configures the appropriate drivers.

The USB system has many different connectors. In the first versions, the standard provided two types of connectors: Type A, also called downstream (however, the flow is bidirectional), and Type B, also called upstream (however, the flow is bidirectional). There are also Mini and Micro connector versions of the previous types. Since the USB 3.1 release, a new connector, Type C, has also been introduced, providing significantly higher transfer performance and additional power and application capabilities.

The topology used by a USB system is a multi-level (tiered) star topology, i.e., it has a host with one or more downstream ports to which as many peripheral devices are connected. Additional USB hubs can be cascaded, allowing up to five levels. USB devices attach to these hubs. The starting hub, i.e., the one embedded in the host controller, is called the root hub. Finally, a single USB host can have more than one controller, each of which can have one or more ports to which USB devices are connected.

Often a USB device consists of several logical sub-devices called device functions. A composite device provides several functions under a single address, such as a webcam (video device function) with a built-in microphone (audio device function). The alternative is a compound device, where the host assigns each logical device a separate address; all logical devices connect to an integrated hub that connects to the physical USB cable.

Each USB device has different functionalities that must be recognized by the host system into which it is inserted. The host machine must acquire this information to install the most suitable driver and better manage requests. To know what the new device is specialized in, there are classes with corresponding identifiers that specify this information; they are exchanged with the host through the device descriptor at the beginning of the connection between host and device.

There are many classes, of which the most commonly used are listed below (class code, class name, typical devices):

01h   Audio                 Speaker, microphone, sound card, MIDI
03h   Human Interface Device (HID)   Keyboard, mouse, joystick
07h   Printer               Laser printer, inkjet printer, CNC machine
08h   Mass Storage          USB flash drive, memory card reader, digital audio player, digital camera, external drive
E0h   Wireless Controller   Bluetooth adapter, Microsoft RNDIS
FFh   Vendor Specific       Indicates that a device needs vendor-specific drivers
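As an added example (not code from the original article), the following Python walks a USB device descriptor and the configuration descriptor chain that a host reads during enumeration, and reports the class at both the device and the interface level. A composite device reports class 00h at device level and declares its real classes per interface, which is where an HID keyboard actually shows up. The descriptor bytes are constructed for illustration: vendor id 03EB (Atmel) paired with a made-up product id 0001, once with a boot-keyboard HID interface and once with a bulk-only mass-storage interface.

```python
import struct
from dataclasses import dataclass, field

# Standard descriptor type codes (USB 2.0 spec, table 9-5) plus the HID class descriptor.
DT_DEVICE, DT_CONFIGURATION, DT_INTERFACE, DT_ENDPOINT, DT_HID = 0x01, 0x02, 0x04, 0x05, 0x21
CLASS_HID, CLASS_MASS_STORAGE = 0x03, 0x08
CLASS_NAMES = {0x00: "per interface", 0x01: "Audio", 0x03: "HID", 0x07: "Printer",
               0x08: "Mass Storage", 0xE0: "Wireless Controller", 0xFF: "Vendor Specific"}


@dataclass
class UsbIdentity:
    id_vendor: int
    id_product: int
    device_class: int
    # (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol) for each interface descriptor
    interfaces: list = field(default_factory=list)

    @property
    def has_keyboard_interface(self) -> bool:
        # HID class 03h, boot-interface subclass 01h, keyboard protocol 01h
        return (CLASS_HID, 0x01, 0x01) in self.interfaces

    def summary(self) -> str:
        dev = CLASS_NAMES.get(self.device_class, f"{self.device_class:02X}h")
        ifaces = ", ".join(CLASS_NAMES.get(c, f"{c:02X}h") for c, _, _ in self.interfaces)
        return f"VID {self.id_vendor:04X} PID {self.id_product:04X}: device class {dev}; interfaces: {ifaces}"


def parse_device_descriptor(raw: bytes) -> UsbIdentity:
    """Parse the 18-byte standard device descriptor (bLength 12h, bDescriptorType 01h)."""
    fields = struct.unpack_from("<BBHBBBBHHHBBBB", raw)
    b_length, b_type, _bcd_usb, dev_class = fields[:4]
    id_vendor, id_product = fields[7], fields[8]
    if b_length != 18 or b_type != DT_DEVICE:
        raise ValueError("not a device descriptor")
    return UsbIdentity(id_vendor, id_product, dev_class)


def parse_configuration(raw: bytes, ident: UsbIdentity) -> UsbIdentity:
    """Walk the configuration descriptor chain by bLength and collect the
    class/subclass/protocol triple of every interface descriptor."""
    total_len = struct.unpack_from("<H", raw, 2)[0]   # wTotalLength
    end = min(total_len, len(raw))
    off = 0
    while off + 2 <= end:
        b_length, b_type = raw[off], raw[off + 1]
        if b_length < 2 or off + b_length > end:
            raise ValueError("malformed descriptor chain")
        if b_type == DT_INTERFACE and b_length >= 9:
            ident.interfaces.append(tuple(raw[off + 5:off + 8]))
        off += b_length
    return ident


def audit(device_desc: bytes, config_desc: bytes) -> UsbIdentity:
    return parse_configuration(config_desc, parse_device_descriptor(device_desc))


# Constructed sample descriptors (not captured from a real product): VID 03EB, PID 0001.
DEVICE_DESC = bytes.fromhex("12 01 00 02 00 00 00 08 EB 03 01 00 00 01 01 02 03 01")
KEYBOARD_CONFIG = bytes.fromhex(
    "09 02 22 00 01 01 00 80 32"      # configuration, wTotalLength 0x0022, 1 interface
    "09 04 00 00 01 03 01 01 00"      # interface: class 03 HID, boot subclass, keyboard protocol
    "09 21 11 01 00 01 22 3F 00"      # HID class descriptor, 63-byte report descriptor
    "07 05 81 03 08 00 0A")           # endpoint 1 IN, interrupt, 8 bytes, 10 ms interval
STORAGE_CONFIG = bytes.fromhex(
    "09 02 20 00 01 01 00 80 32"      # configuration, wTotalLength 0x0020, 1 interface
    "09 04 00 00 02 08 06 50 00"      # interface: class 08 Mass Storage, SCSI, bulk-only transport
    "07 05 81 02 00 02 00"            # endpoint 1 IN, bulk, 512 bytes
    "07 05 02 02 00 02 00")           # endpoint 2 OUT, bulk, 512 bytes

if __name__ == "__main__":
    for cfg in (KEYBOARD_CONFIG, STORAGE_CONFIG):
        ident = audit(DEVICE_DESC, cfg)
        print(ident.summary(), "-> keyboard interface:", ident.has_keyboard_interface)
```

Both samples report device class 00h, so a check that reads only the device descriptor learns nothing; the interface class is what separates the stick from the keyboard.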

MITRE ATT&CK® classification: T1200 Hardware Additions.

The HID-based attack, also known as USB Drive-By, is a type of Hardware Additions that falls under the Initial Access tactic, as it is used to obtain an access point to a target machine.

The access point on the target machine that the attacker manages to obtain is based on a fundamental requirement: physical access to that machine. This sub-technique is very effective and cost-beneficial for the attacker because the devices used are very cheap and easy to find, which makes the overall attack simple to realize. Moreover, in case of a successful attack, the impact is significant, as it consists of complete control over the actions that can be performed on the machine.

An HID-based attack consists of using a USB device recognized by the target machine as an HID, configurable and programmable via software to execute arbitrary code and actions. The devices are usually programmable embedded development platforms or hardware readily available online. Sometimes attackers can use off-the-shelf devices, such as the USB Rubber Ducky, which are extremely easy to configure and do not require high technical development skills. Once the USB device is ready, it will look like an ordinary USB stick of the kind everyone owns for work or other purposes. The difference lies in the class to which the attached device belongs: it is not part of the Mass Storage class but of the HID class. Consequently, once the device is connected to a target machine, it will perform a preconfigured set of actions. These actions will occur as if a keyboard had been plugged in, without producing the kind of malicious behavior that can be intercepted and recognized by an antivirus. The activities can vary from simply opening malicious web pages to dropping malicious payloads on the target computer.

A fundamental aspect to consider for this type of attack is that it works independently of the operating system installed on the target machine. Every platform, be it Linux, Windows, or Mac OS X, is configured to accept HID input devices such as a keyboard or mouse without special precautions unless set by the user. The principle is based on the user's trust and on what the user connects to the machine. In addition, basic policy configurations based on distrust of mass storage devices are insufficient, as only those connections will be blocked, while HID connections will continue to be potential threats. In fact, IT administrators often do not consider this possibility and tend to block only certain device types connecting to the USB ports of company machines.

For the reasons reported above, attacks of this type are highly harmful. Classic attack methodologies can very often be circumvented and mitigated by continuously updating and patching vulnerable systems. In this kind of attack, instead, attention must be focused on the continuous training and awareness of users. For ease of use, the tendency is often not to apply policies that totally block HID devices; the only complete defense against such attacks is disabling input connections altogether, which is often not possible, especially in working environments with many employees with different needs.

With awareness of these issues, attackers may be more likely to use these techniques, which require minimal effort. Very often, the only real capability needed is the social engineering that the attacker exploits to gain physical access to the machine.

Detecting HID-based attacks is very complex from a technical standpoint. It is necessary to correlate multiple events and pieces of information that together can tell that something is happening.

Strategy 1

Check the information about the connected USB device.

It is possible to make a preliminary, cursory detection by checking what information about the USB device connected to the machine has been recorded. Event 6416 generates a log entry whenever an external device is connected to the machine. By analyzing the fields of this event, it is possible to recover all the information describing the device and to trace anomalies or suspicious information.

For example, most USB HID devices used for attacks are based on two microcontrollers, both created by the same company, ATMEL. It is, therefore, possible to search the VendorIds field for Atmel's vendor identifier.

Generally speaking, it is possible to perform a search based on the fields present in event 6416 regarding the class, the vendor, the product, and the device name.

Event 6416 (A new external device was recognized by the System) is generated every time a system recognizes a new external device, for example when a new external device is connected or enabled. By default, auditing of this event is disabled. To enable it, edit the following group policy: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Detailed Tracking > Audit PNP Activity.

However, such an approach does not account for the possibility of the attacker disguising the on-device information, bypassing these simple controls. For example, it could spoof the idVendor of an existing keyboard vendor.

Strategy 2

Check the correspondence between class and usage.

If you know the type of use for which the device was connected to the machine, you can compare it with its class.

By analyzing the 6416 event, it is possible, for example, to verify that a device passed off as Mass Storage (MSC or UMS), i.e., class 08h, is instead class 03h, i.e., Human Interface Device (HID).


All USB HID devices, whether keyboards, mice, or malicious devices posing as such, generate at least one 6416 event that identifies them as HID devices and can be detected through the ClassName, which will be HIDClass, or through the ClassId, which will be 745a17a0-74d3-11d0-b6fe-00a0c90f57da.

The malicious USB HID devices will then also generate other 6416 events that look like those of a generic USB device or of a keyboard; usually these correspond to the ClassName USBDevice (ClassId 88bae032-5a81-49f0-bc3d-a4ff138216d6) and Keyboard (ClassId 4d36e96b-e325-11ce-bfc1-08002be10318), respectively.

Strategy 3

Detect a command prompt opened shortly after the device is inserted.

One method to detect malicious actions by an attacker using a malicious USB HID device is to check for the execution of processes such as PowerShell or CMD. Often, the actions contained in the attack script involve the execution of specific commands (e.g., to kill a process) which are launched from the command line. Some of these commands require administrator permissions, which are easily obtained through this type of attack by clicking through the UAC prompt if it is not appropriately secured.

Opening the command line and typing commands can happen very quickly from the moment the malicious USB HID device is inserted. So one could look for all events that execute, for example, PowerShell or CMD within a time range of 10 seconds after the occurrence of event 6416.

With the help of tools like Sysmon, valuable information that is often not logged automatically can be retrieved. If Sysmon is installed and available on the systems, it can be used as follows to detect process creation events.

Sysmon Event ID 1 (Process Creation) provides extended information about a newly created process. Additionally, the full command line provides context on the process execution. By default, this event is already enabled for all processes.

For example, the Azure Sentinel SIEM has a Kusto query to detect this type of attack (it uses the older Defender ATP advanced hunting table names MiscEvents and ProcessCreationEvents, which correspond to today's DeviceEvents and DeviceProcessEvents):

// Identify HID-based attacks
// HID devices that open command prompts within 10 seconds
let MalPnPDevices =
MiscEvents
| where ActionType == "PnpDeviceConnected"
| extend parsed = parse_json(AdditionalFields)
| sort by EventTime desc nulls last
| where parsed.DeviceDescription == "HID Keyboard Device"
| project PluginTime = EventTime, ComputerName, parsed.ClassName, parsed.DeviceId, parsed.DeviceDescription, AdditionalFields;
ProcessCreationEvents
| where ProcessCommandLine contains "powershell" or ProcessCommandLine startswith "cmd"
| project ProcessCommandLine, ComputerName, EventTime, ReportId, MachineId
| join kind=inner MalPnPDevices on ComputerName
| where (EventTime - PluginTime) between (0min .. 10s)
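An offline equivalent of the checks in Strategies 1 to 3 (the 6416 field checks and the 10-second shell window), written in Python as an added example that is neither the article's nor Microsoft's code. It parses a 6416 event in the XML form that Get-WinEvent exposes and matches it against process-creation records (Sysmon event 1 or 4688, reduced to host, time and image). The event XML, the host names WS01/WS02 and the hardware id VID_03EB&PID_0001 are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
HIDCLASS_GUID = "{745a17a0-74d3-11d0-b6fe-00a0c90f57da}"
USBDEVICE_GUID = "{88bae032-5a81-49f0-bc3d-a4ff138216d6}"
KEYBOARD_GUID = "{4d36e96b-e325-11ce-bfc1-08002be10318}"
ATMEL_VID = "03EB"                                   # USB-IF vendor id of Atmel Corp.
SHELL_IMAGES = ("powershell.exe", "pwsh.exe", "cmd.exe")


def parse_time(s: str) -> datetime:
    """SystemTime is UTC ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_6416(xml_text: str) -> dict:
    """Flatten the EventData of a 6416 event into a dict, adding host and time."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    ev = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    ev["host"] = system.findtext("e:Computer", namespaces=NS)
    ev["time"] = parse_time(system.find("e:TimeCreated", NS).get("SystemTime"))
    return ev


def vendor_id(ev: dict):
    """Pull VID_xxxx out of DeviceId/VendorIds (both carry PnP hardware ids)."""
    m = re.search(r"VID_([0-9A-Fa-f]{4})", ev.get("DeviceId", "") + " " + ev.get("VendorIds", ""))
    return m.group(1).upper() if m else None


def device_findings(ev: dict, expected_class: str = None) -> list:
    """Strategies 1 and 2: cheap checks on what the device claims about itself
    (spoofable, as the article notes, so these are triage signals only)."""
    findings = []
    if ev.get("ClassId", "").lower() == HIDCLASS_GUID:
        findings.append("HID class device")
    if vendor_id(ev) == ATMEL_VID:
        findings.append("Atmel vendor id, common on programmable HID boards")
    if expected_class and ev.get("ClassName") != expected_class:
        findings.append(f"expected class {expected_class}, device registered as {ev.get('ClassName')}")
    return findings


def shells_after_plugin(devices: list, processes: list, window=timedelta(seconds=10)) -> list:
    """Strategy 3: a shell started on the same host within `window` after plug-in."""
    hits = []
    for dev in devices:
        for p in processes:
            dt = p["time"] - dev["time"]
            if (p["host"] == dev["host"] and p["image"].lower().endswith(SHELL_IMAGES)
                    and timedelta(0) <= dt <= window):
                hits.append((dev.get("DeviceDescription"), p["image"], dt.total_seconds()))
    return hits


# Constructed 6416 event (shape of Get-WinEvent ... | % ToXml, trimmed to the fields used here).
SAMPLE_6416 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6416</EventID><Computer>WS01</Computer>
    <TimeCreated SystemTime="2024-01-15T09:00:00.000000Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="DeviceId">HID\\VID_03EB&amp;PID_0001\\6&amp;1a2b3c4d&amp;0&amp;0000</Data>
    <Data Name="DeviceDescription">HID Keyboard Device</Data>
    <Data Name="ClassId">{745a17a0-74d3-11d0-b6fe-00a0c90f57da}</Data>
    <Data Name="ClassName">HIDClass</Data>
    <Data Name="VendorIds">HID\\VID_03EB&amp;PID_0001</Data>
  </EventData>
</Event>"""

# Constructed process-creation records: one shell 3.5 s after plug-in on WS01 (hit),
# one two minutes later (outside the window), one on another host (no match).
SAMPLE_PROCESSES = [
    {"host": "WS01", "time": parse_time("2024-01-15T09:00:03.500000Z"),
     "image": "C:\\Windows\\System32\\cmd.exe"},
    {"host": "WS01", "time": parse_time("2024-01-15T09:02:00.000000Z"),
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"host": "WS02", "time": parse_time("2024-01-15T09:00:04.000000Z"),
     "image": "C:\\Windows\\System32\\cmd.exe"},
]

if __name__ == "__main__":
    ev = parse_6416(SAMPLE_6416)
    print(device_findings(ev, expected_class="USBDevice"))
    print(shells_after_plugin([ev], SAMPLE_PROCESSES))
```

The join key is the host name and the window is closed at both ends, mirroring the Kusto query; a real pipeline would also carry the SubjectUserName so the shell can be tied to the session that the device was registered under.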

Strategy4

MonitorUSBflashdriveconnections.

Another detection strategy is based on monitoring the USB Flash Drive connection events that are generated when a USB storage device is connected to or disconnected from the system. Analyzing, for example, event 2003, it can be seen that there is helpful information to identify the device, such as idVendor (VID) and idProduct (PID), in the InstanceID field.

Below is a table showing the Event IDs related to the connection events of USB Flash Drives:

Connection:      1003, 1004, 2000, 2001, 2003, 2004, 2005, 2006, 2010, 2100, 2101, 2105, 2016
Disconnection:   1006, 1008, 2100, 2101, 2102, 2105, 2106, 2900, 2901

Generally speaking, it is possible to perform a search based on the fields present in these events regarding the class, the vendor, the product, and the device name.

By default, auditing of these events is disabled in Windows. It is possible to enable it and see the logs through the Event Viewer by selecting the "Enable Log" option in: Applications and Services Logs > Microsoft > Windows > DriverFrameworks-UserMode > Operational.

However, such an approach does not account for the possibility of the attacker disguising the on-device information, bypassing these simple controls. For example, it could spoof the idVendor of an existing keyboard vendor.

Strategy 5

Check the average time of a keystroke sequence.

Once connected, a malicious USB HID device is recognized by the system as a keyboard and, like a keyboard, will send a sequence of keystrokes depending on the commands specified in the payload.

One possible detection strategy is to monitor the average time between keystrokes. If this time falls below a preset threshold over a sufficiently long run of keys (a human is unlikely to sustain machine-like speed over 25 to 50 consecutive keystrokes), it can be assumed that an attack is in progress, and it can be detected and blocked before it succeeds.

To implement this solution, it is necessary to run a resident keystroke monitor (effectively a keylogger that records only timing) which records the timestamp of each keystroke, compares it with the previous one, and produces an average time for entering a keystroke sequence.

In Rubber Ducky payloads, it is possible to set a delay between one command and the next and also between the insertion of one character and the next. Still, generally one tries to execute the payload in the shortest possible time to make the attack as invisible as possible.
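The timing heuristic above, as an added Python example (not code from the article). KeystrokeMonitor keeps the last 25 keystroke timestamps and alerts when their mean spacing drops under 40 ms; both numbers are assumed starting points for this example, not figures from the article. A real deployment would feed observe() from a keyboard hook; here the four traces are constructed: irregular human typing, a payload typed flat out, the same payload with a 500 ms pause between commands every 15 characters, and a payload padded with a 50 ms per-character delay, which is the evasion the previous paragraph hints at.

```python
from collections import deque
from itertools import accumulate


class KeystrokeMonitor:
    """Sliding-window inter-keystroke timing check.

    window:       consecutive keystrokes considered (the article's rule of thumb is 25 to 50)
    threshold_ms: mean gap below which the run is treated as injected rather than typed
    Both defaults are assumptions made for this example."""

    def __init__(self, window: int = 25, threshold_ms: float = 40.0):
        self.window = window
        self.threshold_ms = threshold_ms
        self._times = deque(maxlen=window)

    def observe(self, t_ms: float) -> bool:
        """Record one keystroke timestamp in milliseconds. Returns True when the
        window is full and its mean inter-key gap is below the threshold."""
        self._times.append(t_ms)
        if len(self._times) < self.window:
            return False
        t = list(self._times)
        mean_gap = (t[-1] - t[0]) / (len(t) - 1)   # mean of the consecutive gaps in the window
        return mean_gap < self.threshold_ms


def first_alert(timestamps_ms, **monitor_kwargs):
    """Index of the keystroke that first triggers the monitor, or None if none does."""
    mon = KeystrokeMonitor(**monitor_kwargs)
    for i, t in enumerate(timestamps_ms):
        if mon.observe(t):
            return i
    return None


def trace_from_gaps(gaps_ms):
    """Keystroke timestamps starting at 0 with the given inter-key gaps."""
    return [0.0] + list(accumulate(gaps_ms))


# Constructed traces of roughly 60 keystrokes each.
HUMAN = trace_from_gaps([150, 110, 190, 120, 160] * 12)        # ~7 keys/s with jitter
BURST = trace_from_gaps([5] * 59)                               # payload typed with no delays
BURST_WITH_PAUSES = trace_from_gaps(([5] * 14 + [500]) * 4)     # 500 ms pause between commands
PADDED = trace_from_gaps([50] * 59)                             # 50 ms per-character delay

if __name__ == "__main__":
    for name, trace in [("human", HUMAN), ("burst", BURST),
                        ("burst with pauses", BURST_WITH_PAUSES), ("padded", PADDED)]:
        print(f"{name:18s} first alert at keystroke: {first_alert(trace)}")
```

The burst is caught at the 25th keystroke whether or not it pauses between commands, because a 25-key window still averages in 23 five-millisecond gaps; a per-character delay of 50 ms slips under the 40 ms threshold, so the threshold is a trade-off against false positives on fast typists and against payloads that deliberately slow down (raising it to 60 ms catches the padded trace as well).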


On Linux systems, events related to USB devices are logged by default; depending on the distribution used, they might be saved in /var/log/syslog* (or /var/log/messages*), in /var/log/kern*, or in both files.

Event logs related to USB devices will contain the idVendor, idProduct, and USB class information. For example, USB HID devices will generate at least one line containing the string hid-generic 0003:xxxx:yyyy, where 0003 is the HID bus type for USB-attached devices (BUS_USB; it happens to coincide with the HID class code 03h but is not the class field), xxxx the idVendor, and yyyy the idProduct.

Generally speaking, it is possible to perform a search based on the fields in USB event logs regarding the class, the vendor, the product, and the device name.

However, such an approach does not account for the possibility of the attacker disguising the on-device information, bypassing these simple controls. For example, it could spoof the name of an existing keyboard vendor.
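The Linux log check above, as an added Python example (not from the article). It extracts idVendor/idProduct from the kernel's "New USB device found" line and from the hid-generic bind line, then reviews every HID device against an allowlist of approved keyboards and against Atmel's vendor id 03EB. The log lines are constructed: 046d:c52b is a real Logitech receiver id used as the benign case, and 03eb:0001 pairs Atmel's vendor id with a made-up product id.

```python
import re

# kernel: usb 1-1: New USB device found, idVendor=03eb, idProduct=0001, bcdDevice= 1.00
NEW_DEVICE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
# kernel: hid-generic 0003:03EB:0001.0001: input,hidraw0: USB HID v1.11 Keyboard [name] on usb-...
HID_GENERIC = re.compile(
    r"hid-generic (?P<bus>[0-9A-F]{4}):(?P<vid>[0-9A-F]{4}):(?P<pid>[0-9A-F]{4})\.\w+: "
    r"input(?:,\w+)*: USB HID v[\d.]+ (?P<kind>\w+) \[(?P<name>[^\]]*)\]")
BUS_USB = "0003"    # HID bus type for USB-attached HID devices; not the USB class code
ATMEL_VID = "03eb"  # USB-IF vendor id of Atmel Corp., lower-cased to match the kernel's idVendor line


def parse_usb_log(lines):
    """Index devices by (vid, pid), recording the port and, once hid-generic binds,
    the HID kind (Keyboard, Mouse, ...) and product name."""
    devices = {}
    for line in lines:
        m = NEW_DEVICE.search(line)
        if m:
            devices.setdefault((m["vid"], m["pid"]), {}).update(port=m["port"])
            continue
        m = HID_GENERIC.search(line)
        if m and m["bus"] == BUS_USB:
            key = (m["vid"].lower(), m["pid"].lower())
            devices.setdefault(key, {}).update(hid_kind=m["kind"], name=m["name"])
    return devices


def review(devices, allowed_hid):
    """Flag HID devices that are not on the approved list or that carry Atmel's vendor id."""
    findings = []
    for (vid, pid), info in sorted(devices.items()):
        if "hid_kind" not in info:
            continue                      # storage, hubs, etc. are out of scope for this check
        reasons = []
        if (vid, pid) not in allowed_hid:
            reasons.append(f"unapproved HID {info['hid_kind']}")
        if vid == ATMEL_VID:
            reasons.append("Atmel vendor id, common on programmable HID boards")
        if reasons:
            findings.append({"vid": vid, "pid": pid, "port": info.get("port"),
                             "name": info.get("name"), "reasons": reasons})
    return findings


# Constructed kernel log excerpt (syslog format).
SAMPLE_LOG = """\
Jan 15 08:00:00 ws01 kernel: [  100.000000] usb 1-2: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.10
Jan 15 08:00:00 ws01 kernel: [  100.010000] hid-generic 0003:046D:C52B.0002: input,hidraw1: USB HID v1.11 Keyboard [Logitech USB Receiver] on usb-0000:00:14.0-2/input0
Jan 15 09:00:00 ws01 kernel: [ 1234.567890] usb 1-1: New USB device found, idVendor=03eb, idProduct=0001, bcdDevice= 1.00
Jan 15 09:00:00 ws01 kernel: [ 1234.570000] usb 1-1: Product: HID Keyboard Device
Jan 15 09:00:00 ws01 kernel: [ 1234.580000] input: HID Keyboard Device as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0/0003:03EB:0001.0001/input/input12
Jan 15 09:00:00 ws01 kernel: [ 1234.581000] hid-generic 0003:03EB:0001.0001: input,hidraw0: USB HID v1.11 Keyboard [HID Keyboard Device] on usb-0000:00:14.0-1/input0
""".splitlines()
APPROVED_HID = {("046d", "c52b")}   # the organisation's issued keyboards/receivers (placeholder)

if __name__ == "__main__":
    for finding in review(parse_usb_log(SAMPLE_LOG), APPROVED_HID):
        print(finding)
```

As the article warns, both signals come from the device itself: a spoofed idVendor/idProduct matching an approved keyboard passes this review, so it should be combined with behavioural checks such as the keystroke-timing or shell-after-plug-in strategies.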

Below is a table describing the most important fields of event 6416, used in all of the strategies above:

SubjectUserSid       The SID of the account that registered the new device.
SubjectUserName      The name of the account that registered the new device.
SubjectDomainName    The domain name of the account that registered the new device.
DeviceId             The attribute related to the device id.
DeviceDescription    The attribute related to the device name.
ClassId              The attribute related to the device class GUID.
ClassName            The attribute related to the device class name.
VendorIds            The attribute related to the device type specified by the vendor.

The VendorIds field of Event ID 6416 contains the vendor identifier (VID) assigned by the USB Implementers Forum (USB-IF). Several online databases contain information about vendors, their VIDs, their products and the corresponding identifiers (PIDs). For example, you can check the VID of Atmel Corp., i.e., 03EB.

Below is a table showing the ClassName and ClassId values most commonly used to detect malicious USB HID devices:

USBDevice    {88bae032-5a81-49f0-bc3d-a4ff138216d6}
HIDClass     {745a17a0-74d3-11d0-b6fe-00a0c90f57da}
Keyboard     {4d36e96b-e325-11ce-bfc1-08002be10318}

As mentioned above, detection strategies based only on verifying device information, such as idVendor and idProduct, are not sufficient to ensure that all attacks are detected, because it is possible for an attacker to spoof this data.

For example, for a Rubber Ducky device, it is possible to access the firmware source code and modify the USB_DEVICE_VENDOR_ID and USB_DEVICE_PRODUCT_ID constants in the conf_usb.h file, inserting the same values as a well-known and non-blacklisted manufacturer.

In this way, every time the device is connected to a system, it will be recognized as trusted, so it is necessary to combine a detection strategy based on vendor and product blacklists with other methods.

To counter the HID-based attack, the following countermeasures (the list is not exhaustive) are recommended:



Copyright © 2023