CAPEC-558: Replace Trusted Executable
CAPEC版本: 3.9
更新日期: 2023-01-24
攻击模式描述
An adversary exploits weaknesses in privilege management or access control to replace a trusted executable with a malicious version and enable the execution of malware when that trusted executable is called.
示例实例
Specific versions of Windows contain accessibility features that may be launched with a key combination before a user has logged in (for example when they are on the Windows Logon screen). On Windows XP and Windows Server 2003/R2, the program (e.g. "C:\Windows\System32\utilman.exe") may be replaced with cmd.exe (or another program that provides backdoor access). Then pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over RDP will cause the replaced file to be executed with SYSTEM privileges.
分类映射
| 分类名称 | 条目ID | 条目名称 |
|---|---|---|
| ATTACK | 1505.005 | Server Software Component: Terminal Services DLL |
| ATTACK | 1546.008 | Event Triggered Execution: Accessibility Features |