TTPwire Vol. 1 · MITRE ATT&CK·Tagged


F5 Labs

Caging the Malicious Insider Application

2022-03-31

ATT&CK techniques detected

6 predictions
T1055.001 Dynamic-link Library Injection (87%)
"should assume this results in full control of the host since, by writing to another system, a malicious application could potentially change local settings, inject commands, or even insert new executable code. Regarding the difference between noncritical and critical internal hos…"

T1059 Command and Scripting Interpreter (80%)
"…filtrating stolen data as well as receiving commands from remote attackers. The potentially compromised automation application: this is the worst-case scenario — the application that manages all IT infrastructure. It has access to everything and can make changes to anything. I…"

T1190 Exploit Public-Facing Application (59%)
"Caging the Malicious Insider Application. In July 2020, the FBI Cyber Division issued Flash Alert AC-000129-TT reporting that malware had been found in the software used to calculate China’s value-added tax (VAT).[1] However, the Chinese State Taxation Administration requ…"

T1611 Escape to Host (52%)
"And finally, standard security controls like antivirus (AV) applications all the way up to the more sophisticated extended detection and response (XDR) systems can detect unusual malicious activity as well as known malware components. Preventive controls to slow down maliciou…"

T1090.001 Internal Proxy (43%)
"update itself for new capabilities. Replicate and infect: try to copy itself or a version of itself to other reachable hosts or turn itself into a proxy server for remote attackers. When we speak of data flows to untrusted hosts, we should assume directional flow is irrelevant. …"

T1090 Proxy (38%)
"update itself for new capabilities. Replicate and infect: try to copy itself or a version of itself to other reachable hosts or turn itself into a proxy server for remote attackers. When we speak of data flows to untrusted hosts, we should assume directional flow is irrelevant. …"

Summary

The applications we need to run inside our organizations can turn malicious, so how can we architect for this?