TID-205: Existing OS Tools Maliciously Used for Device Manipulation
Threat Description
If a threat actor has access to a valid OS account, they can utilize existing OS tools and system calls to install malicious code or manipulate device operations. If the account and privileges are not sufficiently restricted, the threat actor may be able to add their own tools, modify other application layer programs, or even execute commands with elevated privileges (e.g., setuid/setgid). Further, threat actors can perform a living-off-the-land attack, where they choose to only use pre-installed functionality and install nothing else on the device. These types of attacks can be hard to detect because malicious behavior may be implemented using tools and functions with legitimate purposes.
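One defensive check that follows from this description is a baseline audit of setuid/setgid binaries, since those are what let a restricted account execute with elevated privileges. The script below is an added example, not part of the EMB3D entry; it assumes a hypothetical allowlist of expected privileged binaries (paths relative to the device root) and builds a constructed sample tree in a temporary directory to run against.

```python
import os
import stat
import tempfile
from pathlib import Path


def find_privileged_binaries(root):
    """Return (path, mode) for every regular file under root with setuid or setgid set."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks while auditing
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets, device nodes are not candidates
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append((path, st.st_mode))
    return found


def audit_privileged_binaries(root, expected):
    """Compare privileged files under root with an allowlist of relative paths.

    Returns files not on the allowlist and files that are also world-writable
    (a privileged binary anyone can overwrite is a direct elevation path).
    """
    findings = {"unexpected": [], "world_writable": []}
    for path, mode in find_privileged_binaries(root):
        rel = os.path.relpath(path, root).replace(os.sep, "/")
        if rel not in expected:
            findings["unexpected"].append(rel)
        if mode & stat.S_IWOTH:
            findings["world_writable"].append(rel)
    return findings


def build_sample_tree():
    """Constructed sample root: one expected setuid file, one rogue one, one plain file."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "usr", "bin"))
    os.makedirs(os.path.join(root, "tmp"))
    for rel, mode in (("usr/bin/passwd", 0o4755),   # expected, on the allowlist
                      ("tmp/.sh", 0o4777),          # rogue setuid copy, world-writable
                      ("usr/bin/ls", 0o755)):       # ordinary binary, no special bits
        p = os.path.join(root, *rel.split("/"))
        Path(p).write_text("#!/bin/sh\n")
        os.chmod(p, mode)  # chmod ignores umask, so the bits land as written
    return root


if __name__ == "__main__":
    print(audit_privileged_binaries(build_sample_tree(), {"usr/bin/passwd"}))
```

On a real device the allowlist would be generated from a known-good firmware build and the audit run against a mounted image or the live root.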
Threat Maturity and Evidence
Observed Adversarial Behavior
ATT&CK Technique: Graphical User Interface (T0823)
Procedure Example: 2015 Ukraine Electric Power Attack (C0028)
“During the 2015 Ukraine Electric Power Attack, Sandworm Team utilized HMI GUIs in the SCADA environment to open breakers.”
Volt Typhoon targets US critical infrastructure with living-off-the-land techniques
“To achieve their objective, the threat actor puts strong emphasis on stealth in this campaign, relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity.”
CWE
CWE-693: Protection Mechanisms Failure (Pillar)
“The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.”