{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,3,26]],"date-time":"2025-03-26T13:00:22Z","timestamp":1742994022363,"version":"3.40.3"},"publisher-location":"Cham","reference-count":35,"publisher":"Springer International Publishing","isbn-type":[{"type":"print","value":"9783319934105"},{"type":"electronic","value":"9783319934112"}],"license":[{"start":{"date-parts":[[2018,1,1]],"date-time":"2018-01-01T00:00:00Z","timestamp":1514764800000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2018]]},"DOI":"10.1007\/978-3-319-93411-2_7","type":"book-chapter","created":{"date-parts":[[2018,6,7]],"date-time":"2018-06-07T07:49:28Z","timestamp":1528357768000},"page":"141-161","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Update State Tampering: A Novel Adversary Post-compromise Technique on Cyber Threats"],"prefix":"10.1007","author":[{"given":"Sung-Jin","family":"Kim","sequence":"first","affiliation":[]},{"given":"Byung-Joon","family":"Kim","sequence":"additional","affiliation":[]},{"given":"Hyoung-Chun","family":"Kim","sequence":"additional","affiliation":[]},{"given":"Dong Hoon","family":"Lee","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2018,6,8]]},"reference":[{"key":"7_CR1","unstructured":"Strom, B.E., Battaglia, J.A., Kemmerer, M.S., Kupersanin, W., Miller, D.P., Wampler, C., Whitley, S.M., Wolf, R.D.: Finding Cyber Threats with ATT&CKTM-Based Analytics, MITRE Technical report (2017)"},{"key":"7_CR2","unstructured":"The MITRE Corporation. Presentation: Detecting the Adversary Post-Compromise with Threat Models and Behavioral Analytic. \n https:\/\/www.mitre.org\/publications\/technical-papers\/presentation-detecting-the-adversary-post-compromise-with-threat\n \n . Accessed 27 Feb 2018"},{"key":"7_CR3","first-page":"438","volume":"536","author":"S Yadav","year":"2016","unstructured":"Yadav, S., Mallari, D.: Technical aspects of cyber kill chain. Commun. Comput. Inf. Sci. 536, 438\u2013452 (2016)","journal-title":"Commun. Comput. Inf. Sci."},{"key":"7_CR4","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"63","DOI":"10.1007\/978-3-662-44885-4_5","volume-title":"Communications and Multimedia Security","author":"P Chen","year":"2014","unstructured":"Chen, P., Desmet, L., Huygens, C.: A study on advanced persistent threats. In: De Decker, B., Z\u00faquete, A. (eds.) CMS 2014. LNCS, vol. 8735, pp. 63\u201372. Springer, Heidelberg (2014). \n https:\/\/doi.org\/10.1007\/978-3-662-44885-4_5"},{"key":"7_CR5","unstructured":"Malone, S.: Using an Expanded Cyber Kill Chain Model to Increase Attack Resiliency. Black Hat US (2016)"},{"key":"7_CR6","unstructured":"Smith, V., Ames, C.: Meta-Post Exploitation, Black Hat US (2008)"},{"key":"7_CR7","unstructured":"The MITRE Corporation. ATT&CK Matrix. \n https:\/\/attack.mitre.org\/wiki\/ATT&CK_Matrix\n \n . Accessed 27 Feb 2018"},{"key":"7_CR8","unstructured":"Speulstra, P.: Accessibility Features. \n https:\/\/attack.mitre.org\/wiki\/Technique\/T1015\n \n . Accessed 27 Feb 2018"},{"key":"7_CR9","unstructured":"Tilbury, C.: Registry Analysis with CrowdResponse. \n https:\/\/www.crowdstrike.com\/blog\/registry-analysis-with-crowdresponse\/\n \n . Accessed 27 Feb 2018"},{"key":"7_CR10","unstructured":"Jerzman, B., Smit, T.: Modify Registry. \n https:\/\/attack.mitre.org\/wiki\/Technique\/T1112\n \n . Accessed 27 Feb 2018"},{"key":"7_CR11","unstructured":"Kaspersky Lab. The Regin Platform Nation-State Ownage of GSM Networks. \n https:\/\/securelist.com\/files\/2014\/11\/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf\n \n . Accessed 27 Feb 2018"},{"key":"7_CR12","unstructured":"FireEye Threat Intelligence. APT28: A Window Into Russia\u2019s Cyber Espionage Operations? \n https:\/\/www.fireeye.com\/content\/dam\/fireeye-www\/global\/en\/current-threats\/pdfs\/rpt-apt28.pdf\n \n . Accessed 27 Feb 2018"},{"key":"7_CR13","unstructured":"Falcone, R.: Shamoon 2: Return of the Disttrack Wiper. \n https:\/\/researchcenter.paloaltonetworks.com\/2016\/11\/unit42-shamoon-2-return-disttrack-wiper\n \n . Accessed 27 Feb 2018"},{"key":"7_CR14","unstructured":"Microsoft. Use the System File Checker tool to repair missing or corrupted system files. \n https:\/\/support.microsoft.com\/eu-es\/help\/929833\/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system-files\n \n . Accessed 27 Feb 2018"},{"key":"7_CR15","unstructured":"Microsoft. How to get an update through Windows Update. \n https:\/\/support.microsoft.com\/en-us\/help\/3067639\/how-to-get-an-update-through-windows-update\n \n . Accessed 27 Feb 2018"},{"key":"7_CR16","unstructured":"Microsoft. Microsoft Baseline Security Analyzer. \n https:\/\/technet.microsoft.com\/en-us\/security\/cc184924.aspx\n \n . Accessed 27 Feb 2018"},{"key":"7_CR17","unstructured":"Microsoft. Understanding Component-Based Servicing. \n https:\/\/blogs.technet.microsoft.com\/askperf\/2008\/04\/23\/understanding-component-based-servicing\/\n \n . Accessed 27 Feb 2018"},{"key":"7_CR18","unstructured":"Microsoft. Manage the Component Store. \n https:\/\/technet.microsoft.com\/en-us\/library\/dn251569.aspx\n \n . Accessed 27 Feb 2018"},{"key":"7_CR19","unstructured":"Russinovich, M.E., \u200eSolomon, D.A., Ionescu, \u200eA.: Windows Internals, Part 2, 6th edn, p. 525 (2012)"},{"key":"7_CR20","unstructured":"Microsoft. Code Integrity. \n https:\/\/technet.microsoft.com\/en-us\/library\/dd348642(v=ws.10).aspx\n \n . Accessed 27 Feb 2018"},{"key":"7_CR21","unstructured":"Microsoft. Kernel-Mode Code Signing Walkthrough. \n https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/hardware\/dn653569(v=vs.85).aspx\n \n . Accessed 27 Feb 2018"},{"key":"7_CR22","unstructured":"The MITRE Corporation. CVE-2017-0114. \n https:\/\/www.cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-0144\n \n . Accessed 27 Feb 2018"},{"key":"7_CR23","doi-asserted-by":"crossref","unstructured":"Frei, S., May, M., Fiedler, U., Plattner, B.: Large-scale vulnerability analysis. In: SIGCOMM Workshop on LSAD (2006)","DOI":"10.1145\/1162666.1162671"},{"key":"7_CR24","unstructured":"Joh, H., Malaiya, Y.K.: Defining and assessing quantitative security risk measures using vulnerability lifecycle and CVSS metrics. In: International Conference on Security and Management (SAM) (2011)"},{"key":"7_CR25","unstructured":"Microsoft. Process Monitor v3.50. \n https:\/\/docs.microsoft.com\/en-us\/sysinternals\/downloads\/procmon\n \n . Accessed 27 Feb 2018"},{"key":"7_CR26","unstructured":"AhnLab. MyPCInspector. \n http:\/\/www.ahnlab.com\/kr\/site\/product\/productView.do?prodSeq=86\n \n . Accessed 27 Feb 2018"},{"key":"7_CR27","unstructured":"Rapid7. Metasploit. \n https:\/\/www.metasploit.com\/\n \n . Accessed 27 Feb 2018"},{"key":"7_CR28","unstructured":"OpenVAS. OpenVAS. \n http:\/\/www.openvas.org\/\n \n . Accessed 20 Apr 2018"},{"key":"7_CR29","unstructured":"Greenbone Networks. Greenbone. \n https:\/\/www.greenbone.net\/en\/\n \n . Accessed 20 Apr 2018"},{"key":"7_CR30","unstructured":"Tenable. Nessus Home. \n https:\/\/www.tenable.com\/products\/nessus\/nessus-professional\n \n . Accessed 20 Apr 2018"},{"key":"7_CR31","unstructured":"Rapid7. Nexpose. \n https:\/\/www.rapid7.com\/products\/nexpose\/\n \n . Accessed 20 Apr 2018"},{"key":"7_CR32","unstructured":"Microsoft. Further simplifying servicing models for Windows 7 and Windows 8.1. \n https:\/\/blogs.technet.microsoft.com\/windowsitpro\/2016\/08\/15\/further-simplifying-servicing-model-for-windows-7-and-windows-8-1\/\n \n . Accessed 20 Apr 2018"},{"key":"7_CR33","unstructured":"Microsoft. How to verify that MS17-010 is installed. \n https:\/\/support.microsoft.com\/en-us\/help\/4023262\/how-to-verify-that-ms17-010-is-installed\n \n . Accessed 27 Feb 2018"},{"key":"7_CR34","unstructured":"The MITRE Corporation. CWE-120. \n https:\/\/cwe.mitre.org\/data\/definitions\/120.html\n \n . Accessed 20 Apr 2018"},{"key":"7_CR35","unstructured":"Cichonski, P., Millar, T., Grance, T., Scarfone, K.: Computer security incident handling guide. NIST Special Publication, 800-61 (2012)"}],"container-title":["Lecture Notes in Computer Science","Detection of Intrusions and Malware, and Vulnerability Assessment"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-319-93411-2_7","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2020,3,3]],"date-time":"2020-03-03T03:18:14Z","timestamp":1583205494000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-319-93411-2_7"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018]]},"ISBN":["9783319934105","9783319934112"],"references-count":35,"URL":"https:\/\/doi.org\/10.1007\/978-3-319-93411-2_7","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2018]]},"assertion":[{"value":"8 June 2018","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"DIMVA","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Saclay","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"France","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2018","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"28 June 2018","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"29 June 2018","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"15","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"dimva2018","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"http:\/\/www.dimva2018.org\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}