
The input sample is signed with a certificate
Interacts with the primary disk partition (DR0)
Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges.
Adversaries may make and impersonate tokens to escalate privileges and bypass access controls.
Adversaries may inject malicious code into processes via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges.
Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses.
Allocates virtual memory in a remote process
Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges.
Adversaries may disable security tools to avoid possible detection of their tools and activities.
Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Adversaries may perform software packing or virtual machine software protection to conceal their code.
Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection.
Adversaries may delete files left behind by the actions of their intrusion activity.
Adversaries may employ various means to detect and avoid virtualization and analysis environments.
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.
Adversaries may create, acquire, or steal code signing materials to sign their malware or tools.
Modifies auto-execute functionality by setting/creating a value in the registry
Adversaries may use bootkits to persist on systems.
Adversaries may use the Windows Component Object Model (COM) for local code execution.
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code.
Adversaries may abuse the Windows service control manager to execute malicious commands or payloads.
Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors.
Adversaries may abuse shared modules to execute malicious payloads.
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.
