| Mitre Techniques | Summary |
|---|---|
| | Malware may instruct Windows to execute malicious scripts on boot or when a user logs in. |
| | Process injection is usually used to run malicious code in a target process while allowing the original process to continue. |
| | DLL injection can be used to load malicious code into a process, either by simply instructing the target process to load a new DLL or by replacing a legitimate DLL before it is loaded. |
| | Process injection by replacing code in a process, typically before it begins execution. |
| | PowerShell is often used by Windows malware to perform malware setup, such as replacing legitimate files with malicious ones. |
| | Performing privilege escalation via software vulnerabilities can allow malicious code to escape permission restrictions or virtualized environments. |
| | Malware may replicate itself onto removable media so that the next machine the media is connected to may execute it via autorun or driver vulnerabilities. |
| | Native APIs are often the closest access to operating system functionality for accessing files, running processes, and more. |
| | User execution, often gained via phishing, is the simplest way malware may begin running. |
| | Credentials could be stolen by taking advantage of vulnerable software that does not encrypt credentials entered by a user. |
| | Creating or modifying a system process can hide malicious code from malware detection by disguising it as a normal, trusted system process. |
| | Malware may instruct Windows to execute malicious programs on boot or when a user logs in. |
| | Abusing elevation control can allow a process that would not normally have higher privileges to be escalated to gain access to protected data. |
| | Stored credentials from unencrypted managers or browsers may be used to gain access to privileged data. |
| | Inter-process communication can provide the injector with control over the target process once the injection is complete. |
| | Phishing may be used to trick a user into performing an action they would not have done otherwise, such as running a script or sharing a password. |
| | Injecting into a system service such as an existing |
| | Code signing certificates are a way for an authority to certify an application's code. Malware may generate a certificate that does not come from any certificate authority but may confuse a user into thinking it is legitimate. |
| | SSL certificates are used to ensure that data transmission is trustworthy. In a poorly configured environment, malware may be able to install its own SSL certificate to facilitate man-in-the-middle attacks. |
...