Mitre Techniques Covered
- Noah Greenberg
Mitre Techniques | Summary | Training Scenarios |
|---|---|---|
Malware may instruct Windows to execute malicious scripts on boot or when a user logs in. | Â | |
Process injection, usually used to run malicious code in a target process while allowing the original process to continue. | ||
DLL injection can be used to load malicious code into a process by simply instructing the target process to load a new DLL or by replacing a legitimate DLL before it is loaded. | ||
Process injection by modification of thread local storage, tricking the application into running malicious code during thread management. | Â | |
Process injection by replacing code in a process, typically before it begins execution. | ||
Process injection by executing a malicious executable while tricking the OS and security products into scanning an older revision of the executable. | Â | |
PowerShell is often used by Windows malware to perform malware setup, such as replacing legitimate files with malicious ones. | Â | |
Performing privilege escalation via software vulnerabilities can allow malicious code to escape permission restrictions or virtualized environments. | Â | |
Malware may replicate itself onto removable media so that the next machine to connect it may execute via autorun or driver vulnerabilities. | Â | |
Native APIs are often the closest access to operating system functionality for accessing files, running processes, and more. | Â | |
User execution, often gained via phishing, is the simplest way malware may begin running. | ||
Credentials could be stolen by taking advantage of vulnerable software that does not encrypt credentials inputted by a user. | ||
Creating or modifying a system process can disguise malicious code as a normal, trusted system process from malware detection. | ||
Malware may instruct Windows to execute malicious programs on boot or when a user logs in. | Â | |
Abusing elevation control can allow a process that would not normally have higher privileges be escalated to gain access to protected data. | Â | |
Stored credentials from unencrypted managers or browsers may be used to gain access to privileged data. | ||
Inter-Process communication can provide control over the target process from the injector once the injection is complete. | Training Scenario - Process Injection | |
Phishing may be used to trick a user into performing an action they would not have done otherwise such as running a script or sharing a password. | ||
Injecting into a system service such as an existing | ||
Malicious DLLs can be forced to load into an otherwise legitimate process. | ||
Executable resources such as DLLs can be redirected to malicious substitutes by abusing the | ||
Code signing certificates are a way for an authority to certify that an applications code. Malware may generate a certificate that does not come from any certificate authority but may confuse a user into thinking it is legitimate. | https://cybercrucible.atlassian.net/wiki/spaces/CYB/pages/32210997 | |
SSL certificates are used to ensure that data transmission is trustworthy. In a poorly configured environment, malware may be able to install its own SSL certificate to facilitate man in the middle attacks. | https://cybercrucible.atlassian.net/wiki/spaces/CYB/pages/32210997 |
Â