Mitre Techniques Covered

Mitre Techniques

Summary

Training Scenarios

T1037

Malware may instruct Windows to execute malicious scripts on boot or when a user logs in.

T1055

Process injection, usually used to run malicious code in a target process while allowing the original process to continue.

https://cybercrucible.atlassian.net/wiki/spaces/CYB/pages/32243713

T1055-001

DLL injection can be used to load malicious code into a process by simply instructing the target process to load a new DLL or by replacing a legitimate DLL before it is loaded.

https://cybercrucible.atlassian.net/wiki/spaces/CYB/pages/32145418

T1055-005

Process injection by modification of thread local storage, tricking the application into running malicious code during thread management.

T1055-012

Process injection by replacing code in a process, typically before it begins execution.

https://cybercrucible.atlassian.net/wiki/spaces/CYB/pages/32243765

T1055-013

Process injection by executing a malicious executable while tricking the OS and security products into scanning an older revision of the executable.

T1059-001

PowerShell is often used by Windows malware to perform malware setup, such as replacing legitimate files with malicious ones.

T1068

Performing privilege escalation via software vulnerabilities can allow malicious code to escape permission restrictions or virtualized environments.

T1091

Malware may replicate itself onto removable media so that the next machine the media is connected to may execute it via autorun or driver vulnerabilities.

T1106

Native APIs are often the closest access to operating system functionality for accessing files, running processes, and more.

T1204

User execution, often gained via phishing, is the simplest way malware may begin running.

T1212

Credentials could be stolen by taking advantage of vulnerable software that does not encrypt credentials entered by a user.

T1543

Creating or modifying a system process can hide malicious code from malware detection by disguising it as a normal, trusted system process.

T1547

Malware may instruct Windows to execute malicious programs on boot or when a user logs in.

T1548

Abusing elevation control can allow a process that would not normally have higher privileges to be escalated to gain access to protected data.

T1555

Stored credentials from unencrypted managers or browsers may be used to gain access to privileged data.

T1559

Inter-process communication can provide the injector with control over the target process once the injection is complete.

T1566

Phishing may be used to trick a user into performing an action they would not have done otherwise such as running a script or sharing a password.

T1569

Injecting into a system service such as an existing svchost can disguise malicious code so that it is reported as running from a well-known and trusted process.

T1574-002

Malicious DLLs can be forced to load into an otherwise legitimate process.

T1574-007

Executable resources such as DLLs can be redirected to malicious substitutes by abusing the PATH environment variable.

T1587-002

Code signing certificates are a way for an authority to certify an application's code. Malware may generate a certificate that does not come from any certificate authority but may confuse a user into thinking it is legitimate.

T1587-003

SSL certificates are used to ensure that data transmission is trustworthy. In a poorly configured environment, malware may be able to install its own SSL certificate to facilitate man-in-the-middle attacks.