Search For Content
Search Result
44 item(s) found so far for this keyword.
BITS Jobs
![Defense Evasion [Mitre] icon](/media/2024/04/08/icons8-burglar.svg){kind=small}
Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer …
Read moreProcess Injection: Thread Execution Hijacking
Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process.
Thread Execution Hijacking is commonly performed by suspending an existing process then unmapping/hollowing its memory, which can then be replaced …
Read moreProcess Injection: Thread Local Storage
Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process.
TLS callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process …
Read moreSubvert Trust Controls: Install Root Certificate
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the …
Read moreSystem Binary Proxy Execution: Compiled HTML File
Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. CHM content is displayed using underlying components of the Internet Explorer browser …
Read moreSystem Binary Proxy Execution: CMSTP
Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.
Adversaries may supply CMSTP.exe with INF files infected with malicious commands. …
Read moreSystem Binary Proxy Execution: Verclsid
Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before they are used by Windows Explorer or the Windows Shell.
Adversaries may abuse verclsid.exe to execute malicious payloads. This may be achieved by running verclsid.exe /S /C {CLSID}, where the file …
Read moreSystem Binary Proxy Execution: Mavinject
Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V).
Adversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. Dynamic-link Library Injection), allowing for arbitrary code execution (ex. C:\Windows\system32\mavinject.exe PID /INJECTRUNNING PATH_DLL). …
Read moreUnloading Module with FreeLibrary
Malware authors often use various techniques to evade detection by AV/EDR solutions. One such technique involves checking for the presence of AV/EDR DLLs that may be loaded in the malware's address space and attempting to unload them before executing their malicious code.
To do this, the malware first uses the GetModuleHandleA function to retrieve a handle to the DLL, …
Constant Blinding
Constant blinding can be employed by malware authors to obfuscate their malicious code, making it harder for security researchers and antivirus software to detect and analyze the malware. By using constant blinding techniques, the malware code can be concealed, increasing its chances of evading detection and maintaining persistence on the target system.
Here's how constant blinding can be utilized …
Read more