



Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads.
Adversaries may interact with the native OS application programming interface (API) to execute behaviors.
Contains ability to retrieve the fully qualified path of module
Contains ability to retrieve the command-line string for the current process
Contains ability to retrieve the fully qualified path of module (API string)
Calls an API typically used to create a process
Contains ability to modify process thread functionality (API string)
Contains ability to dynamically determine API calls
Contains ability to dynamically load libraries
Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence.
Contains ability to retrieve the contents of the STARTUPINFO structure (API string)
Adversaries may circumvent mechanisms designed to control the elevation of privileges to gain higher-level permissions.
Contains ability to use security policy setting (API string)
Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges.
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls.
Contains ability to enable or disable privileges in the specified access token (API string)
Adversaries may delete files left behind by the actions of their intrusion activity.
Calls an API typically used to remove a directory
Adversaries may employ various means to detect and avoid virtualization and analysis environments.
Contains ability to delay the execution of current thread
Contains ability to detect sandbox (mouse cursor movement)
Contains ability to detect virtual environment (API)
Adversaries may perform software packing or virtual machine software protection to conceal their code.
Adversaries may log user keystrokes to intercept credentials as the user types them.
Calls an API typically used for keylogging
Adversaries may hook into Windows application programming interface (API) functions to collect user credentials.
