Tries to obtain the highest possible privilege level without UAC dialog Windows User Account Control (UAC) allows a program to elevate its privileges to perform a task under administrator-level permissions by prompting the user for confirmation. Opens the Kernel Security Device Driver (KsecDD) of Windows Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. Installs hooks/patches the running processĪdding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.Ī bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). Windows processes often leverage application programming interface (API) functions to perform tasks that require reusable system resources. On Linux and Apple systems, multiple methods are supported for creating pre-scheduled and periodic background jobs: cron,Die. Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. Opens the MountPointManager (often used to detect additional infection locations)Īdversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager.
Reads the registry for VMWare specific artifacts Reads Antivirus engine related registry keys Possibly checks for the presence of an Antivirus engine Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)Įxecutes WMI queries known to be used for VM detection Queries firmware table information (may be used to fingerprint/evade) Modifies auto-execute functionality by setting/creating a value in the registry Interacts with the primary disk partition (DR0) Touched instant messenger related registry keys Scans for artifacts that may help identify the target Contains ability to retrieve keyboard strokesįound a string that may be used as part of an injection method
0 kommentar(er)
