
Modifies the UAC/LUA settings (Account Control) Process injection is a method of executing arbitrary code in the address space of a separate live process.Īllocates virtual memory in a remote processĪdversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in ] and ]. Modifies auto-execute functionality by setting/creating a value in the registry Interacts with the primary disk partition (DR0)Īdding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. Opens the Kernel Security Device Driver (KsecDD) of WindowsĪ bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand.Ĭontains ability to enumerate processes/modules/threads Installs hooks/patches the running process Sets a global windows hook to intercept keystrokes Windows processes often leverage application programming interface (API) functions to perform tasks that require reusable system resources.

On Linux and Apple systems, multiple methods are supported for creating pre-scheduled and periodic background jobs: cron,Die. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager.
