whemu.blogg.se

Roboto condensed 2.137











Object ID 338 contains compressed stream data: No filters
Object ID 230 contains compressed stream data: No filters
Object ID 219 contains compressed stream data: No filters
Object ID 112 contains compressed stream data: No filters
Object ID 6 contains compressed stream data: No filters

Possibly tries to communicate over SSL connection (HTTPS)

Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network.

Contains indicators of bot communication commands

PDF file has an embedded URL referencing an URL shortener service

Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges.

Found a string that may be used as part of an injection method

Adversaries may attempt to get a listing of open application windows.

Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP).

Adversaries may target user email to collect sensitive information.

Found a potential E-Mail address in binary/memory

Adversaries may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries.

Contains object with compressed stream data

Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.

Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.











