Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Техника Внедрение DLL-библиотек
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Внедрение DLL-библиотек
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Process Injection:  Внедрение DLL-библиотек

ID Название
.001 Внедрение DLL-библиотек
.002 Внедрение PE-образа
.003 Перехват выполнения потока
.004 Асинхронный вызов процедур
.005 Локальная память потока
.008 Системные вызовы ptrace
.009 Внедрение через файловую систему /proc
.011 Внедрение в дополнительную память окна (EWM)
.012 Внедрение в пустой процесс
.013 Process Doppelgänging
.014 Перехват виртуального динамического общего объекта (VDSO)
.015 Внедрение списков

Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process. DLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread (which calls the LoadLibrary API responsible for loading the DLL). (Citation: Elastic Process Injection July 2017) Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue as well as the additional APIs to invoke execution (since these methods load and execute the files in memory by manually preforming the function of LoadLibrary).(Citation: Elastic HuntingNMemory June 2017)(Citation: Elastic Process Injection July 2017) Another variation of this method, often referred to as Module Stomping/Overloading or DLL Hollowing, may be leveraged to conceal injected code within a process. This method involves loading a legitimate DLL into a remote process then manually overwriting the module's AddressOfEntryPoint before starting a new thread in the target process.(Citation: Module Stomping for Shellcode Injection) This variation allows attackers to hide malicious injected code by potentially backing its execution with a legitimate DLL file on disk.(Citation: Hiding Malicious Code with Module Stomping) Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process.

ID: T1055.001
Относится к технике:  T1055
Тактика(-и): Defense Evasion, Privilege Escalation
Платформы: Windows
Источники данных: Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Версия: 1.4
Дата создания: 14 Jan 2020
Последнее изменение: 16 Apr 2025

Примеры процедур
Название Описание
Bumblebee

The Bumblebee loader can support the `Dij` command which gives it the ability to inject DLLs into the memory of other processes.(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)
Stuxnet

Stuxnet injects an entire DLL into an existing, newly created, or preselected trusted process.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
Get2

Get2 has the ability to inject DLLs into processes.(Citation: Proofpoint TA505 October 2019)
Emissary

Emissary injects its DLL file into a newly spawned Internet Explorer process.(Citation: Lotus Blossom Dec 2015)
PS1

PS1 can inject its payload DLL Into memory.(Citation: BlackBerry CostaRicto November 2020)
PowerSploit

PowerSploit contains a collection of CodeExecution modules that inject code (DLL, shellcode) into a process.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)
Matryoshka

Matryoshka uses reflective DLL injection to inject the malicious library and execute the RAT.(Citation: CopyKittens Nov 2015)
Aria-body

Aria-body has the ability to inject itself into another process such as rundll32.exe and dllhost.exe.(Citation: CheckPoint Naikon May 2020)
Emotet

Emotet has been observed injecting in to Explorer.exe and other processes. (Citation: Picus Emotet Dec 2018)(Citation: Trend Micro Banking Malware Jan 2019)(Citation: US-CERT Emotet Jul 2018)
BADHATCH

BADHATCH has the ability to execute a malicious DLL by injecting into `explorer.exe` on a compromised machine.(Citation: Gigamon BADHATCH Jul 2019)
SombRAT

SombRAT can execute loadfromfile, loadfromstorage, and loadfrommem to inject a DLL from disk, storage, or memory respectively.(Citation: BlackBerry CostaRicto November 2020)
Conti

Conti has loaded an encrypted DLL into memory and then executes it.(Citation: Cybereason Conti Jan 2021)(Citation: CarbonBlack Conti July 2020)
Kazuar

If running in a Windows environment, Kazuar saves a DLL to disk that is injected into the explorer.exe process to execute the payload. Kazuar can also be configured to inject and execute within specific processes.(Citation: Unit 42 Kazuar May 2017)
BlackEnergy

BlackEnergy injects its DLL component into svchost.exe.(Citation: F-Secure BlackEnergy 2014)
DarkTortilla

DarkTortilla can use a .NET-based DLL named `RunPe6` for process injection.(Citation: Secureworks DarkTortilla Aug 2022)
Dyre

Dyre injects into other processes to load modules.(Citation: Symantec Dyre June 2015)
Duqu

Duqu will inject itself into different processes to evade detection. The selection of the target process is influenced by the security software that is installed on the system (Duqu will inject into different processes depending on which security suite is installed on the infected host).(Citation: Symantec W32.Duqu)
Remsec

Remsec can perform DLL injection.(Citation: Kaspersky ProjectSauron Technical Analysis)
Sykipot

Sykipot injects itself into running instances of outlook.exe, iexplore.exe, or firefox.exe.(Citation: AlienVault Sykipot 2011)
Mongall

Mongall can inject a DLL into `rundll32.exe` for execution.(Citation: SentinelOne Aoqin Dragon June 2022)

Netwalker

The Netwalker DLL has been injected reflectively into the memory of a legitimate running process.(Citation: TrendMicro Netwalker May 2020)

Elise

Elise injects DLL files into iexplore.exe.(Citation: Lotus Blossom Jun 2015)(Citation: Accenture Dragonfish Jan 2018)
Saint Bot

Saint Bot has injected its DLL component into `EhStorAurhn.exe`.(Citation: Malwarebytes Saint Bot April 2021)
Sagerunex

Sagerunex is designed to be dynamic link library (DLL) injected into an infected endpoint and executed directly in memory.(Citation: Cisco LotusBlossom 2025)
Uroburos

Uroburos can use DLL injection to load embedded files and modules.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)
Metamorfo

Metamorfo has injected a malicious DLL into the Windows Media Player process (wmplayer.exe).(Citation: Medium Metamorfo Apr 2020)
PipeMon

PipeMon can inject its modules into various processes using reflective DLL loading.(Citation: ESET PipeMon May 2020)
RARSTONE

After decrypting itself in memory, RARSTONE downloads a DLL file from its C2 server and loads it in the memory space of a hidden Internet Explorer process. This “downloaded” file is actually not dropped onto the system.(Citation: Camba RARSTONE)
MegaCortex

MegaCortex loads injecthelper.dll into a newly created rundll32.exe process.(Citation: IBM MegaCortex)
SDBbot

SDBbot has the ability to inject a downloaded DLL into a newly created rundll32.exe process.(Citation: Proofpoint TA505 October 2019)
Derusbi

Derusbi injects itself into the secure shell (SSH) process.(Citation: Airbus Derusbi 2015)
RATANKBA

RATANKBA performs a reflective DLL injection using a given pid.(Citation: Lazarus RATANKBA)(Citation: RATANKBA)
FinFisher

FinFisher injects itself into various processes depending on whether it is low integrity or high integrity.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)
Cobalt Strike

Cobalt Strike has the ability to load DLLs via reflective injection.(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)
Taidoor

Taidoor can perform DLL loading.(Citation: TrendMicro Taidoor)(Citation: CISA MAR-10292089-1.v2 TAIDOOR August 2021)
IronNetInjector

IronNetInjector has the ability to inject a DLL into running processes, including the IronNetInjector DLL into explorer.exe.(Citation: Unit 42 IronNetInjector February 2021 )
PoisonIvy

PoisonIvy can inject a malicious DLL into a process.(Citation: FireEye Poison Ivy)(Citation: Symantec Darkmoon Aug 2005)
TajMahal

TajMahal has the ability to inject DLLs for malicious plugins into running processes.(Citation: Kaspersky TajMahal April 2019)
Carbon

Carbon has a command to inject code into a process.(Citation: ESET Carbon Mar 2017)
Ramsay

Ramsay can use ImprovedReflectiveDLLInjection to deploy components.(Citation: Eset Ramsay May 2020)

Carberp

Carberp's bootkit can inject a malicious DLL into the address space of running processes.(Citation: ESET Carberp March 2012)
FunnyDream

The FunnyDream FilepakMonitor component can inject into the Bka.exe process using the `VirtualAllocEx`, `WriteProcessMemory` and `CreateRemoteThread` APIs to load the DLL component.(Citation: Bitdefender FunnyDream Campaign November 2020)
Koadic

Koadic can perform process injection by using a reflective DLL.(Citation: Github Koadic)
Pupy

Pupy can migrate into another process using reflective DLL injection.(Citation: GitHub Pupy)
ZxShell

ZxShell is injected into a shared SVCHOST process.(Citation: Talos ZxShell Oct 2014)

Maze

Maze has injected the malware DLL into a target process.(Citation: McAfee Maze March 2020)(Citation: Sophos Maze VM September 2020)

ComRAT

ComRAT has injected its orchestrator DLL into explorer.exe. ComRAT has also injected its communications module into the victim's default browser to make C2 connections appear less suspicious as all network connections will be initiated by the browser process.(Citation: ESET ComRAT May 2020)(Citation: CISA ComRAT Oct 2020)
Heyoka Backdoor

Heyoka Backdoor can inject a DLL into rundll32.exe for execution.(Citation: SentinelOne Aoqin Dragon June 2022)
Socksbot

Socksbot creates a suspended svchost process and injects its DLL into it.(Citation: TrendMicro Patchwork Dec 2017)
HIDEDRV

HIDEDRV injects a DLL for Downdelph into the explorer.exe process.(Citation: ESET Sednit Part 3)
ShadowPad

ShadowPad has injected a DLL into svchost.exe.(Citation: Kaspersky ShadowPad Aug 2017)
Gelsemium

Gelsemium has the ability to inject DLLs into specific processes.(Citation: ESET Gelsemium June 2021)
Lizar

Lizar has used the PowerKatz plugin that can be loaded into the address space of a PowerShell process through reflective DLL loading.(Citation: BiZone Lizar May 2021)

Turla

Turla has used Metasploit to perform reflective DLL injection in order to escalate privileges.(Citation: ESET Turla Mosquito May 2018)(Citation: Github Rapid7 Meterpreter Elevate)
Tropic Trooper

Tropic Trooper has injected a DLL backdoor into dllhost.exe and svchost.exe.(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: TrendMicro Tropic Trooper May 2020)
Lazarus Group

A Lazarus Group malware sample performs reflective DLL injection.(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: Lazarus APT January 2022)
Putter Panda

An executable dropped onto victims by Putter Panda aims to inject the specified DLL into a process that would normally be accessing the network, including Outlook Express (msinm.exe), Outlook (outlook.exe), Internet Explorer (iexplore.exe), and Firefox (firefox.exe).(Citation: CrowdStrike Putter Panda)
Leviathan

Leviathan has utilized techniques like reflective DLL loading to write a DLL into memory and load a shell that provides backdoor access to the victim.(Citation: Accenture MUDCARP March 2019)
Wizard Spider

Wizard Spider has injected malicious DLLs into memory with read, write, and execute permissions.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)
BackdoorDiplomacy

BackdoorDiplomacy has dropped legitimate software onto a compromised host and used it to execute malicious DLLs.(Citation: ESET BackdoorDiplomacy Jun 2021)
Malteiro

Malteiro has injected Mispadu’s DLL into a process.(Citation: SCILabs Malteiro 2021)
TA505

TA505 has been seen injecting a DLL into winword.exe.(Citation: IBM TA505 April 2020)

Контрмеры
Контрмера Описание
Behavior Prevention on Endpoint

Behavior Prevention on Endpoint refers to the use of technologies and strategies to detect and block potentially malicious activities by analyzing the behavior of processes, files, API calls, and other endpoint events. Rather than relying solely on known signatures, this approach leverages heuristics, machine learning, and real-time monitoring to identify anomalous patterns indicative of an attack. This mitigation can be implemented through the following measures: Suspicious Process Behavior: - Implementation: Use Endpoint Detection and Response (EDR) tools to monitor and block processes exhibiting unusual behavior, such as privilege escalation attempts. - Use Case: An attacker uses a known vulnerability to spawn a privileged process from a user-level application. The endpoint tool detects the abnormal parent-child process relationship and blocks the action. Unauthorized File Access: - Implementation: Leverage Data Loss Prevention (DLP) or endpoint tools to block processes attempting to access sensitive files without proper authorization. - Use Case: A process tries to read or modify a sensitive file located in a restricted directory, such as /etc/shadow on Linux or the SAM registry hive on Windows. The endpoint tool identifies this anomalous behavior and prevents it. Abnormal API Calls: - Implementation: Implement runtime analysis tools to monitor API calls and block those associated with malicious activities. - Use Case: A process dynamically injects itself into another process to hijack its execution. The endpoint detects the abnormal use of APIs like `OpenProcess` and `WriteProcessMemory` and terminates the offending process. Exploit Prevention: - Implementation: Use behavioral exploit prevention tools to detect and block exploits attempting to gain unauthorized access. - Use Case: A buffer overflow exploit is launched against a vulnerable application. The endpoint detects the anomalous memory write operation and halts the process.

Обнаружение

Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017) Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. Analyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior.

Ссылки

  1. BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022.
  2. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.
  3. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  4. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
  5. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved September 12, 2024.
  6. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  7. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
  8. Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019.
  9. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  10. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
  11. ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018.
  12. Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.
  13. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  14. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
  15. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.
  16. Horejsi, J., et al. (2018, March 14). Tropic Trooper’s New Strategy. Retrieved November 9, 2018.
  17. Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022.
  18. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  19. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  20. Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018.
  21. Reichel, D. (2021, February 19). IronNetInjector: Turla’s New Malware Loading Tool. Retrieved February 24, 2021.
  22. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  23. Red Teaming Experiments. (n.d.). Module Stomping for Shellcode Injection. Retrieved July 14, 2022.
  24. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
  25. Falcone, R. and Miller-Osborn, J.. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
  26. Perigaud, F. (2015, December 15). Newcomers in the Derusbi family. Retrieved September 12, 2024.
  27. Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020.
  28. Salvio, J.. (2014, June 27). New Banking Malware Uses Network Sniffing for Data Theft. Retrieved March 25, 2019.
  29. Desimone, J. (2017, June 13). Hunting in Memory. Retrieved December 7, 2017.
  30. Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020.
  31. Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014.
  32. Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.
  33. Kamble, V. (2022, June 28). Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem. Retrieved August 24, 2022.
  34. FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved September 19, 2024.
  35. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
  36. Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.
  37. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  38. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  39. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  40. CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020.
  41. Savelesky, K., et al. (2019, July 23). ABADBABE 8BADFOOD: Discovering BADHATCH and a Detailed Look at FIN8's Tooling. Retrieved September 8, 2021.
  42. Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022.
  43. FinFisher. (n.d.). Retrieved September 12, 2024.
  44. Aliz Hammond. (2019, August 15). Hiding Malicious Code with "Module Stomping": Part 1. Retrieved July 14, 2022.
  45. Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021.
  46. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
  47. Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021.
  48. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  49. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
  50. Camba, A. (2013, February 27). BKDR_RARSTONE: New RAT to Watch Out For. Retrieved January 8, 2016.
  51. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  52. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
  53. Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022.
  54. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
  55. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  56. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  57. Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.
  58. Blasco, J. (2011, December 12). Another Sykipot sample likely targeting US federal agencies. Retrieved March 28, 2016.
  59. Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools. Retrieved March 15, 2025.
  60. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  61. Matrosov, A., Rodionov, E., Volkov, D., Harley, D. (2012, March 2). Win32/Carberp When You’re in a Black Hole, Stop Digging. Retrieved July 15, 2020.
  62. US-CERT. (2018, July 20). Alert (TA18-201A) Emotet Malware. Retrieved March 25, 2019.
  63. Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.
  64. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021
  65. SCILabs. (2021, December 23). Cyber Threat Profile Malteiro. Retrieved March 13, 2024.
  66. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  67. Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 17, 2024.
  68. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
  69. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  70. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
  71. Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.
  72. Rochberger, L. (2021, January 12). Cybereason vs. Conti Ransomware. Retrieved February 17, 2021.
  73. Del Fierro, C. Kessem, L.. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021.
  74. ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. Retrieved July 3, 2018.
  75. Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved November 17, 2024.
  76. CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021.
  77. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  78. The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.
  79. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  80. Magius, J., et al. (2017, July 19). Koadic. Retrieved September 27, 2024.
  81. Rapid7. (2013, November 26). meterpreter/source/extensions/priv/server/elevate/. Retrieved July 8, 2018.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.