View MITRE ATT&CK™ matrix (technique) detection results

High-risk behaviors (2)

Sensitive system operations
Attempted to create or modify system certificates
ATT&CK ID: T1130 (as displayed in the MITRE ATT&CK™ matrix)
Type      Key
registry  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\A5807E3AF3D13CD50543F07E06193B38CF11239A\Blob
registry  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\54D4B1F9710D36D742826C8F0BB290F1705265FC\Blob
registry  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A5807E3AF3D13CD50543F07E06193B38CF11239A\Blob
registry  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AA3CFBFCBE04A2746D14E88970A561C694A3D91E\Blob
registry  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates\1D3198CC261B592E4D5B9E488849269A937B07F6\Blob
registry  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\54D4B1F9710D36D742826C8F0BB290F1705265FC\Blob
registry  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\AA3CFBFCBE04A2746D14E88970A561C694A3D91E\Blob
registry  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A5807E3AF3D13CD50543F07E06193B38CF11239A\Blob
registry  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\AA3CFBFCBE04A2746D14E88970A561C694A3D91E\Blob
registry  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\54D4B1F9710D36D742826C8F0BB290F1705265FC\Blob
registry  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\1D3198CC261B592E4D5B9E488849269A937B07F6\Blob
Inserts a function into a thread's APC queue; commonly used for thread injection

Suspicious behaviors (8)

Anti-detection techniques
Checks the system memory size, possibly to determine whether it is running in a virtual machine
Checks adapter addresses; can be used to detect virtual network interfaces

Time                 API                   Arguments               Status  Return
2020-08-04 22:01:39  GetAdaptersAddresses  flags: 1158, family: 0  1       0
Anti-reverse-engineering
Attempted to slow down the analysis task
网站服务器爆破工具.exe: tried to sleep 922337203805 seconds, actually delayed analysis time by 0 seconds

Checks whether it is being debugged

Time                 API                Arguments  Status  Return
2020-08-04 22:01:36  IsDebuggerPresent  -          0       0
2020-08-04 22:01:36  IsDebuggerPresent  -          0       0
Creates a memory page with the PAGE_GUARD attribute, commonly used for anti-reversing and anti-debugging

Arguments common to every call below: process_identifier: 3532, region_size: 8192, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, protection: 260, process_handle: 0xffffffff, allocation_type: 4096

Time                 API                      base_address  Status  Return
2020-08-04 22:01:36  NtAllocateVirtualMemory  0x0019d000    1       0
2020-08-04 22:01:36  NtAllocateVirtualMemory  0x0019d000    1       0
2020-08-04 22:01:36  NtAllocateVirtualMemory  0x0172d000    1       0
2020-08-04 22:01:36  NtAllocateVirtualMemory  0x015ed000    1       0
2020-08-04 22:01:39  NtAllocateVirtualMemory  0x03ded000    1       0
2020-08-04 22:01:41  NtAllocateVirtualMemory  0x0494d000    1       0
2020-08-04 22:01:41  NtAllocateVirtualMemory  0x04dcd000    1       0
2020-08-04 22:01:42  NtAllocateVirtualMemory  0x04f0d000    1       0
Network-related
Opens a port and listens; commonly used by backdoor programs

Time                 API     Arguments                                    Status  Return
2020-08-04 22:01:39  bind    ip_address: 127.0.0.1, socket: 644, port: 0  1       0
2020-08-04 22:01:39  listen  socket: 644, backlog: 2147483647             1       0
2020-08-04 22:01:39  accept  ip_address: 127.0.0.1, socket: 644, port: 0  0       4294967295
Opens a port and listens

Time                 API     Arguments                                    Status  Return
2020-08-04 22:01:39  bind    ip_address: 127.0.0.1, socket: 644, port: 0  1       0
2020-08-04 22:01:39  listen  socket: 644, backlog: 2147483647             1       0
Sensitive system operations
Checks whether a unique identifier (LUID) on the system corresponds to a suspicious privilege

Time                 API                    Arguments                                               Status  Return
2020-08-04 22:01:39  LookupPrivilegeValueW  system_name: (empty), privilege_name: SeDebugPrivilege  1       1
2020-08-04 22:01:39  LookupPrivilegeValueW  system_name: (empty), privilege_name: SeDebugPrivilege  1       1
Low-risk behaviors (2)

System environment probing
Gets system information
Reads the computer name