sality | b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 1 IoCs

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe

Windows security bypass 2 TTPs 6 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3184-133-0x0000000002410000-0x000000000349E000-memory.dmp	upx
behavioral2/memory/3184-135-0x0000000002410000-0x000000000349E000-memory.dmp	upx
behavioral2/memory/3184-137-0x0000000002410000-0x000000000349E000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
Token: SeDebugPrivilege	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3184 wrote to memory of 812	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe	9
PID 3184 wrote to memory of 820	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe	10
PID 3184 wrote to memory of 336	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe	13
PID 3184 wrote to memory of 2472	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe	55
PID 3184 wrote to memory of 2480	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe	54
PID 3184 wrote to memory of 2568	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe	17
PID 3184 wrote to memory of 2532	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe	49
PID 3184 wrote to memory of 1072	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe	48
PID 3184 wrote to memory of 3268	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe	47
PID 3184 wrote to memory of 3372	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe	21
PID 3184 wrote to memory of 3440	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe	22
PID 3184 wrote to memory of 3520	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe	46
PID 3184 wrote to memory of 3776	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe	45
PID 3184 wrote to memory of 4852	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe	42
PID 3184 wrote to memory of 5088	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe	28
PID 3184 wrote to memory of 1908	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe	26
PID 3184 wrote to memory of 2324	3184	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe	83

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:812

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:820

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:336

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2568

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3372

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3440

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:1908

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:5088

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4852

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3776

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3520

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:1072

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2532
- C:\Users\Admin\AppData\Local\Temp\b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe
  "C:\Users\Admin\AppData\Local\Temp\b9c07a95c693fb2c88f422d4d3d406c4d4fc090d0a513b4226b36f51ea8e3b7f.exe"
  2⤵
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2480

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2472

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Modify Existing Service

T1031

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry