#Malware Theory #Initial Access

Malware Initial Access

Malware initial access usually consists of a series of steps that deliver malicious code to the victim's device and execute it. These steps are:

  1. Delivery - providing a link or attachment to a seemingly harmless file via email or another messaging channel. A popular method lately is to additionally "hide" the actual file using HTML smuggling, or to "hide" the actual link inside a PDF file, all in order to stay under the radar of spam filters.
  2. Container - the file downloaded from the link is nowadays most often some sort of container for further files, such as a 7z archive or an ISO image. This step was forced by the introduction of Mark-of-the-Web protection in Windows.
  3. Executable - at the end there is an executable file. It could be an .exe file with malicious code, but Office macros are still popular, and there are a variety of little-known executable formats. This file either executes the malicious payload directly or downloads a file that will execute it.

Considering the subsequent layers, this can be represented as follows:

DELIVERY ( CONTAINER ( EXECUTABLE ( PAYLOAD )))

This is, of course, a simplified scheme: in practice there can be many more transitions and combinations of these layers, intended to confuse defenses.
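As an added illustration of the layered scheme (not code from the original page), the following Python inspector peels zip container layers off a constructed sample attachment and reports at which depth the executable layer sits. The sample files, the function names and the extension lists are assumptions made for this example; 7z and ISO layers are classified but not opened, since that would need extra libraries.

```python
import io
import zipfile

# Extensions this example treats as the "executable" layer (PE, scripts, shortcuts, macro docs).
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".js", ".vbs", ".lnk", ".hta", ".docm", ".xlsm"}
# Container types from the page; only zip is actually opened here.
CONTAINER_EXTS = {".zip", ".7z", ".iso", ".img"}
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # skip oversized members (zip-bomb guard)

def classify(name: str, data: bytes) -> str:
    """Classify a blob by magic bytes first, falling back to the file extension."""
    if data[:4] == b"PK\x03\x04":
        return "container:zip"
    if data[:2] == b"MZ":
        return "executable:pe"
    lower = name.lower()
    ext = lower[lower.rfind("."):] if "." in lower else ""
    if ext in EXECUTABLE_EXTS:
        return "executable:" + ext[1:]
    if ext in CONTAINER_EXTS:
        return "container:" + ext[1:]
    return "other"

def walk_layers(name: str, data: bytes, depth: int = 0, max_depth: int = 5) -> list:
    """Return (depth, name, kind) for the blob and for everything nested inside zip layers."""
    kind = classify(name, data)
    layers = [(depth, name, kind)]
    if kind == "container:zip" and depth < max_depth:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                    continue
                layers.extend(walk_layers(info.filename, zf.read(info), depth + 1, max_depth))
    return layers

def executables(layers: list) -> list:
    """Names of every executable-layer member found, deepest first."""
    return [n for d, n, k in sorted(layers, reverse=True) if k.startswith("executable:")]

def build_sample() -> bytes:
    """Constructed sample: zip -> zip -> fake PE (MZ header only), plus a decoy PDF."""
    def zip_of(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for member_name, member_data in entries:
                zf.writestr(member_name, member_data)
        return buf.getvalue()
    inner = zip_of([("invoice.exe", b"MZ" + b"\x00" * 62), ("readme.txt", b"open the invoice")])
    return zip_of([("invoice.zip", inner), ("cover.pdf", b"%PDF-1.4 decoy")])
```

Running `walk_layers("attachment.zip", build_sample())` yields one tuple per layer, which maps directly onto the CONTAINER ( CONTAINER ( EXECUTABLE ) ) notation above.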
