Classe: Backdoor
Os backdoors são projetados para permitir que usuários mal-intencionados controlem remotamente o computador infectado. Em termos de funcionalidade, os Backdoors são semelhantes a muitos sistemas de administração projetados e distribuídos por desenvolvedores de software. Esses tipos de programas mal-intencionados possibilitam fazer qualquer coisa que o autor queira no computador infectado: enviar e receber arquivos, iniciar ou excluir arquivos, exibir mensagens, excluir dados, reinicializar o computador etc. Os programas nessa categoria costumam ser usados a fim de unir um grupo de computadores da vítima e formar uma rede de botnets ou zumbis. Isso dá aos usuários mal-intencionados controle centralizado sobre um exército de computadores infectados que podem ser usados para fins criminosos. Há também um grupo de Backdoors que são capazes de se espalhar através de redes e infectar outros computadores como os Net-Worms. A diferença é que tais Backdoors não se propagam automaticamente (como fazem os Net-Worms), mas apenas com um “comando” especial do usuário mal-intencionado que os controla.Plataforma: MSIL
O Common Intermediate Language (anteriormente conhecido como Microsoft Intermediate Language ou MSIL) é uma linguagem intermediária desenvolvida pela Microsoft para o .NET Framework. O código CIL é gerado por todos os compiladores Microsoft .NET no Microsoft Visual Studio (Visual Basic .NET, Visual C ++, Visual C # e outros).Família: Backdoor.MSIL.XWorm
No family descriptionExamples
890ED27E6DF90B2B2713742DEE373D91Tactics and Techniques: Mitre*
TA0004
Privilege Escalation
The adversary is trying to gain higher-level permissions. Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include: SYSTEM/root level, local administrator, user account with admin-like access, user accounts with access to specific system or perform specific function. These techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context.
T1055.004
Asynchronous Procedure Call
Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process.
TA0005
Defense Evasion
The adversary is trying to avoid being detected. Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics' techniques are cross-listed here when those techniques include the added benefit of subverting defenses.
T1055.004
Asynchronous Procedure Call
Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process.
T1055.012
Process Hollowing
Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.
TA0011
Command and Control
The adversary is trying to communicate with compromised systems to control them. Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim's network structure and defenses.
T1095
Non-Application Layer Protocol
Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive. Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
* © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.