Třída: Backdoor
Zadní stěny jsou navrženy tak, aby poskytovaly škodlivým uživatelům vzdálený přístup k infikovanému počítači. Pokud jde o funkčnost, Backdoors jsou podobné mnoha administrativním systémům navrženým a distribuovaným vývojáři softwaru.Tyto typy škodlivých programů umožňují dělat cokoliv, co autor chce na napadeném počítači: odesílat a přijímat soubory, spouštět soubory nebo je smazat, zobrazovat zprávy, mazat data, restartovat počítač atd.
Programy v této kategorii se často používají k sjednocení skupiny obětí počítačů a vytvoření sítě botnet nebo zombie. To dává zlomyslným uživatelům centralizovanou kontrolu nad armádou infikovaných počítačů, které pak mohou být použity pro kriminální účely.
Existuje také skupina Backdoors, která je schopna šíření prostřednictvím sítí a infikování jiných počítačů jako Net-Worms. Rozdíl je v tom, že takové Backdoors se nerozšířují automaticky (jak to dělá Net-Worms), ale pouze na speciální "příkaz" od škodlivého uživatele, který je ovládá.
Platfoma: MSIL
Společný středně pokročilý jazyk (dříve známý jako Microsoft Intermediate Language nebo MSIL) je pokročilý jazyk vyvinutý společností Microsoft pro rozhraní .NET Framework. Kód CIL je generován všemi kompilátory Microsoft .NET v aplikaci Microsoft Visual Studio (Visual Basic .NET, Visual C ++, Visual C # a další).Family: Backdoor.MSIL.Agent
No family descriptionExamples
BA134B15C2732F4107AD7FB3984665A0Tactics and Techniques: Mitre*
TA0004
Privilege Escalation
The adversary is trying to gain higher-level permissions. Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include: SYSTEM/root level, local administrator, user account with admin-like access, user accounts with access to specific system or perform specific function. These techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context.
T1134
Access Token Manipulation
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
TA0005
Defense Evasion
The adversary is trying to avoid being detected.
Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.
Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.
T1036.004
Masquerading: Masquerade Task or Service
Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.(Citation: TechNet Schtasks)(Citation: Systemd Service Units) Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.
Tasks or services contain other fields, such as a description, that adversaries may attempt to make appear legitimate.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Fysbis Dr Web Analysis)
Tasks or services contain other fields, such as a description, that adversaries may attempt to make appear legitimate.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Fysbis Dr Web Analysis)
T1070.004
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in Command and Scripting Interpreter functions include
There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in Command and Scripting Interpreter functions include
del on Windows and rm or unlink on Linux and macOS. T1134
Access Token Manipulation
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
T1564.001
Hidden Files and Directories
Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (
dir /a for Windows and ls –a for Linux and macOS). * © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.