Kaspersky Threats — not-a-virus:RiskTool.Win32.Chinst.ao

Kategorie: RiskTool

Programme in dieser Kategorie haben eine Reihe von Funktionen (z. B. das Verbergen von Dateien im System, das Verstecken von Windows, in denen Anwendungen ausgeführt werden, das Beenden aktiver Prozesse usw.), die mit böswilliger Absicht verwendet werden können. Sie sind an sich nicht bösartig.

Im Gegensatz zu Programmen, die als NetTool klassifiziert sind, sind RiskTool-Programme für den Betrieb auf dem lokalen Computer ausgelegt.

Wenn ein Benutzer ein solches Programm auf seinem Computer installiert hat oder wenn es von einem Systemadministrator installiert wurde, stellt es keine Bedrohung dar.

Mehr Informationen

Plattform: Win32

Win32 ist eine API auf Windows NT-basierten Betriebssystemen (Windows XP, Windows 7 usw.), die die Ausführung von 32-Bit-Anwendungen unterstützt. Eine der am weitesten verbreiteten Programmierplattformen der Welt.

Familie: RiskTool.Win32.Chinst

No family description

Examples

598CD97B9AA6C779226F98353F4A0CD2

Tactics and Techniques: Mitre*

TA0004

Privilege Escalation

The adversary is trying to gain higher-level permissions. Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include: SYSTEM/root level, local administrator, user account with admin-like access, user accounts with access to specific system or perform specific function. These techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context.

T1134

Access Token Manipulation

Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.

TA0005

Defense Evasion

The adversary is trying to avoid being detected. Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics' techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

T1134

Access Token Manipulation

TA0007

Discovery

The adversary is trying to figure out your environment. Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what's around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.

T1012

Query Registry

Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.