クラス: Backdoor
バックドアは、悪意のあるユーザーが感染したコンピュータをリモートコントロールできるように設計されています。機能性の面では、バックドアはソフトウェア開発者が設計し配布する多くの管理システムに似ています。これらの種類の悪質なプログラムは、ファイルの送受信、ファイルの起動や削除、メッセージの表示、データの削除、コンピュータの再起動など、感染したコンピュータ上で必要な作業を可能にします。このカテゴリのプログラムは、被害者のコンピュータのグループを結びつけ、ボットネットまたはゾンビネットワークを形成するためです。これにより、悪意のあるユーザーは感染したコンピュータの軍隊を集中管理し、犯罪目的で使用することができます。 Net-Wormのように、ネットワークを介して拡散して他のコンピュータに感染することができるバックドアのグループもあります。違いは、このようなBackdoorは(Net-Wormのように)自動的に広がるのではなく、それらを制御する悪意のあるユーザーからの特別な「コマンド」に限られるということです。プラットフォーム: Win32
Win32は、32ビットアプリケーションの実行をサポートするWindows NTベースのオペレーティングシステム(Windows XP、Windows 7など)上のAPIです。世界で最も広く普及しているプログラミングプラットフォームの1つです。ファミリー: Backdoor.Win32.Saklof
No family descriptionExamples
A12421A5A3E1D48DF77DFA079396976AF900972FF35634AF130271B43CFA4557
885D5428C68BAFD80389F683F8835FBC
C285B912B7C3410A19260AB455FF287E
4027C925302862785454696093562562
Tactics and Techniques: Mitre*
TA0005
Defense Evasion
The adversary is trying to avoid being detected.
Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.
Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.
T1070.004
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in Command and Scripting Interpreter functions include
There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in Command and Scripting Interpreter functions include
del on Windows and rm or unlink on Linux and macOS. TA0007
Discovery
The adversary is trying to figure out your environment.
Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.
Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.
T1018
Remote System Discovery
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or
Adversaries may also analyze data from local host files (ex:
Adversaries may also target discovery of network infrastructure as well as leverage Network Device CLI commands on network devices to gather detailed information about systems within a network (e.g.
net view using Net.Adversaries may also analyze data from local host files (ex:
C:\Windows\System32\Drivers\etc\hosts or /etc/hosts) or other passive means (such as local Arp cache entries) in order to discover the presence of remote systems in an environment.Adversaries may also target discovery of network infrastructure as well as leverage Network Device CLI commands on network devices to gather detailed information about systems within a network (e.g.
show cdp neighbors, show arp).(Citation: US-CERT-TA18-106A)(Citation: CISA AR21-126A FIVEHANDS May 2021) * © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.