Clase: Backdoor
Las puertas traseras están diseñadas para dar a los usuarios maliciosos el control remoto de una computadora infectada. En términos de funcionalidad, las puertas traseras son similares a muchos sistemas de administración diseñados y distribuidos por los desarrolladores de software. Estos tipos de programas maliciosos hacen posible hacer todo lo que el autor desee en la computadora infectada: enviar y recibir archivos, iniciar archivos o eliminarlos, mostrar mensajes, eliminar datos, reiniciar la computadora, etc. Los programas de esta categoría se utilizan a menudo para unir un grupo de computadoras de víctimas y formar una red zombi o botnet. Esto le da a los usuarios maliciosos control centralizado sobre un ejército de computadoras infectadas que luego pueden ser utilizadas con fines delictivos. También hay un grupo de puertas traseras que son capaces de propagarse a través de redes e infectar a otras computadoras como Net-Worms. La diferencia es que tales Backdoors no se propagan automáticamente (como Net-Worms), sino solo con un "comando" especial del usuario malintencionado que los controla.Más información
Plataforma: MSIL
El lenguaje intermedio común (anteriormente conocido como Microsoft Intermediate Language o MSIL) es un lenguaje intermedio desarrollado por Microsoft para .NET Framework. El código CIL es generado por todos los compiladores de Microsoft .NET en Microsoft Visual Studio (Visual Basic .NET, Visual C ++, Visual C # y otros).Familia: Backdoor.MSIL.XWorm
No family descriptionExamples
2D9CBEE42B539BF80367B969B4E909F4Tactics and Techniques: Mitre*
TA0002
Execution
The adversary is trying to run malicious code. Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.
T1059.001
PowerShell
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the
Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems). TA0005
Defense Evasion
The adversary is trying to avoid being detected. Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics' techniques are cross-listed here when those techniques include the added benefit of subverting defenses.
T1497.001
System Checks
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.
T1562.001
Disable or Modify Tools
Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
TA0007
Discovery
The adversary is trying to figure out your environment. Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what's around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.
T1497.001
System Checks
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.
* © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.