Milleniumrat
Last 7 days
- SHAs: 1
- C2 Total: 1
- C2 Unique: 1
- C2 New: 1
| Date | SHAs | C2 Total | C2 Unique | C2 New |
|---|---|---|---|---|
| Mar 1, 2026 | 1 | 1 | 1 | 1 |
Behavioral Tags
MITRE ATT&CK Techniques
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Adversaries may abuse PowerShell commands and scripts for execution.
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system.
Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution.
An adversary may gather the system time and/or time zone settings from a local or remote system.
Adversaries may enumerate information about browsers to learn more about compromised environments.
Adversaries may stop or disable services on a system to render those services unavailable to legitimate users.
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence.
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts.
Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.
Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities.
Adversaries may set files and directories to be hidden to evade detection mechanisms.
Adversaries may abuse the Windows service control manager to execute malicious commands or payloads.
Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host.