| ID | C0008 |
|---|---|
| Objective(s) | Memory |
| Related ATT&CK Techniques | None |
| Version | 2.0 |
| Created | 2 August 2022 |
| Last Modified | 21 November 2022 |

Malware may change memory protection. For example, read-write memory may be changed to read-execute. Changing memory protection may enable exploits (e.g., bypass Data Execution Prevention).

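
A defender-side illustration of the behavior described above, added here and not part of the catalog entry: it scans a log of page-protection changes for the read-write to read-execute transition, for pages left writable and executable at once, and for the open-for-write-then-restore pattern noted for Ursnif. The trace format (`pid base old_protect new_protect`) and the sample lines are constructed assumptions; the protection values are the Windows `PAGE_*` constants.

```python
# Windows page-protection constants (values from winnt.h).
PAGE_READONLY, PAGE_READWRITE, PAGE_WRITECOPY = 0x02, 0x04, 0x08
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80

WRITABLE = PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
EXECUTABLE = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

# Constructed sample trace (assumed format): "pid base old_protect new_protect".
SAMPLE_TRACE = """\
1200 0x7ff600000000 0x02 0x04
1200 0x7ff600000000 0x04 0x02
1200 0x1a000000000 0x04 0x20
1344 0x500000 0x04 0x40
1344 0x600000 0x02 0x02
"""

def analyze(trace):
    """Return sorted (pid, base, finding) tuples for protection changes worth triage."""
    findings = set()
    was_writable = set()  # regions that have been writable at some point
    opened = set()        # regions switched from non-writable to writable
    for line in trace.splitlines():
        if not line.strip():
            continue
        pid, base, old, new = line.split()
        key = (int(pid), int(base, 16))
        # Keep only the base protection; drop modifier bits such as PAGE_GUARD.
        old, new = int(old, 16) & 0xFF, int(new, 16) & 0xFF
        if old & WRITABLE:
            was_writable.add(key)
        if new & WRITABLE and new & EXECUTABLE:
            findings.add(key + ("writable+executable",))
        elif new & EXECUTABLE and key in was_writable:
            findings.add(key + ("writable->executable",))
        if new & WRITABLE:
            if not old & WRITABLE:
                opened.add(key)
            was_writable.add(key)
        elif key in opened:
            # Write access was granted and then removed again.
            findings.add(key + ("transient write window",))
            opened.discard(key)
    return sorted(findings)
```
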

| Name | ID | Description |
|---|---|---|
| Executable Heap | C0008.002 | The heap is made executable. |
| Executable Stack | C0008.001 | The stack is made executable. |


| Name | Date | Method | Description |
|---|---|---|---|
| Ursnif | 2016 | -- | Changes the PE header of the child process to enable write access to that page, writes 18 bytes of buffer at offset 0x40 from the start of svchost.exe process executable in the target child process. Then changes the region protection back to "read only" to avoid suspicion [1] |
| SYNfulKnock | 2015 | -- | Modifies the translation lookaside buffer (TLB) Read/Write attributes [2] |

[1] https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html
[2] https://www.mandiant.com/resources/synful-knock-acis