Techniques

Write attacker-controlled executable code into the address space of a running process not owned by the attacker.

Write a DLL or shellcode into a target process's address space and execute it by spawning a remote thread via CreateRemoteThread.

Write shellcode into a target process's address space and execute it by queueing an Asynchronous Procedure Call to an alertable thread via QueueUserAPC.

Create a new process in suspended state, unmap its legitimate image via NtUnmapViewOfSection, write attacker code into the vacated address space, and resume execution.

Read attacker-relevant data from an organisational information repository not intended for the attacker's use.

Read credential material from the memory segment of the Local Security Authority Subsystem Service (LSASS) process.

Create or modify a Windows registry autostart key to cause attacker-controlled code to execute at boot or logon.

Modify properties of an existing user account to maintain access or escalate privilege.

Create a scheduled job entry that causes attacker-controlled code to execute at a specified time or interval.

Transfer an attacker-controlled file from an external source to a target system under attacker control.

Transmit command-and-control communications over a standard application layer protocol to blend with legitimate traffic.

Exploit a vulnerability in a public-facing application to cause it to execute attacker-controlled code or expose data beyond its intended scope.

Invoke a Windows elevation mechanism through a method that bypasses User Account Control consent prompts to gain elevated privilege without user interaction.