Typical behaviours

  • Malware tends to establish either external or internal network connections. External connections give the operator remote access or a channel for downloading staged payloads from the threat actor's infrastructure. Internal connections enable lateral movement, a technique used to extend access to other hosts or applications within the network.

  • Windows malware typically uses registry keys to establish persistence, a technique adversaries use to discreetly maintain long-term access to a system despite disruptions such as reboots. A good example is Registry Run Keys, which cause a binary to be executed automatically when a user logs in or the machine boots.

  • Malware also tends to download files (one of the common reasons for establishing network connections) or create new files that it needs for successful execution.
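As an added defender-side illustration of the Run-key persistence described in the second point (not code from the original page), the script below parses a `reg export`-style dump, collects every value under a `Run`/`RunOnce` key, and flags entries whose command line points into a user-writable directory, which is where dropped files typically end up. The registry text and all paths in it are constructed for the example.

```python
import re

# Constructed sample of a `reg export`-style dump; the paths and names are made up.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\svc\\update.exe -s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="rundll32.exe C:\\Users\\Public\\tmp\\x.dll,Start"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"Unrelated"="1"
'''

AUTORUN_KEY = re.compile(r'\\CurrentVersion\\Run(Once)?$', re.IGNORECASE)
KEY_LINE = re.compile(r'^\[(.+)\]$')
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')

# Directories a standard user can write to; legitimate software rarely autoruns from here.
USER_WRITABLE = ('\\appdata\\', '\\temp\\', '\\users\\public\\', '\\downloads\\')


def parse_autoruns(reg_text):
    """Return (key, value_name, command) for every value under a Run/RunOnce key."""
    entries, in_autorun, key = [], False, None
    for line in reg_text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            in_autorun = bool(AUTORUN_KEY.search(key))
            continue
        m = VALUE_LINE.match(line)
        if in_autorun and m:
            # .reg files escape backslashes and quotes with a backslash; undo that.
            command = re.sub(r'\\(.)', r'\1', m.group(2))
            entries.append((key, m.group(1), command))
    return entries


def flag_user_writable(entries):
    """Names of autorun entries whose command line references a user-writable directory."""
    return [name for _, name, cmd in entries
            if any(marker in cmd.lower() for marker in USER_WRITABLE)]


if __name__ == '__main__':
    found = parse_autoruns(SAMPLE_REG_EXPORT)
    for key, name, cmd in found:
        print(f'{key}\\{name}: {cmd}')
    print('review:', flag_user_writable(found))
```

On a real host the same functions can be pointed at the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (saved as UTF-8); the path list is a triage heuristic, not a verdict.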