is a minimal program designed to exploit a vulnerability in the OS or in a legitimate app to gain privileges, or to drop a backdoor on the host if run as a Trojan. It will usually be followed by some type of network connection to download additional tools.

Credential dumping
Malware might try to access the credentials file (the SAM database on a local Windows workstation) or sniff credentials held in memory by the lsass.exe system process.
A DCSync attack attempts to trick a domain controller into replicating its user list, along with their credentials, to a rogue host.

Pivoting / lateral movement / insider attack
The general procedure is to use the foothold to execute a process remotely on another host.

Persistence
A mechanism that allows the threat actor's backdoor to restart if the host reboots or the user logs off.
Methods:
- using AutoRun keys in the registry
- adding a scheduled task
- using Windows Management Instrumentation (WMI) event subscriptions
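The three persistence methods above are exactly what a defender hunts for on an endpoint. The following is an added example (not part of the original notes) that runs constructed host telemetry through a small classifier: registry writes under an AutoRun key, a `schtasks /create` command line, and a WMI filter-to-consumer binding are each mapped back to the method named in the notes, and any target that lives in a user-writable location is flagged for review. The event format (simplified dicts with `type`, `key`, `data`, `command_line`, `consumer_command` fields) is a hypothetical stand-in for what an endpoint agent such as Sysmon would record; the sample events are constructed, not real logs.

```python
"""Classify constructed endpoint telemetry into the persistence methods from the notes.

Assumption (not from the original notes): events arrive as simplified dicts
loosely modelled on Sysmon-style registry, process-creation and WMI records.
The field names used here are hypothetical.
"""
import re

# Registry locations that act as AutoRun keys (Run / RunOnce under HKLM, HKCU or HKU).
AUTORUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)(\\|$)", re.IGNORECASE
)
# "schtasks /create" is the command-line route to adding a scheduled task.
SCHTASKS_CREATE_RE = re.compile(r"schtasks(\.exe)?\s+/create", re.IGNORECASE)
# Directories any user can write to; a persistence entry pointing here deserves
# a closer look than one pointing under Program Files.
USER_WRITABLE_RE = re.compile(
    r"\\(Users\\[^\\]+\\AppData|Temp|ProgramData)\\", re.IGNORECASE
)


def classify_persistence(event):
    """Return (method, target) when the event matches one of the notes' methods, else None."""
    kind = event.get("type")
    if kind == "registry_set" and AUTORUN_KEY_RE.search(event.get("key", "")):
        # The value data of a Run key is the program that restarts at logon.
        return ("autorun_key", event.get("data", ""))
    if kind == "process_create":
        cmd = event.get("command_line", "")
        if SCHTASKS_CREATE_RE.search(cmd):
            # /tr carries the task action; fall back to the whole line if absent.
            m = re.search(r'/tr\s+"?([^"]+?)"?(\s+/|$)', cmd, re.IGNORECASE)
            return ("scheduled_task", m.group(1) if m else cmd)
    if kind == "wmi_binding":
        # A filter-to-consumer binding runs the consumer command when the filter fires.
        return ("wmi_event_subscription", event.get("consumer_command", ""))
    return None


def audit_events(events):
    """Classify every event and flag targets that live in user-writable locations."""
    findings = []
    for ev in events:
        hit = classify_persistence(ev)
        if hit is None:
            continue
        method, target = hit
        findings.append({
            "host": ev.get("host"),
            "method": method,
            "target": target,
            "suspicious": bool(USER_WRITABLE_RE.search(target)),
        })
    return findings


# Constructed sample telemetry (hypothetical hosts and paths, not real logs).
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "registry_set",
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r"C:\Users\alice\AppData\Roaming\svc\updater.exe"},
    {"host": "ws01", "type": "registry_set",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "data": r"C:\Program Files\Vendor\tray.exe"},
    {"host": "ws02", "type": "process_create",
     "command_line": r'schtasks.exe /create /tn "Sync" /tr "C:\ProgramData\sync\s.exe" /sc onlogon'},
    {"host": "ws02", "type": "process_create",
     "command_line": r"notepad.exe notes.txt"},
    {"host": "srv01", "type": "wmi_binding",
     "filter": "SELECT * FROM __InstanceModificationEvent WITHIN 60",
     "consumer_command": r"C:\Windows\Temp\helper.exe"},
    {"host": "ws03", "type": "registry_set",
     "key": r"HKCU\Software\Vendor\Editor\Options", "data": "1"},
]

if __name__ == "__main__":
    for finding in audit_events(SAMPLE_EVENTS):
        print(finding)
```

Run as a script, it prints four findings: the AppData Run key, the ProgramData scheduled task and the Temp-based WMI consumer are flagged, while the Program Files Run key is recorded but not flagged. Ordinary registry and process activity produces nothing. The location heuristic is deliberately crude; in practice it would be combined with signer checks and a baseline of known-good entries per host.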