HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept
[
{
"url": "https://unprotect.it/api/featured_api/1/?format=api",
"library": {
"id": 1,
"name": "Kernel32.dll",
"description": ""
},
"name": "CreateRemoteThread",
"ref_link": "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createremotethread?WT.mc_id=SEC-MVP-5005282",
"from_msdn": true,
"caution_level": "high",
"description": "CreateRemoteThread is a Windows API function that allows a program to create a new thread in the address space of another process. This can be used for a variety of purposes, both legitimate and malicious.\r\n\r\nBad actors may use CreateRemoteThread to inject malicious code into a legitimate process, allowing them to evade detection and persist on a system. For example, malware that uses CreateRemoteThread to inject itself into a system process such as explorer.exe or svchost.exe would be able to run with the same permissions as the host process, making it more difficult to detect and remove.\r\n\r\nAnother example is that attackers can use CreateRemoteThread to inject a DLL into a running process, which will execute the malicious code inside the process with the same privilege level as the process itself; this can be used to perform various malicious activities such as keylogging, privilege escalation, or downloading additional malware.\r\n\r\nIt is important to note that CreateRemoteThread can be used for legitimate purposes as well, such as for debugging or for inter-process communication. However, it can also be abused by attackers to compromise a system.",
"featured_in": [
{
"id": 93,
"name": "DLL Injection via CreateRemoteThread and LoadLibrary",
"url": "https://unprotect.it/technique/dll-injection-via-createremotethread-and-loadlibrary/"
},
{
"id": 118,
"name": "PE Injection",
"url": "https://unprotect.it/technique/pe-injection/"
},
{
"id": 167,
"name": "File Melt",
"url": "https://unprotect.it/technique/file-melt/"
},
{
"id": 178,
"name": "ProcEnvInjection - Remote code injection by abusing process environment strings",
"url": "https://unprotect.it/technique/procenvinjection-remote-code-injection-by-abusing-process-environment-strings/"
},
{
"id": 208,
"name": "NLS Code Injection Through Registry",
"url": "https://unprotect.it/technique/nls-code-injection-through-registry/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/3/?format=api",
"library": {
"id": 1,
"name": "Kernel32.dll",
"description": ""
},
"name": "VirtualAlloc",
"ref_link": "https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc?WT.mc_id=SEC-MVP-5005282",
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 56,
"name": "NtQueryObject",
"url": "https://unprotect.it/technique/ntqueryobject/"
},
{
"id": 88,
"name": "Process Hollowing, RunPE",
"url": "https://unprotect.it/technique/process-hollowing-runpe/"
},
{
"id": 93,
"name": "DLL Injection via CreateRemoteThread and LoadLibrary",
"url": "https://unprotect.it/technique/dll-injection-via-createremotethread-and-loadlibrary/"
},
{
"id": 108,
"name": "Guard Pages",
"url": "https://unprotect.it/technique/guard-pages/"
},
{
"id": 110,
"name": "Reflective DLL injection",
"url": "https://unprotect.it/technique/reflective-dll-injection/"
},
{
"id": 113,
"name": "APC injection",
"url": "https://unprotect.it/technique/apc-injection/"
},
{
"id": 115,
"name": "Extra Window Memory Injection",
"url": "https://unprotect.it/technique/extra-window-memory-injection/"
},
{
"id": 118,
"name": "PE Injection",
"url": "https://unprotect.it/technique/pe-injection/"
},
{
"id": 125,
"name": "NOP Sled",
"url": "https://unprotect.it/technique/nop-sled/"
},
{
"id": 153,
"name": "ConsoleWindowClass",
"url": "https://unprotect.it/technique/consolewindowclass/"
},
{
"id": 154,
"name": "Treepoline",
"url": "https://unprotect.it/technique/treepoline/"
},
{
"id": 155,
"name": "Listplanting",
"url": "https://unprotect.it/technique/listplanting/"
},
{
"id": 156,
"name": "OLEUM",
"url": "https://unprotect.it/technique/oleum/"
},
{
"id": 157,
"name": "EditWordBreakProc",
"url": "https://unprotect.it/technique/editwordbreakproc/"
},
{
"id": 158,
"name": "WordWarping",
"url": "https://unprotect.it/technique/wordwarping/"
},
{
"id": 160,
"name": "CLIPBRDWNDCLASS",
"url": "https://unprotect.it/technique/clipbrdwndclass/"
},
{
"id": 161,
"name": "DNS API Injection",
"url": "https://unprotect.it/technique/dns-api-injection/"
},
{
"id": 162,
"name": "Breaking BaDDEr",
"url": "https://unprotect.it/technique/breaking-badder/"
},
{
"id": 167,
"name": "File Melt",
"url": "https://unprotect.it/technique/file-melt/"
},
{
"id": 173,
"name": "Access Token Manipulation: Parent PID Spoofing",
"url": "https://unprotect.it/technique/access-token-manipulation-parent-pid-spoofing/"
},
{
"id": 178,
"name": "ProcEnvInjection - Remote code injection by abusing process environment strings",
"url": "https://unprotect.it/technique/procenvinjection-remote-code-injection-by-abusing-process-environment-strings/"
},
{
"id": 181,
"name": "Shellcode Injection via CreateThreadpoolWait",
"url": "https://unprotect.it/technique/shellcode-injection-via-createthreadpoolwait/"
},
{
"id": 208,
"name": "NLS Code Injection Through Registry",
"url": "https://unprotect.it/technique/nls-code-injection-through-registry/"
},
{
"id": 221,
"name": "Tamper DLL Export Names & GetProcAddress Spoofing",
"url": "https://unprotect.it/technique/tamper-dll-export-names-getprocaddress-spoofing/"
},
{
"id": 223,
"name": "Dirty Vanity",
"url": "https://unprotect.it/technique/dirty-vanity/"
},
{
"id": 359,
"name": "FuncIn",
"url": "https://unprotect.it/technique/funcin/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/4/?format=api",
"library": {
"id": 1,
"name": "Kernel32.dll",
"description": ""
},
"name": "VirtualAllocEx",
"ref_link": "https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualallocex?WT.mc_id=SEC-MVP-5005282",
"from_msdn": true,
"caution_level": "high",
"description": "",
"featured_in": [
{
"id": 88,
"name": "Process Hollowing, RunPE",
"url": "https://unprotect.it/technique/process-hollowing-runpe/"
},
{
"id": 93,
"name": "DLL Injection via CreateRemoteThread and LoadLibrary",
"url": "https://unprotect.it/technique/dll-injection-via-createremotethread-and-loadlibrary/"
},
{
"id": 113,
"name": "APC injection",
"url": "https://unprotect.it/technique/apc-injection/"
},
{
"id": 115,
"name": "Extra Window Memory Injection",
"url": "https://unprotect.it/technique/extra-window-memory-injection/"
},
{
"id": 118,
"name": "PE Injection",
"url": "https://unprotect.it/technique/pe-injection/"
},
{
"id": 153,
"name": "ConsoleWindowClass",
"url": "https://unprotect.it/technique/consolewindowclass/"
},
{
"id": 154,
"name": "Treepoline",
"url": "https://unprotect.it/technique/treepoline/"
},
{
"id": 155,
"name": "Listplanting",
"url": "https://unprotect.it/technique/listplanting/"
},
{
"id": 156,
"name": "OLEUM",
"url": "https://unprotect.it/technique/oleum/"
},
{
"id": 157,
"name": "EditWordBreakProc",
"url": "https://unprotect.it/technique/editwordbreakproc/"
},
{
"id": 158,
"name": "WordWarping",
"url": "https://unprotect.it/technique/wordwarping/"
},
{
"id": 160,
"name": "CLIPBRDWNDCLASS",
"url": "https://unprotect.it/technique/clipbrdwndclass/"
},
{
"id": 161,
"name": "DNS API Injection",
"url": "https://unprotect.it/technique/dns-api-injection/"
},
{
"id": 162,
"name": "Breaking BaDDEr",
"url": "https://unprotect.it/technique/breaking-badder/"
},
{
"id": 167,
"name": "File Melt",
"url": "https://unprotect.it/technique/file-melt/"
},
{
"id": 173,
"name": "Access Token Manipulation: Parent PID Spoofing",
"url": "https://unprotect.it/technique/access-token-manipulation-parent-pid-spoofing/"
},
{
"id": 208,
"name": "NLS Code Injection Through Registry",
"url": "https://unprotect.it/technique/nls-code-injection-through-registry/"
},
{
"id": 223,
"name": "Dirty Vanity",
"url": "https://unprotect.it/technique/dirty-vanity/"
},
{
"id": 359,
"name": "FuncIn",
"url": "https://unprotect.it/technique/funcin/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/5/?format=api",
"library": {
"id": 1,
"name": "Kernel32.dll",
"description": ""
},
"name": "VirtualAllocExNuma",
"ref_link": "https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualallocexnuma?WT.mc_id=SEC-MVP-5005282",
"from_msdn": true,
"caution_level": "high",
"description": "",
"featured_in": [
{
"id": 93,
"name": "DLL Injection via CreateRemoteThread and LoadLibrary",
"url": "https://unprotect.it/technique/dll-injection-via-createremotethread-and-loadlibrary/"
},
{
"id": 359,
"name": "FuncIn",
"url": "https://unprotect.it/technique/funcin/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/6/?format=api",
"library": {
"id": 1,
"name": "Kernel32.dll",
"description": ""
},
"name": "WriteProcessMemory",
"ref_link": "https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-writeprocessmemory?WT.mc_id=SEC-MVP-5005282",
"from_msdn": true,
"caution_level": "high",
"description": "",
"featured_in": [
{
"id": 61,
"name": "IsDebugged Flag",
"url": "https://unprotect.it/technique/isdebugged-flag/"
},
{
"id": 88,
"name": "Process Hollowing, RunPE",
"url": "https://unprotect.it/technique/process-hollowing-runpe/"
},
{
"id": 93,
"name": "DLL Injection via CreateRemoteThread and LoadLibrary",
"url": "https://unprotect.it/technique/dll-injection-via-createremotethread-and-loadlibrary/"
},
{
"id": 113,
"name": "APC injection",
"url": "https://unprotect.it/technique/apc-injection/"
},
{
"id": 114,
"name": "Atom Bombing",
"url": "https://unprotect.it/technique/atom-bombing/"
},
{
"id": 115,
"name": "Extra Window Memory Injection",
"url": "https://unprotect.it/technique/extra-window-memory-injection/"
},
{
"id": 118,
"name": "PE Injection",
"url": "https://unprotect.it/technique/pe-injection/"
},
{
"id": 153,
"name": "ConsoleWindowClass",
"url": "https://unprotect.it/technique/consolewindowclass/"
},
{
"id": 154,
"name": "Treepoline",
"url": "https://unprotect.it/technique/treepoline/"
},
{
"id": 155,
"name": "Listplanting",
"url": "https://unprotect.it/technique/listplanting/"
},
{
"id": 156,
"name": "OLEUM",
"url": "https://unprotect.it/technique/oleum/"
},
{
"id": 157,
"name": "EditWordBreakProc",
"url": "https://unprotect.it/technique/editwordbreakproc/"
},
{
"id": 158,
"name": "WordWarping",
"url": "https://unprotect.it/technique/wordwarping/"
},
{
"id": 160,
"name": "CLIPBRDWNDCLASS",
"url": "https://unprotect.it/technique/clipbrdwndclass/"
},
{
"id": 161,
"name": "DNS API Injection",
"url": "https://unprotect.it/technique/dns-api-injection/"
},
{
"id": 162,
"name": "Breaking BaDDEr",
"url": "https://unprotect.it/technique/breaking-badder/"
},
{
"id": 167,
"name": "File Melt",
"url": "https://unprotect.it/technique/file-melt/"
},
{
"id": 173,
"name": "Access Token Manipulation: Parent PID Spoofing",
"url": "https://unprotect.it/technique/access-token-manipulation-parent-pid-spoofing/"
},
{
"id": 208,
"name": "NLS Code Injection Through Registry",
"url": "https://unprotect.it/technique/nls-code-injection-through-registry/"
},
{
"id": 223,
"name": "Dirty Vanity",
"url": "https://unprotect.it/technique/dirty-vanity/"
},
{
"id": 358,
"name": "Process Argument Spoofing",
"url": "https://unprotect.it/technique/process-argument-spoofing/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/11/?format=api",
"library": {
"id": 1,
"name": "Kernel32.dll",
"description": ""
},
"name": "CreateProcessA",
"ref_link": "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa?WT.mc_id=SEC-MVP-5005282",
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 88,
"name": "Process Hollowing, RunPE",
"url": "https://unprotect.it/technique/process-hollowing-runpe/"
},
{
"id": 113,
"name": "APC injection",
"url": "https://unprotect.it/technique/apc-injection/"
},
{
"id": 167,
"name": "File Melt",
"url": "https://unprotect.it/technique/file-melt/"
},
{
"id": 173,
"name": "Access Token Manipulation: Parent PID Spoofing",
"url": "https://unprotect.it/technique/access-token-manipulation-parent-pid-spoofing/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/12/?format=api",
"library": {
"id": 1,
"name": "Kernel32.dll",
"description": ""
},
"name": "CreateProcessW",
"ref_link": "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessw?WT.mc_id=SEC-MVP-5005282",
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 88,
"name": "Process Hollowing, RunPE",
"url": "https://unprotect.it/technique/process-hollowing-runpe/"
},
{
"id": 113,
"name": "APC injection",
"url": "https://unprotect.it/technique/apc-injection/"
},
{
"id": 167,
"name": "File Melt",
"url": "https://unprotect.it/technique/file-melt/"
},
{
"id": 178,
"name": "ProcEnvInjection - Remote code injection by abusing process environment strings",
"url": "https://unprotect.it/technique/procenvinjection-remote-code-injection-by-abusing-process-environment-strings/"
},
{
"id": 208,
"name": "NLS Code Injection Through Registry",
"url": "https://unprotect.it/technique/nls-code-injection-through-registry/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/13/?format=api",
"library": {
"id": 2,
"name": "NTDLL.DLL",
"description": ""
},
"name": "NtCreateSection",
"ref_link": "https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntcreatesection?WT.mc_id=SEC-MVP-5005282",
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 113,
"name": "APC injection",
"url": "https://unprotect.it/technique/apc-injection/"
},
{
"id": 119,
"name": "Process Doppelgänging",
"url": "https://unprotect.it/technique/process-doppelganging/"
},
{
"id": 170,
"name": "Process Herpaderping",
"url": "https://unprotect.it/technique/process-herpaderping/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/14/?format=api",
"library": {
"id": 1,
"name": "Kernel32.dll",
"description": ""
},
"name": "NtMapViewOfSection",
"ref_link": "https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-zwmapviewofsection?WT.mc_id=SEC-MVP-5005282",
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 113,
"name": "APC injection",
"url": "https://unprotect.it/technique/apc-injection/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/15/?format=api",
"library": {
"id": 2,
"name": "NTDLL.DLL",
"description": ""
},
"name": "NtUnmapViewOfSection",
"ref_link": "https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-zwunmapviewofsection?WT.mc_id=SEC-MVP-5005282",
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 88,
"name": "Process Hollowing, RunPE",
"url": "https://unprotect.it/technique/process-hollowing-runpe/"
},
{
"id": 113,
"name": "APC injection",
"url": "https://unprotect.it/technique/apc-injection/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/17/?format=api",
"library": {
"id": 2,
"name": "NTDLL.DLL",
"description": ""
},
"name": "NtTestAlert",
"ref_link": "http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FAPC%2FNtAlertThread.html",
"from_msdn": false,
"caution_level": "high",
"description": "",
"featured_in": [
{
"id": 113,
"name": "APC injection",
"url": "https://unprotect.it/technique/apc-injection/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/18/?format=api",
"library": {
"id": 1,
"name": "Kernel32.dll",
"description": ""
},
"name": "OpenThread",
"ref_link": "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openthread?WT.mc_id=SEC-MVP-5005282",
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 109,
"name": "SuspendThread",
"url": "https://unprotect.it/technique/suspendthread/"
},
{
"id": 111,
"name": "Thread Execution Hijacking",
"url": "https://unprotect.it/technique/thread-execution-hijacking/"
},
{
"id": 113,
"name": "APC injection",
"url": "https://unprotect.it/technique/apc-injection/"
},
{
"id": 114,
"name": "Atom Bombing",
"url": "https://unprotect.it/technique/atom-bombing/"
},
{
"id": 168,
"name": "Detecting Online Sandbox",
"url": "https://unprotect.it/technique/detecting-online-sandbox/"
},
{
"id": 172,
"name": "Killing Windows Event Log",
"url": "https://unprotect.it/technique/killing-windows-event-log/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/19/?format=api",
"library": {
"id": 2,
"name": "NTDLL.DLL",
"description": ""
},
"name": "MapViewOfSection",
"ref_link": "https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-zwmapviewofsection?WT.mc_id=SEC-MVP-5005282",
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 113,
"name": "APC injection",
"url": "https://unprotect.it/technique/apc-injection/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/21/?format=api",
"library": {
"id": 1,
"name": "Kernel32.dll",
"description": ""
},
"name": "QueueUserAPC",
"ref_link": "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-queueuserapc?WT.mc_id=SEC-MVP-5005282",
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 113,
"name": "APC injection",
"url": "https://unprotect.it/technique/apc-injection/"
},
{
"id": 114,
"name": "Atom Bombing",
"url": "https://unprotect.it/technique/atom-bombing/"
},
{
"id": 173,
"name": "Access Token Manipulation: Parent PID Spoofing",
"url": "https://unprotect.it/technique/access-token-manipulation-parent-pid-spoofing/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/22/?format=api",
"library": {
"id": 1,
"name": "Kernel32.dll",
"description": ""
},
"name": "ResumeThread",
"ref_link": "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-resumethread?WT.mc_id=SEC-MVP-5005282",
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 55,
"name": "NtSetInformationThread",
"url": "https://unprotect.it/technique/ntsetinformationthread/"
},
{
"id": 88,
"name": "Process Hollowing, RunPE",
"url": "https://unprotect.it/technique/process-hollowing-runpe/"
},
{
"id": 113,
"name": "APC injection",
"url": "https://unprotect.it/technique/apc-injection/"
},
{
"id": 114,
"name": "Atom Bombing",
"url": "https://unprotect.it/technique/atom-bombing/"
},
{
"id": 168,
"name": "Detecting Online Sandbox",
"url": "https://unprotect.it/technique/detecting-online-sandbox/"
},
{
"id": 173,
"name": "Access Token Manipulation: Parent PID Spoofing",
"url": "https://unprotect.it/technique/access-token-manipulation-parent-pid-spoofing/"
},
{
"id": 178,
"name": "ProcEnvInjection - Remote code injection by abusing process environment strings",
"url": "https://unprotect.it/technique/procenvinjection-remote-code-injection-by-abusing-process-environment-strings/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/24/?format=api",
"library": {
"id": 1,
"name": "Kernel32.dll",
"description": ""
},
"name": "OpenProcess",
"ref_link": "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess?WT.mc_id=SEC-MVP-5005282",
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 59,
"name": "CsrGetProcessID",
"url": "https://unprotect.it/technique/csrgetprocessid/"
},
{
"id": 61,
"name": "IsDebugged Flag",
"url": "https://unprotect.it/technique/isdebugged-flag/"
},
{
"id": 63,
"name": "NtGlobalFlag",
"url": "https://unprotect.it/technique/ntglobalflag/"
},
{
"id": 67,
"name": "Detecting Window with FindWindow API",
"url": "https://unprotect.it/technique/detecting-window-with-findwindow-api/"
},
{
"id": 68,
"name": "Detecting Running Process: EnumProcess API",
"url": "https://unprotect.it/technique/detecting-running-process-enumprocess-api/"
},
{
"id": 93,
"name": "DLL Injection via CreateRemoteThread and LoadLibrary",
"url": "https://unprotect.it/technique/dll-injection-via-createremotethread-and-loadlibrary/"
},
{
"id": 113,
"name": "APC injection",
"url": "https://unprotect.it/technique/apc-injection/"
},
{
"id": 114,
"name": "Atom Bombing",
"url": "https://unprotect.it/technique/atom-bombing/"
},
{
"id": 115,
"name": "Extra Window Memory Injection",
"url": "https://unprotect.it/technique/extra-window-memory-injection/"
},
{
"id": 118,
"name": "PE Injection",
"url": "https://unprotect.it/technique/pe-injection/"
},
{
"id": 131,
"name": "Kill Process",
"url": "https://unprotect.it/technique/kill-process/"
},
{
"id": 153,
"name": "ConsoleWindowClass",
"url": "https://unprotect.it/technique/consolewindowclass/"
},
{
"id": 154,
"name": "Treepoline",
"url": "https://unprotect.it/technique/treepoline/"
},
{
"id": 155,
"name": "Listplanting",
"url": "https://unprotect.it/technique/listplanting/"
},
{
"id": 156,
"name": "OLEUM",
"url": "https://unprotect.it/technique/oleum/"
},
{
"id": 157,
"name": "EditWordBreakProc",
"url": "https://unprotect.it/technique/editwordbreakproc/"
},
{
"id": 158,
"name": "WordWarping",
"url": "https://unprotect.it/technique/wordwarping/"
},
{
"id": 160,
"name": "CLIPBRDWNDCLASS",
"url": "https://unprotect.it/technique/clipbrdwndclass/"
},
{
"id": 161,
"name": "DNS API Injection",
"url": "https://unprotect.it/technique/dns-api-injection/"
},
{
"id": 162,
"name": "Breaking BaDDEr",
"url": "https://unprotect.it/technique/breaking-badder/"
},
{
"id": 168,
"name": "Detecting Online Sandbox",
"url": "https://unprotect.it/technique/detecting-online-sandbox/"
},
{
"id": 172,
"name": "Killing Windows Event Log",
"url": "https://unprotect.it/technique/killing-windows-event-log/"
},
{
"id": 173,
"name": "Access Token Manipulation: Parent PID Spoofing",
"url": "https://unprotect.it/technique/access-token-manipulation-parent-pid-spoofing/"
},
{
"id": 178,
"name": "ProcEnvInjection - Remote code injection by abusing process environment strings",
"url": "https://unprotect.it/technique/procenvinjection-remote-code-injection-by-abusing-process-environment-strings/"
},
{
"id": 223,
"name": "Dirty Vanity",
"url": "https://unprotect.it/technique/dirty-vanity/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/26/?format=api",
"library": {
"id": 1,
"name": "Kernel32.dll",
"description": ""
},
"name": "Process32First",
"ref_link": "https://learn.microsoft.com/en-us/windows/win32/api/tlhelp32/nf-tlhelp32-process32first?WT.mc_id=SEC-MVP-5005282",
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 90,
"name": "Parent Process Detection",
"url": "https://unprotect.it/technique/parent-process-detection/"
},
{
"id": 109,
"name": "SuspendThread",
"url": "https://unprotect.it/technique/suspendthread/"
},
{
"id": 113,
"name": "APC injection",
"url": "https://unprotect.it/technique/apc-injection/"
},
{
"id": 114,
"name": "Atom Bombing",
"url": "https://unprotect.it/technique/atom-bombing/"
},
{
"id": 131,
"name": "Kill Process",
"url": "https://unprotect.it/technique/kill-process/"
},
{
"id": 168,
"name": "Detecting Online Sandbox",
"url": "https://unprotect.it/technique/detecting-online-sandbox/"
},
{
"id": 173,
"name": "Access Token Manipulation: Parent PID Spoofing",
"url": "https://unprotect.it/technique/access-token-manipulation-parent-pid-spoofing/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/27/?format=api",
"library": {
"id": 1,
"name": "Kernel32.dll",
"description": ""
},
"name": "Process32Next",
"ref_link": "https://learn.microsoft.com/en-us/windows/win32/api/tlhelp32/nf-tlhelp32-process32next?WT.mc_id=SEC-MVP-5005282",
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 90,
"name": "Parent Process Detection",
"url": "https://unprotect.it/technique/parent-process-detection/"
},
{
"id": 109,
"name": "SuspendThread",
"url": "https://unprotect.it/technique/suspendthread/"
},
{
"id": 113,
"name": "APC injection",
"url": "https://unprotect.it/technique/apc-injection/"
},
{
"id": 114,
"name": "Atom Bombing",
"url": "https://unprotect.it/technique/atom-bombing/"
},
{
"id": 131,
"name": "Kill Process",
"url": "https://unprotect.it/technique/kill-process/"
},
{
"id": 168,
"name": "Detecting Online Sandbox",
"url": "https://unprotect.it/technique/detecting-online-sandbox/"
},
{
"id": 173,
"name": "Access Token Manipulation: Parent PID Spoofing",
"url": "https://unprotect.it/technique/access-token-manipulation-parent-pid-spoofing/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/28/?format=api",
"library": {
"id": 1,
"name": "Kernel32.dll",
"description": ""
},
"name": "CreateToolhelp32Snapshot",
"ref_link": "https://learn.microsoft.com/en-us/windows/win32/api/tlhelp32/nf-tlhelp32-createtoolhelp32snapshot?WT.mc_id=SEC-MVP-5005282",
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 90,
"name": "Parent Process Detection",
"url": "https://unprotect.it/technique/parent-process-detection/"
},
{
"id": 109,
"name": "SuspendThread",
"url": "https://unprotect.it/technique/suspendthread/"
},
{
"id": 111,
"name": "Thread Execution Hijacking",
"url": "https://unprotect.it/technique/thread-execution-hijacking/"
},
{
"id": 113,
"name": "APC injection",
"url": "https://unprotect.it/technique/apc-injection/"
},
{
"id": 114,
"name": "Atom Bombing",
"url": "https://unprotect.it/technique/atom-bombing/"
},
{
"id": 131,
"name": "Kill Process",
"url": "https://unprotect.it/technique/kill-process/"
},
{
"id": 168,
"name": "Detecting Online Sandbox",
"url": "https://unprotect.it/technique/detecting-online-sandbox/"
},
{
"id": 172,
"name": "Killing Windows Event Log",
"url": "https://unprotect.it/technique/killing-windows-event-log/"
},
{
"id": 173,
"name": "Access Token Manipulation: Parent PID Spoofing",
"url": "https://unprotect.it/technique/access-token-manipulation-parent-pid-spoofing/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/29/?format=api",
"library": {
"id": 1,
"name": "Kernel32.dll",
"description": ""
},
"name": "Thread32First",
"ref_link": "https://learn.microsoft.com/en-us/windows/win32/api/tlhelp32/nf-tlhelp32-thread32first?WT.mc_id=SEC-MVP-5005282",
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 109,
"name": "SuspendThread",
"url": "https://unprotect.it/technique/suspendthread/"
},
{
"id": 111,
"name": "Thread Execution Hijacking",
"url": "https://unprotect.it/technique/thread-execution-hijacking/"
},
{
"id": 113,
"name": "APC injection",
"url": "https://unprotect.it/technique/apc-injection/"
},
{
"id": 114,
"name": "Atom Bombing",
"url": "https://unprotect.it/technique/atom-bombing/"
},
{
"id": 168,
"name": "Detecting Online Sandbox",
"url": "https://unprotect.it/technique/detecting-online-sandbox/"
},
{
"id": 172,
"name": "Killing Windows Event Log",
"url": "https://unprotect.it/technique/killing-windows-event-log/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/30/?format=api",
"library": {
"id": 1,
"name": "Kernel32.dll",
"description": ""
},
"name": "Thread32Next",
"ref_link": "https://learn.microsoft.com/en-us/windows/win32/api/tlhelp32/nf-tlhelp32-thread32next?WT.mc_id=SEC-MVP-5005282",
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 109,
"name": "SuspendThread",
"url": "https://unprotect.it/technique/suspendthread/"
},
{
"id": 111,
"name": "Thread Execution Hijacking",
"url": "https://unprotect.it/technique/thread-execution-hijacking/"
},
{
"id": 113,
"name": "APC injection",
"url": "https://unprotect.it/technique/apc-injection/"
},
{
"id": 114,
"name": "Atom Bombing",
"url": "https://unprotect.it/technique/atom-bombing/"
},
{
"id": 168,
"name": "Detecting Online Sandbox",
"url": "https://unprotect.it/technique/detecting-online-sandbox/"
},
{
"id": 172,
"name": "Killing Windows Event Log",
"url": "https://unprotect.it/technique/killing-windows-event-log/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/31/?format=api",
"library": {
"id": 3,
"name": "Advapi32.lib",
"description": "Advapi32.lib is a dynamic-link library (DLL) in the Windows operating system. It provides a set of APIs (Application Programming Interfaces) that allow applications to perform various security-related operations, such as:\r\n\r\n* Managing user accounts and access control\r\n* Reading and writing to the Windows registry\r\n* Encrypting and decrypting data\r\n* Logging security events in the Windows event log\r\n* Performing operations with digital certificates and signatures.\r\n\r\nIn other words, Advapi32.lib provides a high-level interface for managing security and access control in Windows, making it easier for developers to build secure applications."
},
"name": "CreateServiceA",
"ref_link": "https://learn.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-createservicea?WT.mc_id=SEC-MVP-5005282",
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 215,
"name": "Windows Event Log Evasion via Native APIs",
"url": "https://unprotect.it/technique/windows-event-log-evasion-via-native-apis/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/32/?format=api",
"library": {
"id": 3,
"name": "Advapi32.lib",
"description": "Advapi32.lib is a dynamic-link library (DLL) in the Windows operating system. It provides a set of APIs (Application Programming Interfaces) that allow applications to perform various security-related operations, such as:\r\n\r\n* Managing user accounts and access control\r\n* Reading and writing to the Windows registry\r\n* Encrypting and decrypting data\r\n* Logging security events in the Windows event log\r\n* Performing operations with digital certificates and signatures.\r\n\r\nIn other words, Advapi32.lib provides a high-level interface for managing security and access control in Windows, making it easier for developers to build secure applications."
},
"name": "StartServiceA",
"ref_link": "https://learn.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-startservicea?WT.mc_id=SEC-MVP-5005282",
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": []
},
{
"url": "https://unprotect.it/api/featured_api/117/?format=api",
"library": {
"id": 11,
"name": "user32.dll",
"description": ""
},
"name": "UnhookWindowsHookEx",
"ref_link": null,
"from_msdn": true,
"caution_level": "high",
"description": "",
"featured_in": [
{
"id": 92,
"name": "Hook Injection",
"url": "https://unprotect.it/technique/hook-injection/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/131/?format=api",
"library": {
"id": 11,
"name": "user32.dll",
"description": ""
},
"name": "CallNextHookEx",
"ref_link": null,
"from_msdn": true,
"caution_level": "high",
"description": "",
"featured_in": [
{
"id": 92,
"name": "Hook Injection",
"url": "https://unprotect.it/technique/hook-injection/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/183/?format=api",
"library": {
"id": 11,
"name": "user32.dll",
"description": ""
},
"name": "GetDesktopWindow",
"ref_link": null,
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 31,
"name": "Checking Screen Resolution",
"url": "https://unprotect.it/technique/checking-screen-resolution/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/198/?format=api",
"library": {
"id": 11,
"name": "user32.dll",
"description": ""
},
"name": "GetClipboardFormatNameW",
"ref_link": null,
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": []
},
{
"url": "https://unprotect.it/api/featured_api/229/?format=api",
"library": {
"id": 11,
"name": "user32.dll",
"description": ""
},
"name": "GetClipboardData",
"ref_link": null,
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 156,
"name": "OLEUM",
"url": "https://unprotect.it/technique/oleum/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/313/?format=api",
"library": {
"id": 14,
"name": "advapi32.dll",
"description": ""
},
"name": "RegSetValueExW",
"ref_link": null,
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 208,
"name": "NLS Code Injection Through Registry",
"url": "https://unprotect.it/technique/nls-code-injection-through-registry/"
},
{
"id": 376,
"name": "AppInit DLL Injection",
"url": "https://unprotect.it/technique/appinit-dll-injection/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/314/?format=api",
"library": {
"id": 14,
"name": "advapi32.dll",
"description": ""
},
"name": "RegConnectRegistryW",
"ref_link": null,
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": []
},
{
"url": "https://unprotect.it/api/featured_api/315/?format=api",
"library": {
"id": 14,
"name": "advapi32.dll",
"description": ""
},
"name": "RegEnumKeyExW",
"ref_link": null,
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 32,
"name": "Checking Installed Software",
"url": "https://unprotect.it/technique/checking-installed-software/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/316/?format=api",
"library": {
"id": 14,
"name": "advapi32.dll",
"description": ""
},
"name": "RegLoadKeyW",
"ref_link": null,
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": []
},
{
"url": "https://unprotect.it/api/featured_api/317/?format=api",
"library": {
"id": 14,
"name": "advapi32.dll",
"description": ""
},
"name": "AdjustTokenPrivileges",
"ref_link": null,
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 168,
"name": "Detecting Online Sandbox",
"url": "https://unprotect.it/technique/detecting-online-sandbox/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/320/?format=api",
"library": {
"id": 14,
"name": "advapi32.dll",
"description": ""
},
"name": "OpenProcessToken",
"ref_link": null,
"from_msdn": true,
"caution_level": "high",
"description": "",
"featured_in": [
{
"id": 168,
"name": "Detecting Online Sandbox",
"url": "https://unprotect.it/technique/detecting-online-sandbox/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/321/?format=api",
"library": {
"id": 14,
"name": "advapi32.dll",
"description": ""
},
"name": "RegOpenKeyExW",
"ref_link": null,
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 6,
"name": "Detecting Active Services",
"url": "https://unprotect.it/technique/detecting-active-services/"
},
{
"id": 32,
"name": "Checking Installed Software",
"url": "https://unprotect.it/technique/checking-installed-software/"
},
{
"id": 208,
"name": "NLS Code Injection Through Registry",
"url": "https://unprotect.it/technique/nls-code-injection-through-registry/"
},
{
"id": 376,
"name": "AppInit DLL Injection",
"url": "https://unprotect.it/technique/appinit-dll-injection/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/322/?format=api",
"library": {
"id": 14,
"name": "advapi32.dll",
"description": ""
},
"name": "RegQueryInfoKeyW",
"ref_link": null,
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 208,
"name": "NLS Code Injection Through Registry",
"url": "https://unprotect.it/technique/nls-code-injection-through-registry/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/328/?format=api",
"library": {
"id": 14,
"name": "advapi32.dll",
"description": ""
},
"name": "RegQueryValueExW",
"ref_link": null,
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 32,
"name": "Checking Installed Software",
"url": "https://unprotect.it/technique/checking-installed-software/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/329/?format=api",
"library": {
"id": 14,
"name": "advapi32.dll",
"description": ""
},
"name": "RegEnumValueW",
"ref_link": null,
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 208,
"name": "NLS Code Injection Through Registry",
"url": "https://unprotect.it/technique/nls-code-injection-through-registry/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/332/?format=api",
"library": {
"id": 14,
"name": "advapi32.dll",
"description": ""
},
"name": "RegCreateKeyExW",
"ref_link": null,
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": []
},
{
"url": "https://unprotect.it/api/featured_api/357/?format=api",
"library": {
"id": 1,
"name": "Kernel32.dll",
"description": ""
},
"name": "ReadProcessMemory",
"ref_link": null,
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 61,
"name": "IsDebugged Flag",
"url": "https://unprotect.it/technique/isdebugged-flag/"
},
{
"id": 88,
"name": "Process Hollowing, RunPE",
"url": "https://unprotect.it/technique/process-hollowing-runpe/"
},
{
"id": 110,
"name": "Reflective DLL injection",
"url": "https://unprotect.it/technique/reflective-dll-injection/"
},
{
"id": 114,
"name": "Atom Bombing",
"url": "https://unprotect.it/technique/atom-bombing/"
},
{
"id": 115,
"name": "Extra Window Memory Injection",
"url": "https://unprotect.it/technique/extra-window-memory-injection/"
},
{
"id": 153,
"name": "ConsoleWindowClass",
"url": "https://unprotect.it/technique/consolewindowclass/"
},
{
"id": 156,
"name": "OLEUM",
"url": "https://unprotect.it/technique/oleum/"
},
{
"id": 161,
"name": "DNS API Injection",
"url": "https://unprotect.it/technique/dns-api-injection/"
},
{
"id": 162,
"name": "Breaking BaDDEr",
"url": "https://unprotect.it/technique/breaking-badder/"
},
{
"id": 170,
"name": "Process Herpaderping",
"url": "https://unprotect.it/technique/process-herpaderping/"
},
{
"id": 178,
"name": "ProcEnvInjection - Remote code injection by abusing process environment strings",
"url": "https://unprotect.it/technique/procenvinjection-remote-code-injection-by-abusing-process-environment-strings/"
},
{
"id": 358,
"name": "Process Argument Spoofing",
"url": "https://unprotect.it/technique/process-argument-spoofing/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/360/?format=api",
"library": {
"id": 1,
"name": "Kernel32.dll",
"description": ""
},
"name": "IsDebuggerPresent",
"ref_link": null,
"from_msdn": true,
"caution_level": "high",
"description": "",
"featured_in": [
{
"id": 52,
"name": "IsDebuggerPresent",
"url": "https://unprotect.it/technique/isdebuggerpresent/"
},
{
"id": 55,
"name": "NtSetInformationThread",
"url": "https://unprotect.it/technique/ntsetinformationthread/"
},
{
"id": 73,
"name": "Interrupts",
"url": "https://unprotect.it/technique/interrupts/"
},
{
"id": 74,
"name": "INT3 Instruction Scanning",
"url": "https://unprotect.it/technique/int3-instruction-scanning/"
},
{
"id": 212,
"name": "INT 0x2D",
"url": "https://unprotect.it/technique/int-0x2d/"
},
{
"id": 213,
"name": "ICE 0xF1",
"url": "https://unprotect.it/technique/ice-0xf1/"
},
{
"id": 214,
"name": "Trap Flag",
"url": "https://unprotect.it/technique/trap-flag/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/365/?format=api",
"library": {
"id": 1,
"name": "Kernel32.dll",
"description": ""
},
"name": "HeapAlloc",
"ref_link": null,
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 110,
"name": "Reflective DLL injection",
"url": "https://unprotect.it/technique/reflective-dll-injection/"
},
{
"id": 114,
"name": "Atom Bombing",
"url": "https://unprotect.it/technique/atom-bombing/"
},
{
"id": 173,
"name": "Access Token Manipulation: Parent PID Spoofing",
"url": "https://unprotect.it/technique/access-token-manipulation-parent-pid-spoofing/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/386/?format=api",
"library": {
"id": 1,
"name": "Kernel32.dll",
"description": ""
},
"name": "FindResourceW",
"ref_link": null,
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": []
},
{
"url": "https://unprotect.it/api/featured_api/403/?format=api",
"library": {
"id": 1,
"name": "Kernel32.dll",
"description": ""
},
"name": "UnhandledExceptionFilter",
"ref_link": null,
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 71,
"name": "Unhandled Exception Filter",
"url": "https://unprotect.it/technique/unhandled-exception-filter/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/404/?format=api",
"library": {
"id": 1,
"name": "Kernel32.dll",
"description": ""
},
"name": "VirtualQuery",
"ref_link": null,
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 221,
"name": "Tamper DLL Export Names & GetProcAddress Spoofing",
"url": "https://unprotect.it/technique/tamper-dll-export-names-getprocaddress-spoofing/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/406/?format=api",
"library": {
"id": 1,
"name": "Kernel32.dll",
"description": ""
},
"name": "VirtualQueryEx",
"ref_link": null,
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": []
},
{
"url": "https://unprotect.it/api/featured_api/412/?format=api",
"library": {
"id": 1,
"name": "Kernel32.dll",
"description": ""
},
"name": "SuspendThread",
"ref_link": null,
"from_msdn": true,
"caution_level": "high",
"description": "",
"featured_in": [
{
"id": 109,
"name": "SuspendThread",
"url": "https://unprotect.it/technique/suspendthread/"
},
{
"id": 114,
"name": "Atom Bombing",
"url": "https://unprotect.it/technique/atom-bombing/"
},
{
"id": 168,
"name": "Detecting Online Sandbox",
"url": "https://unprotect.it/technique/detecting-online-sandbox/"
},
{
"id": 172,
"name": "Killing Windows Event Log",
"url": "https://unprotect.it/technique/killing-windows-event-log/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/413/?format=api",
"library": {
"id": 1,
"name": "Kernel32.dll",
"description": ""
},
"name": "GetTickCount",
"ref_link": null,
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 65,
"name": "GetTickCount",
"url": "https://unprotect.it/technique/gettickcount/"
},
{
"id": 161,
"name": "DNS API Injection",
"url": "https://unprotect.it/technique/dns-api-injection/"
},
{
"id": 215,
"name": "Windows Event Log Evasion via Native APIs",
"url": "https://unprotect.it/technique/windows-event-log-evasion-via-native-apis/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/425/?format=api",
"library": {
"id": 1,
"name": "Kernel32.dll",
"description": ""
},
"name": "GetProcAddress",
"ref_link": null,
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 55,
"name": "NtSetInformationThread",
"url": "https://unprotect.it/technique/ntsetinformationthread/"
},
{
"id": 56,
"name": "NtQueryObject",
"url": "https://unprotect.it/technique/ntqueryobject/"
},
{
"id": 59,
"name": "CsrGetProcessID",
"url": "https://unprotect.it/technique/csrgetprocessid/"
},
{
"id": 61,
"name": "IsDebugged Flag",
"url": "https://unprotect.it/technique/isdebugged-flag/"
},
{
"id": 63,
"name": "NtGlobalFlag",
"url": "https://unprotect.it/technique/ntglobalflag/"
},
{
"id": 75,
"name": "API Obfuscation",
"url": "https://unprotect.it/technique/api-obfuscation/"
},
{
"id": 93,
"name": "DLL Injection via CreateRemoteThread and LoadLibrary",
"url": "https://unprotect.it/technique/dll-injection-via-createremotethread-and-loadlibrary/"
},
{
"id": 107,
"name": "NtSetDebugFilterState",
"url": "https://unprotect.it/technique/ntsetdebugfilterstate/"
},
{
"id": 110,
"name": "Reflective DLL injection",
"url": "https://unprotect.it/technique/reflective-dll-injection/"
},
{
"id": 114,
"name": "Atom Bombing",
"url": "https://unprotect.it/technique/atom-bombing/"
},
{
"id": 115,
"name": "Extra Window Memory Injection",
"url": "https://unprotect.it/technique/extra-window-memory-injection/"
},
{
"id": 116,
"name": "Injection using Shims",
"url": "https://unprotect.it/technique/injection-using-shims/"
},
{
"id": 124,
"name": "Inline Hooking",
"url": "https://unprotect.it/technique/inline-hooking/"
},
{
"id": 131,
"name": "Kill Process",
"url": "https://unprotect.it/technique/kill-process/"
},
{
"id": 136,
"name": "NTFS Files Attributes",
"url": "https://unprotect.it/technique/ntfs-files-attributes/"
},
{
"id": 165,
"name": "Indicator Removal: Timestomp",
"url": "https://unprotect.it/technique/indicator-removal-timestomp/"
},
{
"id": 167,
"name": "File Melt",
"url": "https://unprotect.it/technique/file-melt/"
},
{
"id": 168,
"name": "Detecting Online Sandbox",
"url": "https://unprotect.it/technique/detecting-online-sandbox/"
},
{
"id": 172,
"name": "Killing Windows Event Log",
"url": "https://unprotect.it/technique/killing-windows-event-log/"
},
{
"id": 177,
"name": "Disabling Event Tracing for Windows (ETW)",
"url": "https://unprotect.it/technique/disabling-event-tracing-for-windows-etw/"
},
{
"id": 178,
"name": "ProcEnvInjection - Remote code injection by abusing process environment strings",
"url": "https://unprotect.it/technique/procenvinjection-remote-code-injection-by-abusing-process-environment-strings/"
},
{
"id": 180,
"name": "Thwarting Stack-Frame Analysis",
"url": "https://unprotect.it/technique/thwarting-stack-frame-analysis/"
},
{
"id": 182,
"name": "Unloading Sysmon Driver",
"url": "https://unprotect.it/technique/unloading-sysmon-driver/"
},
{
"id": 221,
"name": "Tamper DLL Export Names & GetProcAddress Spoofing",
"url": "https://unprotect.it/technique/tamper-dll-export-names-getprocaddress-spoofing/"
},
{
"id": 223,
"name": "Dirty Vanity",
"url": "https://unprotect.it/technique/dirty-vanity/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/428/?format=api",
"library": {
"id": 1,
"name": "Kernel32.dll",
"description": ""
},
"name": "HeapCreate",
"ref_link": null,
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": []
},
{
"url": "https://unprotect.it/api/featured_api/447/?format=api",
"library": {
"id": 1,
"name": "Kernel32.dll",
"description": ""
},
"name": "EnumResourceNamesW",
"ref_link": null,
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": []
},
{
"url": "https://unprotect.it/api/featured_api/471/?format=api",
"library": {
"id": 27,
"name": "ole32.dll",
"description": ""
},
"name": "OleGetClipboard",
"ref_link": null,
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": []
},
{
"url": "https://unprotect.it/api/featured_api/593/?format=api",
"library": {
"id": 1,
"name": "Kernel32.dll",
"description": ""
},
"name": "AddVectoredExceptionHandler",
"ref_link": "https://learn.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-addvectoredexceptionhandler?WT.mc_id=SEC-MVP-5005282",
"from_msdn": true,
"caution_level": "medium",
"description": "The AddVectoredExceptionHandler function is used to register a vectored exception handler in a Windows program. This function allows a developer to specify a function to be called when an exception occurs in the program. The function takes two parameters:\r\n\r\nFirst: an integer value that specifies the order in which the handler should be called. If this parameter is nonzero, the handler is the first to be called; otherwise, it is the last to be called.\r\n\r\nHandler: a pointer to the handler function that should be called. This function should take one parameter, which is a pointer to an EXCEPTION_POINTERS structure that contains information about the exception.\r\n\r\nIf the function succeeds, it returns a handle to the exception handler. If it fails, it returns NULL.",
"featured_in": [
{
"id": 212,
"name": "INT 0x2D",
"url": "https://unprotect.it/technique/int-0x2d/"
},
{
"id": 214,
"name": "Trap Flag",
"url": "https://unprotect.it/technique/trap-flag/"
},
{
"id": 340,
"name": "AddVectoredExceptionHandler",
"url": "https://unprotect.it/technique/addvectoredexceptionhandler/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/603/?format=api",
"library": {
"id": 29,
"name": "Wininet.dll",
"description": ""
},
"name": "InternetOpenW",
"ref_link": "https://learn.microsoft.com/en-us/windows/win32/api/wininet/nf-wininet-internetopenw?WT_mc_id=DSEC-MVP-5005282",
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 353,
"name": "C2 via FTP(S)",
"url": "https://unprotect.it/technique/c2-via-ftps/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/604/?format=api",
"library": {
"id": 29,
"name": "Wininet.dll",
"description": ""
},
"name": "InternetConnectW",
"ref_link": "https://learn.microsoft.com/en-us/windows/win32/api/wininet/nf-wininet-internetconnectw?WT_mc_id=DSEC-MVP-5005282",
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 353,
"name": "C2 via FTP(S)",
"url": "https://unprotect.it/technique/c2-via-ftps/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/606/?format=api",
"library": {
"id": 29,
"name": "Wininet.dll",
"description": ""
},
"name": "FtpOpenFileW",
"ref_link": "https://learn.microsoft.com/en-us/windows/win32/api/wininet/nf-wininet-ftpopenfilew?WT_mc_id=DSEC-MVP-5005282",
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 353,
"name": "C2 via FTP(S)",
"url": "https://unprotect.it/technique/c2-via-ftps/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/607/?format=api",
"library": {
"id": 29,
"name": "Wininet.dll",
"description": ""
},
"name": "InternetWriteFile",
"ref_link": "https://learn.microsoft.com/en-us/windows/win32/api/wininet/nf-wininet-internetwritefile?WT_mc_id=DSEC-MVP-5005282",
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 353,
"name": "C2 via FTP(S)",
"url": "https://unprotect.it/technique/c2-via-ftps/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/608/?format=api",
"library": {
"id": 29,
"name": "Wininet.dll",
"description": ""
},
"name": "InternetReadFile",
"ref_link": "https://learn.microsoft.com/en-us/windows/win32/api/wininet/nf-wininet-internetreadfile?WT_mc_id=DSEC-MVP-5005282",
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 353,
"name": "C2 via FTP(S)",
"url": "https://unprotect.it/technique/c2-via-ftps/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/610/?format=api",
"library": {
"id": 29,
"name": "Wininet.dll",
"description": ""
},
"name": "FtpGetCurrentDirectoryW",
"ref_link": "https://learn.microsoft.com/en-us/windows/win32/api/wininet/nf-wininet-ftpgetcurrentdirectoryw?WT_mc_id=DSEC-MVP-5005282",
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 353,
"name": "C2 via FTP(S)",
"url": "https://unprotect.it/technique/c2-via-ftps/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/613/?format=api",
"library": {
"id": 29,
"name": "Wininet.dll",
"description": ""
},
"name": "InternetOpenA",
"ref_link": "https://learn.microsoft.com/en-us/windows/win32/api/wininet/nf-wininet-internetopena?WT_mc_id=DSEC-MVP-5005282",
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 353,
"name": "C2 via FTP(S)",
"url": "https://unprotect.it/technique/c2-via-ftps/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/614/?format=api",
"library": {
"id": 29,
"name": "Wininet.dll",
"description": ""
},
"name": "InternetConnectA",
"ref_link": "https://learn.microsoft.com/en-us/windows/win32/api/wininet/nf-wininet-internetconnecta?WT_mc_id=DSEC-MVP-5005282",
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 353,
"name": "C2 via FTP(S)",
"url": "https://unprotect.it/technique/c2-via-ftps/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/616/?format=api",
"library": {
"id": 29,
"name": "Wininet.dll",
"description": ""
},
"name": "FtpOpenFileA",
"ref_link": "https://learn.microsoft.com/en-us/windows/win32/api/wininet/nf-wininet-ftpopenfilea?WT_mc_id=DSEC-MVP-5005282",
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 353,
"name": "C2 via FTP(S)",
"url": "https://unprotect.it/technique/c2-via-ftps/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/620/?format=api",
"library": {
"id": 1,
"name": "Kernel32.dll",
"description": ""
},
"name": "CreateNamedPipeW",
"ref_link": "https://learn.microsoft.com/en-us/windows/win32/api/namedpipeapi/nf-namedpipeapi-createnamedpipew?WT_mc_id=SEC-MVP-5005282",
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 357,
"name": "SMB / Named Pipes",
"url": "https://unprotect.it/technique/smb-named-pipes/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/621/?format=api",
"library": {
"id": 1,
"name": "Kernel32.dll",
"description": ""
},
"name": "CreateNamedPipeA",
"ref_link": "https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createnamedpipea?WT_mc_id=SEC-MVP-5005282",
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 357,
"name": "SMB / Named Pipes",
"url": "https://unprotect.it/technique/smb-named-pipes/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/622/?format=api",
"library": {
"id": 1,
"name": "Kernel32.dll",
"description": ""
},
"name": "ConnectNamedPipe",
"ref_link": "https://learn.microsoft.com/en-us/windows/win32/api/namedpipeapi/nf-namedpipeapi-connectnamedpipe?WT_mc_id=SEC-MVP-5005282",
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 357,
"name": "SMB / Named Pipes",
"url": "https://unprotect.it/technique/smb-named-pipes/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/624/?format=api",
"library": {
"id": 1,
"name": "Kernel32.dll",
"description": ""
},
"name": "CallNamedPipeW",
"ref_link": "https://learn.microsoft.com/en-us/windows/win32/api/namedpipeapi/nf-namedpipeapi-callnamedpipew?WT_mc_id=SEC-MVP-5005282",
"from_msdn": true,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 357,
"name": "SMB / Named Pipes",
"url": "https://unprotect.it/technique/smb-named-pipes/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/625/?format=api",
"library": {
"id": 2,
"name": "NTDLL.DLL",
"description": ""
},
"name": "NtQueryInformationProcess",
"ref_link": "https://learn.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess",
"from_msdn": true,
"caution_level": "high",
"description": "GPT\r\nThe NtQueryInformationProcess function, along with the data structures it provides, is internal to Windows and can change between versions of the operating system. To ensure your application remains compatible, it is better to use the public functions recommended in the ProcessInformationClass parameter's description.\r\n\r\nIf you still choose to use NtQueryInformationProcess, access it through run-time dynamic linking. This method allows your code to adapt if the function is altered or removed in future Windows releases. Be aware, though, that changes in the function's signature might not be detectable.\r\n\r\nThis function isn't included in any import library. To use it, you need to dynamically link to Ntdll.dll using the LoadLibrary and GetProcAddress functions.",
"featured_in": [
{
"id": 358,
"name": "Process Argument Spoofing",
"url": "https://unprotect.it/technique/process-argument-spoofing/"
}
]
},
{
"url": "https://unprotect.it/api/featured_api/629/?format=api",
"library": {
"id": 2,
"name": "NTDLL.DLL",
"description": ""
},
"name": "NtDelayExecution",
"ref_link": "http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FNT%20Objects%2FThread%2FNtDelayExecution.html",
"from_msdn": false,
"caution_level": "medium",
"description": "",
"featured_in": [
{
"id": 371,
"name": "NtDelayExecution",
"url": "https://unprotect.it/technique/ntdelayexecution/"
}
]
}
]