GET /api/techniques/151/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept
{
"id": 151,
"key": "getforegroundwindow",
"unprotect_id": "U1301",
"name": "GetForegroundWindow",
"description": "This technique uses the GetForegroundWindow and Sleep APIs to attempt to evade sandboxes. Many sandboxes do not alter the foreground window like a user would in a normal desktop environment.\r\n\r\nIt accomplishes this by making a call to GetForegroundWindow, which returns a handle to the current window. Then the malware sample will sleep for a short time, followed by another call to GetForegroundWindow. If the foreground window has not changed, the malware assumes it is in a sandbox or analysis virtual machine and will continue this loop until the foreground window changes. If there is no change, the program will loop indefinitely or may make a call to ExitProcess.",
"resources": "https://archive.f-secure.com/weblog/archives/00002810.html",
"creation_date": "2020-10-01T11:39:03Z",
"tags": "GetForegroundWindow",
"modification_date": "2023-10-04T10:42:43.425000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [
25,
133,
236,
290
],
"contributors": []
}
