GET /api/techniques/341/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 341,
    "key": "unloading-module-with-freelibrary",
    "unprotect_id": "U0519",
    "name": "Unloading Module with FreeLibrary",
    "description": "Malware authors often use various techniques to evade detection by AV/EDR solutions. One such technique involves checking for the presence of AV/EDR DLLs that may be loaded in the malware's address space and attempting to unload them before executing their malicious code.\r\n\r\nTo do this, the malware first uses the `GetModuleHandleA` function to retrieve a handle to the DLL, if it is already loaded. Once it has a valid handle, the malware calls the `FreeLibrary` function to decrement the module's reference count; the DLL is only unloaded from memory once that count reaches zero.\r\n\r\nBy unloading the AV/EDR DLL, the malware can avoid detection and carry out its malicious activities without being monitored or blocked by the security software. Note, however, that this technique only affects the user-mode components of an EDR, not its kernel components. Additionally, modern EDR systems have evolved to detect such evasive techniques and prevent malware from disabling them.",
    "resources": "http://malwarejake.blogspot.com/2013/07/interesting-malware-defense.html\nhttps://rstforums.com/forum/topic/110743-make-your-dynamic-module-unfreeable-anti-freelibrary/\nhttps://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/",
    "creation_date": "2023-03-19T22:08:54.336000Z",
    "tags": "Malware, AV/EDR, detection, DLL, address space, unload, GetModuleHandleA, FreeLibrary,",
    "modification_date": "2023-10-04T10:44:48.899000Z",
    "category": [
        2
    ],
    "rules": [
        133
    ],
    "attachments": [],
    "featured_api": [
        375,
        376
    ],
    "contributors": []
}