HTTP 200 OK
Allow: GET, POST, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept
{
"count": 375,
"next": "https://unprotect.it/api/techniques/?format=api&page=5",
"previous": "https://unprotect.it/api/techniques/?format=api&page=3",
"results": [
{
"id": 243,
"key": "hide-artifacts-hidden-file-system",
"unprotect_id": "T1564.005",
"name": "Hide Artifacts: Hidden File System",
"description": "Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS.\r\n\r\nAdversaries may use their own abstracted file system, separate from the standard file system present on the infected system. In doing so, adversaries can hide the presence of malicious components and file input/output from security tools. Hidden file systems, sometimes referred to as virtual file systems, can be implemented in numerous ways. One implementation would be to store a file system in reserved disk space unused by disk structures or standard file system partitions. Another implementation could be for an adversary to drop their own portable partition image as a file on top of the standard file system. Adversaries may also fragment files across the existing file system structure in non-standard ways.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1564/005/",
"creation_date": "2023-01-31T01:55:59.336000Z",
"tags": "Defense Evasion,\r\nFAT, \r\nNTFS, \r\next4, \r\nAPFS,\r\nVolume Boot Record (VBR),\r\nMaster File Table (MFT),\r\nvirtual file systems,\r\nportable partition image,\r\nreserved disk space,\r\nfile fragmentation,",
"modification_date": "2023-10-04T10:44:08.518000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 242,
"key": "hide-artifacts-ntfs-file-attributes",
"unprotect_id": "T1564.004",
"name": "Hide Artifacts: NTFS File Attributes",
"description": "Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. Within MFT entries are file attributes, such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). \r\n\r\nAdversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1564/004/",
"creation_date": "2023-01-31T01:52:26.125000Z",
"tags": "Defense Evasion,\r\nNew Technology File System (NTFS),\r\nMaster File Table (MFT),\r\nExtended Attributes (EA),\r\nAlternate Data Streams (ADSs),\r\nattribute metadata,\r\nAPT32,",
"modification_date": "2023-10-04T10:44:05.485000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 241,
"key": "hide-artifacts-hidden-window",
"unprotect_id": "T1564.003",
"name": "Hide Artifacts: Hidden Window",
"description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks.\r\n\r\nOn Windows, there are a variety of features in scripting languages in Windows, such as PowerShell, Jscript, and Visual Basic to make windows hidden. One example of this is powershell.exe -WindowStyle Hidden. \r\n\r\nAdversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1564/003/",
"creation_date": "2023-01-31T01:47:46.570000Z",
"tags": "Defense Evasion,\r\n-WindowStyle Hidden,\r\nsupress windows,\r\nAPT19,\r\nAPT28,\r\nAPT3,\r\nAPT32,",
"modification_date": "2023-10-04T10:44:57.218000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 240,
"key": "hide-artifacts-hidden-users",
"unprotect_id": "T1564.002",
"name": "Hide Artifacts: Hidden Users",
"description": "Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.\r\n\r\nAdversaries may hide user accounts in Windows. Adversaries can set the HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList Registry key value to 0 for a specific user to prevent that user from being listed on the logon screen.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1564/002/",
"creation_date": "2023-01-31T01:41:37.835000Z",
"tags": "Defense Evasion,\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\r\nDragonfly,\r\nsupress users from login screen,",
"modification_date": "2023-10-04T10:43:35.458000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 239,
"key": "hide-artifacts-hidden-files-and-directories",
"unprotect_id": "T1564.001",
"name": "Hide Artifacts: Hidden Files and Directories",
"description": "Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows).\r\n\r\nUsers can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys.\r\n\r\nAdversaries can use this to their advantage to hide files and folders anywhere on the system and evading a typical user or system analysis that does not incorporate investigation of hidden files.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1564/001/",
"creation_date": "2023-01-31T01:37:25.064000Z",
"tags": "Defense Evasion,\r\nhidden files,\r\nhidden folders,\r\nattrib.exe,\r\n.ssh,\r\nAPT28,\r\nAPT32,",
"modification_date": "2023-10-04T10:44:08.273000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 238,
"key": "windows-file-and-directory-permissions-modification",
"unprotect_id": "T1222.001",
"name": "Windows File and Directory Permissions Modification",
"description": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\r\n\r\nWindows implements file and directory ACLs as Discretionary Access Control Lists (DACLs). Similar to a standard ACL, DACLs identifies the accounts that are allowed or denied access to a securable object. When an attempt is made to access a securable object, the system checks the access control entries in the DACL in order. If a matching entry is found, access to the object is granted. Otherwise, access is denied.\r\n\r\nAdversaries can interact with the DACLs using built-in Windows commands, such as icacls, cacls, takeown, and attrib, which can grant adversaries higher permissions on specific files and folders. Further, PowerShell provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via Accessibility Features, Boot or Logon Initialization Scripts, or tainting/hijacking other instrumental binary/configuration files via Hijack Execution Flow.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1222/001/",
"creation_date": "2023-01-31T01:31:58.384000Z",
"tags": "Defense Evasion,\r\nPersistence,\r\nevade access control lists (ACLs),\r\nicacls, \r\ncacls, \r\ntakeown, \r\nattrib,\r\nHijack Execution Flow,\r\nDiscretionary Access Control Lists (DACLs),\r\nAccessibility Features, \r\nBoot Initialization Scripts,\r\nLogon Initialization Scripts,",
"modification_date": "2023-10-04T10:44:29.110000Z",
"category": [
10
],
"rules": [],
"attachments": [
"b913237e-4937-4062-9187-b752a00d818c"
],
"featured_api": [],
"contributors": []
},
{
"id": 237,
"key": "domain-member",
"unprotect_id": "U1341",
"name": "Domain Member",
"description": "This technique determines if a host is a member of an Active Directory Domain without API calls. It helps prevent malicious payload execution in enterprise sandboxes that are not members of an Active Directory domain. The validation is done by checking the \"LoggonServer\" and \"ComputerName\" environment variables. If the host is logged into a domain controller, the \"LoggonServer\" value will contain the name of the logged-in server, otherwise both variables contain the same hostname. This information is stored in the process memory, allowing for undetectable domain membership validation without API calls.",
"windows": "",
"linux": "",
"macos": "",
"resources": "",
"creation_date": "2023-01-30T00:03:56.393000Z",
"tags": "technique, Active Directory Domain, enterprise sandboxes, malicious payload, LoggonServer, ComputerName, domain controller, hostname, process memory, undetectable, API calls",
"modification_date": "2023-01-30T00:03:56.393000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 236,
"key": "cpu-counting",
"unprotect_id": "U1340,B0009.018",
"name": "CPU Counting",
"description": "In many sandboxes, due to virtualization constraints, the number of CPUs may be limited to one. However, in the real world, all x86 CPUs have been sold with multiple cores or at least hyperthreading for over a decade. \r\n\r\nAs a result, it is sometimes possible to detect virtualization or sandboxing by examining the number of CPUs on the system. This information can be obtained without making API calls, simply by checking the PEB, which holds this information. The presence of hyperthreading can also be detected by directly asking the CPU using the CPUID instruction.",
"windows": "",
"linux": "",
"macos": "",
"resources": "",
"creation_date": "2023-01-29T23:58:47.355000Z",
"tags": "Sandbox, virtualization constraint, CPU count, workstations, servers, x86 CPU, multi-core, hyperthreading, virtualization detection, Windows API, WMI, registry, PEB, hyperthreading detection, CPUID instruction",
"modification_date": "2023-05-13T05:20:40.510000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 235,
"key": "return-address-spoofing",
"unprotect_id": "U0518",
"name": "Return Address Spoofing",
"description": "Return Address Spoofing is a technique used in x64 architecture to bypass the limitations of the x64 fastcall mechanism. The traditional method of spoofing return addresses in x86 (e.g. using a ret in a game module as a trampoline) is not feasible in x64 due to caller cleanup and red zone.\r\n\r\nTo overcome this, the code creates a temporary storage for the shellcode on the stack, where the address of a gadget and the called function are stored. An extra 8 bytes are reserved for the shellcode. The address of the storage is then passed to the shellcode, which reads the addresses, stores the original return address, the original content of the nonvolatile register (rbx), and the shellcode's return address.\r\n\r\nThe shellcode then jumps into the called function, which runs and returns to the gadget (jmp [rbx]). The remaining shellcode restores rbx, aligns the stack, and \"returns\" to the original return address using a jump instruction. This technique enables the shellcode to hide its presence from endpoint security software and memory scanners, while maintaining its malicious functionality.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.unknowncheats.me/forum/anti-cheat-bypass/268039-x64-return-address-spoofing-source-explanation.html",
"creation_date": "2023-01-29T23:50:58.846000Z",
"tags": "",
"modification_date": "2023-10-04T10:45:01.928000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 234,
"key": "avoiding-memory-scanners-yara-pe-sieve",
"unprotect_id": "U1009",
"name": "Avoiding Memory Scanners (Yara, Pe-sieve...)",
"description": "Avoiding Memory Scanners is a technique that enables malware creators to bypass the detection of endpoint security software and reverse engineers by using memory scanning to locate shellcode and malware in Windows memory. \r\n\r\nThe technique involves understanding how memory scanners work and implementing a stable evasion method for each of the memory scanning tools, such as PE-sieve, MalMemDetect, Moneta, Volatility malfind, and YARA. The goal of this technique is to hide the presence of malware from these tools and maintain its malicious functionality.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://youtu.be/9z9PHSk2MsY\nhttps://github.com/kyleavery/AceLdr",
"creation_date": "2023-01-29T23:45:51.133000Z",
"tags": "YARA, PE-SIEVE, Monetta, Endpoint, Memory Scan",
"modification_date": "2023-10-04T10:43:03.446000Z",
"category": [
14
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 233,
"key": "domain-policy-modification-domain-trust-modification",
"unprotect_id": "T1484.002",
"name": "Domain Policy Modification: Domain Trust Modification",
"description": "Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Domain trust details, such as whether or not a domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources. These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.\r\n\r\nManipulating the domain trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, this may be used to forge SAML Tokens, without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate. An adversary may also convert a domain to a federated domain, which may enable malicious trust modifications such as altering the claim issuance rules to log in any valid set of credentials as a specified user.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1484/002/",
"creation_date": "2023-01-27T03:09:57.300000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation,\r\nDomain trust details,\r\nadd fake certificate,\r\nSAML Tokens,\r\nfederated domain,\r\nAPT29,",
"modification_date": "2023-10-04T10:44:07.474000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 232,
"key": "domain-policy-modification-group-policy-modification",
"unprotect_id": "T1484.001",
"name": "Domain Policy Modification: Group Policy Modification",
"description": "Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predicable network path \\<DOMAIN>\\SYSVOL\\<DOMAIN>\\Policies\\.\r\n\r\nLike other objects in AD, GPOs have access controls associated with them. By default all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. write access, to specific users or groups in the domain.\r\n\r\nMalicious GPO modifications can be used to implement many other malicious behaviors such as Scheduled Task/Job, Disable or Modify Tools, Ingress Tool Transfer, Create Account, Service Execution, and more. Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.\r\n\r\nFor example, publicly available scripts such as New-GPOImmediateTask can be leveraged to automate the creation of a malicious Scheduled Task/Job by modifying GPO settings, in this case modifying <GPO_PATH>\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml.[3][4] In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <GPO_PATH>\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary's control would then be able to modify GPOs.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1484/001/",
"creation_date": "2023-01-27T03:02:16.993000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation,\r\nPersistence,\r\nGroup Policy Objects (GPOs),\r\nNew-GPOImmediateTask,\r\nScheduledTasks.xml,\r\nGptTmpl.inf,\r\nGPO modification privileges,\r\ndelegate GPO access control permissions,",
"modification_date": "2023-10-04T10:44:08.030000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 231,
"key": "access-token-manipulation-sid-history-injection",
"unprotect_id": "T1134.005",
"name": "Access Token Manipulation: SID-History Injection",
"description": "Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. An account can hold additional SIDs in the SID-History Active Directory attribute, allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).\r\n\r\nWith Domain Administrator (or equivalent) rights, harvested or well-known SID values may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as Remote Services, SMB/Windows Admin Shares, or Windows Remote Management.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1134/005/",
"creation_date": "2023-01-27T02:56:18.913000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation,\r\nbypass access controls,\r\nWindows security identifier (SID)\r\nSID-History Active Directory,\r\nimpersonate users,\r\nlateral movement,\r\nMISC::AddSid, \r\nMimikatz,",
"modification_date": "2023-10-04T10:45:01.018000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 230,
"key": "access-token-manipulation-make-and-impersonate-token",
"unprotect_id": "T1134.003",
"name": "Access Token Manipulation: Make and Impersonate Token",
"description": "Adversaries may make and impersonate tokens to escalate privileges and bypass access controls. If an adversary has a username and password but the user is not logged onto the system, the adversary can then create a logon session for the user using the LogonUser function. The function will return a copy of the new session's access token and the adversary can use SetThreadToken to assign the token to a thread.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1134/003/",
"creation_date": "2023-01-27T02:52:16.671000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation,\r\nLogonUser,\r\nSetThreadToken,\r\nCobalt Strike,",
"modification_date": "2023-10-04T10:43:00.794000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 229,
"key": "access-token-manipulation-create-process-with-token",
"unprotect_id": "T1134.002",
"name": "Access Token Manipulation: Create Process with Token",
"description": "Adversaries may create a new process with a different token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW and runas.\r\n\r\nCreating processes with a different token may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used (ex: gathered via other means such as Token Impersonation/Theft or Make and Impersonate Token).",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1134/002/",
"creation_date": "2023-01-27T02:49:53.607000Z",
"tags": "Defense Evasion,\r\nPrivilege Escalation,\r\nCreateProcessWithTokenW,\r\nrunas,\r\nToken Impersonation,\r\nToken Theft,\r\nMake Token,\r\nImpersonate Token,",
"modification_date": "2023-10-04T10:44:05.237000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 228,
"key": "access-token-manipulation-token-impersonationtheft",
"unprotect_id": "T1134.001",
"name": "Access Token Manipulation: Token Impersonation/Theft",
"description": "Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex). The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to a thread.\r\n\r\nAn adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful for when the target user has a non-network logon session on the system.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1134/001/",
"creation_date": "2023-01-27T02:44:10.190000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation,\r\nToken impersonation, \r\nToken theft, \r\nDuplicateToken(Ex), \r\nImpersonateLoggedOnUser, \r\nSetThreadToken\r\nAPT28,",
"modification_date": "2023-10-04T10:44:04.019000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 226,
"key": "homograph-attack-punycode",
"unprotect_id": "U0909",
"name": "Homograph Attack (Punycode)",
"description": "A homograph attack is a type of phishing attack that uses homoglyphs (characters that look similar to other characters) to create domain names or URLs that appear to be legitimate, but are actually controlled by an attacker. Homograph attacks take advantage of the fact that many languages have characters that are visually similar to characters used in other languages.\r\n\r\nFor example, the letter \"a\" in the Latin alphabet and the character \"а\" in the Cyrillic alphabet are visually similar. An attacker can register a domain name using the Cyrillic \"а\" and create a website that looks like a legitimate website, but is actually controlled by the attacker.\r\n\r\nThe attack works by exploiting the way domain names are encoded in Punycode. Punycode is a way of representing Unicode characters with the limited character subset of ASCII used for Internet host names. This allows for domain names containing non-Latin characters, such as Chinese or Arabic, to be represented in an ASCII format that can be understood by systems that only support ASCII characters.\r\n\r\nThis means that an attacker can register a domain name that uses characters from different languages that look similar to characters from the Latin alphabet, like \"а\" instead of \"a\" and create a website that looks almost identical to a legitimate website.\r\n\r\nThese attacks are very similar to typosquatting. Browser vendors have implemented features to help protect users from homograph attacks by displaying the Punycode version of domain names containing non-Latin characters.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://en.wikipedia.org/wiki/IDN_homograph_attack\nhttps://en.wikipedia.org/wiki/Punycode\nhttps://blog.securitybreak.io/fifty-shades-of-malware-strings-d33b0c7bee99",
"creation_date": "2023-01-16T00:36:02.612000Z",
"tags": "Homograph attack, phishing attack, homoglyphs, domain names, URLs, legitimate, attacker, encoding, Punycode, Unicode characters, ASCII, Internet host names, non-Latin characters, Latin alphabet, Cyrillic alphabet, typosquatting,",
"modification_date": "2023-10-04T10:44:03.843000Z",
"category": [
9
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 225,
"key": "domain-fronting",
"unprotect_id": "U0908, T1090.004",
"name": "Domain Fronting",
"description": "Domain fronting is a technique used to hide the true destination of internet traffic. It may be used to hide the real destination of an offensive payload or is could be used to bypass censorship or any form of network restriction. The technique may be used through CDN infrastructure or on any infrastructure that perform separation between SSL and http backend.\r\n\r\nIt involves SSL/TLS connection since it abuse of the destination requested in the SNI (Server Name Indication) field at SSL level at \"Front\" and the real hosname requested by the HOST header at the HTTP level. In clear you declare one destination at SSL level and another one at HTTP level. From an defender point on view you see only the SSL destination in the firewall logs and not the real final destination.\r\n\r\nAdditionally, some other headers may be used to facilitate domain fronting like \"X-Forwarded-Host\" and \"X-Originating-URL\". But these headers may vary depending on the implementation.\r\n\r\nSuch techniques were exploited by groups like APT29. Hovewer, some cloud providers like AWS, Google Cloud, and Cloudflare among others, have started to detect and block domain fronting attempts. Since then a new technics named domain hiding as been discovered. This is a complementary technique that as been presented by Erik Hunstad at defcon 2020. This techniques use the ESNI header in the TLS3.1 version.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://en.wikipedia.org/wiki/Domain_fronting\nhttps://attack.mitre.org/techniques/T1090/004/",
"creation_date": "2023-01-15T07:04:21.021000Z",
"tags": "Domain fronting,\r\nbypass censorship,\r\nnetwork restriction,\r\nSSL/TLS connection,\r\nSNI (Server Name Indication) field,\r\nX-Forwarded-Host,\r\nX-Originating-URL,\r\nAPT29,\r\nTLS3.1 version,",
"modification_date": "2023-10-04T10:45:00.870000Z",
"category": [
9,
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 224,
"key": "milfuscator",
"unprotect_id": "U1429",
"name": "Milfuscator",
"description": "Milfuscator is a tool used to obfuscate the code in a Portable Executable (PE) file by modifying and expanding the existing code in the \".text\" section, without creating any new sections. It does this using the Zydis and AsmJit libraries, and is based on the concept of code mutation from a P2C project for the game Counter-Strike: Global Offensive. The tool is an open-source project.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://github.com/nelfo/Milfuscator",
"creation_date": "2022-12-24T04:07:22.663000Z",
"tags": "Zydis,\r\nAsmJit,\r\nCode mutation,\r\nObfuscation,\r\nPacker,",
"modification_date": "2023-10-04T10:42:07.191000Z",
"category": [
12
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 223,
"key": "dirty-vanity",
"unprotect_id": "U1242",
"name": "Dirty Vanity",
"description": "Dirty Vanity is a process injection technique that exploits the Windows forking (process reflection and snapshotting) feature to inject code into a new process. \r\n\r\nIt uses the `RtlCreateProcessReflection` or `NtCreateProcess[Ex]` primitives, along with the `PROCESS_VM_OPERATION`, `PROCESS_CREATE_THREAD`, and `PROCESS_DUP_HANDLE` flags to reflect and execute code in a new process. \r\n\r\nThe technique also makes use of various methods, such as `NtCreateSection` and `NtMapViewOfSection`, `VirtualAllocEx` and `WriteProcessMemory`, and `NtSetContextThread` (also known as Ghost Writing), to write the injected code into the new process. \r\n\r\nThis technique is designed to evade detection by endpoint security solutions, as the injected code appears to have been written to the new process, rather than being injected from an external source.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://github.com/deepinstinct/Dirty-Vanity\nhttps://i.blackhat.com/EU-22/Thursday-Briefings/EU-22-Nissan-DirtyVanity.pdf",
"creation_date": "2022-12-18T03:19:30.703000Z",
"tags": "Process injection,\r\nWindows forking,\r\nProcess reflection,\r\nSnapshotting,\r\nRtlCreateProcessReflection,\r\nNtCreateProcess,\r\nNtCreateProcessEx,\r\nFork,\r\nExecute,\r\nPROCESS_VM_OPERATION,\r\nPROCESS_CREATE_THREAD,\r\nPROCESS_DUP_HANDLE,\r\nNtCreateSection,\r\nNtMapViewOfSection,\r\nVirtualAllocEx,\r\nWriteProcessMemory\r\nNtSetContextThread,\r\nGhost Writing,",
"modification_date": "2023-10-04T10:43:30.875000Z",
"category": [
4
],
"rules": [],
"attachments": [
"21196959-579d-4561-b450-0f3453f4e91d"
],
"featured_api": [
3,
4,
6,
24,
425
],
"contributors": []
},
{
"id": 222,
"key": "mark-of-the-web-motw-bypass",
"unprotect_id": "U0517",
"name": "Mark-Of-The-Web (MOTW) Bypass",
"description": "Mark-of-the-Web (MOTW) is a security feature originally introduced by Internet Explorer. When downloading a file, Internet Explorer creates an ADS named Zone.Identifier and adds a ZoneId to this stream to indicate from which zone the file originates. It is used on Windows OS to trigger a Windows Defender SmartScreen detection and raise an alert to the user about the file. \r\n\r\nThe following ZoneId values may be used in a Zone.Identifier ADS:\r\n\r\n* 0 Local computer\r\n* 1 Local intranet\r\n* 2 Trusted sites\r\n* 3 Internet\r\n* 4 Restricted sites\r\n\r\nIn some cases, the Alternate Data Stream will be `SmartScreen` with the value `anaheim`. To bypass this security feature malware authors can use file format that does not manage the MOTW such as ISO or VHD file. \r\n\r\nUsing `git clone` can also be an alternative as a file cloned from GitHub with the Git client does not have a Zone.Identifier ADS.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://outflank.nl/blog/2020/03/30/mark-of-the-web-from-a-red-teams-perspective/\nhttps://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html",
"creation_date": "2022-10-20T01:29:37.644000Z",
"tags": "#MOTW",
"modification_date": "2023-10-04T10:42:22.593000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 221,
"key": "tamper-dll-export-names-getprocaddress-spoofing",
"unprotect_id": "U1241",
"name": "Tamper DLL Export Names & GetProcAddress Spoofing",
"description": "When a process is running, it is possible to change the results of the call to `GetProcAddress` API, for the exported functions of a module along with modifying the export's offsets and name at runtime. \r\n\r\nFor example, the offset of `kernel32.dll's` function `VirtualAlloc` can be change to the offset of another function. When `VirtualAlloc` is called (after getting its address from `GetProcAddress`), the second function will be called instead. \r\n\r\nTo achieve this, it is possible to use the WINAPI `MapAndLoad` from `ImageHlp.h`, then use `ImageDirectoryEntryToData` to get the list of exports. Then the `ImageRvaToVa` API can be used to retrieve each exported functions names offset; if desired the export name can be overwritten, resulting in calls to `GetProcAddress` with that export name to fail or be directed to another function.",
"windows": "",
"linux": "",
"macos": "",
"resources": "",
"creation_date": "2022-08-11T10:08:44.579000Z",
"tags": "",
"modification_date": "2022-12-06T02:29:18.282000Z",
"category": [
4
],
"rules": [
122
],
"attachments": [],
"featured_api": [
3,
404,
425
],
"contributors": []
},
{
"id": 220,
"key": "hijack-execution-flow-dll-search-order-hijacking",
"unprotect_id": "T1574.001",
"name": "Hijack Execution Flow: DLL Search Order Hijacking",
"description": "Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.\r\n\r\nThere are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program. Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. \r\n\r\nAdversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.\r\n\r\nIf a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1574/001/\nhttps://pentestlab.blog/2017/03/27/dll-hijacking/\nhttps://itm4n.github.io/windows-dll-hijacking-clarified/\nhttps://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0\nhttps://github.com/Sh0ckFR/DLLirant",
"creation_date": "2022-07-25T09:16:49.633000Z",
"tags": "Persistence, \r\nPrivilege Escalation, \r\nDefense Evasion,\r\nexecute malicious payloads,\r\ntrojan dynamic-link library files (DLLs) ,\r\nDLL preloading,\r\nbinary planting attacks,\r\nmimic legitimate DLL,\r\nDLL redirection,",
"modification_date": "2023-10-04T10:43:51.456000Z",
"category": [
10
],
"rules": [
123
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 219,
"key": "dll-proxying",
"unprotect_id": "U1240",
"name": "DLL Proxying",
"description": "DLL proxying is a technique used by malware to evade detection and gain persistence on a system. It involves replacing a legitimate DLL with a malicious DLL that has the same exported functions and is named similarly to the legitimate DLL. \r\n\r\nWhen a program attempts to load the legitimate DLL, it will instead load the malicious DLL, which acts as a proxy for the legitimate DLL. The malicious DLL will redirect function calls to the legitimate DLL, allowing the malware to execute its own code and perform malicious actions without the program realizing that it is not the legitimate DLL. \r\n\r\nThis technique allows the malware to operate stealthily and evade detection by security software, as the malicious DLL is designed to mimic the legitimate DLL. This makes it difficult for security software to differentiate between the legitimate and malicious DLLs, allowing the malware to continue to operate undetected.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.ired.team/offensive-security/persistence/dll-proxying-for-persistence\nhttps://itm4n.github.io/dll-proxying/\nhttps://github.com/Sh0ckFR/DLLirant",
"creation_date": "2022-07-25T09:10:00.495000Z",
"tags": "DLL proxying,\r\nCode obfuscation,\r\nPersistence,\r\nDLL redirection,\r\nStealth operation,",
"modification_date": "2023-10-04T10:43:33.827000Z",
"category": [
4
],
"rules": [
124
],
"attachments": [],
"featured_api": [],
"contributors": [
21
]
},
{
"id": 218,
"key": "change-module-base-address-at-runtime",
"unprotect_id": "U1239",
"name": "Change Module Base Address at Runtime",
"description": "It is possible to change the `DllBase` of a module at runtime. This can trick debugging and analysis tools such as IDA or Cheat Engine into thinking a module's base is actually at another address. \r\n\r\nThis is achieved by accessing the process PEB's member 'Ldr', in particular it has a member `InOrderMemoryLinks` which we can iterate through to get a list of the process's modules. On each iteration we get a `PLDR_DATA_TABLE_ENTRY` structure to work with which contains a member PVOID `DllBase`, that can be overwritten with the new module base address.",
"windows": "",
"linux": "",
"macos": "",
"resources": "",
"creation_date": "2022-07-18T07:01:37.901000Z",
"tags": "",
"modification_date": "2022-07-18T07:01:37.901000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 217,
"key": "change-module-name-at-runtime",
"unprotect_id": "U1238",
"name": "Change Module Name at Runtime",
"description": "It is possible to change the name of the current process or any of its modules at runtime. This is achieved by accessing the process PEB's member 'Ldr', in particular it has a member 'InOrderMemoryLinks' which we can iterate through to get a list of the process's modules. \r\n\r\nOn each iteration it gets a `PLDR_DATA_TABLE_ENTRY` structure to work with which contains a member `UNICODE_STRING FullDllName`, which can be overwritten with the module name.",
"windows": "",
"linux": "",
"macos": "",
"resources": "",
"creation_date": "2022-07-18T06:56:56.957000Z",
"tags": "",
"modification_date": "2022-07-18T06:56:56.957000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 216,
"key": "flirt-signatures-evasion",
"unprotect_id": "U0220",
"name": "FLIRT Signatures Evasion",
"description": "FLIRT Signature evasion is a technique used by malware to hide malicious code inside legitimate functions from known libraries. FLIRT (Fast Library Identification and Recognition Technology) is a database that contains signature patterns for identifying known functions from legitimate libraries. \r\n\r\nMalware authors can abuse these signatures by modifying or adding specific bytes to the code, so that it appears to be a legitimate function when scanned by a FLIRT database. This can trick reverse engineering tools that rely on FLIRT signatures without performing further analysis, and make it more difficult for security analysts to identify and analyze the malware. \r\n\r\nBy using this technique, malware authors can evade detection and make their code more difficult to understand and analyze.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://hex-rays.com/products/ida/tech/flirt/in_depth/\nhttps://github.com/Maktm/FLIRTDB\nhttps://www.virustotal.com/gui/file/a41ba65405a032f4450ba80882cdd01d715d9d1684f4204050566be29a6dedb0",
"creation_date": "2022-07-01T07:35:35.174000Z",
"tags": "FLIRT (Fast Library Identification and Recognition Technology),\r\nSignature evasion,\r\nCode modification,\r\nLegitimate functions,",
"modification_date": "2023-10-04T10:43:35.037000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 215,
"key": "windows-event-log-evasion-via-native-apis",
"unprotect_id": "U0307",
"name": "Windows Event Log Evasion via Native APIs",
"description": "Attackers can leverage native Windows API calls to install malicious services without generating correlating entries in the event log. Using native APIs to install services instead of the standard API calls allow attackers to bypass security controls and event logging. This technique was utilised by Stuxnet.\r\n\r\nServices are typically created through a standard Windows API call `CreateServiceA` or `CreateService`. This API is also called by the service creating Windows native tool “sc.exe” to register a service on a machine. A call to this API subsequently generates entries in the event log which corresponds to the service creation event IDs. \r\n\r\nAttackers can create services without relying on the typical API call `CreateServiceA` by directly interacting with the Windows native API calls instead. For example, the `StartService` API will a make a call to the native API `NdrClientCall2` along with registering the service start events in the event logs. \r\n\r\nBy directly calling `NdrClientCall2` to start a service that’s had the registry keys manually created, the service is started and running, and no event logs are created allowing to evade forensic analysis. This will result in a malicious service running and without any event log entry. \r\n\r\nTo take this a step further, attackers can remove the evidence in the registry and any correlating evidence loaded in the memory of “services.exe”. This leaves with no registry artefacts and no event log information to analyse.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.inversecos.com/2022/03/windows-event-log-evasion-via-native.html",
"creation_date": "2022-06-27T10:44:00.403000Z",
"tags": "stuxnet,antiforensic",
"modification_date": "2023-10-04T10:44:07.307000Z",
"category": [
8
],
"rules": [
83
],
"attachments": [],
"featured_api": [
31,
413
],
"contributors": []
},
{
"id": 214,
"key": "trap-flag",
"unprotect_id": "U0131",
"name": "Trap Flag",
"description": "There is a Trap Flag in the Flags register. Bit number 8 of the EFLAGS register is the trap flag. When the Trap Flag is set, a SINGLE_STEP exception is generated.",
"windows": "",
"linux": "",
"macos": "",
"resources": "",
"creation_date": "2022-06-22T01:50:58.910000Z",
"tags": "trapflag",
"modification_date": "2023-10-04T10:43:27.051000Z",
"category": [
3
],
"rules": [
85
],
"attachments": [],
"featured_api": [
360,
593
],
"contributors": [
5
]
},
{
"id": 213,
"key": "ice-0xf1",
"unprotect_id": "U0130",
"name": "ICE 0xF1",
"description": "ICEBP is an undocumented instruction that serves as a single byte interrupt 1, generating a single step exception. It can be used to detect if the program is traced.",
"windows": "",
"linux": "",
"macos": "",
"resources": "",
"creation_date": "2022-06-22T01:46:01.067000Z",
"tags": "0xf1,icebp",
"modification_date": "2023-10-04T10:39:34.137000Z",
"category": [
3
],
"rules": [
70,
87
],
"attachments": [],
"featured_api": [
360
],
"contributors": [
5
]
},
{
"id": 212,
"key": "int-0x2d",
"unprotect_id": "U0129, B0001.006",
"name": "INT 0x2D",
"description": "When the instruction `INT2D` is executed, the exception `EXCEPTION_BREAKPOINT` is raised. Windows uses the EIP register as an exception address and then increments the EIP register value. Windows also examines the value of the EAX register while `INT2D` is executed.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.autosectools.com/anti-debugging-with-exceptions.pdf\nhttps://anti-debug.checkpoint.com/techniques/assembly.html#int2d",
"creation_date": "2022-06-22T01:41:35.414000Z",
"tags": "int2d",
"modification_date": "2023-10-04T10:43:47.504000Z",
"category": [
3
],
"rules": [
70
],
"attachments": [],
"featured_api": [
360,
593
],
"contributors": [
5
]
},
{
"id": 211,
"key": "bobsoft-mini-delphi-packer",
"unprotect_id": "U1428",
"name": "BobSoft Mini Delphi Packer",
"description": "The Delphi programming language can be an easy way to write applications and programs that leverage Windows API functions. In fact, some actors deliberately include the default libraries as a diversion to hamper static analysis and make the application \"look legit\" during dynamic analysis. \r\n\r\nThe packer goes to great lengths to ensure that it is not running in an analysis environment. Normal user activity involves many application windows being rotated or changed over a period of time. The first variant of the packer uses `GetForegroundWindow` API to check for the user activity of changing windows at least three times before it executes further. If it does not see the change of windows, it puts itself into an infinite sleep.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.mandiant.com/resources/increased-use-of-delphi-packer-to-evade-malware-classification",
"creation_date": "2022-06-21T23:48:10.193000Z",
"tags": "delphi,packer",
"modification_date": "2023-10-04T10:44:06.182000Z",
"category": [
12
],
"rules": [
117
],
"attachments": [],
"featured_api": [],
"contributors": [
5
]
},
{
"id": 210,
"key": "cryptone",
"unprotect_id": "U1427",
"name": "CryptOne",
"description": "A packing software called CryptOne became popular among some major threat actors. It was first reported by Fox-IT that the group behind Wastedlocker has begun using it, as well as Netwalker, Gozi ISFB v3, ZLoader, Emotet, Dridex, and Smokeloader.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.deepinstinct.com/blog/a-deep-dive-into-packing-software-cryptone\nhttps://github.com/Tera0017/de-CryptOne",
"creation_date": "2022-06-21T23:43:38.665000Z",
"tags": "cryptone",
"modification_date": "2023-10-04T10:43:28.384000Z",
"category": [
12
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": [
5
]
},
{
"id": 209,
"key": "cloudeyedarkeye",
"unprotect_id": "U1426",
"name": "CloudEye/DarkEye",
"description": "CloudEyE, an evolved version of DarkEyE, allows threat actors to use different types of malware of their choice and make it undetectable to anti-virus solutions. This program is being sold by legitimate Italian company which markets it as a tool for developers that want to protect their program from piracy and reverse engineering. The tutorials published and forum posts about CloudEyE prove that the objective of the program is to aid malicious activities.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.securitycode.eu/\nhttps://atlas-cybersecurity.com/cyber-threats/cloudeye-darkeye-evolved/",
"creation_date": "2022-06-21T23:39:37.553000Z",
"tags": "cloudeye,darkeye",
"modification_date": "2023-10-04T10:43:29.096000Z",
"category": [
12
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": [
5
]
},
{
"id": 208,
"key": "nls-code-injection-through-registry",
"unprotect_id": "U1237",
"name": "NLS Code Injection Through Registry",
"description": "Dll injection through registry modification of NLS code page ID is a technique used by malware to inject a malicious DLL into a process by modifying the NLS code page ID in the registry.\r\n\r\nThere are two ways to accomplish this technique:\r\n1. Calling the `SetThreadLocale` function and setting up an export function named `NlsDllCodePageTranslation`, where the main payload is located.\r\n2. Using the `SetConsoleCp` or `SetConsoleOutputCP` functions to modify the code page ID. If the process is not console-based, it is possible to allocate a console using the `AllocConsole` function.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://github.com/NtQuerySystemInformation/NlsCodeInjectionThroughRegistry",
"creation_date": "2022-06-20T04:57:44.171000Z",
"tags": "Dll injection, registry modification, NLS code page ID, SetThreadLocale, NlsDllCodePageTranslation, SetConsoleCp, SetConsoleOutputCP, AllocConsole, malware, proof of concept, position-independent shellcode, remote process, stager, loading of DLL",
"modification_date": "2023-10-04T10:42:36.449000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
1,
3,
4,
6,
12,
313,
321,
322,
329
],
"contributors": [
5
]
},
{
"id": 207,
"key": "dtpacker",
"unprotect_id": "U1416",
"name": "DTPacker",
"description": "DTPacker is a .NET packer or downloader which although seeing considerable variety in the first stage, uses a second stage with a fixed password as part of the decoding. \r\n\r\nThe main difference between a packer and a downloader is the location of the payload data which is embedded in the former and downloaded in the latter. DTPacker uses both forms. It is unusual for a piece of malware to be both a packer and downloader. \r\n\r\nThis packer uses multiple obfuscation techniques to evade antivirus, sandboxing, and analysis. It is likely distributed on underground forums",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.proofpoint.com/au/blog/threat-insight/dtpacker-net-packer-curious-password-1",
"creation_date": "2022-06-20T03:02:59.757000Z",
"tags": "",
"modification_date": "2023-10-04T10:43:15.166000Z",
"category": [
12
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 206,
"key": "pespin",
"unprotect_id": "U1425",
"name": "PESpin",
"description": "PESpin is a Windows executable files protector, compressor coded in Win32ASM using MASM. Overall, this application will enable the compression of the entire executable - code, data, and resources, thus leaving the file protected against patching or disassembling.",
"windows": "",
"linux": "",
"macos": "",
"resources": "http://downloads.fyxm.net/PESpin-95477.html",
"creation_date": "2022-06-20T02:58:01.613000Z",
"tags": "",
"modification_date": "2023-10-04T10:43:16.896000Z",
"category": [
12
],
"rules": [
116
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 205,
"key": "theark",
"unprotect_id": "U1424",
"name": "theArk",
"description": "Packer tool developed in C/C++. Full implementation of the linker, dynamic decompression and spraying in memory to complete file mapping.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://github.com/aaaddress1/theArk",
"creation_date": "2022-06-20T02:56:05.346000Z",
"tags": "",
"modification_date": "2023-10-04T10:43:09.559000Z",
"category": [
12
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 204,
"key": "net-reactor",
"unprotect_id": "U1423",
"name": ".Net Reactor",
"description": ".NET Reactor is used to prevent reverse engineering by adding different protection layers to .NET assemblies. Beside standard obfuscation techniques it includes special features like NecroBit, Virtualization, x86 Code Generation or Anti Tampering.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.eziriz.com/dotnet_reactor.htm",
"creation_date": "2022-06-20T02:50:46.208000Z",
"tags": "",
"modification_date": "2024-01-10T00:08:43.726000Z",
"category": [
12
],
"rules": [
140,
144
],
"attachments": [],
"featured_api": [],
"contributors": [
32
]
},
{
"id": 203,
"key": "net-anti-decompiler",
"unprotect_id": "U1422",
"name": ".Net Anti-Decompiler",
"description": ".Net Anti-Decompiler is a protective tool for .Net assemblies. It provides an extra layer of security and compliance to .Net application from reverse engineering.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.techipick.com/dotnet-anti-decompiler",
"creation_date": "2022-06-20T02:48:35.078000Z",
"tags": "",
"modification_date": "2023-10-04T10:43:13.718000Z",
"category": [
12
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 202,
"key": "obsidium",
"unprotect_id": "U1421",
"name": "Obsidium",
"description": "Obsidium is a software protection and licensing system that is designed to protect 32-bit and 64-bit Windows software applications and games from reverse engineering, unauthorized modifications (\"cracking\") and redistribution (\"software piracy\") while providing a licensing system.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.obsidium.de/home",
"creation_date": "2022-06-20T02:47:00.242000Z",
"tags": "",
"modification_date": "2023-10-04T10:43:15.699000Z",
"category": [
12
],
"rules": [
115
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 201,
"key": "axprotector",
"unprotect_id": "U1420",
"name": "AxProtector",
"description": "AxProtector encrypts the complete software you aim to protect, and shields it with a security shell, AxEngine. Best-of-breed anti-debugging and anti-disassembly methods are then injected into your software.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.wibu.com/us/products/protection-suite/axprotector.html",
"creation_date": "2022-06-20T02:45:08.365000Z",
"tags": "",
"modification_date": "2023-10-04T10:43:11.075000Z",
"category": [
12
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 200,
"key": "pelock",
"unprotect_id": "U1419",
"name": "PELock",
"description": "PELock is a software security solution designed for the protection of any 32 bit Windows applications against cracking, tampering and reverse engineering analysis.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.pelock.com/products/pelock",
"creation_date": "2022-06-20T02:41:58.804000Z",
"tags": "",
"modification_date": "2023-10-04T10:43:11.843000Z",
"category": [
12
],
"rules": [
114
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 199,
"key": "hxor-packer",
"unprotect_id": "U1418",
"name": "hXOR Packer",
"description": "hXOR Packer is a PE (Portable Executable) packer with Huffman Compression and Xor encryption.\r\n\r\nThe unpacker will decompress and decrypt the packed PE and execute it directly from memory without needing any hard disk space to execute.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://github.com/fscene8/hXOR-Packer",
"creation_date": "2022-06-20T02:39:51.042000Z",
"tags": "hxor, packer",
"modification_date": "2024-01-04T23:13:58.854000Z",
"category": [
12
],
"rules": [
138
],
"attachments": [],
"featured_api": [],
"contributors": [
5,
31
]
},
{
"id": 198,
"key": "confuserex",
"unprotect_id": "U1417",
"name": "ConfuserEx",
"description": "ConfuserEx is a open-source protector for .NET applications. It is the successor of Confuser project. It's primarily designed to make reverse engineering difficult for applications written in .NET languages like C# and VB.NET. ConfuserEx does this by using a variety of techniques like symbol renaming, control flow obfuscation, and encryption of strings and resources.\r\n\r\n- Supports .NET Framework 2.0/3.0/3.5/4.0/4.5/4.6/4.7/4.8\r\n\r\n- Symbol renaming (Support WPF/BAML)\r\n\r\n- Protection against debuggers/profilers\r\n\r\n- Protection against memory dumping\r\n\r\n- Protection against tampering (method encryption)\r\n\r\n- Control flow obfuscation\r\n\r\n- Constant/resources encryption\r\n\r\n- Reference hiding proxies\r\n\r\n- Disable decompilers\r\n\r\n- Embedding dependency\r\n\r\n- Compressing output",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://github.com/mkaring/ConfuserEx\r\nhttps://cod3nym.github.io/Detecting-Stealthy-ConfuserEx-with-Yara",
"creation_date": "2022-06-20T02:37:37.730000Z",
"tags": "",
"modification_date": "2024-01-09T04:04:09.009000Z",
"category": [
12
],
"rules": [
101,
137,
142
],
"attachments": [],
"featured_api": [],
"contributors": [
5,
32
]
},
{
"id": 197,
"key": "nspack",
"unprotect_id": "U1416",
"name": "NsPack",
"description": "NsPack is a packer for 32bits and 64bits exe, dll, ocx, scr Windows program.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.sans.org/white-papers/33428/",
"creation_date": "2022-06-19T07:46:10.909000Z",
"tags": "NsPack",
"modification_date": "2023-10-04T10:43:09.033000Z",
"category": [
12
],
"rules": [
96,
113
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 196,
"key": "asprotect",
"unprotect_id": "U1415",
"name": "AsProtect",
"description": "ASProtect is a multifunctional EXE packing tool designed for software developers to protect 32-bit applications with in-built application copy protection system.\r\n\r\nIt includes software compression, provides protection methods and tools for software from unauthorized copying, analysis, disassemblers and debuggers.\r\n\r\nASProtect 32 also provides enhanced work with registration keys and the ability to create a single application that can change its functionality or expiration, depending on the entered particular key.",
"windows": "",
"linux": "",
"macos": "",
"resources": "http://www.aspack.com/asprotect32.html",
"creation_date": "2022-06-19T07:43:13.379000Z",
"tags": "asprotect",
"modification_date": "2023-10-04T10:42:55.472000Z",
"category": [
12
],
"rules": [
112
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 195,
"key": "pecompact",
"unprotect_id": "U1414",
"name": "PECompact",
"description": "PECompact is a Windows executable compressor. It has a plugin system that offers virtually customization.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://bitsum.com/portfolio/pecompact/",
"creation_date": "2022-06-19T07:39:51.104000Z",
"tags": "pecompact",
"modification_date": "2023-10-04T10:42:55.129000Z",
"category": [
12
],
"rules": [
97
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 194,
"key": "crinkler",
"unprotect_id": "U1413",
"name": "Crinkler",
"description": "Crinkler is a compressing linker for Windows, specifically targeted towards executables with a size of just a few kilobytes.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://github.com/runestubbe/Crinkler",
"creation_date": "2022-06-19T07:36:46.756000Z",
"tags": "",
"modification_date": "2023-10-04T10:43:05.747000Z",
"category": [
12
],
"rules": [
111
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 193,
"key": "petite",
"unprotect_id": "U1412",
"name": "PEtite",
"description": "Petite is a free Win32 (Windows 95/98/2000/NT/XP/Vista/7/etc) executable (EXE/DLL/etc) compressor. The compressed executables decompress themselves at run time and can be used just like the original non-compressed versions. \r\n\r\nPetite also adds virus detection to the compressed executables; they will check themselves for infection every time they are executed.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.un4seen.com/petite/",
"creation_date": "2022-06-19T07:12:43.337000Z",
"tags": "petite",
"modification_date": "2023-10-04T10:42:56.579000Z",
"category": [
12
],
"rules": [
99,
110
],
"attachments": [],
"featured_api": [],
"contributors": []
}
]
}
