HTTP 200 OK
Allow: GET, POST, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept
{
"count": 351,
"next": "https://unprotect.it/api/techniques/?format=api&page=6",
"previous": "https://unprotect.it/api/techniques/?format=api&page=4",
"results": [
{
"id": 168,
"key": "detecting-online-sandbox",
"unprotect_id": "U1338",
"name": "Detecting Online Sandbox",
"description": "Online sandbox has become very popular for malware analysis. Several malware authors employ such techniques to avoid detection and analysis. Some of these techniques will be summarized here.\r\n\r\n* Any.Run uses a fake root certificate to spy on sandbox traffic. The first information about the system can be obtained by querying the information of the root certificate. In addition, the QEMU Agent is modified and used to monitor the applications running in the virtual machine allowing the sandbox to do API hooking and monitor the analyzed process. If a process name such as \"srvpost.exe\" is running and the \"winanr.dll\", \"winsanr.dll\" libraries are loaded, it is possible to detect the Any.Run agent.\r\n\r\n* Any.Run offers many packages to their users. And in addition to the features they are offering in these packages, they also determine the maximum number of minutes for active analysis. For example, you can analyze a file for 5 minutes by default with the Searcher package, that you pay 90 dollars to acquire, and you can make this time a maximum of 10 minutes by adding time in interactive mode. The sechost.dll in the agent contains and transmits the timing metrics of ANY.RUN. When we suspend this thread, Any.Run stops its counter and the analysis continues until it drops to timeout.",
"resources": "https://malwation.com/offensive-approach-to-online-sandboxes-1-any-run/\nhttps://gist.github.com/kaganisildak/4ff8adcaba2521a28a7029d61c265d16\nhttps://app.any.run/tasks/5bff31df-4688-41b1-a73a-d15d30e7ac54/\nhttps://app.any.run/",
"creation_date": "2021-03-10T14:32:11Z",
"tags": "",
"modification_date": "2023-10-04T10:44:43.778000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [
2,
18,
22,
23,
24,
25,
26,
27,
28,
29,
30,
317,
320,
364,
381,
412,
419,
425
],
"contributors": []
},
{
"id": 167,
"key": "file-melt",
"unprotect_id": "U1007",
"name": "File Melt",
"description": "File melting is a technique that malware uses to delete itself after it has been installed on a system. This is often done in order to avoid detection by antivirus programs or other security measures. The process of file melting involves overwriting the file with random data, making it impossible to recover the original file or to detect the presence of the malware. \r\n\r\nThis technique is often used in combination with other tactics, such as hiding the infected file in a remote location or using encryption to make it difficult to access.",
"resources": "",
"creation_date": "2021-02-20T19:02:54Z",
"tags": "File melting,\r\nFile deletion,\r\nOverwriting,\r\nRandom data,\r\nRecovery,\r\nEncryption,\r\nHiding,\r\nRemove trace,",
"modification_date": "2022-12-13T22:56:23.230000Z",
"category": [
14
],
"rules": [
51,
91
],
"attachments": [],
"featured_api": [
1,
3,
4,
6,
8,
11,
12,
23,
25,
132,
341,
363,
364,
381,
419,
425,
450
],
"contributors": []
},
{
"id": 166,
"key": "execution-guardrails-environmental-keying",
"unprotect_id": "T1480.001",
"name": "Execution Guardrails: Environmental Keying",
"description": "Adversaries may environmentally key payloads or other features of malware to evade defenses and constraint execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Environmental keying is an implementation of Execution Guardrails that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.\r\n\r\nValues can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses. By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult. These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs).\r\n\r\nSimilar to Obfuscated Files or Information, adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution. By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult. This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.\r\n\r\nLike other Execution Guardrails, environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical Virtualization/Sandbox Evasion. While use of Virtualization/Sandbox Evasion may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.",
"resources": "https://attack.mitre.org/techniques/T1480/001/",
"creation_date": "2020-11-15T09:35:38Z",
"tags": "Defense Evasion.\r\ncryptography,\r\nconstrain execution,\r\nderiving encryption/decryption keys,\r\nencrypted payloads,\r\nAPT41,\r\nData Protection API",
"modification_date": "2023-10-04T10:44:56.962000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 165,
"key": "indicator-removal-timestomp",
"unprotect_id": "U0303, T1070.006",
"name": "Indicator Removal: Timestomp",
"description": "Timestomping is a technique used by adversaries to modify the timestamps of a file, such as the modify, access, create, and change times. This technique is often used to hide the fact that a file has been modified or created by the adversary, making it more difficult for forensic investigators or file analysis tools to detect the changes. \r\n\r\nBy modifying the timestamps of a file, the adversary can make it appear as if the file has been present on the system for a longer period of time, or that it was last accessed or modified at a different time than it actually was. This can help the adversary avoid detection and continue operating on a compromised system without being detected.",
"resources": "https://attack.mitre.org/techniques/T1070/006/",
"creation_date": "2020-11-13T20:27:25Z",
"tags": "Timestomping,\r\nTimestamp manipulation,\r\nChange times,\r\nForensic investigators,\r\nFile analysis tools,\r\nAPT28,\r\nAPT29,\r\nAPT32,\r\nAPT38,",
"modification_date": "2023-10-04T10:44:15.174000Z",
"category": [
8,
10
],
"rules": [
90
],
"attachments": [],
"featured_api": [
23,
341,
376,
388,
425,
442
],
"contributors": []
},
{
"id": 164,
"key": "debug-registers-hardware-breakpoints",
"unprotect_id": "U0127, B0001.005",
"name": "Debug Registers, Hardware Breakpoints",
"description": "Registers DR0 through DR3 contain the linear address associated with one of the four hardware breakpoint conditions. For anti-debugging, malware will check the contents of the first four debug registers to see if the hardware breakpoint has been set.",
"resources": "https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-getcurrentthread\nhttps://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-getthreadcontext\nhttps://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/registers-window",
"creation_date": "2020-11-13T14:16:40Z",
"tags": "DR0",
"modification_date": "2023-10-04T10:42:28.818000Z",
"category": [
3
],
"rules": [
10
],
"attachments": [],
"featured_api": [
341,
381,
399
],
"contributors": []
},
{
"id": 163,
"key": "anti-yara-rules",
"unprotect_id": "U1001",
"name": "Anti Yara Rules",
"description": "Yara rules are used by malware researchers to identify and classify malware based on specific characteristics and behaviors. These rules are powerful because they allow researchers to quickly and accurately detect malware, even if it has been modified to avoid detection. However, attackers can also modify their malware to avoid detection by Yara rules. \r\n\r\nThis is often seen with ransomware, where attackers will update the content of their ransom notes in an attempt to evade detection. By constantly modifying their malware, attackers can make it more difficult for researchers to track and detect their malware.",
"resources": "https://github.com/Yara-Rules/rules",
"creation_date": "2020-11-10T08:08:48Z",
"tags": "Yara rules,\r\ntracking,\r\ndetection evasion,\r\nransomware notes,\r\nmalware classification,\r\nmalware characteristics,\r\nmalware behaviors,",
"modification_date": "2023-10-04T10:42:42.729000Z",
"category": [
14
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 162,
"key": "breaking-badder",
"unprotect_id": "U1201",
"name": "Breaking BaDDEr",
"description": "Dynamic Data Exchange (DDE) is a protocol that allows applications to share data with each other. The Dynamic Data Exchange Management Library (DDEML) is a set of functions that facilitate data sharing using the DDE protocol. DDE and DDEML are commonly used in Microsoft Office to enable data to be shared between applications. In October 2017, a vulnerability was discovered in Microsoft Office that could be exploited using DDE to execute arbitrary code. Since then, DDE has been disabled by default in Microsoft Office and is no longer considered a critical component. \r\n\r\nThis injection method is limited to the explorer.exe process, which is the process that handles graphical user interface (GUI) elements in the Windows operating system.",
"resources": "https://modexp.wordpress.com/2019/08/09/windows-process-injection-breaking-badder/",
"creation_date": "2020-10-26T07:41:58Z",
"tags": "Data sharing protocol,\r\nData sharing library,\r\nDDE protocol,\r\nCode execution,",
"modification_date": "2023-10-04T10:42:33.135000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
3,
4,
6,
23,
24,
239,
290,
357,
363,
381,
423,
569
],
"contributors": []
},
{
"id": 161,
"key": "dns-api-injection",
"unprotect_id": "U1202",
"name": "DNS API Injection",
"description": "DNS API injection is a technique used by malware to evade detection by intercepting and modifying DNS (Domain Name System) requests made by a host system. The technique involves injecting code into the DNS API (Application Programming Interface) of the host system, which is a set of functions and protocols that allow communication with the DNS service. By injecting code into the DNS API, the malware can manipulate DNS requests and responses, potentially redirecting traffic to malicious domains or hiding its own DNS requests from being logged or detected.\r\n\r\nTo carry out DNS API injection, the malware must first locate the address of the dnsapi.dll library in the host system's memory and find the address of the exported `DnsApiHeapReset` function. By parsing the code of this function, the malware can discover the addresses of various callback functions that are used to process DNS requests and responses. The malware can then use the `WriteProcessMemory` function to modify these callbacks, allowing it to intercept and manipulate DNS requests made by the host system.\r\n\r\nSysmon v10, a system monitoring tool, includes a feature that logs DNS queries and maps them to the process name making the request. This can help detect DNS API injection by showing any suspicious or unexpected DNS requests being made by processes on the host system.",
"resources": "https://modexp.wordpress.com/2019/08/08/windows-process-injection-dnsapi/\nhttp://www.hexacorn.com/blog/2019/06/12/code-execution-via-surgical-callback-overwrites-e-g-dns-memory-functions/",
"creation_date": "2020-10-26T07:38:31Z",
"tags": "Overwriting DNS memory functions,\r\nLogging DNS queries,\r\nIntercepting DNS requests,\r\nHiding DNS requests,\r\ndnsapi.dll,\r\nDnsApiHeapReset,",
"modification_date": "2023-10-04T10:44:49.979000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
2,
3,
4,
6,
23,
24,
94,
239,
290,
301,
357,
358,
363,
413,
423,
469,
480,
569
],
"contributors": []
},
{
"id": 160,
"key": "clipbrdwndclass",
"unprotect_id": "U1203",
"name": "CLIPBRDWNDCLASS",
"description": "CLIPBRDWNDCLASS is a window class that is registered by the Object Linking & Embedding (OLE) library (ole32.dll) to handle clipboard data. When a window of this class is created, it is assigned a number of window properties that store the addresses of various interfaces that are used to process clipboard data. These interfaces include the `ClipboardDataObjectInterface`, `ClipboardRootDataObjectInterface`, and `ClipboardDataObjectInterfaceMTA`.\r\n\r\nOne of these interfaces, the `ClipboardDataObjectInterface`, can be leveraged for code injection. If this interface is set to the address of an IUnknown interface and the clipboard window procedure receives a WM_DESTROYCLIPBOARD message, it will invoke the Release method of the IUnknown interface. This can potentially allow malware to inject code into the host system by manipulating the clipboard data and causing the Release method to be called.\r\n\r\nIt is important to note that the CLIPBRDWNDCLASS window class and the interfaces it uses are private to the OLE library, and are not intended for use by external programs.",
"resources": "https://modexp.wordpress.com/2019/05/24/4066/",
"creation_date": "2020-10-13T17:24:15Z",
"tags": "Object Linking & Embedding (OLE) library,\r\nPrivate clipboard\r\nCLIPBRDWNDCLASS window class,\r\nOLE library,\r\nClipboard data,\r\nClipboardDataObjectInterface,\r\nClipboardRootDataObjectInterface,\r\nClipboardDataObjectInterfaceMTA,",
"modification_date": "2023-10-04T10:43:33.129000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
3,
4,
6,
23,
24,
239,
290,
363
],
"contributors": []
},
{
"id": 158,
"key": "wordwarping",
"unprotect_id": "U1204",
"name": "WordWarping",
"description": "Edit controls are a type of user interface element that allows a user to enter and edit text in a graphical user interface (GUI). They are commonly used in Windows applications and can be embedded directly into a GUI or subclassed as a separate window. Edit controls can be set to display text in multiline mode, in which case they use a special callback function called the EditWordBreakProc to handle word wrapping.\r\n\r\nThe `EditWordBreakProc` callback function is called anytime the control needs to perform an operation related to word wrapping. This function can be modified for any window by sending the EM_SETWORDBREAKPROC message to the window. If the window is an edit control or a descendant of an edit control, modifying the `EditWordBreakProc` callback function can cause unexpected behavior.\r\n\r\nOne way to trigger the execution of the `EditWordBreakProc` callback function is to simulate keyboard input using the `SendInput` or `PostMessage` APIs. These APIs allow a program to send input events, such as keystrokes or mouse movements, to a window or application as if they were being generated by a user. If the input events are directed at an edit control or a descendant of an edit control, they may cause the `EditWordBreakProc` callback function to be called.",
"resources": "",
"creation_date": "2020-10-13T17:21:36Z",
"tags": "Rich Edit controls,\r\nWindows controls,\r\nMultiline mode,\r\nEditWordBreakProc callback function,\r\nWord wrapping,\r\nEM_SETWORDBREAKPROC message,",
"modification_date": "2023-10-04T10:39:35.737000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
3,
4,
6,
23,
24,
134,
239,
290,
363
],
"contributors": []
},
{
"id": 157,
"key": "editwordbreakproc",
"unprotect_id": "U1229",
"name": "EditWordBreakProc",
"description": "Edit controls, including Rich Edit controls, are a common type of Windows control found in many applications. They can be embedded directly in the application or as subclassed windows. \r\n\r\nWhen these controls display text in multiline mode, they use a callback function called `EditWordBreakProc`. This function is called every time the control needs to do something related to word wrapping. \r\n\r\nAdditionally, when a Rich Edit control receives the `EM_STREAMIN` message, it uses the information provided in an `EDITSTREAM` structure to transfer data into or out of the control. The `pfnCallback` field of this structure can be used to point to a payload in memory, allowing for the injection of malicious code.",
"resources": "https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/",
"creation_date": "2020-10-13T17:19:34Z",
"tags": "Edit controls, Rich Edit controls, Windows control, multiline mode, EditWordBreakProc callback function, word wrapping, EM_STREAMIN message, EDITSTREAM structure, pfnCallback field,",
"modification_date": "2023-10-04T10:44:38.818000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
3,
4,
6,
23,
24,
239,
290,
363
],
"contributors": []
},
{
"id": 156,
"key": "oleum",
"unprotect_id": "U1206",
"name": "OLEUM",
"description": "Edit controls are a type of user interface element that allows a user to enter and edit text in a graphical user interface (GUI). They are commonly used in Windows applications and can be embedded directly into a GUI or subclassed as a separate window. Edit controls can be set to display text in multiline mode, in which case they use a special callback function called the EditWordBreakProc to handle word wrapping.\r\n\r\nThe EditWordBreakProc callback function is called anytime the control needs to perform an operation related to word wrapping. In some cases, it may be possible to manipulate this callback function to achieve a desired effect, such as injecting code into the host system.\r\n\r\nOne method that has been used to manipulate the EditWordBreakProc callback function is to send the EM_GETOLECALLBACK message to the edit control window using the SendMessage function. This message is not well documented and can cause the rich edit window to crash if the LPARAM parameter does not point to locally accessible memory. Additionally, the EM_GETOLECALLBACK message does not return a pointer to the IRichEditOleCallback interface as expected, but rather to the IRichEditOle interface. As a result, the EM_SETOLECALLBACK message cannot be used to modify the callback function.\r\n\r\nInstead, it may be possible to modify the IRichEditOle.lpVtbl heap memory, which holds a table of methods that can be called on the IRichEditOle interface. By overwriting the address of one of these methods with the address of the payload, it may be possible to execute the payload when the method is called. In this case, the payload is the GetClipboardData function. It is important to note that manipulating the EditWordBreakProc callback function and modifying heap memory in this way is likely to be detected by security systems and may result in the host system being compromised.",
"resources": "https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/",
"creation_date": "2020-10-13T17:17:35Z",
"tags": "Rich Edit controls,\r\nEditWordBreakProc callback,\r\nWord wrapping,\r\nEM_GETOLECALLBACK message,\r\nSendMessage function,\r\nLPARAM parameter,\r\nLocally accessible memory,\r\nIRichEditOleCallback interface,",
"modification_date": "2023-10-04T10:44:00.867000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
3,
4,
6,
23,
24,
229,
239,
290,
357,
363
],
"contributors": []
},
{
"id": 155,
"key": "listplanting",
"unprotect_id": "U1207",
"name": "Listplanting",
"description": "Edit controls are a type of user interface element that allows a user to enter and edit text in a graphical user interface (GUI). They are commonly used in Windows applications and can be embedded directly into a GUI or subclassed as a separate window.\r\n\r\nEdit controls can be set to display text in multiline mode, in which case they use a special callback function called the EditWordBreakProc to handle word wrapping. This callback function is called anytime the control needs to perform an operation related to word wrapping.\r\n\r\nIn addition to the EditWordBreakProc callback function, the ListView control, which is a common GUI element used to display lists of items, can also be customized using certain messages. The LVM_SORTGROUPS message allows the user to specify a callback function that is used to sort the groups in a ListView control. The LVM_INSERTGROUPSORTED message inserts a new group into a ListView control, using the callback function specified in the LVM_SORTGROUPS message to determine the proper position for the new group. The LVM_SORTITEMS message allows the user to specify a callback function that is used to sort the items in a ListView control.\r\n\r\nUsing these messages and callback functions, it is possible to customize the sorting of items and groups in a ListView control to meet the specific needs of an application.",
"resources": "https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/",
"creation_date": "2020-10-06T05:48:52Z",
"tags": "Rich Edit controls,\r\nWindows controls,\r\nMultiline mode,\r\nEditWordBreakProc callback,\r\nWord wrapping,\r\nListView control,\r\nGUI element,\r\nDisplay lists of items,\r\nLVM_SORTGROUPS message,\r\nCallback function,",
"modification_date": "2023-10-04T10:42:33.290000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
3,
4,
6,
23,
24,
239,
290,
363
],
"contributors": []
},
{
"id": 154,
"key": "treepoline",
"unprotect_id": "U1208",
"name": "Treepoline",
"description": "Tree-view controls are a type of user interface element that is used to display hierarchical data in a graphical user interface (GUI). They are commonly used in Windows applications and allow users to navigate and explore complex data structures.\r\n\r\nTo display its content, a tree-view control must sort the items it shows. The sorting routine for a tree-view control can be controlled and modified using a TVSORTCB structure, which includes a field called lpfnCompare that points to a callback function. This callback function is called anytime a comparison between tree elements is required.\r\n\r\nBy sending a TVM_SORTCHILDRENCB message to a tree-view control, it is possible to specify the callback function that should be used to sort the tree-view's elements. When the tree-view control executes the specified callback function, it is possible to execute arbitrary code or perform other actions. This technique can be used to compromise the host system or cause harm in other ways. It is important to note that manipulating the callback function in this way is likely to be detected by security systems and may result in the host system being compromised.",
"resources": "http://www.hexacorn.com/blog/2019/04/24/treepoline-new-code-injection-technique/\nhttps://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/",
"creation_date": "2020-10-06T05:46:01Z",
"tags": "Tree-view controls,\r\nUser interface element,\r\nHierarchical data,\r\nGraphical user interface (GUI),\r\nWindows applications,\r\nData structures,\r\nItem sorting,\r\nTVSORTCB structure,\r\nlpfnCompare field,",
"modification_date": "2023-10-04T10:44:01.256000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
3,
4,
6,
23,
24,
239,
290,
363
],
"contributors": []
},
{
"id": 153,
"key": "consolewindowclass",
"unprotect_id": "U1209",
"name": "ConsoleWindowClass",
"description": "One method that has been used to achieve process injection is by manipulating the User Data of a window object.\r\n\r\nThe User Data of a window is a small amount of memory that is usually used to store a pointer to a class object. This memory can be set using the `SetWindowLongPtr` API and the GWLP_USERDATA parameter. In the case of the Console Window Host (conhost) process, the User Data of a window is used to store the address of a data structure that contains information about the window's position, dimensions, and object handle, as well as a class object with methods to control the behavior of the console window.\r\n\r\nBy manipulating the User Data of a window object, it may be possible to execute arbitrary code in the context of the process associated with that window.",
"resources": "https://modexp.wordpress.com/2018/09/12/process-injection-user-data/",
"creation_date": "2020-10-05T12:31:17Z",
"tags": "Arbitrary code execution,\r\nContext of another process,\r\nSetWindowLongPtr API,\r\nGWLP_USERDATA parameter,\r\nUser Data of a window,",
"modification_date": "2023-10-04T10:42:33.648000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
3,
4,
6,
23,
24,
239,
290,
357,
363
],
"contributors": []
},
{
"id": 152,
"key": "bypass-user-account-control",
"unprotect_id": "T1548.002",
"name": "Bypass User Account Control",
"description": "Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\r\n\r\nThe impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.",
"resources": "https://attack.mitre.org/techniques/T1548/002/",
"creation_date": "2020-10-05T06:30:46Z",
"tags": "Defense Evasion,\r\nbypass UAC controls,\r\nMITRE,\r\nprivilege elevation,",
"modification_date": "2023-10-04T10:44:59.068000Z",
"category": [
10
],
"rules": [
24,
38
],
"attachments": [],
"featured_api": [
25
],
"contributors": []
},
{
"id": 151,
"key": "getforegroundwindow",
"unprotect_id": "U1301",
"name": "GetForegroundWindow",
"description": "This technique uses the GetForegroundWindow and Sleep APIs to attempt to evade sandboxes. Many sandboxes do not alter the foreground window like a user would in a normal desktop environment.\r\n\r\nIt accomplishes this by making a call to GetForegroundWindow, which returns a handle to the current window. Then the malware sample will sleep for a short time, followed by another call to GetForegroundWindow. If the foreground window has not changed, the malware assumes it is in a sandbox or analysis virtual machine and will continue this loop until the foreground window changes. If there is no change, the program will loop indefinitely or may make a call to ExitProcess.",
"resources": "https://archive.f-secure.com/weblog/archives/00002810.html",
"creation_date": "2020-10-01T11:39:03Z",
"tags": "GetForegroundWindow",
"modification_date": "2023-10-04T10:42:43.425000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [
25,
133,
236,
290
],
"contributors": []
},
{
"id": 150,
"key": "thermal-zone-temperature",
"unprotect_id": "U1302",
"name": "Thermal Zone Temperature",
"description": "The temperature sensor is used to know the current temperature of a machine. In a non-virtualized environment, the function returns valid support and output like: \"25.05 C: 77.09 F: 298.2K\". But for a fully virtualized environment, the return is \"MSAcpi_ThermalZoneTemperature not supported\" because this feature is not supported on virtualized processors.\r\n\r\nInterestingly, this method is not valid. Not all Windows machines will support this method due to incompatibility with thermal zone sensors. It is a BIOS function. Sometimes the BIOS manufacturer provides dlls that can be referenced to call the required function and return the details.\r\n\r\nMany malware authors use it to detect virtual machines, but it frequently fails due to lack of vendor support.",
"resources": "https://medium.com/@DebugActiveProcess/anti-vm-techniques-with-msacpi-thermalzonetemperature-32cfeecda802\nhttps://social.msdn.microsoft.com/Forums/en-US/19520825-b1fc-4778-8704-c492124bc029/getting-cpu-temp?forum=vblanguage",
"creation_date": "2020-09-26T10:02:04Z",
"tags": "thermal, temperature",
"modification_date": "2023-10-04T10:43:53.612000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 149,
"key": "checking-malware-name",
"unprotect_id": "U1303,U0401",
"name": "Checking Malware Name",
"description": "Malware can use various techniques to evade detection by security analysts and researchers. One such technique is to check the name of the malware sample before fully executing on the infected machine. If the sample has been renamed to a blacklisted name, such as \"malware.exe\" or \"sample.exe\", or even with the file hash, the malware can detect this and change its behavior or terminate its process to avoid being detected and analyzed. This technique allows the malware to remain undetected and continue its malicious activities on the infected machine.",
"resources": "",
"creation_date": "2020-09-22T06:49:06Z",
"tags": "malware,\r\nsample,\r\nblacklisted names,\r\nprocess,\r\nfile hash,",
"modification_date": "2023-10-04T10:40:12.913000Z",
"category": [
1,
6
],
"rules": [
129
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 148,
"key": "rdtscp",
"unprotect_id": "U1304",
"name": "RDTSCP",
"description": "Newer processors support a new instruction called RDTSCP which does the exact same thing as RDTSC, except that it does so serializing (meaning it waits for all instructions to execute before reading the counter. and that the possible reordering of the execution of the instructions is won that does not happen). \r\n\r\nThis instruction can be used to calculate the delta of the timestamp counter in the same way as RDTSC and thus detect whether the program is being debugged, emulated or executed in a virtual environment.",
"resources": "https://www.hexacorn.com/blog/2014/06/15/rdtscp-a-recooked-antire-trick/",
"creation_date": "2020-09-14T07:32:36Z",
"tags": "RDTSCP",
"modification_date": "2023-10-04T10:42:43.229000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [
364
],
"contributors": []
},
{
"id": 147,
"key": "api-hammering",
"unprotect_id": "U1305, B0003.012",
"name": "API Hammering",
"description": "API hammering is a technique used to delay sandbox analysis and thus avoid malware capability analysis reporting. This technique consists of calling a large amount of benign APIs like \"printf\" in a loop.",
"resources": "https://www.joesecurity.org/blog/3660886847485093803",
"creation_date": "2020-09-10T14:39:31Z",
"tags": "hammering",
"modification_date": "2023-10-04T10:42:01.978000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 146,
"key": "process-reimaging",
"unprotect_id": "U1210",
"name": "Process Reimaging",
"description": "Process Reimaging is a technique used to evade detection by endpoint security solutions. It is a variation of the Process Hollowing or Process Doppelganging techniques, which are used to execute arbitrary code in the context of another process.\r\n\r\nThe Windows operating system has inconsistencies in how it determines the locations of process image FILE_OBJECTs, which can impact the ability of endpoint security solutions, such as Microsoft Defender Realtime Protection, to accurately detect the correct binaries loaded in malicious processes. This inconsistency can be exploited using the Process Reimaging technique, which does not require code injection.",
"resources": "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/in-ntdll-i-trust-process-reimaging-and-endpoint-security-solution-bypass.html",
"creation_date": "2020-05-08T09:26:00Z",
"tags": "Process Reimaging,\r\nDetection evasion,\r\nEndpoint security solutions,\r\nProcess Hollowing,\r\nProcess Doppelganging,\r\nMitre Attack Defense Evasion Category,\r\nCode injection,",
"modification_date": "2023-10-04T10:43:54.431000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 145,
"key": "malvertising",
"unprotect_id": "U1002",
"name": "Malvertising",
"description": "Malvertising is a type of cyber attack that involves using online advertising as a means to spread malware. This is attractive to attackers because it allows them to easily reach a large number of users without having to directly compromise the websites hosting the ads. The ads themselves can be inserted into reputable and high-profile websites, which can help attackers bypass network security measures and reach users who may not be as vigilant about protecting themselves online. \r\n\r\nBy using malvertising, attackers can exploit the trust that users have in the websites they visit and the ads they see, making it an effective and stealthy way to spread malware.",
"resources": "https://www.imperva.com/learn/application-security/malvertising/",
"creation_date": "2019-04-23T12:35:33Z",
"tags": "malvertising,\r\nonline advertising,\r\nhigh-profile websites,\r\ntrust in websites,",
"modification_date": "2023-10-04T10:43:44.639000Z",
"category": [
14
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 144,
"key": "c2-via-social-networks",
"unprotect_id": "U0901",
"name": "C2 via Social Networks",
"description": "Malware often relies on a communication channel with its operator in order to receive instructions and updates. This channel is known as a command and control (C&C or C2) channel. C&C channels can take various forms, such as internet relay chat (IRC), peer-to-peer protocols, and even social media. The use of C&C channels allows the operator to remotely control the malware and direct its actions.",
"resources": "https://zeltser.com/bots-command-and-control-via-social-media/",
"creation_date": "2019-04-23T12:32:22Z",
"tags": "Command and control (C&C),\r\nCommunication channel,\r\nOperator,\r\nInternet relay chat (IRC),\r\nPeer-to-peer protocols,\r\nSocial media,",
"modification_date": "2023-10-04T10:42:48.003000Z",
"category": [
9
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 143,
"key": "peer-to-peer-c2",
"unprotect_id": "U0902",
"name": "Peer to peer C2",
"description": "Peer-to-peer (P2P) botnets are a type of botnet that uses a decentralized network structure, without a central command and control (C&C) server. Each infected machine in a P2P botnet maintains a list of other trusted computers (including other infected machines), as well as information drop locations and locations where the malware can be updated. Some P2P botnets also use encryption to conceal their communications.\r\n\r\nThe decentralized nature of P2P botnets makes it harder for security researchers to track and disrupt their activities. Without a central C&C server, it is more difficult for investigators to take down the entire network by targeting a single infected machine. Additionally, the use of encryption can hinder analysis of the botnet's communications. However, this decentralized structure also makes it more difficult for the operator to control the botnet and issue commands to the infected machines.",
"resources": "https://www.malwaretech.com/2013/12/peer-to-peer-botnets-for-beginners.html",
"creation_date": "2019-04-23T12:31:10Z",
"tags": "Peer-to-peer (P2P) botnets,\r\nDecentralized network,\r\nCommand and control (C&C),\r\nCentralized structure,\r\nBotnet operator,",
"modification_date": "2023-10-04T10:43:29.377000Z",
"category": [
9
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 142,
"key": "tor-network-c2",
"unprotect_id": "U0903",
"name": "Tor Network C2",
"description": "Tor is a free and open-source network that enables anonymous communication. It uses a network of volunteer-operated servers, known as \"relays,\" to route internet traffic in a way that conceals the user's location and usage from surveillance and traffic analysis. By routing traffic through multiple relays, Tor makes it difficult to trace internet activity back to the user.\r\n\r\nMalware can use the Tor network to communicate with a command and control (C&C) server in a way that is harder to detect. Ransomware often uses Tor to host the payment page and even data leak pages. By using the anonymity provided by Tor, the attackers can make it more difficult for authorities to track them down and shut down their operations.",
"resources": "",
"creation_date": "2019-04-23T12:25:04Z",
"tags": "Tor,\r\nAnonymous communication,\r\nInternet traffic,\r\nVolunteer overlay network,\r\nCommand and control (C&C),",
"modification_date": "2023-10-04T10:39:37.409000Z",
"category": [
9
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 141,
"key": "dns-hijacking",
"unprotect_id": "U0904, E1643.m01",
"name": "DNS Hijacking",
"description": "DNS hijacking or DNS redirection is a technique used to subvert the normal domain name resolution process. It involves redirecting DNS queries to a rogue DNS server controlled by an attacker, or modifying the behavior of a trusted DNS server so that it does not comply with internet standards. This can be done for various purposes, such as phishing attacks, censorship, or for the self-serving purposes of internet service providers (ISPs) and DNS service providers.\r\n\r\nDNS hijacking can be carried out by malware that modifies a computer's TCP/IP configuration to point to a rogue DNS server. This allows the attacker to redirect the user's internet traffic to malicious websites or to block access to certain websites. It can also be used by ISPs and DNS service providers to redirect users to their own web servers for advertising or other purposes.",
"resources": "https://en.wikipedia.org/wiki/DNS_hijacking",
"creation_date": "2019-04-23T12:20:47Z",
"tags": "DNS hijacking,\r\nDNS redirection,\r\nDomain name system (DNS),\r\nRogue DNS server,\r\nTrusted DNS server,",
"modification_date": "2023-10-04T10:44:26.656000Z",
"category": [
9
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 140,
"key": "dns-tunneling",
"unprotect_id": "U0905, T1048.003",
"name": "DNS Tunneling",
"description": "DNS tunneling is a technique that uses the Domain Name System (DNS) protocol to transfer data in an encrypted and covert manner. It involves encoding the data of other programs or protocols in DNS queries and responses, and using DNS servers as a means of communication.\r\n\r\nTo carry out DNS tunneling, the attacker typically needs access to a compromised system with external network connectivity and an internal DNS server with network access. The attacker also needs to control a domain and a server that can act as an authoritative DNS server in order to execute the server-side tunneling and data payload programs.\r\n\r\nDNS tunneling can be used for various purposes, such as to control remote servers and applications, transfer data, or bypass firewall restrictions. It can be difficult to detect, as the DNS protocol is commonly used for legitimate purposes and is typically not heavily scrutinized by security systems.",
"resources": "https://securelist.com/use-of-dns-tunneling-for-cc-communications/78203/\nhttps://attack.mitre.org/techniques/T1048/003/",
"creation_date": "2019-04-23T12:18:13Z",
"tags": "DNS tunneling,\r\nDomain Name System (DNS),\r\nData transfer,\r\nEncrypted,\r\nCovert,\r\nExternal network connectivity,\r\nAuthoritative DNS server,\r\nServer-side tunneling,",
"modification_date": "2023-10-04T10:45:00.526000Z",
"category": [
9,
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 138,
"key": "domain-generation-algorithm",
"unprotect_id": "U0906, B0031",
"name": "Domain Generation Algorithm",
"description": "Domain generation algorithms (DGAs) are algorithms used by malware to generate a large number of domain names that can be used as communication channels with their command and control servers. These domain names are generated periodically, typically using a pseudorandom number generator.\r\n\r\nThe use of DGAs makes it difficult for law enforcement and other security actors to shut down botnets, as infected computers will attempt to contact some of these domain names every day to receive updates or commands. The use of public-key cryptography in the malware code also makes it difficult to mimic commands from the malware controllers.\r\n\r\nDGAs are commonly used by malware families such as Zeus, Andromeda, and Necurs to establish communication channels that are hard to detect and disrupt. This allows the malware to receive instructions from the attackers and carry out various malicious activities, such as stealing sensitive information, spreading to other devices, or launching attacks on other systems.",
"resources": "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf",
"creation_date": "2019-04-23T12:02:11Z",
"tags": "Domain generation algorithms (DGAs),\r\nDomain names,\r\nCommand and control servers,\r\nRendez-vous points,\r\nBotnets,\r\nZeus,\r\nAndromeda,\r\nNecurs,\r\nCommunication channels,",
"modification_date": "2023-10-04T10:44:26.439000Z",
"category": [
9
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 137,
"key": "fast-flux",
"unprotect_id": "U0907",
"name": "Fast Flux",
"description": "Fast flux is a technique used by botnets to conceal the location of their phishing and malware delivery sites by using a constantly changing network of compromised hosts as proxies. This makes it difficult for law enforcement and other security actors to track down and shut down the sites, as the IP addresses of the sites are constantly changing.\r\n\r\nFast flux is often used in combination with other techniques, such as peer-to-peer networking, distributed command and control, web-based load balancing, and proxy redirection, to make the botnet more resilient to detection and countermeasures. By using these techniques together, the botnet can maintain a high level of operational security and evade detection by security systems.",
"resources": "https://unit42.paloaltonetworks.com/fast-flux-101/",
"creation_date": "2019-04-23T11:54:27Z",
"tags": "Fast flux,\r\nDNS technique,\r\nBotnets,\r\nPhishing,\r\nMalware delivery sites,\r\nCompromised hosts,\r\nProxies,\r\nPeer-to-peer networking,",
"modification_date": "2023-10-04T10:44:37.725000Z",
"category": [
9
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 136,
"key": "ntfs-files-attributes",
"unprotect_id": "U0501",
"name": "NTFS Files Attributes",
"description": "Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. Within MFT entries are file attributes, such as Extended Attributes and Data known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files. \r\n\r\nAdversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus.",
"resources": "https://blogs.technet.microsoft.com/askcore/2010/08/25/ntfs-file-attributes/",
"creation_date": "2019-03-23T18:30:15Z",
"tags": "ntfs",
"modification_date": "2023-10-04T10:42:32.579000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [
23,
380,
381,
425,
450
],
"contributors": []
},
{
"id": 135,
"key": "hiding-mechanisms",
"unprotect_id": "U1003",
"name": "Hiding Mechanisms",
"description": "Malware often uses various techniques to hide its presence on a system and avoid detection. One common method is to modify or create entries in the system registry, which is a database of configuration settings for the operating system and installed applications. By modifying these settings, malware can hide itself from security software or other programs that might detect its presence.\r\n\r\nAnother technique is to modify or create critical system files, such as system DLLs or driver files. This can allow the malware to gain access to system resources and remain hidden from security software. Similarly, malware can hide itself in temporary folders or other locations on the system that are not routinely scanned for malicious activity. By using these and other techniques, malware can avoid detection and continue to operate on a compromised system.",
"resources": "https://www.cimcor.com/blog/5-places-ransomware-and-malware-can-hide-that-you-may-never-check",
"creation_date": "2019-03-23T18:28:07Z",
"tags": "hide presence,\r\nsystem registry,\r\ncritical system files,\r\ntemporary folders,\r\noperating system,\r\ninstalled applications,",
"modification_date": "2023-10-04T10:42:30.466000Z",
"category": [
14
],
"rules": [],
"attachments": [],
"featured_api": [
331
],
"contributors": []
},
{
"id": 134,
"key": "wiping-or-encrypting",
"unprotect_id": "U0301",
"name": "Wiping or Encrypting",
"description": "Anti-forensic techniques are methods used by malware to prevent security professionals from detecting and analyzing it. One way that malware can accomplish this is by using wiping or encryption techniques to remove its own trace from the system. \r\n\r\n In some cases, malware may use wiping or encryption as a decoy, in order to distract security professionals and hide its true purpose. In other cases, it may use these techniques as part of a sabotage operation, in order to destroy data or cause other damage to the system. \r\n\r\nOverall, wiping and encryption techniques are just one of the many anti-forensic techniques that malware can use to evade detection and cause harm to computer systems.",
"resources": "https://securingtomorrow.mcafee.com/business/pseudo-ransomware-killdisk-creates-smoke-screen-cybercriminals/",
"creation_date": "2019-03-23T18:25:05Z",
"tags": "Wiping,\r\nEncryption,\r\nAnti-forensic,\r\nSabotage,\r\nEvade detection,",
"modification_date": "2023-10-04T10:44:54.107000Z",
"category": [
8
],
"rules": [
21,
42
],
"attachments": [],
"featured_api": [
23,
450
],
"contributors": []
},
{
"id": 133,
"key": "indicator-removal-clear-windows-event-logs",
"unprotect_id": "T1070.001,U0302",
"name": "Indicator Removal: Clear Windows Event Logs",
"description": "Event logging is a process that records important software and hardware events from various sources and stores them in a centralized location called an event log. This service is commonly used by applications and operating systems to track and troubleshoot issues, and can be a valuable tool for forensic investigations.\r\n\r\nEvent logs can provide valuable information about the actions taken by an attacker during a security breach, including the time and date of the attack, the source of the attack, and any changes made to the system. However, attackers may attempt to delete or clear event logs to conceal their actions and evade detection.\r\n\r\nForensic investigators can look for signs of event log tampering by checking for the presence of event clear ID 1102, which indicates that the audit log has been cleared. This can be an indication that an attacker has attempted to cover their tracks.",
"resources": "https://0x00sec.org/t/anti-forensic-and-file-less-malware/10008#221-disabling-event-logging\nhttps://attack.mitre.org/techniques/T1070/001/\nhttps://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1102",
"creation_date": "2019-03-23T18:23:34Z",
"tags": "Defense Evasion\r\nevent, \r\nlog,\r\nwevtutil cl system,\r\nwevtutil cl application,\r\nwevtutil cl security,\r\nwipe logs,\r\nAPT28,\r\nAPT32,\r\nAPT38,\r\nAPT41,",
"modification_date": "2023-10-04T10:44:13.015000Z",
"category": [
8,
10
],
"rules": [
11,
12
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 131,
"key": "kill-process",
"unprotect_id": "U0403",
"name": "Kill Process",
"description": "Malware often employs techniques to evade detection and hinder the efforts of security experts in analyzing its behavior. One notable method involves terminating processes associated with anti-virus software or monitoring tools.\r\n\r\nFor example, malware may specifically target processes like wireshark.exe, ida.exe, or procmon.exe, which are frequently used by analysts to observe and scrutinize running processes on a system. By terminating these processes, malware effectively obstruct security experts from acquiring insight into its operations and impedes their ability to analyze its inner workings.",
"resources": "https://www.bleepingcomputer.com/news/security/coinminer-comes-with-a-process-kill-list-to-keep-competitors-at-bay/",
"creation_date": "2019-03-23T18:09:35Z",
"tags": "Wireshark.exe,\r\nKill process,\r\nIda.exe,\r\nProcmon.exe,\r\nDisrupt,\r\nmonitoring",
"modification_date": "2023-10-04T10:43:58.020000Z",
"category": [
6
],
"rules": [
35,
36,
46
],
"attachments": [],
"featured_api": [
23,
24,
26,
27,
28,
425
],
"contributors": []
},
{
"id": 130,
"key": "opaque-predicate",
"unprotect_id": "U0201,B0032.019",
"name": "Opaque Predicate",
"description": "Opaque predicate is a term used in programming to refer to decision making where there is only one possible outcome. This can be achieved through the use of complex or hard-to-understand logic, such as calculating a value that will always return True. \r\n\r\nOpaque predicates are often used as anti-disassembling techniques, as they can make it difficult for an analyst to understand the code and determine its intent. By using opaque predicates, malware authors can make their code more difficult to reverse engineer, which can help to evade detection and analysis.",
"resources": "https://www.carbonblack.com/2019/02/25/defeating-compiler-level-obfuscations-used-in-apt10-malware/",
"creation_date": "2019-03-23T18:03:47Z",
"tags": "Complex logic, Hard-to-understand code, Single-path decision making, Always-true conditions, Anti-disassembling, Reverse engineering evasion, Malware detection evasion",
"modification_date": "2023-10-04T10:44:19.865000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 129,
"key": "code-transposition",
"unprotect_id": "U0202",
"name": "Code Transposition",
"description": "Code transposition is a technique used by malware authors to evade detection and analysis by rearranging the instructions of a piece of code without changing its behavior. This technique is used to make the code more difficult to read and understand for disassemblers and reverse engineers, as well as to hide the true intent of the code.\r\n\r\nThere are two main methods of implementing code transposition. The first method involves the use of a random number generator to randomly rearrange the instructions of the code. This makes it difficult for analysts to determine the original order of the instructions, and can make the code difficult to follow and understand.\r\n\r\nThe second method of code transposition involves the use of a mathematical function to rearrange the instructions in a predictable and consistent manner. This allows the code to be easily transposed back to its original form if necessary, but still makes it difficult for analysts to follow and understand the code.\r\n\r\nOverall, code transposition is a technique used by malware authors to make their code more difficult to analyze and understand, and to evade detection by security tools and analysts.",
"resources": "https://sensorstechforum.com/advanced-obfuscation-techniques-malware/",
"creation_date": "2019-03-23T18:01:30Z",
"tags": "Instruction reordering, Anti-disassembling, Obfuscation, Code rearrangement, Random number generator, Mathematical function, Code complexity",
"modification_date": "2023-10-04T10:44:38.164000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 128,
"key": "register-reassignment",
"unprotect_id": "U0203",
"name": "Register Reassignment",
"description": "Register reassignment is a technique used in code obfuscation and anti-disassembling to make reverse engineering and analysis more difficult. It involves modifying the instructions in a program to use different registers in different versions or instances of the program. This can make it more difficult for a reverse engineer or disassembler to understand the program's behavior, as the register assignments may not be immediately apparent or may change over time.\r\n\r\nThis technique is often used in malware to evade detection and analysis by security tools, as it can make the code more complex and less predictable. By switching registers in different versions of the code, the malware can evade signature-based detection techniques and make it more difficult for analysts to understand and analyze the code.",
"resources": "https://sensorstechforum.com/advanced-obfuscation-techniques-malware/",
"creation_date": "2019-03-23T18:00:09Z",
"tags": "Code obfuscation, Register modification, Code complexity, Signature evasion",
"modification_date": "2023-10-04T10:42:32.974000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 127,
"key": "inserting-garbage-bytes",
"unprotect_id": "U0204, B0032.007",
"name": "Inserting Garbage Bytes",
"description": "Garbage bytes are random or meaningless data that is inserted into a program's code in order to make reverse engineering and analysis more difficult. This is an anti-disassembling technique, as the insertion of these random bytes can cause disassemblers to misinterpret the code and produce incorrect disassembly results.\r\n\r\nThe insertion of garbage bytes is usually used in conjunction with other techniques, such as code transposition or register reassignment. This can make the code even harder to analyze and understand, as the disassembler will not only have to deal with the incorrect disassembly caused by the garbage bytes, but also with the other obfuscation techniques that are being used.\r\n\r\nThe goal of this technique is to make it more difficult for a reverse engineer or disassembler to understand the code's behavior and intentions. By inserting random or meaningless data into the code, the disassembler will be unable to accurately reconstruct the original program, making it harder to analyze and understand.",
"resources": "https://www.enisa.europa.eu/topics/trainings-for-cybersecurity-specialists/online-training-material/documents/static-analysis-of-artefacts-toolset.pdf",
"creation_date": "2019-03-23T17:52:32Z",
"tags": "Random data, Meaningless data,\r\nCode obfuscation,\r\nCode transposition,\r\nRegister reassignment,\r\nCode confusion,\r\nObfuscated code,",
"modification_date": "2023-10-04T10:42:53.166000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 126,
"key": "call-trick",
"unprotect_id": "U0205",
"name": "Call Trick",
"description": "The call trick is an anti-disassembling technique that involves modifying the default function's return address. This can be used in conjunction with other techniques, such as the insertion of garbage bytes, to break disassemblers. Disassemblers that use recursive traversal or linear sweep may be particularly vulnerable to this trick, as they may be unable to accurately interpret the next instruction after the call, making them susceptible to other anti-disassembly techniques.",
"resources": "https://media.blackhat.com/bh-us-12/Briefings/Branco/BH_US_12_Branco_Scientific_Academic_WP.pdf",
"creation_date": "2019-03-23T17:49:41Z",
"tags": "Call trick, Return address modification, Anti-disassembling, Garbage bytes, Disassembler evasion, Function call interception,\r\nRecursive traversal disassembly,\r\nLinear sweep disassembly,",
"modification_date": "2023-10-04T10:44:42.438000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 125,
"key": "nop-sled",
"unprotect_id": "U0206",
"name": "NOP Sled",
"description": "In computer security, a NOP slide is a sequence of NOP (no-operation) instructions that is inserted at the beginning of a code section. When a program branches to the start of this code section, it will \"slide\" through the NOP instructions until it reaches the desired, final destination. This technique is commonly used in software exploits to direct program execution when the target of a branch instruction is not known precisely.\r\n\r\nFor example, suppose an attacker has found a buffer overflow vulnerability in a program and wants to exploit it to execute arbitrary code. They might insert a NOP slide at the start of the buffer, followed by the code they want to execute. When the program overflows the buffer and branches to the start of the buffer, it will slide through the NOP instructions until it reaches the attacker's code, which will then be executed.\r\n\r\nThe NOP slide technique can be used in conjunction with shellcode to create more effective exploits. Shellcode is a small piece of code that is used as the payload in a software exploit. It typically contains the instructions needed to perform a specific action, such as spawning a shell, creating a network connection, or injecting code into another process.\r\n\r\nTo use a NOP slide with shellcode, the attacker would first insert a NOP sequence at the start of the code section they are targeting. They would then insert their shellcode after the NOP sequence, so that it is located at the final, desired destination. When the program branches to the start of the code section, it will slide through the NOP instructions until it reaches the shellcode, which will then be executed.\r\n\r\nUsing a NOP slide with shellcode can help to make exploits more reliable, as it provides a \"buffer\" of NOP instructions that can help to align the program's execution flow with the shellcode. This can help to prevent the exploit from failing due to small variations in the branch target address. It can also make it more difficult for defenses to detect and block the exploit, as the NOP instructions can help to obscure the shellcode.\r\n\r\nNOP slides are a simple but effective technique for directing program execution in situations where the exact branch target is not known. They can also be used in conjunction with other exploit techniques, such as return-oriented programming, to create more complex and powerful exploits.",
"resources": "https://silviocesare.wordpress.com/2009/05/13/removing-semantic-nops-from-malware/",
"creation_date": "2019-03-23T17:46:42Z",
"tags": "NOP sled,\r\nNOP ramp,\r\nNOP padding,\r\nNOP sequence,\r\nNOP-based execution,\r\nInstruction padding,\r\nCode slide,\r\nBuffer overflow,\r\nReturn-oriented programming,\r\nExploit mitigation,\r\nShellcode execution,",
"modification_date": "2023-10-04T10:42:28.303000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [
3,
340
],
"contributors": []
},
{
"id": 124,
"key": "inline-hooking",
"unprotect_id": "U1211, F0015.002",
"name": "Inline Hooking",
"description": "Inline hooking is a technique used to intercept calls to target functions. It is commonly used by antiviruses, sandboxes, and malware to perform a variety of tasks, such as checking parameters, shimming, logging, spoofing returned data, and filtering calls.\r\n\r\nThe process of inline hooking involves directly modifying the code within the target function, usually by overwriting the first few bytes with a jump instruction to redirect execution to a different function. This allows processing to be performed before or after the target function executes. Rootkits often use hooks to modify data returned from system calls to hide their presence, while security software uses them to prevent or monitor potentially malicious operations.\r\n\r\nThe hooks are placed by directly modifying code within the target function (inline modification), usually by overwriting the first few bytes with a jump; this allows execution to be redirected before the function does any processing. Most hooking engines use a 32-bit relative jump (opcode 0xE9), which takes up five bytes of space.\r\n\r\nHere is a general outline of the process of implementing an inline hook:\r\n\r\n1. Determine the address of the target function and the code that needs to be replaced.\r\n\r\n2. Create a trampoline function that will be used to execute the original code from the target function after the hook has been applied.\r\n\r\n3. Calculate the relative address of the trampoline function and store it in a jump instruction.\r\n\r\n4. Overwrite the first few bytes of the target function with the jump instruction.\r\n\r\n5. Modify the hook function to transfer control back to the trampoline function after performing the desired processing.",
"resources": "http://www.binaryguard.com/bgc/malware/sandbox/2015/11/09/dissecting_inline_hooks.html",
"creation_date": "2019-03-23T17:39:46Z",
"tags": "Inline hooking,\r\nIntercept calls,\r\nTarget functions,\r\nCheck parameters,\r\nShim,\r\nLog,\r\nSpoof returned data,\r\nFilter calls,\r\nRootkits,",
"modification_date": "2023-10-04T10:44:59.702000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
340,
425
],
"contributors": []
},
{
"id": 123,
"key": "lolbins",
"unprotect_id": "U1004",
"name": "LOLbins",
"description": "A lolbin (short for \"Living Off the Land Binaries\") is a legitimate Windows utility that can be used by adversaries to execute arbitrary commands. Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, the Program Compatibility Assistant (pcalua.exe) and components of the Windows Subsystem for Linux (WSL) are examples of lolbins that can be used for this purpose.\r\n\r\nAdversaries may abuse these utilities for Defense Evasion, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of cmd.",
"resources": "https://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599\nhttps://lolbas-project.github.io/",
"creation_date": "2019-03-23T17:37:57Z",
"tags": "lolbin,\r\nWindows utilities,\r\nexecute commands,\r\nProgram Compatibility Assistant (pcalua.exe),\r\nWindows Subsystem for Linux (WSL),\r\nCommand-Line Interface,",
"modification_date": "2023-10-04T10:44:58.518000Z",
"category": [
14
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 122,
"key": "com-hijacking",
"unprotect_id": "U1212",
"name": "COM Hijacking",
"description": "COM hijacking is a technique used by adversaries to insert malicious code into the Windows operating system through the Microsoft Component Object Model (COM). \r\n\r\nCOM is a system that allows software components to interact with each other, and adversaries can abuse this system to execute their own code in place of legitimate software. To achieve this, they alter references and relationships in the COM system by modifying the Windows Registry. Specifically, they replace a reference to a legitimate system component with a reference to their own malicious code. \r\n\r\nWhen the legitimate component is executed through normal system operation, the adversary's code is executed instead. This can provide a means for the adversary to achieve persistence, as they can choose to hijack objects that are used frequently enough to maintain a consistent level of persistence. However, they must be careful not to break noticeable functionality within the system, as this could cause system instability and potentially lead to detection.",
"resources": "https://www.endgame.com/blog/technical-blog/how-hunt-detecting-persistence-evasion-com",
"creation_date": "2019-03-23T17:34:46Z",
"tags": "Microsoft Component Object Model (COM),\r\nsoftware components,\r\ninteraction,\r\nWindows operating system,\r\npersistence,",
"modification_date": "2023-10-04T10:43:57.166000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
331,
469
],
"contributors": []
},
{
"id": 121,
"key": "ctrlinject",
"unprotect_id": "U1213",
"name": "Ctrl+Inject",
"description": "The \"Control Signal Handler Callback\" technique involves injecting malicious code into a process by using a callback function for control signal handlers. When a control signal, such as Ctrl+C, is received by a process, the system creates a new thread to execute a function to handle the signal. This thread is typically created by the legitimate process \"csrss.exe\" in the system, making it more difficult to detect the injected code.\r\n\r\nTo successfully implement this technique, it is necessary to bypass certain Windows protections such as Pointer Encoding and Control Flow Guard. Pointer encoding is used to protect against pointer corruption, and the technique involves reproducing the encoding to appear legitimate. Control Flow Guard is a security mechanism that prevents memory corruption, such as buffer overflow, and the technique uses the API `SetProcessValidCallTargets` to validate the call target. By triggering a control signal, the injected code is executed.\r\n\r\nHere is a general outline of the process of injecting code using control signal handlers and callback functions:\r\n\r\n1. Determine the address of the callback function for control signals in the target process.\r\n\r\n2. Create a trampoline function that will be used to execute the original code from the callback function after the injection has been applied.\r\n\r\n3. Calculate the relative address of the trampoline function and store it in a jump instruction.\r\n\r\n4. Overwrite the callback function with the jump instruction and the address of the injected code.\r\n\r\n5. Modify the injected code to transfer control back to the trampoline function after executing the desired processing.\r\n\r\n6. Trigger a control signal, such as Ctrl+C, in the target process to execute the injected code.",
"resources": "https://blog.ensilo.com/ctrl-inject",
"creation_date": "2019-03-23T17:34:01Z",
"tags": "callback function, control signal, process, system, thread, csrss.exe, detection, injection, code, console process, pointer encoding, Control Flow Guard, memory corruption, buffer overflow, SetProcessValidCallTargets",
"modification_date": "2023-10-04T10:43:59.300000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
419
],
"contributors": []
},
{
"id": 120,
"key": "propagate",
"unprotect_id": "U1214",
"name": "Propagate",
"description": "This technique involves modifying the internal properties of a window in order to intercept and modify or monitor the behavior of the window when it receives messages. To do this, an application creates a buffer containing shellcode and injects it into the target process. \r\n\r\nThen, it modifies the internal structure used by the specific properties, such as UxSubclassInfo and CC32SubclassInfo, to point to the payload. \r\n\r\nFinally, the application modifies the property of the window. When a message is sent to the window, the shellcode is executed. This technique is known as Window Subclassing and is often used by adversaries to achieve persistence or execute malicious code.",
"resources": "http://www.hexacorn.com/blog/2017/10/26/propagate-a-new-code-injection-trick/",
"creation_date": "2019-03-23T17:32:45Z",
"tags": "Window Subclassing, Windows functionality, internal structure, UxSubclassInfo, CC32SubclassInfo, shellcode, target process, payload, message, injection",
"modification_date": "2023-10-04T10:42:30.209000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
290
],
"contributors": []
},
{
"id": 119,
"key": "process-doppelganging",
"unprotect_id": "U1215",
"name": "Process Doppelgänging",
"description": "This technique leverages the `Transactional NTFS` functionality in Windows. This functionality helps maintain data integrity during an unexpected error. For example, when an application needs to write or modify a file, if an error is triggered mid-write, the data can be corrupted. To avoid this kind of behavior, an application can open the file in a transactional mode to perform the modification, then commit the modification, avoiding any corruption. The modification either completes successfully or does not begin.\r\n\r\nProcess Doppelgänging abuses this functionality to overwrite a legitimate file with a malicious file, resulting in a process injection. The malicious file will be created inside a transaction then committed to the legitimate file, then executed.\r\n\r\nHere are the detailed steps to reproduce the Process Doppelgänging technique:\r\n\r\n1. Create a new transaction object using `NtCreateTransaction` and store the handle in `hTransaction`.\r\n\r\n2. Open the target file for the transaction using `CreateFileTransacted` and store the handle in `hTransactedFile`.\r\n\r\n3. Open the payload file using `CreateFile` and store the handle in hFile.\r\n\r\n4. Query the size of the payload file using `GetFileSizeEx` and store the result in `fsz`.\r\n\r\n5. Allocate a buffer for the payload file using `NtAllocateVirtualMemory` and store the pointer in Buffer.\r\n\r\n6. Read the payload file into the buffer using `ReadFile`.\r\n\r\n7. Close the handle to the payload file.\r\n\r\n8. Set the size of the target file using `SetFileInformationByHandle` and the `FileEndOfFileInfo` structure.\r\n\r\n9. Map the target file into memory using `NtMapViewOfSection` and store the result in `MemoryPtr`.\r\n\r\n10. Copy the payload file from the buffer into the mapped memory using `RtlCopyMemory`.\r\n\r\n11. Unmap the target file from memory using `NtUnmapViewOfSection`.\r\n\r\n12. Commit the transaction using `NtCommitTransaction`.\r\n\r\n13. Create a new process using `NtCreateUserProcess` and store the handle in `hProcess`.\r\n\r\n14. Allocate memory for the process parameters using `NtAllocateVirtualMemory` and store the result in `ProcessParameters`.\r\n\r\n15. Set the process parameters using `RtlCreateProcessParametersEx`.\r\n\r\n16. Create the process using `NtCreateSection` and `NtMapViewOfSection`.\r\n\r\n17. Start the process using `NtCreateThreadEx` and store the handle in `hThread`.\r\n\r\n18. Wait for the process to finish execution using `WaitForSingleObject`.\r\n\r\n19. Close the handle to the process and thread.",
"resources": "https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf",
"creation_date": "2019-03-23T17:31:06Z",
"tags": "Transactional NTFS, Windows, data integrity, write, modify file, unexpected error, transactional mode, commit, process injection, malicious file, legitimate file,",
"modification_date": "2023-10-04T10:45:01.173000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
2,
13,
16,
23,
364,
380,
388,
450
],
"contributors": []
},
{
"id": 118,
"key": "pe-injection",
"unprotect_id": "U1216, E1055.002",
"name": "PE Injection",
"description": "Instead of passing the address of the LoadLibrary, malware can copy its malicious code into an existing open process and force it to execute (either via a small shellcode, or by calling `CreateRemoteThread`).\r\n\r\nOne advantage of PE injection over the `LoadLibrary` technique is that the malware does not have to drop a malicious DLL on the disk. The malware allocates memory in a host process (e.g. `VirtualAllocEx`), and instead of writing a “DLL path” it writes its malicious code by calling `WriteProcessMemory`. However, the obstacle with this approach is the change of the base address of the copied image.\r\n\r\nWhen a malware injects its PE into another process it will have a new base address which is unpredictable, requiring it to dynamically recompute the fixed addresses of its PE. To overcome this, the malware needs to find its relocation table address in the host process and resolve the absolute addresses of the copied image by looping through its relocation descriptors.",
"resources": "http://blog.sevagas.com/?PE-injection-explained",
"creation_date": "2019-03-23T17:30:20Z",
"tags": "",
"modification_date": "2023-10-04T10:42:59.673000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
1,
3,
4,
6,
23,
24
],
"contributors": []
},
{
"id": 117,
"key": "iat-hooking",
"unprotect_id": "U1217, F0015.003",
"name": "IAT Hooking",
"description": "IAT hooking is a way to run malicious code by modifying the Import Address Table of a specific executable. Consisting of replacing one legitimate function from imported DLL by a malicious one. \r\n\r\nIAT hooking and inline hooking are generally known as userland rootkits. IAT hooking is a technique that malware uses to change the import address table. When a legitimate application calls an API located in a DLL, the replaced function is executed instead of the original one. In contrast, with inline hooking, malware modifies the API function itself.",
"resources": "https://0x00sec.org/t/user-mode-rootkits-iat-and-inline-hooking/1108",
"creation_date": "2019-03-23T17:28:15Z",
"tags": "iat",
"modification_date": "2023-10-04T10:42:26.592000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
7,
249
],
"contributors": []
},
{
"id": 116,
"key": "injection-using-shims",
"unprotect_id": "U1218, E1055.m03",
"name": "Injection using Shims",
"description": "Microsoft provides Shims to developers mainly for backward compatibility. Shims allow developers to apply fixes to their programs without the need of rewriting code. By leveraging shims, developers can tell the operating system how to handle their application. Shims are essentially a way of hooking into APIs and targeting specific executables. Malware can take advantage of shims to target an executable for both persistence and injection. Windows runs the Shim Engine when it loads a binary to check for shimming databases in order to apply the appropriate fixes.",
"resources": "https://www.andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/\nhttps://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf",
"creation_date": "2019-03-23T17:27:38Z",
"tags": "shims",
"modification_date": "2023-10-04T10:44:28.934000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
7,
381,
425
],
"contributors": []
}
]
}
