HTTP 200 OK
Allow: GET, POST, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept
{
"count": 375,
"next": "https://unprotect.it/api/techniques/?format=api&page=6",
"previous": "https://unprotect.it/api/techniques/?format=api&page=4",
"results": [
{
"id": 192,
"key": "aspack",
"unprotect_id": "U1411, F0001.013",
"name": "AsPack",
"description": "ASPack is an EXE packer created to compress Win32 executable files and to protect them against reverse engineering.\r\n\r\nThe solution makes Windows programs and libraries smaller up to 70% what leads to a reduction in the download time of compressed applications in local networks and the Internet because of their smaller size compared to uncompressed apps.\r\n\r\nThe ASPack exe compressor also provides protection to programs/applications from unprofessional analysis, debuggers and decompilers.",
"windows": "",
"linux": "",
"macos": "",
"resources": "http://www.aspack.com/",
"creation_date": "2022-06-19T07:10:40.496000Z",
"tags": "aspack",
"modification_date": "2023-10-04T10:42:59.506000Z",
"category": [
12
],
"rules": [
95,
109
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 191,
"key": "vmprotect",
"unprotect_id": "U1410, F0001.010",
"name": "VMProtect",
"description": "VMProtect protects code by executing it on a virtual machine with non-standard architecture that makes it extremely difficult to analyze and crack the software. Besides that, VMProtect generates and verifies serial numbers, limits free upgrades and much more.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://vmpsoft.com/",
"creation_date": "2022-06-19T07:07:02.355000Z",
"tags": "vmprotect",
"modification_date": "2023-10-04T10:43:02.773000Z",
"category": [
12
],
"rules": [
100,
108
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 190,
"key": "alienyze",
"unprotect_id": "U1409",
"name": "Alienyze",
"description": "Alienyze is a software packer designed to compress executable files, allowing them to reduce the file size of their software as much as possible.\r\n\r\n\r\n- Anti-Debugger techniques that detect and fool present debuggers\r\n\r\n- Anti-VM techniques that detect sandbox & virtualized environments\r\n\r\n- Protection from disassemblers and software analysis tools\r\n\r\n- Hardware ID locking for making applications machine dependant\r\n\r\n- Integrity checks that detect code patching & tampering\r\n\r\n- Customizable compression and encryption of the applications code\r\n\r\n- Real time protection in running application\r\n\r\n- Project configuration settings Load, Save support\r\n\r\n- Multilingual user interface, language selection support",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://alienyze.com/",
"creation_date": "2022-06-19T07:05:32.278000Z",
"tags": "",
"modification_date": "2023-10-04T10:42:56.211000Z",
"category": [
12
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 189,
"key": "fsg",
"unprotect_id": "U1408",
"name": "FSG",
"description": "The free, simple FSG software compresses both small and large files. While it is popular and commonly used to hide malware code, it is also relatively simple to unpack through a decompression loop that writes the data to the final destination.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.aldeid.com/wiki/Category:Digital-Forensics/Computer-Forensics/Anti-Reverse-Engineering/Packers/FSG",
"creation_date": "2022-06-19T06:59:46.574000Z",
"tags": "",
"modification_date": "2023-10-04T10:43:05.013000Z",
"category": [
12
],
"rules": [
107
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 188,
"key": "mew",
"unprotect_id": "U1407",
"name": "MEW",
"description": "MEW is an EXE compression tool that was specifically designed to handle small files.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.softpedia.com/get/Programming/Packers-Crypters-Protectors/MEW-SE.shtml",
"creation_date": "2022-06-19T06:57:10.467000Z",
"tags": "",
"modification_date": "2023-10-04T10:43:04.676000Z",
"category": [
12
],
"rules": [
106
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 187,
"key": "themida",
"unprotect_id": "U1406, F0001.011",
"name": "Themida",
"description": "Themida is a commercial known packer that embeds several features including anti-debugging, virtual machine emulation, encryption... \r\n\r\n- Anti-debugger techniques that detect/fool any kind of debugger\r\n\r\n- Anti-memory dumpers techniques for any Ring3 and Ring0 dumpers\r\n\r\n- Different encryption algorithms and keys in each protected application\r\n\r\n- Anti-API scanners techniques that avoids reconstruction of original import table\r\n\r\n- Automatic decompilation and scrambling techniques in target application\r\n\r\n- Virtual Machine emulation in specific blocks of code\r\n\r\n- Advanced Mutator engine\r\n\r\n- Anti-disassembly techniques for any static and interactive disassembler\r\n\r\n- Multiple polymorphic layers with more than 50.000 permutations\r\n\r\n- Anti-monitors techniques against file and registry monitors\r\n\r\n- Random garbage code insertion between real instructions\r\n\r\n- Advanced Threads network communication\r\n\r\n- Anti-Memory patching and CRC techniques in target application\r\n\r\n- Metamorphic engine to scramble original instructions\r\n\r\n- Advanced Entry point protection\r\n\r\n- Dynamic encryption in target application\r\n\r\n- Anti-tracing code insertion between real instructions\r\n\r\n- Advanced Anti-breakpoint manager\r\n\r\n- Real time protection in target application\r\n\r\n- Compression of target application, resources and protection code\r\n\r\n- Anti-“debugger hiders” techniques\r\n\r\n- Full mutation in protection code to avoid pattern recognition\r\n\r\n- Real-time simulation in target application\r\n\r\n- Intelligent protection code insertion inside target application\r\n\r\n- Random internal data relocation",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.oreans.com/Themida.php",
"creation_date": "2022-06-19T06:54:28.145000Z",
"tags": "themida",
"modification_date": "2023-10-04T10:44:28.014000Z",
"category": [
12
],
"rules": [
98,
105
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 186,
"key": "exestealth",
"unprotect_id": "U1405",
"name": "ExeStealth",
"description": "ExeStealth is a tool that encrypts files to avoid detection and hacking. Designed by WebToolMaster, this free software is simple to implement and one of the best anti-hacking tools on the market, which also makes it effective at hiding malware code in your system.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.webtoolmaster.com/exestealth.htm",
"creation_date": "2022-06-19T06:40:57.569000Z",
"tags": "ExeStealth",
"modification_date": "2023-10-04T10:43:03.974000Z",
"category": [
12
],
"rules": [
104
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 185,
"key": "alternate-exe-packer",
"unprotect_id": "U1404",
"name": "Alternate EXE Packer",
"description": "EXE Packer is able to compress executable files (type EXE) or DLL-files. Already compressed files may also be decompressed with this program. There exist 12 different levels for file-compression. This program is also able to create backups of the files that shall be compressed.\r\n\r\nIf a file is compressed the physical file-size is reduced on the respective device. A compressed file decompresses itself while being executed and can be used without this program. This program is freeware. It requires the .NET-framework 2.0 (already included in operation system since Windows Vista).",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.alternate-tools.com/pages/c_exepacker.php?lang=ENG",
"creation_date": "2022-06-19T06:38:02.569000Z",
"tags": "packer",
"modification_date": "2023-10-04T10:43:02.439000Z",
"category": [
12
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 184,
"key": "mpress",
"unprotect_id": "U1403",
"name": "MPRESS",
"description": "MPRESS is a free packer. It makes programs and libraries smaller, and decrease start time when the application loaded from a slow removable media or from the network.\r\n\r\nIt uses in-place decompression technique, which allows to decompress the executable without memory overhead or other drawbacks; it also protects programs against reverse engineering by non-professional hackers. Programs compressed with MPRESS run exactly as before, with no runtime performance penalties.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.autohotkey.com/mpress/mpress_web.htm",
"creation_date": "2022-06-19T06:36:36.466000Z",
"tags": "MPRESS",
"modification_date": "2023-10-04T10:43:03.756000Z",
"category": [
12
],
"rules": [
103
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 183,
"key": "upx-ultimate-packer-for-executables",
"unprotect_id": "U1402, F0001.008",
"name": "UPX: Ultimate Packer for Executables",
"description": "UPX is a tool that is used to compress and encrypt executables in order to make them smaller and more difficult to reverse engineer. UPX is free to use, portable, and can be extended with additional features. It is known for its high performance and compatibility with a wide range of executable formats. UPX is commonly used by software developers to reduce the size of their programs and to protect their intellectual property. It is also used by malware authors to make their malicious programs more difficult to detect and analyze.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://en.wikipedia.org/wiki/UPX\nhttps://upx.github.io/",
"creation_date": "2022-06-19T06:06:02.419000Z",
"tags": "UPX,\r\nExecutable packer,\r\nCompression,\r\nEncryption,\r\nPortability,\r\nExtendability,\r\nHigh performance,",
"modification_date": "2023-10-04T10:43:29.826000Z",
"category": [
12
],
"rules": [
50,
94,
102
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 182,
"key": "unloading-sysmon-driver",
"unprotect_id": "U0407",
"name": "Unloading Sysmon Driver",
"description": "Sysmon is a tool that can be used to monitor system activity on Windows systems. It records various types of events, such as process creation, network connections, and registry changes, and stores them in the Windows Event Log. Security analysts can use this information to detect and investigate malicious activity on a system.\r\n\r\nOne way that malware can evade detection by Sysmon is by unloading the Sysmon driver. The Sysmon driver is the kernel-mode component of Sysmon that is responsible for recording the events that Sysmon monitors. By unloading this driver, the malware can prevent Sysmon from recording any further events, and thus avoid being detected.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.ired.team/offensive-security/defense-evasion/unloading-sysmon-driver",
"creation_date": "2022-06-19T05:53:40.014000Z",
"tags": "Sysmon,\r\nsystem activity,\r\nprocess creation,\r\nnetwork connections,\r\nregistry changes,\r\nWindows Event Log,\r\nSysmon driver,",
"modification_date": "2023-10-04T10:43:01.150000Z",
"category": [
6
],
"rules": [
128
],
"attachments": [],
"featured_api": [
425
],
"contributors": []
},
{
"id": 181,
"key": "shellcode-injection-via-createthreadpoolwait",
"unprotect_id": "U1236",
"name": "Shellcode Injection via CreateThreadpoolWait",
"description": "Shellcode injection is a technique used by malware to execute arbitrary code within the context of a targeted process. One method of achieving this is through the use of the `CreateThreadpoolWait` function, which is a part of the Windows thread pool API.\r\n\r\nIn the context of shellcode injection, `CreateThreadpoolWait` is used to create a wait object that is associated with a thread pool. The malware can then use this wait object to execute its shellcode within the context of the targeted process, by passing the shellcode as a callback function to the `CreateThreadpoolWait` function.\r\n\r\nHere is a summary of the steps:\r\n\r\n1. The malware creates an event object with the `CreateEvent` function, and sets it to the Signaled state.\r\n\r\n2. The malware allocates read-write-execute (RWX) memory for the shellcode using the `VirtualAlloc` function and writes the shellcode to this memory.\r\n\r\n3. The malware creates a wait object using the `CreateThreadpoolWait` function and specifies the address of the shellcode as the callback function.\r\n\r\n4. The malware sets the wait object using the `SetThreadpoolWait` function.\r\n\r\n5. The malware waits for the wait object to become signaled using the `WaitForSingleObject` function. When the wait object is signaled, the callback function (which contains the shellcode) is executed.\r\n\r\nOther techniques injection includes using APIs such as `CreateRemoteThread`, `QueueUserWorkItem`, and `NtCreateThreadEx`.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.ired.team/offensive-security/code-injection-process-injection/shellcode-execution-via-createthreadpoolwait",
"creation_date": "2022-06-19T05:36:49.903000Z",
"tags": "Shellcode injection,\r\nProcess injection,\r\nCreateThreadpoolWait,\r\nEvent object,\r\nVirtualAlloc,\r\nCallback function,\r\nSetThreadpoolWait,\r\nWaitForSingleObject,",
"modification_date": "2023-10-04T10:44:58.752000Z",
"category": [
4
],
"rules": [
132
],
"attachments": [],
"featured_api": [
3
],
"contributors": []
},
{
"id": 180,
"key": "thwarting-stack-frame-analysis",
"unprotect_id": "U0219",
"name": "Thwarting Stack-Frame Analysis",
"description": "Thwarting Stack-Frame Analysis is a technique used by malware to make it more difficult for security analysts to reverse engineer and analyze the code. A stack frame is a collection of data associated with a function, including local variables, arguments passed to the function, and the return address. Disassemblers can use information from the stack frame to understand a function's behavior.\r\n\r\nHowever, malware authors can use various techniques to defeat this analysis and make it harder to understand the code. For example, they may use complex control flow structures, such as nested loops and conditionals, to make it difficult for the disassembler to track the flow of execution. \r\n\r\nThey may also use techniques like code obfuscation and API hashing to hide the names of functions and make it harder to identify potentially malicious behavior. By using these techniques, malware authors can make it more difficult for security analysts to analyze and understand their code, and thwart stack-frame analysis.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://1malware1.medium.com/anti-disassembly-techniques-e012338f2ae0",
"creation_date": "2022-06-13T23:57:13.593000Z",
"tags": "Stack frame,\r\nDisassembly,\r\nControl flow,",
"modification_date": "2023-10-04T10:42:59.213000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [
425
],
"contributors": []
},
{
"id": 179,
"key": "misusing-structured-exception-handlers",
"unprotect_id": "U0218, B0032.016",
"name": "Misusing Structured Exception Handlers",
"description": "Misusing Structured Exception Handlers is a technique used by malware to make it more difficult for security analysts to reverse engineer the code. Structured Exception Handlers (SEH) are functions that are used to handle exceptions in a program. These can be misused by malware to fool disassemblers and make it harder to analyze the code. One way this is done is by using the FS segment register to gain access to the Thread Environment Block (TEB), which contains a pointer to the Structured Exception Handler (SEH) chain. \r\n\r\nThe SEH chain functions like a stack, with the most recently pushed function being the one that is executed when an exception occurs. By manipulating the SEH chain, malware authors can make it more difficult for analysts to understand the code and identify any potentially malicious behavior.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://1malware1.medium.com/anti-disassembly-techniques-e012338f2ae0",
"creation_date": "2022-06-13T23:55:04.099000Z",
"tags": "Structured Exception Handlers (SEH),\r\nException handling,\r\nThread Environment Block (TEB),\r\nStructured Exception Handler (SEH) chain,\r\nFS segment register,",
"modification_date": "2023-10-04T10:44:21.079000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 178,
"key": "procenvinjection-remote-code-injection-by-abusing-process-environment-strings",
"unprotect_id": "U1235",
"name": "ProcEnvInjection - Remote code injection by abusing process environment strings",
"description": "This method allows to inject custom code into a remote process without using `WriteProcessMemory` - It will use the `lpEnvironment` parameter in `CreateProcess` to copy the code into the target process. This technique can be used to load a DLL into a remote process, or simply execute a block of code.\r\n\r\nThe `lpEnvironment` parameter in `CreateProcess` allows us to specify a custom environment string for the target process. The environment string contains a set of environment variable entries, such as `PATH=C:\\Windows\\system32;C:\\Windows`. Each environment variable in the list is separated by a null terminator character, and the final entry in the list is a blank string (two null terminator characters). When a new process is created, the environment string will be copied to the virtual memory of the process and it can then be accessed via the PEB.\r\n\r\nIn summary, the injector process takes the following steps:\r\n\r\n1. Create a generic \"code loader\" block which doesn't contain any 0x00 characters - values will be encoded with XOR if necessary.\r\n2. Use `GetEnvironmentStringsW` to retrieve the existing environment string and copy this to a temporary buffer. Our \"generic code loader\" entry will be appended to the end of the existing entries. Some programs make use of the environment variables, so it is not a good idea to overwrite the existing entries.\r\n3. Create a suspended instance of the target EXE process using `CreateProcess` with our custom environment string `lpEnvironment`. We will also use the `CREATE_UNICODE_ENVIRONMENT` flag to specify a wide-char environment value, otherwise the string will be converted from ANSI to wide-char which will break our loader code.\r\n4. Use `NtQueryInformationProcess` to retrieve the PEB address for the target process.\r\n5. Call `NtCreateThreadEx` to call Sleep(0) in the target process and wait for the thread to exit. This will force the necessary PEB fields to become initialised in the target process.\r\n6. Calculate the address of the environment string in the target process (PEB-> `RtlUserProcessParameters` -> Environment)\r\n7. Locate the address of our loader code within the environment string. Call `VirtualProtectEx` to make this data executable.\r\n8. Call `NtCreateThreadEx` to execute the loader code within the target process. This code will read the final payload back from the injector process and execute it.\r\n9. Restore the original memory protection after the payload has finished executing.\r\n10. Call `ResumeThread` to continue normal execution of the target process.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.x86matthew.com/view_post?id=proc_env_injection",
"creation_date": "2022-06-13T23:45:30.988000Z",
"tags": "",
"modification_date": "2023-10-04T10:44:56.710000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
1,
3,
12,
22,
24,
357,
425
],
"contributors": []
},
{
"id": 177,
"key": "disabling-event-tracing-for-windows-etw",
"unprotect_id": "U0306",
"name": "Disabling Event Tracing for Windows (ETW)",
"description": "Many EDR solutions leverage Event Tracing for Windows (ETW) extensively. ETW allows for extensive instrumentation and tracing of a process functionality and WINAPI calls. It has components in the kernel, to register callbacks for system calls and other kernel operations, but also consists of a userland component that is part of ntdll.dll. \r\n\r\nSince ntdll.dll is a DLL loaded into the process of a binary, an attacker can have full control over this DLL and therefore the ETW functionality. The most common nypassing technique is patching the function EtwEventWrite which is called to write/log ETW events. It is possible to fetch its address in ntdll.dll, and replace its first instructions with instructions to return 0 (SUCCESS).",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://vanmieghem.io/blueprint-for-evading-edr-in-2022/",
"creation_date": "2022-04-19T00:09:38.360000Z",
"tags": "anti-forensic",
"modification_date": "2023-10-04T10:42:56.937000Z",
"category": [
8
],
"rules": [],
"attachments": [],
"featured_api": [
425
],
"contributors": []
},
{
"id": 176,
"key": "anti-upx-unpacking",
"unprotect_id": "U1008",
"name": "Anti-UPX Unpacking",
"description": "Anti-UPX Unpacking is the technique to prevent malware from being unpacked by tools like UPX. UPX packed binary indicates that the section names starting with UPX followed by a number (UPX0 and UPX1) and the string “UPX!” at the end of the PE header. This UPX reference structure is located at the end of the PE header and the header includes checksums, packed and unpacked sizes, and compression details.\r\n\r\nThere are some methods to bypass unpacking using \"upx -d\" since a long time ago.\r\n\r\nOne easy way is to change section names to different strings, this is the example. The normal section names packed by UPX are \"UPX0\", \"UPX1\" .. and \".rsrc\". The unpacking command \"upx -d\" raises this kind of exception of \"CantUnpackException: file is possibly modified/hacked/protected; take care!\" in this case and results in preventing from unpacking.\r\n\r\nAnother method is zero-padding against any size or checksum infos in UPX reference structure. The \"upx -d\" raises this kind of exception of \"CantUnpackException: header corrupted\" at this time and results in preventing from unpacking.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://github.com/upx/upx/blob/master/src/stub/src/include/header.S\nhttps://bsodtutorials.wordpress.com/2014/11/14/upx-packing-and-anti-packing-techniques/\nhttps://blogs.jpcert.or.jp/en/2022/03/anti_upx_unpack.html\nhttps://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/",
"creation_date": "2022-03-29T23:11:58.387000Z",
"tags": "antiUPX",
"modification_date": "2023-10-04T10:44:35.496000Z",
"category": [
14
],
"rules": [
50
],
"attachments": [],
"featured_api": [],
"contributors": [
18
]
},
{
"id": 175,
"key": "volume-shadow-copy-service-vscvss-deletion",
"unprotect_id": "U0305,T1070.004",
"name": "Volume Shadow Copy Service (VSC,VSS) Deletion",
"description": "Deleting Volume Shadow Copy makes the forensic investigation more difficult in terms of the recovery of previous artifact evidence. In addition, attackers using ransomware often delete VSCs not to be able to recover the original files of the encrypted files from VSCs. \r\n\r\nOn the other hand, deleting by using vssadmin and WMIC is on a file system level, the actual data remains in clusters. Thus, it may be able to be recovered from VSC until other files overwrite the clusters.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://docs.microsoft.com/ja-jp/windows-server/administration/windows-commands/vssadmin-delete-shadows\nhttps://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods\nhttps://blogs.blackberry.com/en/2018/11/threat-spotlight-inside-vssdestroy-ransomware\nhttps://blog.avast.com/zepto-ransomware-now-introduces-new-features-to-better-encrypt-your-files\nhttp://www.kazamiya.net/DeletedSC\nhttps://github.com/mnrkbys/vss_carver\nhttps://www.shadowexplorer.com/",
"creation_date": "2022-02-24T05:19:24.338000Z",
"tags": "VSC,ShadowCopy,Ransomware",
"modification_date": "2023-10-04T10:42:47.308000Z",
"category": [
8,
10
],
"rules": [
33,
34,
37,
56,
63
],
"attachments": [],
"featured_api": [],
"contributors": [
18
]
},
{
"id": 174,
"key": "user-interaction-are-you-human",
"unprotect_id": "U1339,E1204",
"name": "User Interaction (Are you human?)",
"description": "You can get an advantage against sandboxes by using user interaction techniques. For example, The average user has a username and password and as long as the user you are targeting does not enter their password correctly, you can prevent your malware execution and bypass the possible sandbox control.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://github.com/hlldz/pickl3",
"creation_date": "2021-07-27T13:07:49.117000Z",
"tags": "",
"modification_date": "2023-10-04T10:42:17.582000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 173,
"key": "access-token-manipulation-parent-pid-spoofing",
"unprotect_id": "U1234,T1134.004",
"name": "Access Token Manipulation: Parent PID Spoofing",
"description": "Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. \r\n\r\nOne way of explicitly assigning the PPID of a new process is via the `CreateProcess` API call, which supports a parameter that defines the PPID to use. This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.\r\n\r\nAdversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of PowerShell/Rundll32 to be explorer.exe rather than an Office document delivered as part of Spearphishing Attachment. This spoofing could be executed via Visual Basic within a malicious Office document or any code that can perform Native API.\r\n\r\nExplicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe), causing the new process to be elevated via the inherited access token.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://github.com/hlldz/APC-PPID\nhttps://attack.mitre.org/techniques/T1134/004/",
"creation_date": "2021-07-27T13:05:01.292000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation,\r\nparent process identifier (PPID),\r\nevade process-monitoring defenses,\r\nCreateProcess API call,\r\nUser Account Control (UAC),\r\ninherited access token,",
"modification_date": "2023-10-04T10:42:20.837000Z",
"category": [
4,
10
],
"rules": [
88
],
"attachments": [],
"featured_api": [
3,
4,
6,
11,
21,
22,
24,
26,
27,
28,
365
],
"contributors": []
},
{
"id": 172,
"key": "killing-windows-event-log",
"unprotect_id": "U0304",
"name": "Killing Windows Event Log",
"description": "Killing the Windows Event Log is a technique used by malware to prevent security professionals from detecting and analyzing it. Svchost.exe is a process that manages services on Windows operating systems. \r\n\r\nBy grouping multiple services into a single process, Svchost.exe conserves computing resources and reduces resource consumption. However, this also means that Svchost.exe manages the Event Log service, which is responsible for collecting logs on the system. \r\n\r\nBy targeting the Event Log service and killing the threads responsible for it, malware can prevent the system from collecting logs, making it more difficult for security professionals to detect and analyze the malware.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://github.com/hlldz/Phant0m",
"creation_date": "2021-07-27T13:03:31.911000Z",
"tags": "Windows Event Log,\r\nAnti-forensic,\r\nSvchost.exe,\r\nServices,\r\nProcess,\r\nEvent Log service,\r\nThreads,",
"modification_date": "2023-10-04T10:43:11.626000Z",
"category": [
8
],
"rules": [
11
],
"attachments": [],
"featured_api": [
18,
24,
28,
29,
30,
412,
425
],
"contributors": []
},
{
"id": 171,
"key": "process-ghosting",
"unprotect_id": "U1232",
"name": "Process Ghosting",
"description": "Process Ghosting is a technique used to bypass detection by manipulating the executable image when a process is loaded. \r\n\r\nWindows attempts to prevent mapped executables from being modified. Once a file is mapped into an image section, attempts to open it with `FILE_WRITE_DATA` (to modify it) will fail with `ERROR_SHARING_VIOLATION`. Deletion attempts via `FILE_DELETE_ON_CLOSE`/`FILE_FLAG_DELETE_ON_CLOSE` fail with `ERROR_SHARING_VIOLATION`. `NtSetInformationFile`(`FileDispositionInformation`) requires the `DELETE` access right. Even though the `DELETE` access right is granted to files mapped to image sections, `NtSetInformationFile`(`FileDispositionInformation`) fails with `STATUS_CANNOT_DELETE`. Deletion attempts via `FILE_SUPERCEDE`/`CREATE_ALWAYS` fail with `ACCESS_DENIED`. \r\n\r\nAn important note, however, is that this deletion restriction only comes into effect once the executable is mapped into an image section. This means that it is possible to create a file, mark it for deletion, map it to an image section, close the file handle to complete the deletion, then create a process from the now-fileless section. This is Process Ghosting.\r\n\r\nThe attack flow is:\r\n\r\n1. Create a file\r\n2. Put the file into a delete-pending state using `NtSetInformationFile`(FileDispositionInformation). Note: Attempting to use `FILE_DELETE_ON_CLOSE` instead will not delete the file.\r\n3. Write the payload executable to the file. The content isn’t persisted because the file is already delete-pending. The delete-pending state also blocks external file-open attempts.\r\n4. Create an image section for the file.\r\n5. Close the delete-pending handle, deleting the file.\r\n6. Create a process using the image section.\r\n7. Assign process arguments and environment variables.\r\n8. Create a thread to execute in the process.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack",
"creation_date": "2021-06-16T11:50:05Z",
"tags": "",
"modification_date": "2023-10-04T10:44:44.110000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 170,
"key": "process-herpaderping",
"unprotect_id": "U1231",
"name": "Process Herpaderping",
"description": "Process Herpaderping is a method of obscuring the intentions of a process by modifying the content on a disk after the image has been mapped. This results in curious behavior by security products and the OS itself.\r\n\r\nTo abuse this convention, we first write a binary to a target file on a disk. Then, we map an image of the target file and provide it to the OS to use for process creation. The OS kindly maps the original binary for us. Using the existing file handle, and before creating the initial thread, we modify the target file content to obscure or fake the file backing the image. Sometime later, we create the initial thread to begin the execution of the original binary. Finally, we will close the target file handle. Let's walk through this step-by-step:\r\n\r\n1. Write target binary to disk, keeping the handle open. This is what will execute in memory.\r\n2. Map the file as an image section `NtCreateSection, SEC_IMAGE`.\r\n3. Create the process object using the section handle `NtCreateProcessEx`.\r\n4. Using the same target file handle, obscure the file on disk.\r\n5. Create the initial thread in the process `NtCreateThreadEx`.\r\n * At this point, the process creation callback in the kernel will fire. The contents on the disk do not match what was mapped. Inspection of the file at this point will result in incorrect attribution.\r\n6. Close the handle. `IRP_MJ_CLEANUP` will occur here.\r\n * Since we've hidden the contents of what is executing, inspection at this point will result in incorrect attribution.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://github.com/jxy-s/herpaderping",
"creation_date": "2021-06-16T11:45:24Z",
"tags": "",
"modification_date": "2023-10-04T10:42:52.190000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
13,
357
],
"contributors": []
},
{
"id": 169,
"key": "localsize0",
"unprotect_id": "U0128",
"name": "LocalSize(0)",
"description": "The function `LocalSize` retrieves the current size of the specified local memory object, in bytes. By setting the `hMem` parameters with 0 will trigger an exception in a debugger that can be used as an anti-debugging mechanism.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-localsize",
"creation_date": "2021-04-29T08:15:47Z",
"tags": "localsize",
"modification_date": "2023-10-04T10:42:33.492000Z",
"category": [
3
],
"rules": [
39,
81
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 168,
"key": "detecting-online-sandbox",
"unprotect_id": "U1338",
"name": "Detecting Online Sandbox",
"description": "Online sandbox has become very popular for malware analysis. Several malware authors employ such techniques to avoid detection and analysis. Some of these techniques will be summarized here.\r\n\r\n* Any.Run uses a fake root certificate to spy on sandbox traffic. The first information about the system can be obtained by querying the information of the root certificate. In addition, the QEMU Agent is modified and used to monitor the applications running in the virtual machine allowing the sandbox to do API hooking and monitor the analyzed process. If a process name such as \"srvpost.exe\" is running and the \"winanr.dll\", \"winsanr.dll\" libraries are loaded, it is possible to detect the Any.Run agent.\r\n\r\n* Any.Run offers many packages to their users. And in addition to the features they are offering in these packages, they also determine the maximum number of minutes for active analysis. For example, you can analyze a file for 5 minutes by default with the Searcher package, that you pay 90 dollars to acquire, and you can make this time a maximum of 10 minutes by adding time in interactive mode. The sechost.dll in the agent contains and transmits the timing metrics of ANY.RUN. When we suspend this thread, Any.Run stops its counter and the analysis continues until it drops to timeout.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://malwation.com/offensive-approach-to-online-sandboxes-1-any-run/\nhttps://gist.github.com/kaganisildak/4ff8adcaba2521a28a7029d61c265d16\nhttps://app.any.run/tasks/5bff31df-4688-41b1-a73a-d15d30e7ac54/\nhttps://app.any.run/",
"creation_date": "2021-03-10T14:32:11Z",
"tags": "",
"modification_date": "2023-10-04T10:44:43.778000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [
18,
22,
24,
26,
27,
28,
29,
30,
317,
320,
412,
425
],
"contributors": []
},
{
"id": 167,
"key": "file-melt",
"unprotect_id": "U1007",
"name": "File Melt",
"description": "File melting is a technique that malware uses to delete itself after it has been installed on a system. This is often done in order to avoid detection by antivirus programs or other security measures. The process of file melting involves overwriting the file with random data, making it impossible to recover the original file or to detect the presence of the malware. \r\n\r\nThis technique is often used in combination with other tactics, such as hiding the infected file in a remote location or using encryption to make it difficult to access.",
"windows": "",
"linux": "",
"macos": "",
"resources": "",
"creation_date": "2021-02-20T19:02:54Z",
"tags": "File melting,\r\nFile deletion,\r\nOverwriting,\r\nRandom data,\r\nRecovery,\r\nEncryption,\r\nHiding,\r\nRemove trace,",
"modification_date": "2022-12-13T22:56:23.230000Z",
"category": [
14
],
"rules": [
51,
91
],
"attachments": [],
"featured_api": [
1,
3,
4,
6,
11,
12,
425
],
"contributors": []
},
{
"id": 166,
"key": "execution-guardrails-environmental-keying",
"unprotect_id": "T1480.001",
"name": "Execution Guardrails: Environmental Keying",
"description": "Adversaries may environmentally key payloads or other features of malware to evade defenses and constraint execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Environmental keying is an implementation of Execution Guardrails that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.\r\n\r\nValues can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses. By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult. These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs).\r\n\r\nSimilar to Obfuscated Files or Information, adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution. By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult. This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.\r\n\r\nLike other Execution Guardrails, environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical Virtualization/Sandbox Evasion. While use of Virtualization/Sandbox Evasion may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1480/001/",
"creation_date": "2020-11-15T09:35:38Z",
"tags": "Defense Evasion.\r\ncryptography,\r\nconstrain execution,\r\nderiving encryption/decryption keys,\r\nencrypted payloads,\r\nAPT41,\r\nData Protection API",
"modification_date": "2023-10-04T10:44:56.962000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 165,
"key": "indicator-removal-timestomp",
"unprotect_id": "U0303, T1070.006",
"name": "Indicator Removal: Timestomp",
"description": "Timestomping is a technique used by adversaries to modify the timestamps of a file, such as the modify, access, create, and change times. This technique is often used to hide the fact that a file has been modified or created by the adversary, making it more difficult for forensic investigators or file analysis tools to detect the changes. \r\n\r\nBy modifying the timestamps of a file, the adversary can make it appear as if the file has been present on the system for a longer period of time, or that it was last accessed or modified at a different time than it actually was. This can help the adversary avoid detection and continue operating on a compromised system without being detected.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1070/006/",
"creation_date": "2020-11-13T20:27:25Z",
"tags": "Timestomping,\r\nTimestamp manipulation,\r\nChange times,\r\nForensic investigators,\r\nFile analysis tools,\r\nAPT28,\r\nAPT29,\r\nAPT32,\r\nAPT38,",
"modification_date": "2023-10-04T10:44:15.174000Z",
"category": [
8,
10
],
"rules": [
90
],
"attachments": [],
"featured_api": [
425
],
"contributors": []
},
{
"id": 164,
"key": "debug-registers-hardware-breakpoints",
"unprotect_id": "U0127, B0001.005",
"name": "Debug Registers, Hardware Breakpoints",
"description": "Registers DR0 through DR3 contain the linear address associated with one of the four hardware breakpoint conditions. For anti-debugging, malware will check the contents of the first four debug registers to see if the hardware breakpoint has been set.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-getcurrentthread\nhttps://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-getthreadcontext\nhttps://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/registers-window",
"creation_date": "2020-11-13T14:16:40Z",
"tags": "DR0",
"modification_date": "2023-10-04T10:42:28.818000Z",
"category": [
3
],
"rules": [
10
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 163,
"key": "anti-yara-rules",
"unprotect_id": "U1001",
"name": "Anti Yara Rules",
"description": "Yara rules are used by malware researchers to identify and classify malware based on specific characteristics and behaviors. These rules are powerful because they allow researchers to quickly and accurately detect malware, even if it has been modified to avoid detection. However, attackers can also modify their malware to avoid detection by Yara rules. \r\n\r\nThis is often seen with ransomware, where attackers will update the content of their ransom notes in an attempt to evade detection. By constantly modifying their malware, attackers can make it more difficult for researchers to track and detect their malware.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://github.com/Yara-Rules/rules",
"creation_date": "2020-11-10T08:08:48Z",
"tags": "Yara rules,\r\ntracking,\r\ndetection evasion,\r\nransomware notes,\r\nmalware classification,\r\nmalware characteristics,\r\nmalware behaviors,",
"modification_date": "2023-10-04T10:42:42.729000Z",
"category": [
14
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 162,
"key": "breaking-badder",
"unprotect_id": "U1201",
"name": "Breaking BaDDEr",
"description": "Dynamic Data Exchange (DDE) is a protocol that allows applications to share data with each other. The Dynamic Data Exchange Management Library (DDEML) is a set of functions that facilitate data sharing using the DDE protocol. DDE and DDEML are commonly used in Microsoft Office to enable data to be shared between applications. In October 2017, a vulnerability was discovered in Microsoft Office that could be exploited using DDE to execute arbitrary code. Since then, DDE has been disabled by default in Microsoft Office and is no longer considered a critical component. \r\n\r\nThis injection method is limited to the explorer.exe process, which is the process that handles graphical user interface (GUI) elements in the Windows operating system.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://modexp.wordpress.com/2019/08/09/windows-process-injection-breaking-badder/",
"creation_date": "2020-10-26T07:41:58Z",
"tags": "Data sharing protocol,\r\nData sharing library,\r\nDDE protocol,\r\nCode execution,",
"modification_date": "2023-10-04T10:42:33.135000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
3,
4,
6,
24,
357
],
"contributors": []
},
{
"id": 161,
"key": "dns-api-injection",
"unprotect_id": "U1202",
"name": "DNS API Injection",
"description": "DNS API injection is a technique used by malware to evade detection by intercepting and modifying DNS (Domain Name System) requests made by a host system. The technique involves injecting code into the DNS API (Application Programming Interface) of the host system, which is a set of functions and protocols that allow communication with the DNS service. By injecting code into the DNS API, the malware can manipulate DNS requests and responses, potentially redirecting traffic to malicious domains or hiding its own DNS requests from being logged or detected.\r\n\r\nTo carry out DNS API injection, the malware must first locate the address of the dnsapi.dll library in the host system's memory and find the address of the exported `DnsApiHeapReset` function. By parsing the code of this function, the malware can discover the addresses of various callback functions that are used to process DNS requests and responses. The malware can then use the `WriteProcessMemory` function to modify these callbacks, allowing it to intercept and manipulate DNS requests made by the host system.\r\n\r\nSysmon v10, a system monitoring tool, includes a feature that logs DNS queries and maps them to the process name making the request. This can help detect DNS API injection by showing any suspicious or unexpected DNS requests being made by processes on the host system.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://modexp.wordpress.com/2019/08/08/windows-process-injection-dnsapi/\nhttp://www.hexacorn.com/blog/2019/06/12/code-execution-via-surgical-callback-overwrites-e-g-dns-memory-functions/",
"creation_date": "2020-10-26T07:38:31Z",
"tags": "Overwriting DNS memory functions,\r\nLogging DNS queries,\r\nIntercepting DNS requests,\r\nHiding DNS requests,\r\ndnsapi.dll,\r\nDnsApiHeapReset,",
"modification_date": "2023-10-04T10:44:49.979000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
3,
4,
6,
24,
357,
413
],
"contributors": []
},
{
"id": 160,
"key": "clipbrdwndclass",
"unprotect_id": "U1203",
"name": "CLIPBRDWNDCLASS",
"description": "CLIPBRDWNDCLASS is a window class that is registered by the Object Linking & Embedding (OLE) library (ole32.dll) to handle clipboard data. When a window of this class is created, it is assigned a number of window properties that store the addresses of various interfaces that are used to process clipboard data. These interfaces include the `ClipboardDataObjectInterface`, `ClipboardRootDataObjectInterface`, and `ClipboardDataObjectInterfaceMTA`.\r\n\r\nOne of these interfaces, the `ClipboardDataObjectInterface`, can be leveraged for code injection. If this interface is set to the address of an IUnknown interface and the clipboard window procedure receives a WM_DESTROYCLIPBOARD message, it will invoke the Release method of the IUnknown interface. This can potentially allow malware to inject code into the host system by manipulating the clipboard data and causing the Release method to be called.\r\n\r\nIt is important to note that the CLIPBRDWNDCLASS window class and the interfaces it uses are private to the OLE library, and are not intended for use by external programs.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://modexp.wordpress.com/2019/05/24/4066/",
"creation_date": "2020-10-13T17:24:15Z",
"tags": "Object Linking & Embedding (OLE) library,\r\nPrivate clipboard\r\nCLIPBRDWNDCLASS window class,\r\nOLE library,\r\nClipboard data,\r\nClipboardDataObjectInterface,\r\nClipboardRootDataObjectInterface,\r\nClipboardDataObjectInterfaceMTA,",
"modification_date": "2023-10-04T10:43:33.129000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
3,
4,
6,
24
],
"contributors": []
},
{
"id": 158,
"key": "wordwarping",
"unprotect_id": "U1204",
"name": "WordWarping",
"description": "Edit controls are a type of user interface element that allows a user to enter and edit text in a graphical user interface (GUI). They are commonly used in Windows applications and can be embedded directly into a GUI or subclassed as a separate window. Edit controls can be set to display text in multiline mode, in which case they use a special callback function called the EditWordBreakProc to handle word wrapping.\r\n\r\nThe `EditWordBreakProc` callback function is called anytime the control needs to perform an operation related to word wrapping. This function can be modified for any window by sending the EM_SETWORDBREAKPROC message to the window. If the window is an edit control or a descendant of an edit control, modifying the `EditWordBreakProc` callback function can cause unexpected behavior.\r\n\r\nOne way to trigger the execution of the `EditWordBreakProc` callback function is to simulate keyboard input using the `SendInput` or `PostMessage` APIs. These APIs allow a program to send input events, such as keystrokes or mouse movements, to a window or application as if they were being generated by a user. If the input events are directed at an edit control or a descendant of an edit control, they may cause the `EditWordBreakProc` callback function to be called.",
"windows": "",
"linux": "",
"macos": "",
"resources": "",
"creation_date": "2020-10-13T17:21:36Z",
"tags": "Rich Edit controls,\r\nWindows controls,\r\nMultiline mode,\r\nEditWordBreakProc callback function,\r\nWord wrapping,\r\nEM_SETWORDBREAKPROC message,",
"modification_date": "2023-10-04T10:39:35.737000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
3,
4,
6,
24
],
"contributors": []
},
{
"id": 157,
"key": "editwordbreakproc",
"unprotect_id": "U1229",
"name": "EditWordBreakProc",
"description": "Edit controls, including Rich Edit controls, are a common type of Windows control found in many applications. They can be embedded directly in the application or as subclassed windows. \r\n\r\nWhen these controls display text in multiline mode, they use a callback function called `EditWordBreakProc`. This function is called every time the control needs to do something related to word wrapping. \r\n\r\nAdditionally, when a Rich Edit control receives the `EM_STREAMIN` message, it uses the information provided in an `EDITSTREAM` structure to transfer data into or out of the control. The `pfnCallback` field of this structure can be used to point to a payload in memory, allowing for the injection of malicious code.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/",
"creation_date": "2020-10-13T17:19:34Z",
"tags": "Edit controls, Rich Edit controls, Windows control, multiline mode, EditWordBreakProc callback function, word wrapping, EM_STREAMIN message, EDITSTREAM structure, pfnCallback field,",
"modification_date": "2023-10-04T10:44:38.818000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
3,
4,
6,
24
],
"contributors": []
},
{
"id": 156,
"key": "oleum",
"unprotect_id": "U1206",
"name": "OLEUM",
"description": "Edit controls are a type of user interface element that allows a user to enter and edit text in a graphical user interface (GUI). They are commonly used in Windows applications and can be embedded directly into a GUI or subclassed as a separate window. Edit controls can be set to display text in multiline mode, in which case they use a special callback function called the EditWordBreakProc to handle word wrapping.\r\n\r\nThe EditWordBreakProc callback function is called anytime the control needs to perform an operation related to word wrapping. In some cases, it may be possible to manipulate this callback function to achieve a desired effect, such as injecting code into the host system.\r\n\r\nOne method that has been used to manipulate the EditWordBreakProc callback function is to send the EM_GETOLECALLBACK message to the edit control window using the SendMessage function. This message is not well documented and can cause the rich edit window to crash if the LPARAM parameter does not point to locally accessible memory. Additionally, the EM_GETOLECALLBACK message does not return a pointer to the IRichEditOleCallback interface as expected, but rather to the IRichEditOle interface. As a result, the EM_SETOLECALLBACK message cannot be used to modify the callback function.\r\n\r\nInstead, it may be possible to modify the IRichEditOle.lpVtbl heap memory, which holds a table of methods that can be called on the IRichEditOle interface. By overwriting the address of one of these methods with the address of the payload, it may be possible to execute the payload when the method is called. In this case, the payload is the GetClipboardData function. It is important to note that manipulating the EditWordBreakProc callback function and modifying heap memory in this way is likely to be detected by security systems and may result in the host system being compromised.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/",
"creation_date": "2020-10-13T17:17:35Z",
"tags": "Rich Edit controls,\r\nEditWordBreakProc callback,\r\nWord wrapping,\r\nEM_GETOLECALLBACK message,\r\nSendMessage function,\r\nLPARAM parameter,\r\nLocally accessible memory,\r\nIRichEditOleCallback interface,",
"modification_date": "2023-10-04T10:44:00.867000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
3,
4,
6,
24,
229,
357
],
"contributors": []
},
{
"id": 155,
"key": "listplanting",
"unprotect_id": "U1207",
"name": "Listplanting",
"description": "Edit controls are a type of user interface element that allows a user to enter and edit text in a graphical user interface (GUI). They are commonly used in Windows applications and can be embedded directly into a GUI or subclassed as a separate window.\r\n\r\nEdit controls can be set to display text in multiline mode, in which case they use a special callback function called the EditWordBreakProc to handle word wrapping. This callback function is called anytime the control needs to perform an operation related to word wrapping.\r\n\r\nIn addition to the EditWordBreakProc callback function, the ListView control, which is a common GUI element used to display lists of items, can also be customized using certain messages. The LVM_SORTGROUPS message allows the user to specify a callback function that is used to sort the groups in a ListView control. The LVM_INSERTGROUPSORTED message inserts a new group into a ListView control, using the callback function specified in the LVM_SORTGROUPS message to determine the proper position for the new group. The LVM_SORTITEMS message allows the user to specify a callback function that is used to sort the items in a ListView control.\r\n\r\nUsing these messages and callback functions, it is possible to customize the sorting of items and groups in a ListView control to meet the specific needs of an application.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/",
"creation_date": "2020-10-06T05:48:52Z",
"tags": "Rich Edit controls,\r\nWindows controls,\r\nMultiline mode,\r\nEditWordBreakProc callback,\r\nWord wrapping,\r\nListView control,\r\nGUI element,\r\nDisplay lists of items,\r\nLVM_SORTGROUPS message,\r\nCallback function,",
"modification_date": "2023-10-04T10:42:33.290000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
3,
4,
6,
24
],
"contributors": []
},
{
"id": 154,
"key": "treepoline",
"unprotect_id": "U1208",
"name": "Treepoline",
"description": "Tree-view controls are a type of user interface element that is used to display hierarchical data in a graphical user interface (GUI). They are commonly used in Windows applications and allow users to navigate and explore complex data structures.\r\n\r\nTo display its content, a tree-view control must sort the items it shows. The sorting routine for a tree-view control can be controlled and modified using a TVSORTCB structure, which includes a field called lpfnCompare that points to a callback function. This callback function is called anytime a comparison between tree elements is required.\r\n\r\nBy sending a TVM_SORTCHILDRENCB message to a tree-view control, it is possible to specify the callback function that should be used to sort the tree-view's elements. When the tree-view control executes the specified callback function, it is possible to execute arbitrary code or perform other actions. This technique can be used to compromise the host system or cause harm in other ways. It is important to note that manipulating the callback function in this way is likely to be detected by security systems and may result in the host system being compromised.",
"windows": "",
"linux": "",
"macos": "",
"resources": "http://www.hexacorn.com/blog/2019/04/24/treepoline-new-code-injection-technique/\nhttps://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/",
"creation_date": "2020-10-06T05:46:01Z",
"tags": "Tree-view controls,\r\nUser interface element,\r\nHierarchical data,\r\nGraphical user interface (GUI),\r\nWindows applications,\r\nData structures,\r\nItem sorting,\r\nTVSORTCB structure,\r\nlpfnCompare field,",
"modification_date": "2023-10-04T10:44:01.256000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
3,
4,
6,
24
],
"contributors": []
},
{
"id": 153,
"key": "consolewindowclass",
"unprotect_id": "U1209",
"name": "ConsoleWindowClass",
"description": "One method that has been used to achieve process injection is by manipulating the User Data of a window object.\r\n\r\nThe User Data of a window is a small amount of memory that is usually used to store a pointer to a class object. This memory can be set using the `SetWindowLongPtr` API and the GWLP_USERDATA parameter. In the case of the Console Window Host (conhost) process, the User Data of a window is used to store the address of a data structure that contains information about the window's position, dimensions, and object handle, as well as a class object with methods to control the behavior of the console window.\r\n\r\nBy manipulating the User Data of a window object, it may be possible to execute arbitrary code in the context of the process associated with that window.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://modexp.wordpress.com/2018/09/12/process-injection-user-data/",
"creation_date": "2020-10-05T12:31:17Z",
"tags": "Arbitrary code execution,\r\nContext of another process,\r\nSetWindowLongPtr API,\r\nGWLP_USERDATA parameter,\r\nUser Data of a window,",
"modification_date": "2023-10-04T10:42:33.648000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
3,
4,
6,
24,
357
],
"contributors": []
},
{
"id": 152,
"key": "bypass-user-account-control",
"unprotect_id": "T1548.002",
"name": "Bypass User Account Control",
"description": "Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\r\n\r\nThe impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1548/002/",
"creation_date": "2020-10-05T06:30:46Z",
"tags": "Defense Evasion,\r\nbypass UAC controls,\r\nMITRE,\r\nprivilege elevation,",
"modification_date": "2023-10-04T10:44:59.068000Z",
"category": [
10
],
"rules": [
24,
38
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 151,
"key": "getforegroundwindow",
"unprotect_id": "U1301",
"name": "GetForegroundWindow",
"description": "This technique uses the GetForegroundWindow and Sleep APIs to attempt to evade sandboxes. Many sandboxes do not alter the foreground window like a user would in a normal desktop environment.\r\n\r\nIt accomplishes this by making a call to GetForegroundWindow, which returns a handle to the current window. Then the malware sample will sleep for a short time, followed by another call to GetForegroundWindow. If the foreground window has not changed, the malware assumes it is in a sandbox or analysis virtual machine and will continue this loop until the foreground window changes. If there is no change, the program will loop indefinitely or may make a call to ExitProcess.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://archive.f-secure.com/weblog/archives/00002810.html",
"creation_date": "2020-10-01T11:39:03Z",
"tags": "GetForegroundWindow",
"modification_date": "2023-10-04T10:42:43.425000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 150,
"key": "thermal-zone-temperature",
"unprotect_id": "U1302",
"name": "Thermal Zone Temperature",
"description": "The temperature sensor is used to know the current temperature of a machine. In a non-virtualized environment, the function returns valid support and output like: \"25.05 C: 77.09 F: 298.2K\". But for a fully virtualized environment, the return is \"MSAcpi_ThermalZoneTemperature not supported\" because this feature is not supported on virtualized processors.\r\n\r\nInterestingly, this method is not valid. Not all Windows machines will support this method due to incompatibility with thermal zone sensors. It is a BIOS function. Sometimes the BIOS manufacturer provides dlls that can be referenced to call the required function and return the details.\r\n\r\nMany malware authors use it to detect virtual machines, but it frequently fails due to lack of vendor support.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://medium.com/@DebugActiveProcess/anti-vm-techniques-with-msacpi-thermalzonetemperature-32cfeecda802\nhttps://social.msdn.microsoft.com/Forums/en-US/19520825-b1fc-4778-8704-c492124bc029/getting-cpu-temp?forum=vblanguage",
"creation_date": "2020-09-26T10:02:04Z",
"tags": "thermal, temperature",
"modification_date": "2023-10-04T10:43:53.612000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 149,
"key": "checking-malware-name",
"unprotect_id": "U1303,U0401",
"name": "Checking Malware Name",
"description": "Malware can use various techniques to evade detection by security analysts and researchers. One such technique is to check the name of the malware sample before fully executing on the infected machine. If the sample has been renamed to a blacklisted name, such as \"malware.exe\" or \"sample.exe\", or even with the file hash, the malware can detect this and change its behavior or terminate its process to avoid being detected and analyzed. This technique allows the malware to remain undetected and continue its malicious activities on the infected machine.",
"windows": "",
"linux": "",
"macos": "",
"resources": "",
"creation_date": "2020-09-22T06:49:06Z",
"tags": "malware,\r\nsample,\r\nblacklisted names,\r\nprocess,\r\nfile hash,",
"modification_date": "2023-10-04T10:40:12.913000Z",
"category": [
1,
6
],
"rules": [
129
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 148,
"key": "rdtscp",
"unprotect_id": "U1304",
"name": "RDTSCP",
"description": "Newer processors support a new instruction called RDTSCP which does the exact same thing as RDTSC, except that it does so serializing (meaning it waits for all instructions to execute before reading the counter. and that the possible reordering of the execution of the instructions is won that does not happen). \r\n\r\nThis instruction can be used to calculate the delta of the timestamp counter in the same way as RDTSC and thus detect whether the program is being debugged, emulated or executed in a virtual environment.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.hexacorn.com/blog/2014/06/15/rdtscp-a-recooked-antire-trick/",
"creation_date": "2020-09-14T07:32:36Z",
"tags": "RDTSCP",
"modification_date": "2023-10-04T10:42:43.229000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 147,
"key": "api-hammering",
"unprotect_id": "U1305, B0003.012",
"name": "API Hammering",
"description": "API hammering is a technique used to delay sandbox analysis and thus avoid malware capability analysis reporting. This technique consists of calling a large amount of benign APIs like \"printf\" in a loop.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.joesecurity.org/blog/3660886847485093803",
"creation_date": "2020-09-10T14:39:31Z",
"tags": "hammering",
"modification_date": "2024-11-18T09:42:22.286348Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": [
46
]
},
{
"id": 146,
"key": "process-reimaging",
"unprotect_id": "U1210",
"name": "Process Reimaging",
"description": "Process Reimaging is a technique used to evade detection by endpoint security solutions. It is a variation of the Process Hollowing or Process Doppelganging techniques, which are used to execute arbitrary code in the context of another process.\r\n\r\nThe Windows operating system has inconsistencies in how it determines the locations of process image FILE_OBJECTs, which can impact the ability of endpoint security solutions, such as Microsoft Defender Realtime Protection, to accurately detect the correct binaries loaded in malicious processes. This inconsistency can be exploited using the Process Reimaging technique, which does not require code injection.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/in-ntdll-i-trust-process-reimaging-and-endpoint-security-solution-bypass.html",
"creation_date": "2020-05-08T09:26:00Z",
"tags": "Process Reimaging,\r\nDetection evasion,\r\nEndpoint security solutions,\r\nProcess Hollowing,\r\nProcess Doppelganging,\r\nMitre Attack Defense Evasion Category,\r\nCode injection,",
"modification_date": "2023-10-04T10:43:54.431000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 145,
"key": "malvertising",
"unprotect_id": "U1002",
"name": "Malvertising",
"description": "Malvertising is a type of cyber attack that involves using online advertising as a means to spread malware. This is attractive to attackers because it allows them to easily reach a large number of users without having to directly compromise the websites hosting the ads. The ads themselves can be inserted into reputable and high-profile websites, which can help attackers bypass network security measures and reach users who may not be as vigilant about protecting themselves online. \r\n\r\nBy using malvertising, attackers can exploit the trust that users have in the websites they visit and the ads they see, making it an effective and stealthy way to spread malware.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.imperva.com/learn/application-security/malvertising/",
"creation_date": "2019-04-23T12:35:33Z",
"tags": "malvertising,\r\nonline advertising,\r\nhigh-profile websites,\r\ntrust in websites,",
"modification_date": "2023-10-04T10:43:44.639000Z",
"category": [
14
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 144,
"key": "c2-via-social-networks",
"unprotect_id": "U0901",
"name": "C2 via Social Networks",
"description": "Malware often relies on a communication channel with its operator in order to receive instructions and updates. This channel is known as a command and control (C&C or C2) channel. C&C channels can take various forms, such as internet relay chat (IRC), peer-to-peer protocols, and even social media. The use of C&C channels allows the operator to remotely control the malware and direct its actions.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://zeltser.com/bots-command-and-control-via-social-media/",
"creation_date": "2019-04-23T12:32:22Z",
"tags": "Command and control (C&C),\r\nCommunication channel,\r\nOperator,\r\nInternet relay chat (IRC),\r\nPeer-to-peer protocols,\r\nSocial media,",
"modification_date": "2023-10-04T10:42:48.003000Z",
"category": [
9
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 143,
"key": "peer-to-peer-c2",
"unprotect_id": "U0902",
"name": "Peer to peer C2",
"description": "Peer-to-peer (P2P) botnets are a type of botnet that uses a decentralized network structure, without a central command and control (C&C) server. Each infected machine in a P2P botnet maintains a list of other trusted computers (including other infected machines), as well as information drop locations and locations where the malware can be updated. Some P2P botnets also use encryption to conceal their communications.\r\n\r\nThe decentralized nature of P2P botnets makes it harder for security researchers to track and disrupt their activities. Without a central C&C server, it is more difficult for investigators to take down the entire network by targeting a single infected machine. Additionally, the use of encryption can hinder analysis of the botnet's communications. However, this decentralized structure also makes it more difficult for the operator to control the botnet and issue commands to the infected machines.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.malwaretech.com/2013/12/peer-to-peer-botnets-for-beginners.html",
"creation_date": "2019-04-23T12:31:10Z",
"tags": "Peer-to-peer (P2P) botnets,\r\nDecentralized network,\r\nCommand and control (C&C),\r\nCentralized structure,\r\nBotnet operator,",
"modification_date": "2023-10-04T10:43:29.377000Z",
"category": [
9
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 142,
"key": "tor-network-c2",
"unprotect_id": "U0903",
"name": "Tor Network C2",
"description": "Tor is a free and open-source network that enables anonymous communication. It uses a network of volunteer-operated servers, known as \"relays,\" to route internet traffic in a way that conceals the user's location and usage from surveillance and traffic analysis. By routing traffic through multiple relays, Tor makes it difficult to trace internet activity back to the user.\r\n\r\nMalware can use the Tor network to communicate with a command and control (C&C) server in a way that is harder to detect. Ransomware often uses Tor to host the payment page and even data leak pages. By using the anonymity provided by Tor, the attackers can make it more difficult for authorities to track them down and shut down their operations.",
"windows": "",
"linux": "",
"macos": "",
"resources": "",
"creation_date": "2019-04-23T12:25:04Z",
"tags": "Tor,\r\nAnonymous communication,\r\nInternet traffic,\r\nVolunteer overlay network,\r\nCommand and control (C&C),",
"modification_date": "2023-10-04T10:39:37.409000Z",
"category": [
9
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
}
]
}
