HTTP 200 OK
Allow: GET, POST, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept
{
"count": 375,
"next": "https://unprotect.it/api/techniques/?format=api&page=7",
"previous": "https://unprotect.it/api/techniques/?format=api&page=5",
"results": [
{
"id": 141,
"key": "dns-hijacking",
"unprotect_id": "U0904, E1643.m01",
"name": "DNS Hijacking",
"description": "DNS hijacking or DNS redirection is a technique used to subvert the normal domain name resolution process. It involves redirecting DNS queries to a rogue DNS server controlled by an attacker, or modifying the behavior of a trusted DNS server so that it does not comply with internet standards. This can be done for various purposes, such as phishing attacks, censorship, or for the self-serving purposes of internet service providers (ISPs) and DNS service providers.\r\n\r\nDNS hijacking can be carried out by malware that modifies a computer's TCP/IP configuration to point to a rogue DNS server. This allows the attacker to redirect the user's internet traffic to malicious websites or to block access to certain websites. It can also be used by ISPs and DNS service providers to redirect users to their own web servers for advertising or other purposes.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://en.wikipedia.org/wiki/DNS_hijacking",
"creation_date": "2019-04-23T12:20:47Z",
"tags": "DNS hijacking,\r\nDNS redirection,\r\nDomain name system (DNS),\r\nRogue DNS server,\r\nTrusted DNS server,",
"modification_date": "2023-10-04T10:44:26.656000Z",
"category": [
9
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 140,
"key": "dns-tunneling",
"unprotect_id": "U0905, T1048.003",
"name": "DNS Tunneling",
"description": "DNS tunneling is a technique that uses the Domain Name System (DNS) protocol to transfer data in an encrypted and covert manner. It involves encoding the data of other programs or protocols in DNS queries and responses, and using DNS servers as a means of communication.\r\n\r\nTo carry out DNS tunneling, the attacker typically needs access to a compromised system with external network connectivity and an internal DNS server with network access. The attacker also needs to control a domain and a server that can act as an authoritative DNS server in order to execute the server-side tunneling and data payload programs.\r\n\r\nDNS tunneling can be used for various purposes, such as to control remote servers and applications, transfer data, or bypass firewall restrictions. It can be difficult to detect, as the DNS protocol is commonly used for legitimate purposes and is typically not heavily scrutinized by security systems.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://securelist.com/use-of-dns-tunneling-for-cc-communications/78203/\nhttps://attack.mitre.org/techniques/T1048/003/",
"creation_date": "2019-04-23T12:18:13Z",
"tags": "DNS tunneling,\r\nDomain Name System (DNS),\r\nData transfer,\r\nEncrypted,\r\nCovert,\r\nExternal network connectivity,\r\nAuthoritative DNS server,\r\nServer-side tunneling,",
"modification_date": "2023-10-04T10:45:00.526000Z",
"category": [
9,
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 138,
"key": "domain-generation-algorithm",
"unprotect_id": "U0906, B0031",
"name": "Domain Generation Algorithm",
"description": "Domain generation algorithms (DGAs) are algorithms used by malware to generate a large number of domain names that can be used as communication channels with their command and control servers. These domain names are generated periodically, typically using a pseudorandom number generator.\r\n\r\nThe use of DGAs makes it difficult for law enforcement and other security actors to shut down botnets, as infected computers will attempt to contact some of these domain names every day to receive updates or commands. The use of public-key cryptography in the malware code also makes it difficult to mimic commands from the malware controllers.\r\n\r\nDGAs are commonly used by malware families such as Zeus, Andromeda, and Necurs to establish communication channels that are hard to detect and disrupt. This allows the malware to receive instructions from the attackers and carry out various malicious activities, such as stealing sensitive information, spreading to other devices, or launching attacks on other systems.",
"windows": "",
"linux": "",
"macos": "",
"resources": "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf",
"creation_date": "2019-04-23T12:02:11Z",
"tags": "Domain generation algorithms (DGAs),\r\nDomain names,\r\nCommand and control servers,\r\nRendez-vous points,\r\nBotnets,\r\nZeus,\r\nAndromeda,\r\nNecurs,\r\nCommunication channels,",
"modification_date": "2023-10-04T10:44:26.439000Z",
"category": [
9
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 137,
"key": "fast-flux",
"unprotect_id": "U0907",
"name": "Fast Flux",
"description": "Fast flux is a technique used by botnets to conceal the location of their phishing and malware delivery sites by using a constantly changing network of compromised hosts as proxies. This makes it difficult for law enforcement and other security actors to track down and shut down the sites, as the IP addresses of the sites are constantly changing.\r\n\r\nFast flux is often used in combination with other techniques, such as peer-to-peer networking, distributed command and control, web-based load balancing, and proxy redirection, to make the botnet more resilient to detection and countermeasures. By using these techniques together, the botnet can maintain a high level of operational security and evade detection by security systems.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://unit42.paloaltonetworks.com/fast-flux-101/",
"creation_date": "2019-04-23T11:54:27Z",
"tags": "Fast flux,\r\nDNS technique,\r\nBotnets,\r\nPhishing,\r\nMalware delivery sites,\r\nCompromised hosts,\r\nProxies,\r\nPeer-to-peer networking,",
"modification_date": "2023-10-04T10:44:37.725000Z",
"category": [
9
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 136,
"key": "ntfs-files-attributes",
"unprotect_id": "U0501",
"name": "NTFS Files Attributes",
"description": "Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. Within MFT entries are file attributes, such as Extended Attributes and Data known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files. \r\n\r\nAdversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://blogs.technet.microsoft.com/askcore/2010/08/25/ntfs-file-attributes/",
"creation_date": "2019-03-23T18:30:15Z",
"tags": "ntfs",
"modification_date": "2023-10-04T10:42:32.579000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [
425
],
"contributors": []
},
{
"id": 135,
"key": "hiding-mechanisms",
"unprotect_id": "U1003",
"name": "Hiding Mechanisms",
"description": "Malware often uses various techniques to hide its presence on a system and avoid detection. One common method is to modify or create entries in the system registry, which is a database of configuration settings for the operating system and installed applications. By modifying these settings, malware can hide itself from security software or other programs that might detect its presence.\r\n\r\nAnother technique is to modify or create critical system files, such as system DLLs or driver files. This can allow the malware to gain access to system resources and remain hidden from security software. Similarly, malware can hide itself in temporary folders or other locations on the system that are not routinely scanned for malicious activity. By using these and other techniques, malware can avoid detection and continue to operate on a compromised system.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.cimcor.com/blog/5-places-ransomware-and-malware-can-hide-that-you-may-never-check",
"creation_date": "2019-03-23T18:28:07Z",
"tags": "hide presence,\r\nsystem registry,\r\ncritical system files,\r\ntemporary folders,\r\noperating system,\r\ninstalled applications,",
"modification_date": "2023-10-04T10:42:30.466000Z",
"category": [
14
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 134,
"key": "wiping-or-encrypting",
"unprotect_id": "U0301",
"name": "Wiping or Encrypting",
"description": "Anti-forensic techniques are methods used by malware to prevent security professionals from detecting and analyzing it. One way that malware can accomplish this is by using wiping or encryption techniques to remove its own trace from the system. \r\n\r\n In some cases, malware may use wiping or encryption as a decoy, in order to distract security professionals and hide its true purpose. In other cases, it may use these techniques as part of a sabotage operation, in order to destroy data or cause other damage to the system. \r\n\r\nOverall, wiping and encryption techniques are just one of the many anti-forensic techniques that malware can use to evade detection and cause harm to computer systems.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://securingtomorrow.mcafee.com/business/pseudo-ransomware-killdisk-creates-smoke-screen-cybercriminals/",
"creation_date": "2019-03-23T18:25:05Z",
"tags": "Wiping,\r\nEncryption,\r\nAnti-forensic,\r\nSabotage,\r\nEvade detection,",
"modification_date": "2023-10-04T10:44:54.107000Z",
"category": [
8
],
"rules": [
21,
42
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 133,
"key": "indicator-removal-clear-windows-event-logs",
"unprotect_id": "T1070.001,U0302",
"name": "Indicator Removal: Clear Windows Event Logs",
"description": "Event logging is a process that records important software and hardware events from various sources and stores them in a centralized location called an event log. This service is commonly used by applications and operating systems to track and troubleshoot issues, and can be a valuable tool for forensic investigations.\r\n\r\nEvent logs can provide valuable information about the actions taken by an attacker during a security breach, including the time and date of the attack, the source of the attack, and any changes made to the system. However, attackers may attempt to delete or clear event logs to conceal their actions and evade detection.\r\n\r\nForensic investigators can look for signs of event log tampering by checking for the presence of event clear ID 1102, which indicates that the audit log has been cleared. This can be an indication that an attacker has attempted to cover their tracks.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://0x00sec.org/t/anti-forensic-and-file-less-malware/10008#221-disabling-event-logging\nhttps://attack.mitre.org/techniques/T1070/001/\nhttps://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1102",
"creation_date": "2019-03-23T18:23:34Z",
"tags": "Defense Evasion\r\nevent, \r\nlog,\r\nwevtutil cl system,\r\nwevtutil cl application,\r\nwevtutil cl security,\r\nwipe logs,\r\nAPT28,\r\nAPT32,\r\nAPT38,\r\nAPT41,",
"modification_date": "2023-10-04T10:44:13.015000Z",
"category": [
8,
10
],
"rules": [
11,
12
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 131,
"key": "kill-process",
"unprotect_id": "U0403",
"name": "Kill Process",
"description": "Malware often employs techniques to evade detection and hinder the efforts of security experts in analyzing its behavior. One notable method involves terminating processes associated with anti-virus software or monitoring tools.\r\n\r\nFor example, malware may specifically target processes like wireshark.exe, ida.exe, or procmon.exe, which are frequently used by analysts to observe and scrutinize running processes on a system. By terminating these processes, malware effectively obstruct security experts from acquiring insight into its operations and impedes their ability to analyze its inner workings.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.bleepingcomputer.com/news/security/coinminer-comes-with-a-process-kill-list-to-keep-competitors-at-bay/",
"creation_date": "2019-03-23T18:09:35Z",
"tags": "Wireshark.exe,\r\nKill process,\r\nIda.exe,\r\nProcmon.exe,\r\nDisrupt,\r\nmonitoring",
"modification_date": "2023-10-04T10:43:58.020000Z",
"category": [
6
],
"rules": [
35,
36,
46
],
"attachments": [],
"featured_api": [
24,
26,
27,
28,
425
],
"contributors": []
},
{
"id": 130,
"key": "opaque-predicate",
"unprotect_id": "U0201,B0032.019",
"name": "Opaque Predicate",
"description": "Opaque predicate is a term used in programming to refer to decision making where there is only one possible outcome. This can be achieved through the use of complex or hard-to-understand logic, such as calculating a value that will always return True. \r\n\r\nOpaque predicates are often used as anti-disassembling techniques, as they can make it difficult for an analyst to understand the code and determine its intent. By using opaque predicates, malware authors can make their code more difficult to reverse engineer, which can help to evade detection and analysis.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.carbonblack.com/2019/02/25/defeating-compiler-level-obfuscations-used-in-apt10-malware/",
"creation_date": "2019-03-23T18:03:47Z",
"tags": "Complex logic, Hard-to-understand code, Single-path decision making, Always-true conditions, Anti-disassembling, Reverse engineering evasion, Malware detection evasion",
"modification_date": "2023-10-04T10:44:19.865000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 129,
"key": "code-transposition",
"unprotect_id": "U0202",
"name": "Code Transposition",
"description": "Code transposition is a technique used by malware authors to evade detection and analysis by rearranging the instructions of a piece of code without changing its behavior. This technique is used to make the code more difficult to read and understand for disassemblers and reverse engineers, as well as to hide the true intent of the code.\r\n\r\nThere are two main methods of implementing code transposition. The first method involves the use of a random number generator to randomly rearrange the instructions of the code. This makes it difficult for analysts to determine the original order of the instructions, and can make the code difficult to follow and understand.\r\n\r\nThe second method of code transposition involves the use of a mathematical function to rearrange the instructions in a predictable and consistent manner. This allows the code to be easily transposed back to its original form if necessary, but still makes it difficult for analysts to follow and understand the code.\r\n\r\nOverall, code transposition is a technique used by malware authors to make their code more difficult to analyze and understand, and to evade detection by security tools and analysts.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://sensorstechforum.com/advanced-obfuscation-techniques-malware/",
"creation_date": "2019-03-23T18:01:30Z",
"tags": "Instruction reordering, Anti-disassembling, Obfuscation, Code rearrangement, Random number generator, Mathematical function, Code complexity",
"modification_date": "2023-10-04T10:44:38.164000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 128,
"key": "register-reassignment",
"unprotect_id": "U0203",
"name": "Register Reassignment",
"description": "Register reassignment is a technique used in code obfuscation and anti-disassembling to make reverse engineering and analysis more difficult. It involves modifying the instructions in a program to use different registers in different versions or instances of the program. This can make it more difficult for a reverse engineer or disassembler to understand the program's behavior, as the register assignments may not be immediately apparent or may change over time.\r\n\r\nThis technique is often used in malware to evade detection and analysis by security tools, as it can make the code more complex and less predictable. By switching registers in different versions of the code, the malware can evade signature-based detection techniques and make it more difficult for analysts to understand and analyze the code.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://sensorstechforum.com/advanced-obfuscation-techniques-malware/",
"creation_date": "2019-03-23T18:00:09Z",
"tags": "Code obfuscation, Register modification, Code complexity, Signature evasion",
"modification_date": "2023-10-04T10:42:32.974000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 127,
"key": "inserting-garbage-bytes",
"unprotect_id": "U0204, B0032.007",
"name": "Inserting Garbage Bytes",
"description": "Garbage bytes are random or meaningless data that is inserted into a program's code in order to make reverse engineering and analysis more difficult. This is an anti-disassembling technique, as the insertion of these random bytes can cause disassemblers to misinterpret the code and produce incorrect disassembly results.\r\n\r\nThe insertion of garbage bytes is usually used in conjunction with other techniques, such as code transposition or register reassignment. This can make the code even harder to analyze and understand, as the disassembler will not only have to deal with the incorrect disassembly caused by the garbage bytes, but also with the other obfuscation techniques that are being used.\r\n\r\nThe goal of this technique is to make it more difficult for a reverse engineer or disassembler to understand the code's behavior and intentions. By inserting random or meaningless data into the code, the disassembler will be unable to accurately reconstruct the original program, making it harder to analyze and understand.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.enisa.europa.eu/topics/trainings-for-cybersecurity-specialists/online-training-material/documents/static-analysis-of-artefacts-toolset.pdf",
"creation_date": "2019-03-23T17:52:32Z",
"tags": "Random data, Meaningless data,\r\nCode obfuscation,\r\nCode transposition,\r\nRegister reassignment,\r\nCode confusion,\r\nObfuscated code,",
"modification_date": "2023-10-04T10:42:53.166000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 126,
"key": "call-trick",
"unprotect_id": "U0205",
"name": "Call Trick",
"description": "The call trick is an anti-disassembling technique that involves modifying the default function's return address. This can be used in conjunction with other techniques, such as the insertion of garbage bytes, to break disassemblers. Disassemblers that use recursive traversal or linear sweep may be particularly vulnerable to this trick, as they may be unable to accurately interpret the next instruction after the call, making them susceptible to other anti-disassembly techniques.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://media.blackhat.com/bh-us-12/Briefings/Branco/BH_US_12_Branco_Scientific_Academic_WP.pdf",
"creation_date": "2019-03-23T17:49:41Z",
"tags": "Call trick, Return address modification, Anti-disassembling, Garbage bytes, Disassembler evasion, Function call interception,\r\nRecursive traversal disassembly,\r\nLinear sweep disassembly,",
"modification_date": "2023-10-04T10:44:42.438000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 125,
"key": "nop-sled",
"unprotect_id": "U0206",
"name": "NOP Sled",
"description": "In computer security, a NOP slide is a sequence of NOP (no-operation) instructions that is inserted at the beginning of a code section. When a program branches to the start of this code section, it will \"slide\" through the NOP instructions until it reaches the desired, final destination. This technique is commonly used in software exploits to direct program execution when the target of a branch instruction is not known precisely.\r\n\r\nFor example, suppose an attacker has found a buffer overflow vulnerability in a program and wants to exploit it to execute arbitrary code. They might insert a NOP slide at the start of the buffer, followed by the code they want to execute. When the program overflows the buffer and branches to the start of the buffer, it will slide through the NOP instructions until it reaches the attacker's code, which will then be executed.\r\n\r\nThe NOP slide technique can be used in conjunction with shellcode to create more effective exploits. Shellcode is a small piece of code that is used as the payload in a software exploit. It typically contains the instructions needed to perform a specific action, such as spawning a shell, creating a network connection, or injecting code into another process.\r\n\r\nTo use a NOP slide with shellcode, the attacker would first insert a NOP sequence at the start of the code section they are targeting. They would then insert their shellcode after the NOP sequence, so that it is located at the final, desired destination. When the program branches to the start of the code section, it will slide through the NOP instructions until it reaches the shellcode, which will then be executed.\r\n\r\nUsing a NOP slide with shellcode can help to make exploits more reliable, as it provides a \"buffer\" of NOP instructions that can help to align the program's execution flow with the shellcode. This can help to prevent the exploit from failing due to small variations in the branch target address. It can also make it more difficult for defenses to detect and block the exploit, as the NOP instructions can help to obscure the shellcode.\r\n\r\nNOP slides are a simple but effective technique for directing program execution in situations where the exact branch target is not known. They can also be used in conjunction with other exploit techniques, such as return-oriented programming, to create more complex and powerful exploits.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://silviocesare.wordpress.com/2009/05/13/removing-semantic-nops-from-malware/",
"creation_date": "2019-03-23T17:46:42Z",
"tags": "NOP sled,\r\nNOP ramp,\r\nNOP padding,\r\nNOP sequence,\r\nNOP-based execution,\r\nInstruction padding,\r\nCode slide,\r\nBuffer overflow,\r\nReturn-oriented programming,\r\nExploit mitigation,\r\nShellcode execution,",
"modification_date": "2023-10-04T10:42:28.303000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [
3
],
"contributors": []
},
{
"id": 124,
"key": "inline-hooking",
"unprotect_id": "U1211, F0015.002",
"name": "Inline Hooking",
"description": "Inline hooking is a technique used to intercept calls to target functions. It is commonly used by antiviruses, sandboxes, and malware to perform a variety of tasks, such as checking parameters, shimming, logging, spoofing returned data, and filtering calls.\r\n\r\nThe process of inline hooking involves directly modifying the code within the target function, usually by overwriting the first few bytes with a jump instruction to redirect execution to a different function. This allows processing to be performed before or after the target function executes. Rootkits often use hooks to modify data returned from system calls to hide their presence, while security software uses them to prevent or monitor potentially malicious operations.\r\n\r\nThe hooks are placed by directly modifying code within the target function (inline modification), usually by overwriting the first few bytes with a jump; this allows execution to be redirected before the function does any processing. Most hooking engines use a 32-bit relative jump (opcode 0xE9), which takes up five bytes of space.\r\n\r\nHere is a general outline of the process of implementing an inline hook:\r\n\r\n1. Determine the address of the target function and the code that needs to be replaced.\r\n\r\n2. Create a trampoline function that will be used to execute the original code from the target function after the hook has been applied.\r\n\r\n3. Calculate the relative address of the trampoline function and store it in a jump instruction.\r\n\r\n4. Overwrite the first few bytes of the target function with the jump instruction.\r\n\r\n5. Modify the hook function to transfer control back to the trampoline function after performing the desired processing.",
"windows": "",
"linux": "",
"macos": "",
"resources": "http://www.binaryguard.com/bgc/malware/sandbox/2015/11/09/dissecting_inline_hooks.html",
"creation_date": "2019-03-23T17:39:46Z",
"tags": "Inline hooking,\r\nIntercept calls,\r\nTarget functions,\r\nCheck parameters,\r\nShim,\r\nLog,\r\nSpoof returned data,\r\nFilter calls,\r\nRootkits,",
"modification_date": "2023-10-04T10:44:59.702000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
425
],
"contributors": []
},
{
"id": 123,
"key": "lolbins",
"unprotect_id": "U1004",
"name": "LOLbins",
"description": "A lolbin (short for \"Living Off the Land Binaries\") is a legitimate Windows utility that can be used by adversaries to execute arbitrary commands. Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, the Program Compatibility Assistant (pcalua.exe) and components of the Windows Subsystem for Linux (WSL) are examples of lolbins that can be used for this purpose.\r\n\r\nAdversaries may abuse these utilities for Defense Evasion, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of cmd.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599\nhttps://lolbas-project.github.io/",
"creation_date": "2019-03-23T17:37:57Z",
"tags": "lolbin,\r\nWindows utilities,\r\nexecute commands,\r\nProgram Compatibility Assistant (pcalua.exe),\r\nWindows Subsystem for Linux (WSL),\r\nCommand-Line Interface,",
"modification_date": "2023-10-04T10:44:58.518000Z",
"category": [
14
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 122,
"key": "com-hijacking",
"unprotect_id": "U1212",
"name": "COM Hijacking",
"description": "COM hijacking is a technique used by adversaries to insert malicious code into the Windows operating system through the Microsoft Component Object Model (COM). \r\n\r\nCOM is a system that allows software components to interact with each other, and adversaries can abuse this system to execute their own code in place of legitimate software. To achieve this, they alter references and relationships in the COM system by modifying the Windows Registry. Specifically, they replace a reference to a legitimate system component with a reference to their own malicious code. \r\n\r\nWhen the legitimate component is executed through normal system operation, the adversary's code is executed instead. This can provide a means for the adversary to achieve persistence, as they can choose to hijack objects that are used frequently enough to maintain a consistent level of persistence. However, they must be careful not to break noticeable functionality within the system, as this could cause system instability and potentially lead to detection.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.endgame.com/blog/technical-blog/how-hunt-detecting-persistence-evasion-com",
"creation_date": "2019-03-23T17:34:46Z",
"tags": "Microsoft Component Object Model (COM),\r\nsoftware components,\r\ninteraction,\r\nWindows operating system,\r\npersistence,",
"modification_date": "2023-10-04T10:43:57.166000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 121,
"key": "ctrlinject",
"unprotect_id": "U1213",
"name": "Ctrl+Inject",
"description": "The \"Control Signal Handler Callback\" technique involves injecting malicious code into a process by using a callback function for control signal handlers. When a control signal, such as Ctrl+C, is received by a process, the system creates a new thread to execute a function to handle the signal. This thread is typically created by the legitimate process \"csrss.exe\" in the system, making it more difficult to detect the injected code.\r\n\r\nTo successfully implement this technique, it is necessary to bypass certain Windows protections such as Pointer Encoding and Control Flow Guard. Pointer encoding is used to protect against pointer corruption, and the technique involves reproducing the encoding to appear legitimate. Control Flow Guard is a security mechanism that prevents memory corruption, such as buffer overflow, and the technique uses the API `SetProcessValidCallTargets` to validate the call target. By triggering a control signal, the injected code is executed.\r\n\r\nHere is a general outline of the process of injecting code using control signal handlers and callback functions:\r\n\r\n1. Determine the address of the callback function for control signals in the target process.\r\n\r\n2. Create a trampoline function that will be used to execute the original code from the callback function after the injection has been applied.\r\n\r\n3. Calculate the relative address of the trampoline function and store it in a jump instruction.\r\n\r\n4. Overwrite the callback function with the jump instruction and the address of the injected code.\r\n\r\n5. Modify the injected code to transfer control back to the trampoline function after executing the desired processing.\r\n\r\n6. Trigger a control signal, such as Ctrl+C, in the target process to execute the injected code.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://blog.ensilo.com/ctrl-inject",
"creation_date": "2019-03-23T17:34:01Z",
"tags": "callback function, control signal, process, system, thread, csrss.exe, detection, injection, code, console process, pointer encoding, Control Flow Guard, memory corruption, buffer overflow, SetProcessValidCallTargets",
"modification_date": "2023-10-04T10:43:59.300000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 120,
"key": "propagate",
"unprotect_id": "U1214",
"name": "Propagate",
"description": "This technique involves modifying the internal properties of a window in order to intercept and modify or monitor the behavior of the window when it receives messages. To do this, an application creates a buffer containing shellcode and injects it into the target process. \r\n\r\nThen, it modifies the internal structure used by the specific properties, such as UxSubclassInfo and CC32SubclassInfo, to point to the payload. \r\n\r\nFinally, the application modifies the property of the window. When a message is sent to the window, the shellcode is executed. This technique is known as Window Subclassing and is often used by adversaries to achieve persistence or execute malicious code.",
"windows": "",
"linux": "",
"macos": "",
"resources": "http://www.hexacorn.com/blog/2017/10/26/propagate-a-new-code-injection-trick/",
"creation_date": "2019-03-23T17:32:45Z",
"tags": "Window Subclassing, Windows functionality, internal structure, UxSubclassInfo, CC32SubclassInfo, shellcode, target process, payload, message, injection",
"modification_date": "2023-10-04T10:42:30.209000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 119,
"key": "process-doppelganging",
"unprotect_id": "U1215",
"name": "Process Doppelgänging",
"description": "This technique leverages the `Transactional NTFS` functionality in Windows. This functionality helps maintain data integrity during an unexpected error. For example, when an application needs to write or modify a file, if an error is triggered mid-write, the data can be corrupted. To avoid this kind of behavior, an application can open the file in a transactional mode to perform the modification, then commit the modification, avoiding any corruption. The modification either completes successfully or does not begin.\r\n\r\nProcess Doppelgänging abuses this functionality to overwrite a legitimate file with a malicious file, resulting in a process injection. The malicious file will be created inside a transaction then committed to the legitimate file, then executed.\r\n\r\nHere are the detailed steps to reproduce the Process Doppelgänging technique:\r\n\r\n1. Create a new transaction object using `NtCreateTransaction` and store the handle in `hTransaction`.\r\n\r\n2. Open the target file for the transaction using `CreateFileTransacted` and store the handle in `hTransactedFile`.\r\n\r\n3. Open the payload file using `CreateFile` and store the handle in hFile.\r\n\r\n4. Query the size of the payload file using `GetFileSizeEx` and store the result in `fsz`.\r\n\r\n5. Allocate a buffer for the payload file using `NtAllocateVirtualMemory` and store the pointer in Buffer.\r\n\r\n6. Read the payload file into the buffer using `ReadFile`.\r\n\r\n7. Close the handle to the payload file.\r\n\r\n8. Set the size of the target file using `SetFileInformationByHandle` and the `FileEndOfFileInfo` structure.\r\n\r\n9. Map the target file into memory using `NtMapViewOfSection` and store the result in `MemoryPtr`.\r\n\r\n10. Copy the payload file from the buffer into the mapped memory using `RtlCopyMemory`.\r\n\r\n11. Unmap the target file from memory using `NtUnmapViewOfSection`.\r\n\r\n12. Commit the transaction using `NtCommitTransaction`.\r\n\r\n13. Create a new process using `NtCreateUserProcess` and store the handle in `hProcess`.\r\n\r\n14. Allocate memory for the process parameters using `NtAllocateVirtualMemory` and store the result in `ProcessParameters`.\r\n\r\n15. Set the process parameters using `RtlCreateProcessParametersEx`.\r\n\r\n16. Create the process using `NtCreateSection` and `NtMapViewOfSection`.\r\n\r\n17. Start the process using `NtCreateThreadEx` and store the handle in `hThread`.\r\n\r\n18. Wait for the process to finish execution using `WaitForSingleObject`.\r\n\r\n19. Close the handle to the process and thread.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf",
"creation_date": "2019-03-23T17:31:06Z",
"tags": "Transactional NTFS, Windows, data integrity, write, modify file, unexpected error, transactional mode, commit, process injection, malicious file, legitimate file,",
"modification_date": "2023-10-04T10:45:01.173000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
13
],
"contributors": []
},
{
"id": 118,
"key": "pe-injection",
"unprotect_id": "U1216, E1055.002",
"name": "PE Injection",
"description": "Instead of passing the address of the LoadLibrary, malware can copy its malicious code into an existing open process and force it to execute (either via a small shellcode, or by calling `CreateRemoteThread`).\r\n\r\nOne advantage of PE injection over the `LoadLibrary` technique is that the malware does not have to drop a malicious DLL on the disk. The malware allocates memory in a host process (e.g. `VirtualAllocEx`), and instead of writing a “DLL path” it writes its malicious code by calling `WriteProcessMemory`. However, the obstacle with this approach is the change of the base address of the copied image.\r\n\r\nWhen a malware injects its PE into another process it will have a new base address which is unpredictable, requiring it to dynamically recompute the fixed addresses of its PE. To overcome this, the malware needs to find its relocation table address in the host process and resolve the absolute addresses of the copied image by looping through its relocation descriptors.",
"windows": "",
"linux": "",
"macos": "",
"resources": "http://blog.sevagas.com/?PE-injection-explained",
"creation_date": "2019-03-23T17:30:20Z",
"tags": "",
"modification_date": "2023-10-04T10:42:59.673000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
1,
3,
4,
6,
24
],
"contributors": []
},
{
"id": 117,
"key": "iat-hooking",
"unprotect_id": "U1217, F0015.003",
"name": "IAT Hooking",
"description": "IAT hooking is a way to run malicious code by modifying the Import Address Table of a specific executable. Consisting of replacing one legitimate function from imported DLL by a malicious one. \r\n\r\nIAT hooking and inline hooking are generally known as userland rootkits. IAT hooking is a technique that malware uses to change the import address table. When a legitimate application calls an API located in a DLL, the replaced function is executed instead of the original one. In contrast, with inline hooking, malware modifies the API function itself.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://0x00sec.org/t/user-mode-rootkits-iat-and-inline-hooking/1108",
"creation_date": "2019-03-23T17:28:15Z",
"tags": "iat",
"modification_date": "2023-10-04T10:42:26.592000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 116,
"key": "injection-using-shims",
"unprotect_id": "U1218, E1055.m03",
"name": "Injection using Shims",
"description": "Microsoft provides Shims to developers mainly for backward compatibility. Shims allow developers to apply fixes to their programs without the need of rewriting code. By leveraging shims, developers can tell the operating system how to handle their application. Shims are essentially a way of hooking into APIs and targeting specific executables. Malware can take advantage of shims to target an executable for both persistence and injection. Windows runs the Shim Engine when it loads a binary to check for shimming databases in order to apply the appropriate fixes.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/\nhttps://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf",
"creation_date": "2019-03-23T17:27:38Z",
"tags": "shims",
"modification_date": "2023-10-04T10:44:28.934000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
425
],
"contributors": []
},
{
"id": 115,
"key": "extra-window-memory-injection",
"unprotect_id": "U1219, E1055.011",
"name": "Extra Window Memory Injection",
"description": "Before creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data). \r\n\r\nRegistration of new windows classes can include a request for up to 40 bytes of Extra Window Memory (EWM) to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value.\r\n\r\nAdversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.crowdstrike.com/blog/through-window-creative-code-invocation/\nhttps://modexp.wordpress.com/2018/08/26/process-injection-ctray/",
"creation_date": "2019-03-23T17:26:37Z",
"tags": "EWMI, Code Injection",
"modification_date": "2023-10-04T10:43:53.882000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
3,
4,
6,
24,
357,
425
],
"contributors": []
},
{
"id": 114,
"key": "atom-bombing",
"unprotect_id": "U1220",
"name": "Atom Bombing",
"description": "Atom Bombing is a technique that utilizes Windows Atom Tables, which provide a global storage mechanism for strings, to inject malicious code into a target process. \r\n\r\nThe technique involves storing a shellcode in an Atom Table, then using the `NtQueueApcThread` function to force the targeted process to access the specific Atom, causing the injection to occur. To bypass Data Execution Prevention (DEP), the technique also employs Return Oriented Programming (ROP) chains. \r\n\r\nAtom Bombing is a form of process injection that abuses legitimate Windows functions to store and execute malicious code in a target process.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://blog.ensilo.com/atombombing-brand-new-code-injection-for-windows",
"creation_date": "2019-03-23T17:22:37Z",
"tags": "Atom Bombing, Process injection, Windows functions, Atom Tables, Globally accessible string storage, shellcode, NtQueueApcThread, targeted process, Return Oriented Programming (ROP), Data Execution Prevention (DEP), injection, malicious code, Windows Atom Tables, global storage mechanism,",
"modification_date": "2023-10-04T10:42:35.764000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
6,
18,
21,
22,
24,
26,
27,
28,
29,
30,
357,
365,
412,
425
],
"contributors": []
},
{
"id": 113,
"key": "apc-injection",
"unprotect_id": "U1221, E1055.004",
"name": "APC injection",
"description": "Malware can take advantage of Asynchronous Procedure Calls (APC) to force another thread to execute their custom code by attaching it to the APC Queue of the target thread.\r\n\r\nEach thread has a queue of APCs which are waiting for execution upon the target thread entering alterable state.\r\n\r\nA thread enters an alert table state if it calls `SleepEx`, `SignalObjectAndWait`, `MsgWaitForMultipleObjectsEx`, `WaitForMultipleObjectsEx`, or `WaitForSingleObjectEx` functions. The malware usually looks for any thread that is in an alterable state, and then calls `OpenThread` and `QueueUserAPC` to queue an APC to a thread.",
"windows": "",
"linux": "",
"macos": "",
"resources": "",
"creation_date": "2019-03-23T17:21:25Z",
"tags": "Asynchronous Procedure Calls (APC), custom code, APC Queue, target thread, alterable state, SleepEx, SignalObjectAndWait, MsgWaitForMultipleObjectsEx, WaitForMultipleObjectsEx, WaitForSingleObjectEx, OpenThread, QueueUserAPC, Malware, thread, execution",
"modification_date": "2023-10-04T10:39:04.584000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
3,
4,
6,
11,
12,
13,
14,
15,
17,
18,
19,
21,
22,
24,
26,
27,
28,
29,
30
],
"contributors": []
},
{
"id": 112,
"key": "image-file-execution-options-injection",
"unprotect_id": "U1222",
"name": "Image File Execution Options Injection",
"description": "Image File Execution Options Injection, also known as IFEO Injection, is a technique used by malware to evade detection and persist on a compromised system. \r\n\r\nThe technique involves modifying the Image File Execution Options (IFEO) registry key, which is used by the Windows operating system to set debugging options for executable files. When an executable file is launched, the operating system checks the corresponding IFEO registry key for any specified debugging options. If the key exists, the operating system launches the specified debugger instead of the executable file. \r\n\r\nAlong with IFEO, malware also uses other registry keys such as `Appinit_DLL` and `AppCertDlls` for both injection and persistence on the compromised system. These keys are used by the operating system to load DLLs at the start of a process and for code signing, respectively.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"creation_date": "2019-03-23T17:19:27Z",
"tags": "Image File Execution Options Injection, IFEO Injection, malware, evasion, detection, persistence, compromised system, registry keys, Windows operating system, debugging options, executable files, Appinit_DLL, AppCertDlls, injection, DLLs, code signing,de signing,",
"modification_date": "2023-10-04T10:44:02.397000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 111,
"key": "thread-execution-hijacking",
"unprotect_id": "U1223, E1055.003",
"name": "Thread Execution Hijacking",
"description": "Thread execution hijacking is a technique used by malware to evade detection by targeting an existing thread of a process and avoiding any noisy process or thread creation operations. This technique allows the malware to run its code within the context of the targeted thread, without creating new processes or threads, which can be easily detected by security software.\r\n\r\nDuring analysis, it is possible to observe calls to `CreateToolhelp32Snapshot` and `Thread32First` functions followed by `OpenThread`, which are used by the malware to enumerate and select the target thread.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"creation_date": "2019-03-23T17:16:57Z",
"tags": "thread execution hijacking, malware, evading detection, existing thread, process, avoiding noisy process, thread creations operations, analysis, CreateToolhelp32Snapshot, Thread32First,",
"modification_date": "2023-10-04T10:42:29.198000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
18,
28,
29,
30
],
"contributors": []
},
{
"id": 110,
"key": "reflective-dll-injection",
"unprotect_id": "U1224",
"name": "Reflective DLL injection",
"description": "Reflective DLL loading refers to loading a DLL from memory rather than from disk. Windows doesn’t have a `LoadLibrary` function that supports this, so to get the functionality you have to write your own, omitting some of the things Windows normally does, such as registering the DLL as a loaded module in the process, potentially bypassing DLL load monitoring.\r\n\r\nThe way the reflective injection works is described by the technique's original author Stephen Fewer:\r\n\r\n* Execution is passed, either via `CreateRemoteThread` or a tiny bootstrap shellcode, to the library's\r\n\r\n* ReflectiveLoader function which is an exported function found in the library's export table.\r\n\r\n- As the library's image will currently exists in an arbitrary location in memory the ReflectiveLoader will first calculate its own image's current location in memory so as to be able to parse its own headers for use later on.\r\n\r\n- The ReflectiveLoader will then parse the host processes kernel32.dll export table in order to calculate the addresses of three functions required by the loader, namely `LoadLibraryA`, `GetProcAddress` and `VirtualAlloc`.\r\n\r\n- The ReflectiveLoader will now allocate a continuous region of memory into which it will proceed to load its own image. The location is not important as the loader will correctly relocate the image later on.\r\n\r\n- The library's headers and sections are loaded into their new locations in memory.\r\n\r\n- The ReflectiveLoader will then process the newly loaded copy of its image's import table, loading any additional library's and resolving their respective imported function addresses.\r\n\r\n- The ReflectiveLoader will then process the newly loaded copy of its image's relocation table.\r\n\r\n- The ReflectiveLoader will then call its newly loaded image's entry point function, DllMain with `DLL_PROCESS_ATTACH`. The library has now been successfully loaded into memory.\r\n\r\n- Finally, the ReflectiveLoader will return execution to the initial bootstrap shellcode which called it, or if it was called via `CreateRemoteThread`, the thread will terminate.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://0x00sec.org/t/reflective-dll-injection/3080\nhttps://www.ired.team/offensive-security/code-injection-process-injection/reflective-dll-injection",
"creation_date": "2019-03-23T17:13:35Z",
"tags": "",
"modification_date": "2023-10-04T10:42:57.942000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
3,
357,
365,
425
],
"contributors": []
},
{
"id": 109,
"key": "suspendthread",
"unprotect_id": "U0101, C0055",
"name": "SuspendThread",
"description": "Suspending threads is a technique used by malware to disable user-mode debuggers and make it more difficult for security analysts to reverse engineer and analyze the code. This can be achieved by using the `SuspendThread` function from the kernel32.dll library or the `NtSuspendThread` function from the NTDLL.DLL library. \r\n\r\nThe malware can enumerate the threads of a given process, or search for a named window and open its owner thread, and then suspend that thread. This will prevent the debugger from running and make it more difficult to analyze the code. \r\n\r\nThis technique can be used by malware authors to evade detection and analysis, and make their code more difficult to understand.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://anti-reversing.com/Downloads/Anti-Reversing/The_Ultimate_Anti-Reversing_Reference.pdf\nhttps://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-suspendthread\nhttp://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FNT%20Objects%2FThread%2FNtSuspendThread.htmlhttps://secret.club/2021/01/04/thread-stuff.html",
"creation_date": "2019-03-23T17:09:11Z",
"tags": "SuspendThread,\r\nNtSuspendThread,\r\nDebugging,\r\nAnti-debugging,\r\nThread enumeration,\r\nProcess enumeration,",
"modification_date": "2023-10-04T10:44:18.329000Z",
"category": [
3
],
"rules": [
65
],
"attachments": [],
"featured_api": [
18,
26,
27,
28,
29,
30,
412
],
"contributors": []
},
{
"id": 108,
"key": "guard-pages",
"unprotect_id": "U0102, B0006.006",
"name": "Guard Pages",
"description": "Memory breakpoints are a technique used by malware to detect if a debugger is present. This technique involves setting up a \"guard page\" in memory, which is a page of memory that is protected by the operating system and cannot be accessed by normal code. If a debugger is present, the malware can use this guard page to detect its presence.\r\n\r\nThis technique works by putting a return address onto the stack, then accessing the guard page. If the operating system detects that the guard page has been accessed, it will raise a STATUS_GUARD_PAGE_VIOLATION exception. The malware can then check for this exception, and if it is present, it can assume that no debugging is taking place. This allows the malware to evade detection and continue to operate without being interrupted by a debugger.",
"windows": "",
"linux": "",
"macos": "",
"resources": "http://antukh.com/blog/2015/01/19/malware-techniques-cheat-sheet/",
"creation_date": "2019-03-23T17:05:57Z",
"tags": "Memory breakpoints,\r\nGuard pages,\r\nDebugger detection,\r\nSTATUS_GUARD_PAGE_VIOLATION,",
"modification_date": "2023-10-04T10:44:17.143000Z",
"category": [
3
],
"rules": [
68
],
"attachments": [],
"featured_api": [
3
],
"contributors": []
},
{
"id": 107,
"key": "ntsetdebugfilterstate",
"unprotect_id": "U0103",
"name": "NtSetDebugFilterState",
"description": "The `NtSetDebugFilterState` and `DbgSetDebugFilterState` functions are used by malware to detect the presence of a kernel mode debugger. These functions allow the malware to set up a debug filter, which is a mechanism that can be used to detect and respond to the presence of a debugger.\r\n\r\nWhen a kernel mode debugger is present, the debug filter will be triggered, and the malware can then take actions to evade detection and continue to operate. This technique is commonly used by malware to avoid analysis by security researchers and avoid being detected by security software. By using these functions, the malware can operate stealthily and evade detection, making it difficult for analysts to reverse engineer the malware and understand its capabilities and behaviors.",
"windows": "",
"linux": "",
"macos": "",
"resources": "",
"creation_date": "2019-03-23T17:00:59Z",
"tags": "NtSetDebugFilterState,\r\nDbgSetDebugFilterState,\r\nKernel mode debugger detection,\r\nDebug filter,",
"modification_date": "2022-12-06T09:47:13.926000Z",
"category": [
3
],
"rules": [
66
],
"attachments": [
"b913237e-4937-4062-9187-b752a00d818c"
],
"featured_api": [
425
],
"contributors": []
},
{
"id": 106,
"key": "code-cave",
"unprotect_id": "U0502",
"name": "Code Cave",
"description": "A code cave is a series of null bytes in a process's memory. The code cave inside a process's memory is often a reference to a section of the code’s script functions that have capacity for the injection of custom instructions. For example, if a script’s memory allows for 5 bytes and only 3 bytes are used, then the remaining 2 bytes can be used to add external code to the script.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://resources.infosecinstitute.com/injecting-spyware-exe-code-injections/",
"creation_date": "2019-03-23T16:53:39Z",
"tags": "",
"modification_date": "2023-10-04T10:42:32.184000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": [
4,
5
]
},
{
"id": 105,
"key": "stolen-certificate",
"unprotect_id": "U0503",
"name": "Stolen certificate",
"description": "To avoid detection, attackers can use stolen certificates from known companies. It allows the malware to bypass security solution.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/",
"creation_date": "2019-03-23T16:51:37Z",
"tags": "",
"modification_date": "2023-10-04T10:42:24.333000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 104,
"key": "redirect-antivirus-website",
"unprotect_id": "U0504",
"name": "Redirect Antivirus Website",
"description": "To avoid connection to anti malware website, malware can modify the host file to redirect the connexion.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://blog.malwarebytes.com/cybercrime/2016/09/hosts-file-hijacks/",
"creation_date": "2019-03-23T16:44:11Z",
"tags": "",
"modification_date": "2023-10-04T10:42:24.854000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 103,
"key": "time-bomb",
"unprotect_id": "U1005, B0007.008",
"name": "Time Bomb",
"description": "Some malware contains a built-in expiration date, after which the malware will no longer run or function. This can be used by attackers to limit the time during which the malware can be detected and analyzed by security researchers. In order to run and analyze the malware after its expiration date, security researchers must manually change the date on the machine where the malware is being analyzed. \r\n\r\nThis can be effective in defeating sandbox environments, which are typically used to isolate and analyze malware, if the sandbox's clock is not set to the current date. By using this technique, attackers can make it more difficult for researchers to analyze and understand their malware, potentially allowing it to evade detection.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://en.wikipedia.org/wiki/Time_bomb_(software)",
"creation_date": "2019-03-18T14:56:28Z",
"tags": "timebomb,\r\nchange date,\r\nsandbox environments,\r\nisolate malware,\r\nanalyze malware,\r\nclock,",
"modification_date": "2023-10-04T10:42:26.818000Z",
"category": [
1,
14
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 102,
"key": "shortcut-hiding",
"unprotect_id": "U0505",
"name": "Shortcut Hiding",
"description": "Windows shortcut can be used to store code that downloads a malicious file from the internet, or that stores the malicious file directly within the shortcut itself. This can make it difficult for antivirus software to detect the malicious application, as the file is not stored in a typical location on the computer. Additionally, the use of a shortcut can make it easier for the attacker to hide the malicious code and evade detection.",
"windows": "",
"linux": "",
"macos": "",
"resources": "",
"creation_date": "2019-03-18T14:56:11Z",
"tags": "Windows shortcut,\r\nAntivirus software,\r\nHide code,\r\nEvade detection,",
"modification_date": "2023-10-04T10:38:07.524000Z",
"category": [
2
],
"rules": [
130
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 101,
"key": "geofencing",
"unprotect_id": "U1006",
"name": "Geofencing",
"description": "Geofencing in malware refers to a technique used by cybercriminals to restrict the distribution or activation of malicious software based on geographical location. Malware authors use geofencing to target specific regions or avoid certain areas, such as their home country, in order to evade detection, minimize the chances of being investigated, or maximize the effectiveness of their attacks.\r\n\r\nGeofencing works by checking the IP address, GPS coordinates, or other location data of a potential victim's device. If the device is within the predetermined boundaries defined by the attacker, the malware may proceed with its intended actions, such as infecting the device, stealing data, or launching further attacks. Conversely, if the device is outside the defined boundaries, the malware may remain dormant or deactivate itself to avoid detection.\r\n\r\nMalware authors might use geofencing for various reasons, such as:\r\n\r\n\r\n1. **Targeting specific countries or regions:** Attackers may focus on certain areas due to economic, political, or strategic reasons, or to exploit known vulnerabilities in specific regions.\r\n\r\n2. **Avoiding detection by security researchers:** By restricting the distribution of malware to specific regions, attackers may make it more difficult for security researchers to obtain and analyze samples of the malicious software.\r\n\r\n3. **Evading law enforcement:** By not targeting their own country, cybercriminals can minimize the risk of drawing the attention of local law enforcement agencies.\r\n\r\n4. **Complying with criminal partnerships:** Some cybercriminal groups may have agreements not to target each other's territories, and geofencing allows them to abide by these agreements while still conducting their operations.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.vmray.com/cyber-security-blog/sandbox-evasion-techniques-part-4/",
"creation_date": "2019-03-18T14:54:34Z",
"tags": "geofencing, malware, cybercriminals, geographical location, IP address, GPS coordinates, location data, victim's device, predetermined boundaries, distribution, activation, malicious software, targeting, regions",
"modification_date": "2023-10-04T10:44:25.920000Z",
"category": [
14
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 100,
"key": "custom-encoding",
"unprotect_id": "U0702,E1027.m03",
"name": "Custom Encoding",
"description": "Malware often uses custom encoding schemes to conceal their payloads and avoid detection. These custom schemes can be full custom layers, or they can be variations of known algorithms such as XOR or Base64. Using custom encoding schemes allows malware to encode their payloads in a unique way that can be difficult for security tools and forensic investigators to detect. \r\n\r\nIn some cases, the custom encoding scheme may be a combination of different algorithms, such as using XOR to encrypt the payload and then using Base64 to encode the resulting ciphertext. This can make the encoded payload even more difficult to detect and analyze.\r\n\r\nTo safeguard payloads and communication channels, multiple data encoding operations (e.g., XOR, ADD, SUB, ROL, and ROR) can also be chained together with a randomly generated key. These operations are not only simple to execute and reverse but also demand minimal computing resources.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://securityintelligence.com/an-example-of-common-string-and-payload-obfuscation-techniques-in-malware/",
"creation_date": "2019-03-18T14:54:13Z",
"tags": "Custom encoding schemes,\r\nConceal,\r\nPayloads,\r\nFull custom layers,\r\nVariations,\r\nKnown algorithms,\r\nXOR,\r\nBase64,",
"modification_date": "2023-10-04T10:44:46.799000Z",
"category": [
7
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 99,
"key": "cryptography",
"unprotect_id": "U0703, E1027.m04",
"name": "Cryptography",
"description": "Cryptography is a technique often used by malware to protect against analysis or to perform malicious actions such as in ransomware attacks. In these cases, malware will use cryptography to encrypt their payloads or communication channels in order to make it difficult for security tools and forensic investigators to detect and analyze their activities. \r\n\r\nAdditionally, cryptography can be used by malware to make their payloads more difficult to reverse engineer, making it harder for researchers to understand their inner workings and develop effective countermeasures.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.blackhat.com/docs/sp-14/materials/arsenal/sp-14-Schmitt-A-Different-Kind-of-Crypto-Slides.pdf",
"creation_date": "2019-03-18T14:53:51Z",
"tags": "Cryptography,\r\nRansomware,\r\nEncrypt,\r\nPayloads,\r\nCommunication channels,",
"modification_date": "2023-10-04T10:44:21.880000Z",
"category": [
7
],
"rules": [
42
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 98,
"key": "rol",
"unprotect_id": "U0704",
"name": "ROL",
"description": "ROL, or Rotate Left, is a simple encoding algorithm similar to the Caesar Cipher. In the ROL algorithm, each letter of the plaintext is replaced with a letter that is a fixed number of positions down the alphabet. For example, if the rotation value is 3, then the letter \"A\" would be replaced with \"D\", \"B\" would be replaced with \"E\", and so on. \r\n\r\nROL is a monoalphabetic substitution cipher, meaning that each letter of the plaintext is replaced with the same letter of the ciphertext every time it appears. This makes ROL relatively easy to break, as frequency analysis can be used to determine the rotation value and decrypt the ciphertext. \r\n\r\nDespite its weaknesses, ROL is still a popular algorithm for teaching the basics of cryptography. In the context of malware, ROL can be used to encode the payload or communication channels in order to avoid detection and analysis.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://blog.malwarebytes.com/threat-analysis/2013/03/obfuscation-malwares-best-friend/",
"creation_date": "2019-03-18T14:53:31Z",
"tags": "ROL,\r\nCaesar Cipher,\r\nEncoding algorithm,\r\nPlaintext,\r\nCiphertext,\r\nRotation value,\r\nMonoalphabetic substitution cipher,\r\nFrequency analysis,",
"modification_date": "2023-10-04T10:42:51.702000Z",
"category": [
7
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 97,
"key": "caesar-cipher",
"unprotect_id": "U0705",
"name": "Caesar Cipher",
"description": "The Caesar Cipher is a simple encoding algorithm that was used during the Roman Empire to hide secret messages. In this algorithm, each letter of the plaintext is replaced with a letter that is a fixed number of positions down the alphabet. For example, if the shift value is 3, then the letter \"A\" would be replaced with \"D\", \"B\" would be replaced with \"E\", and so on. \r\n\r\nThe Caesar Cipher is a monoalphabetic substitution cipher, meaning that each letter of the plaintext is replaced with the same letter of the ciphertext every time it appears. This makes the Caesar Cipher relatively easy to break, as frequency analysis can be used to determine the shift value and decrypt the ciphertext. \r\n\r\nThe Caesar Cipher algorithm can be used by malware in several ways. One possible use case is to encode the payload or command and control (C2) communication in order to make it more difficult for security tools and forensic investigators to detect and analyze. \r\n\r\nAnother possible use case is to use the Caesar Cipher as part of a more complex encoding scheme, such as using it to encrypt the payload and then using another algorithm, such as Base64, to encode the resulting ciphertext. This can make the encoded payload even more difficult to detect and analyze. In both cases, the use of the Caesar Cipher can help the malware avoid detection and continue operating on a compromised system.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://blog.malwarebytes.com/threat-analysis/2013/03/obfuscation-malwares-best-friend/",
"creation_date": "2019-03-18T14:53:09Z",
"tags": "Caesar Cipher,\r\nEncoding algorithm,\r\nRoman Empire,\r\nSecret message,\r\nMonoalphabetic substitution cipher,\r\nPlaintext,\r\nCiphertext,\r\nShift value,\r\nFrequency analysis,",
"modification_date": "2023-10-04T10:42:42.092000Z",
"category": [
7
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 96,
"key": "base64",
"unprotect_id": "U0706, E1027.m02",
"name": "Base64",
"description": "Base64 is a simple encoding scheme that is often used by malware to represent binary data in an ASCII string. This allows the malware to encode and transmit binary data, such as a payload or network traffic, in a way that is more compact and easier to transmit over text-based communication channels. \r\n\r\nBase64 uses a 64-character alphabet to encode the data, which includes the upper and lower case letters, the digits 0-9, and the symbols \"+\" and \"/\". The encoded data is typically padded with the character \"=\" to ensure that it has a length that is a multiple of 4. The encoded data can then be decoded using the same 64-character alphabet to recover the original binary data. This makes Base64 a useful tool for malware to conceal their payloads and communicate with their command and control (C2) servers.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://medium.com/@bromiley/malware-monday-obfuscation-f65239146db0",
"creation_date": "2019-03-18T14:52:37Z",
"tags": "Base64,\r\nBinary data,\r\nASCII string,\r\nEncoding,\r\nText-based communication channels,\r\n64-character alphabet,\r\nPadded,",
"modification_date": "2024-01-11T05:22:12.678000Z",
"category": [
7
],
"rules": [
146
],
"attachments": [],
"featured_api": [],
"contributors": [
5,
33
]
},
{
"id": 95,
"key": "xor-operation",
"unprotect_id": "U0701,E1027.m02",
"name": "XOR Operation",
"description": "The XOR operation is a common technique used by malware to hide data. This is because it is a simple and reversible function, meaning that the same operation can be used to both encode and decode data. In the XOR operation, a key is used to create a ciphertext, which is then used to encrypt the original data. \r\n\r\nThe encrypted data can then be decrypted using the same key, allowing the original data to be accessed. The XOR operation is often used by malware because it is easy to implement and can be used to effectively conceal data from detection.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://isc.sans.edu/forums/diary/Malware+and+XOR+Part+1/22486/",
"creation_date": "2019-03-18T14:52:04Z",
"tags": "XOR operation,\r\nKey,\r\nCiphertext,\r\nReversible function,\r\nEncode,\r\nDecode,\r\nEncrypt,\r\nDecrypt,",
"modification_date": "2024-01-04T05:14:05.126000Z",
"category": [
7
],
"rules": [
131,
136
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 94,
"key": "fileless-mechanisms",
"unprotect_id": "U1205, B0027.001",
"name": "FIleless Mechanisms",
"description": "Fileless malware is a type of malware that is designed to reside and execute entirely in the memory of a host system, without leaving any trace on the local disk. This can make it more difficult for security tools to detect and remove the malware, as it does not leave any files on the system that can be scanned or deleted.\r\n\r\nFileless malware is typically delivered through a variety of means, such as email attachments, malicious websites, or exploit kits. Once it has been delivered to the host system, it may use a variety of techniques to avoid detection and persist in the memory of the system. This can include modifying system settings, injecting code into legitimate processes, or using fileless malware-specific tools and frameworks.\r\n\r\nFileless malware can be difficult to detect and mitigate, as it does not leave any physical evidence on the system and can often evade traditional security measures that rely on scanning and analyzing the local disk. As a result, it is important for individuals and organizations to take steps to protect themselves against this type of malware, such as by keeping their systems and applications up to date, practicing safe browsing habits, and using security software that is designed to detect and mitigate fileless malware threats.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://blog.minerva-labs.com/deconstructing-fileless-attacks-into-4-underlying-techniques",
"creation_date": "2019-03-18T14:48:03Z",
"tags": "Fileless malware,\r\nMemory,\r\nEmail attachments,\r\nMalicious websites,\r\nExploit kits,\r\nSystem settings,\r\nLegitimate processes,\r\nFileless malware-specific tools,",
"modification_date": "2023-10-04T10:43:48.702000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 93,
"key": "dll-injection-via-createremotethread-and-loadlibrary",
"unprotect_id": "U1226, E1055.001",
"name": "DLL Injection via CreateRemoteThread and LoadLibrary",
"description": "DLL Injection Via `CreateRemoteThread` and `LoadLibrary` is a technique used by malware to inject its code into a legitimate process. This technique is similar to hook injection, where the malware inserts a malicious DLL to be used by the system. It is one of the most common techniques used to inject malware into another process.\r\n\r\nThe malware writes the path to its malicious dynamic-link library (DLL) in the virtual address space of the target process, and then creates a remote thread in the target process. The thread's start address is the `LoadLibrary` function, which is used to load the malicious DLL into the target process's address space. This allows the malware to execute its code within the context of the target process, without creating new processes or threads.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"creation_date": "2019-03-18T14:47:37Z",
"tags": "DLL Injection, CreateRemoteThread, LoadLibrary, malware, hook injection, process, system, code injection, legitimate process, virtual address space, remote thread, target process, LoadLibrary function, malicious DLL, execution,",
"modification_date": "2023-10-04T10:43:55.058000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
1,
3,
4,
5,
6,
24,
425
],
"contributors": []
},
{
"id": 92,
"key": "hook-injection",
"unprotect_id": "U1227, E1055.m01",
"name": "Hook Injection",
"description": "Hook injection is a technique used by malware to alter the behavior of internal functions in an operating system or application. This is typically achieved by inserting malicious code into existing function calls, allowing the malware to intercept and manipulate the normal flow of execution.\r\n\r\nIn the case of Windows, the `SetWindowsHookEx` function can be used by programs to install hooks that monitor events such as mouse clicks and keyboard key presses. This can enable malware to monitor user actions and steal sensitive information or perform other malicious actions. By using hook injection, malware can evade detection and continue to operate stealthily within a system.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\nhttps://www.ired.team/offensive-security/code-injection-process-injection/setwindowhookex-code-injection",
"creation_date": "2019-03-18T14:47:10Z",
"tags": "Hook injection, malware, internal functions, operating system, application, malicious code, existing function calls, intercept, manipulate, normal flow of execution, SetWindowsHookEx function,",
"modification_date": "2023-10-04T10:44:04.798000Z",
"category": [
4
],
"rules": [
118,
119
],
"attachments": [],
"featured_api": [
117,
131
],
"contributors": []
},
{
"id": 91,
"key": "entry-point-modification",
"unprotect_id": "U1228",
"name": "Entry Point Modification",
"description": "The entry point is the starting point of an executable file during execution. Some malware use techniques such as changing or relocating the real entry point to protect their code from analysis. This makes it difficult for security software to identify and detect the malware as the code is not executed in the usual way.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/expiro-infects-encrypts-files-to-complicate-repair/",
"creation_date": "2019-03-18T14:46:26Z",
"tags": "entry point, executable file, execution, malware, techniques, changing, relocating, real entry point, protect code, analysis, security software, identification,",
"modification_date": "2023-10-04T10:42:18.759000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 90,
"key": "parent-process-detection",
"unprotect_id": "U0404",
"name": "Parent Process Detection",
"description": "Parent process is a technique used by malware to evade detection by security analysts. The parent process of a given process is the process that spawned it. \r\n\r\nFor example, most user processes on a Windows system have explorer.exe as their parent process. By checking the parent process of a given process, malware can determine whether it is being monitored by security analysts. If the parent process is not explorer.exe, then the process is likely being monitored and the malware can take evasive action, such as terminating itself.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://cysinfo.com/detecting-malicious-processes-psinfo-volatility-plugin/",
"creation_date": "2019-03-18T14:46:02Z",
"tags": "Process,\r\nSpawn,\r\nExplorer.exe,\r\nMonitoring,\r\nEvasive action,\r\nTermination,\r\nEncryption,",
"modification_date": "2023-10-04T10:42:17.040000Z",
"category": [
6
],
"rules": [
127
],
"attachments": [],
"featured_api": [
26,
27,
28
],
"contributors": []
}
]
}
