Search Evasion Techniques
Names, Techniques, Definitions, Keywords
12 item(s) found so far for this keyword.
Dirty Vanity is a process injection technique that exploits the Windows forking (process reflection and snapshotting) feature to inject code into a new process.
It uses the
NtCreateProcess[Ex] primitives, along with the
PROCESS_DUP_HANDLE flags to reflect and execute code in a new process.
The technique also makes use of various methods, such as …
This technique leverages the
Transactional NTFS functionality in Windows. This functionality helps maintain data integrity during an unexpected error. For example, when an application needs to write or modify a file, if an error is triggered mid-write, the data can be corrupted. To avoid this kind of behavior, an application can open the file in a transactional mode to perform …
Process Ghosting is a technique used to bypass detection by manipulating the executable image when a process is loaded.
Windows attempts to prevent mapped executables from being modified. Once a file is mapped into an image section, attempts to open it with
FILE_WRITE_DATA (to modify it) will fail with
ERROR_SHARING_VIOLATION. Deletion attempts via
FILE_FLAG_DELETE_ON_CLOSE fail with
Process Herpaderping is a method of obscuring the intentions of a process by modifying the content on a disk after the image has been mapped. This results in curious behavior by security products and the OS itself.
To abuse this convention, we first write a binary to a target file on a disk. Then, we map an image of the …
Shellcode injection is a technique used by malware to execute arbitrary code within the context of a targeted process. One method of achieving this is through the use of the
CreateThreadpoolWait function, which is a part of the Windows thread pool API.
In the context of shellcode injection,
CreateThreadpoolWait is used to create a wait object that is associated with …
Process hollowing is a technique used by malware to evade detection by injecting malicious code into a legitimate process. This technique involves creating a new instance of a legitimate process and replacing its original code with the malicious payload.
The process is the following:
CreateProcess: in a suspended mode with the CreationFlag at 0x0000 0004.
GetThreadContext: retrieves the …
Process Reimaging is a technique used to evade detection by endpoint security solutions. It is a variation of the Process Hollowing or Process Doppelganging techniques, which are used to execute arbitrary code in the context of another process.
The Windows operating system has inconsistencies in how it determines the locations of process image FILE_OBJECTs, which can impact the ability of …
This function is undocumented within
OpenProcess. It can be used to get the PID of CRSS.exe, which is a
SYSTEM process. By default, a process has the
SeDebugPrivilege privilege in their access token disabled.
However, when the process is loaded by a debugger such as OllyDbg or WinDbg, the
SeDebugPrivilege privilege is enabled. If a process is able to …
Adversaries may create a new process with a different token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW and runas.
Creating processes with a different token may require the credentials of the target user, specific privileges to impersonate that user, or access …
Malware can use various techniques to evade detection and disrupt the efforts of security professionals to analyze it. One such technique is to kill processes that are related to anti-virus software or monitoring tools.
For example, malware may target processes such as wireshark.exe, ida.exe, or procmon.exe, which are commonly used by security professionals to monitor and analyze running processes on …