Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
8 item(s) found so far for this keyword.
Dirty Vanity Process Manipulating
Dirty Vanity is a process injection technique that exploits the Windows forking (process reflection and snapshotting) feature to inject code into a new process.
It uses the RtlCreateProcessReflection
or NtCreateProcess[Ex]
primitives, along with the PROCESS_VM_OPERATION
, PROCESS_CREATE_THREAD
, and PROCESS_DUP_HANDLE
flags to reflect and execute code in a new process.
The technique also makes use of various methods, such as …
Process Herpaderping Process Manipulating
Process Herpaderping is a method of obscuring the intentions of a process by modifying the content on a disk after the image has been mapped. This results in curious behavior by security products and the OS itself.
To abuse this convention, we first write a binary to a target file on a disk. Then, we map an image of the …
Process Reimaging Process Manipulating
Process Reimaging is a technique used to evade detection by endpoint security solutions. It is a variation of the Process Hollowing or Process Doppelganging techniques, which are used to execute arbitrary code in the context of another process.
The Windows operating system has inconsistencies in how it determines the locations of process image FILE_OBJECTs, which can impact the ability of …
CsrGetProcessID Anti-Debugging
This function is undocumented within OpenProcess
. It can be used to get the PID of CRSS.exe, which is a SYSTEM
process. By default, a process has the SeDebugPrivilege
privilege in their access token disabled.
However, when the process is loaded by a debugger such as OllyDbg or WinDbg, the SeDebugPrivilege
privilege is enabled. If a process is able to …
Access Token Manipulation: Create Process with Token Defense Evasion [Mitre]
Adversaries may create a new process with a different token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW and runas.
Creating processes with a different token may require the credentials of the target user, specific privileges to impersonate that user, or access …
Kill Process Anti-Monitoring
Malware can use various techniques to evade detection and disrupt the efforts of security professionals to analyze it. One such technique is to kill processes that are related to anti-virus software or monitoring tools.
For example, malware may target processes such as wireshark.exe, ida.exe, or procmon.exe, which are commonly used by security professionals to monitor and analyze running processes on …
Parent Process Detection Anti-Monitoring
Parent process is a technique used by malware to evade detection by security analysts. The parent process of a given process is the process that spawned it.
For example, most user processes on a Windows system have explorer.exe as their parent process. By checking the parent process of a given process, malware can determine whether it is being monitored by …
NtQueryInformationProcess Anti-Debugging
This function retrieves information about a running process. Malware are able to detect if the process is currently being attached to a debugger using the ProcessDebugPort (0x7)
information class.
A nonzero value returned by the call indicates that the process is being debugged.