Search Evasion Techniques
Names, Techniques, Definitions, Keywords
44 item(s) found so far for this keyword.
Virtualization/Sandbox Evasion: Time Based Evasion Defense Evasion [Mitre]
Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time. …
Hook Injection Process Manipulating
Hook injection is a technique used by malware to alter the behavior of internal functions in an operating system or application. This is typically achieved by inserting malicious code into existing function calls, allowing the malware to intercept and manipulate the normal flow of execution.
In the case of Windows, the
SetWindowsHookEx function can be used by programs to install …
Obfuscated Files or Information: Dynamic API Resolution Defense Evasion [Mitre]
Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis. Malware commonly uses various Native API functions provided by the OS to perform various tasks such as those involving processes, files, and other system artifacts.
API functions called by malware may leave static artifacts such as strings in …
Shellcode Injection via CreateThreadpoolWait Process Manipulating
Shellcode injection is a technique used by malware to execute arbitrary code within the context of a targeted process. One method of achieving this is through the use of the
CreateThreadpoolWait function, which is a part of the Windows thread pool API.
In the context of shellcode injection,
CreateThreadpoolWait is used to create a wait object that is associated with …
Onset Delay Sandbox Evasion
Malware will delay execution to avoid analysis by the sample. For example, a Ping can be perform during a time defined. Unlike extended sleep that will use the Sleep function, onset delay will use another way to delay execution.
The purpose of such evasive code is to delay the execution of malicious activity long enough so that automated analysis systems …
DbgSetDebugFilterState functions are used by malware to detect the presence of a kernel mode debugger. These functions allow the malware to set up a debug filter, which is a mechanism that can be used to detect and respond to the presence of a debugger.
When a kernel mode debugger is present, the debug filter will be triggered, …
DNS API Injection Process Manipulating
DNS API injection is a technique used by malware to evade detection by intercepting and modifying DNS (Domain Name System) requests made by a host system. The technique involves injecting code into the DNS API (Application Programming Interface) of the host system, which is a set of functions and protocols that allow communication with the DNS service. By injecting code …
Hell's Gate Antivirus/EDR Evasion
The Hell's Gate technique refers to a specific method used by malware authors to make their software more difficult to detect and analyze. The technique involves the use of a custom native API resolver to resolve Windows API functions at runtime dynamically.
By using Hell's Gate, malware can avoid referencing the Windows API functions directly in the Import Address Table …
FLIRT Signatures Evasion Anti-Disassembly
FLIRT Signature evasion is a technique used by malware to hide malicious code inside legitimate functions from known libraries. FLIRT (Fast Library Identification and Recognition Technology) is a database that contains signature patterns for identifying known functions from legitimate libraries.
Malware authors can abuse these signatures by modifying or adding specific bytes to the code, so that it appears to …
Unloading Module with FreeLibrary Antivirus/EDR Evasion
Malware authors often use various techniques to evade detection by AV/EDR solutions. One such technique involves checking for the presence of AV/EDR DLLs that may be loaded in the malware's address space and attempting to unload them before executing their malicious code.
To do this, the malware first uses the
GetModuleHandleA function to retrieve a handle to the DLL, if …