Search Evasion Techniques
Names, Techniques, Definitions, Keywords
64 item(s) found so far for this keyword.
XSL Script Processing Defense Evasion [Mitre]
Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages.
Adversaries may abuse this functionality to execute arbitrary files while …
Image File Execution Options Injection Process Manipulating
Image File Execution Options Injection, also known as IFEO Injection, is a technique used by malware to evade detection and persist on a compromised system.
The technique involves modifying the Image File Execution Options (IFEO) registry key, which is used by the Windows operating system to set debugging options for executable files. When an executable file is launched, the operating …
Entry Point Modification Process Manipulating
The entry point is the starting point of an executable file during execution. Some malware use techniques such as changing or relocating the real entry point to protect their code from analysis. This makes it difficult for security software to identify and detect the malware as the code is not executed in the usual way.
Masquerading: Double File Extension Defense Evasion [Mitre]
Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: File.txt.exe may render in some views as just File.txt). However, the second extension is the true file type that determines how …
Indirect Command Execution Defense Evasion [Mitre]
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd.
Adversaries may abuse these features for Defense Evasion, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage …
System Script Proxy Execution: PubPrn Defense Evasion [Mitre]
Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a Visual Basic script that publishes a printer to Active Directory Domain Services. The script may be signed by Microsoft and is commonly executed through the Windows Command Shell via Cscript.exe. For example, the following code publishes a printer within the specified domain: cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com. …
Obfuscated Files or Information: Steganography Defense Evasion [Mitre]
Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.
Duqu was an early example of malware that used steganography. It encrypted the gathered information from a victim's system and hid it within an image …
Trusted Developer Utilities Proxy Execution: MSBuild Defense Evasion [Mitre]
Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.
Adversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild …
Process Injection: Dynamic-link Library Injection Defense Evasion [Mitre]
Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process.
DLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before …
Process Injection: Portable Executable Injection Defense Evasion [Mitre]
Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process.
PE injection is commonly performed by copying code (perhaps without a file on disk) into the virtual address space of the target …