System Binary Proxy Execution: Rundll32 Defense Evasion [Mitre]

Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {DLLname, DLLfunction}).

Rundll32.exe can also be used to execute …

Rogue Domain Controller Defense Evasion [Mitre]

Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. Once registered, a rogue DC may be …

Obscuring Control Flow Anti-Disassembly

Obscuring control flow is an anti-disassembling technique that involves using methods of flow control that are difficult or impossible for disassemblers and debuggers to follow. This can make it more difficult for analysts to understand the program's behavior and can also make it more difficult for other tools, such as debuggers, to accurately interpret the program.

One example of this …

Control Flow Graph Flattening Anti-Disassembly

Control flow flattening is a technique used to obfuscate the control flow of a program, in order to make it more difficult for a disassembler to accurately interpret the program's behavior. This technique involves breaking up the nesting of loops and if-statements in a program, and then hiding each of them in a case of a large switch statement. This …

Obscuring Control Flow Using Pointers Anti-Disassembly

The use of pointers in a program can be an issue for disassemblers, because pointers can be used in complex ways that are difficult for the disassembler to accurately interpret. This can make it more difficult for the disassembler to generate correct disassembly output, and can also make it more difficult for analysts to understand the program's behavior.

Pointers are …

Bypass User Account Control Defense Evasion [Mitre]

Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.

The impact to the user ranges from denying the operation under high enforcement to …

ConfuserEx Packers

ConfuserEx is a open-source protector for .NET applications. It is the successor of Confuser project.

Supports .NET Framework 2.0/3.0/3.5/4.0/4.5/4.6/4.7/4.8
Symbol renaming (Support WPF/BAML)
Protection against debuggers/profilers
Protection against memory dumping
Protection against tampering (method encryption)
Control flow obfuscation
Constant/resources encryption
Reference hiding proxies
Disable decompilers
Embedding dependency
Compressing output

C2 via Social Networks Network Evasion

Malware often relies on a communication channel with its operator in order to receive instructions and updates. This channel is known as a command and control (C&C or C2) channel. C&C channels can take various forms, such as internet relay chat (IRC), peer-to-peer protocols, and even social media. The use of C&C channels allows the operator to remotely control the …

Search Evasion Techniques

Search Result