Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
56 item(s) found so far for this keyword.
DLL Injection via CreateRemoteThread and LoadLibrary Process Manipulating
DLL Injection Via CreateRemoteThread
and LoadLibrary
is a technique used by malware to inject its code into a legitimate process. This technique is similar to hook injection, where the malware inserts a malicious DLL to be used by the system. It is one of the most common techniques used to inject malware into another process.
The malware writes the path …
Process Injection: Thread Local Storage Defense Evasion [Mitre]
Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process.
TLS callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to …
Process Injection: Process Doppelgänging Defense Evasion [Mitre]
Adversaries may inject malicious code into process via process doppelgänging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelgänging is a method of executing arbitrary code in the address space of a separate live process.
Windows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations. To ensure data integrity, …
Dirty Vanity Process Manipulating
Dirty Vanity is a process injection technique that exploits the Windows forking (process reflection and snapshotting) feature to inject code into a new process.
It uses the RtlCreateProcessReflection
or NtCreateProcess[Ex]
primitives, along with the PROCESS_VM_OPERATION
, PROCESS_CREATE_THREAD
, and PROCESS_DUP_HANDLE
flags to reflect and execute code in a new process.
The technique also makes use of various methods, such as …
Shellcode Injection via CreateThreadpoolWait Process Manipulating
Shellcode injection is a technique used by malware to execute arbitrary code within the context of a targeted process. One method of achieving this is through the use of the CreateThreadpoolWait
function, which is a part of the Windows thread pool API.
In the context of shellcode injection, CreateThreadpoolWait
is used to create a wait object that is associated with …
Process Injection: Asynchronous Procedure Call Defense Evasion [Mitre]
Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process.
APC injection is commonly performed by attaching malicious code to the APC Queue of a process's …
Hijack Execution Flow: KernelCallbackTable Defense Evasion [Mitre]
Adversaries may abuse the KernelCallbackTable of a process to hijack its execution flow in order to run their own payloads. The KernelCallbackTable can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll is loaded.
An adversary may hijack the execution flow of a process using …
Ctrl+Inject Process Manipulating
The "Control Signal Handler Callback" technique involves injecting malicious code into a process by using a callback function for control signal handlers. When a control signal, such as Ctrl+C, is received by a process, the system creates a new thread to execute a function to handle the signal. This thread is typically created by the legitimate process "csrss.exe" in the …
Process Hollowing, RunPE Process Manipulating
Process hollowing is a technique used by malware to evade detection by injecting malicious code into a legitimate process. This technique involves creating a new instance of a legitimate process and replacing its original code with the malicious payload.
The process is the following:
CreateProcess
: in a suspended mode with the CreationFlag at 0x0000 0004.GetThreadContext
: retrieves the …
Atom Bombing Process Manipulating
Atom Bombing is a technique that utilizes Windows Atom Tables, which provide a global storage mechanism for strings, to inject malicious code into a target process.
The technique involves storing a shellcode in an Atom Table, then using the NtQueueApcThread
function to force the targeted process to access the specific Atom, causing the injection to occur. To bypass Data Execution …