Search Evasion Techniques
Names, Techniques, Definitions, Keywords
52 item(s) found so far for this keyword.
Call to Interrupt Procedure Anti-Debugging
This anti-debugging technique involves using the
INT n instruction to generate a call to the interrupt or exception handler specified with the destination operand.
To implement this technique, the int
0x03 instruction is executed, followed by a
ret (0xCD03, 0xC3) nested in a
__try, __except block. If a debugger is present, the except block will not be executed, and …
Return Address Spoofing Antivirus/EDR Evasion
Return Address Spoofing is a technique used in x64 architecture to bypass the limitations of the x64 fastcall mechanism. The traditional method of spoofing return addresses in x86 (e.g. using a ret in a game module as a trampoline) is not feasible in x64 due to caller cleanup and red zone.
To overcome this, the code creates a temporary storage …
Subvert Trust Controls: SIP and Trust Provider Hijacking Defense Evasion [Mitre]
Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In user mode, Windows Authenticode digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be …
ProcEnvInjection - Remote code injection by abusing process environment strings Process Manipulating
This method allows to inject custom code into a remote process without using
WriteProcessMemory - It will use the
lpEnvironment parameter in
CreateProcess to copy the code into the target process. This technique can be used to load a DLL into a remote process, or simply execute a block of code.
lpEnvironment parameter in
CreateProcess allows us to specify …
Process Injection: Extra Window Memory Injection Defense Evasion [Mitre]
Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Before creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance …
Modify Authentication Process: Reversible Encryption Defense Evasion [Mitre]
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require …
Template Injection Defense Evasion [Mitre]
Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, …
Domain Policy Modification: Group Policy Modification Defense Evasion [Mitre]
Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predicable network path \\SYSVOL\\Policies. …
NOP Sled Anti-Disassembly
In computer security, a NOP slide is a sequence of NOP (no-operation) instructions that is inserted at the beginning of a code section. When a program branches to the start of this code section, it will "slide" through the NOP instructions until it reaches the desired, final destination. This technique is commonly used in software exploits to direct program execution …
OLEUM Process Manipulating
Edit controls are a type of user interface element that allows a user to enter and edit text in a graphical user interface (GUI). They are commonly used in Windows applications and can be embedded directly into a GUI or subclassed as a separate window. Edit controls can be set to display text in multiline mode, in which case they …