Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
117 item(s) found so far for this keyword.
Dirty Vanity Process Manipulating
Dirty Vanity is a process injection technique that exploits the Windows forking (process reflection and snapshotting) feature to inject code into a new process.
It uses the RtlCreateProcessReflection
or NtCreateProcess[Ex]
primitives, along with the PROCESS_VM_OPERATION
, PROCESS_CREATE_THREAD
, and PROCESS_DUP_HANDLE
flags to reflect and execute code in a new process.
The technique also makes use of various methods, such as …
Hijack Execution Flow: KernelCallbackTable Defense Evasion [Mitre]
Adversaries may abuse the KernelCallbackTable of a process to hijack its execution flow in order to run their own payloads. The KernelCallbackTable can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll is loaded.
An adversary may hijack the execution flow of a process using …
Reflective Code Loading Defense Evasion [Mitre]
Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk. Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snubs …
Process Injection: Thread Execution Hijacking Defense Evasion [Mitre]
Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process.
Thread Execution Hijacking is commonly performed by suspending an existing process then unmapping/hollowing its memory, which can then be replaced with …
DLL Injection via CreateRemoteThread and LoadLibrary Process Manipulating
DLL Injection Via CreateRemoteThread
and LoadLibrary
is a technique used by malware to inject its code into a legitimate process. This technique is similar to hook injection, where the malware inserts a malicious DLL to be used by the system. It is one of the most common techniques used to inject malware into another process.
The malware writes the path …
Process Injection: Thread Local Storage Defense Evasion [Mitre]
Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process.
TLS callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to …
Process Reimaging Process Manipulating
Process Reimaging is a technique used to evade detection by endpoint security solutions. It is a variation of the Process Hollowing or Process Doppelganging techniques, which are used to execute arbitrary code in the context of another process.
The Windows operating system has inconsistencies in how it determines the locations of process image FILE_OBJECTs, which can impact the ability of …
Modify Authentication Process: Hybrid Identity Defense Evasion [Mitre]
Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts.
Many organizations maintain hybrid user and device identities that are shared between on-premises and cloud-based environments. These can be maintained in a number of ways. For example, Azure …
Hide Artifacts: Process Argument Spoofing Defense Evasion [Mitre]
Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor …
Process Injection: Process Doppelgänging Defense Evasion [Mitre]
Adversaries may inject malicious code into process via process doppelgänging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelgänging is a method of executing arbitrary code in the address space of a separate live process.
Windows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations. To ensure data integrity, …