Search For Content
Search Result
62 item(s) found so far for this keyword.
CPU Counting
In many sandboxes, due to virtualization constraints, the number of CPUs may be limited to one. However, in the real world, all x86 CPUs have been sold with multiple cores or at least hyperthreading for over a decade.
As a result, it is sometimes possible to detect virtualization or sandboxing by examining the number of CPUs on the system. …
Read moreDomain Member
This technique determines if a host is a member of an Active Directory Domain without API calls. It helps prevent malicious payload execution in enterprise sandboxes that are not members of an Active Directory domain. The validation is done by checking the "LoggonServer" and "ComputerName" environment variables. If the host is logged into a domain controller, the "LoggonServer" value will …
Read moreProcess Injection: Dynamic-link Library Injection
![Defense Evasion [Mitre] icon](/media/2024/04/08/icons8-burglar.svg){kind=small}
Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process.
DLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process …
Read moreProcess Injection: Process Doppelgänging
Adversaries may inject malicious code into process via process doppelgänging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelgänging is a method of executing arbitrary code in the address space of a separate live process.
Windows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations. To ensure data …
Read moreRootkit
Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, …
Read moreVirtualization/Sandbox Evasion: Time Based Evasion
Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.
… Read moreRetrieve HDD Information
Malware can figure out if it's in a virtual environment by checking hard drive info. It looks for specific details like serial and model numbers. This is easier to spot in VirtualBox because it shows clues that it's running in a virtual space.
Malware uses this trick to avoid getting caught. It does this by using a special command …
Read moreIsDebuggerPresent
This function checks specific flag in the Process Environment Block (PEB) for the field IsDebugged which will return zero if the process is not running into a debugger or a nonzero if a debugger is attached.
If you want to understand the underlying process of IsDebuggerPresent API you can check the code snippet section for the following method: IsDebugged …
Read moreOutputDebugString
This Windows API is often used by developers for debugging purpose. It will display a text to the attached debugger. This API is also used by Malware to open a communication channel between one or multiple processes.
It is possible to use OutputDebugString in addition of GetLastError / SetLastError to detect debugger presence.
Read moreINT3 Instruction Scanning
Instruction INT3 is an interruption which is used as Software breakpoints. These breakpoints are set by modifying the code at the target address, replacing it with a byte value 0xCC (INT3 / Breakpoint Interrupt).
The exception EXCEPTION_BREAKPOINT (0x80000003) is generated, and an exception handler will be raised. Malware identify software breakpoints by scanning for the byte 0xCC in the …