Search For Content
Search Result
131 item(s) found so far for this keyword.
File Melt
File melting is a technique that malware uses to delete itself after it has been installed on a system. This is often done in order to avoid detection by antivirus programs or other security measures. The process of file melting involves overwriting the file with random data, making it impossible to recover the original file or to detect the presence …
Read moreDetecting Online Sandbox
Online sandboxes are widely used for malware analysis. To evade detection, many malware families implement checks to identify if they are running in such environments. Below are examples of detection techniques for Any.Run and Tria.ge.
Detecting Any.Run
-
Any.Run uses a fake root certificate to spy on sandbox traffic. System information can be obtained by querying …
Disabling Event Tracing for Windows (ETW)
Many EDR solutions leverage Event Tracing for Windows (ETW) extensively. ETW allows for extensive instrumentation and tracing of a process functionality and WINAPI calls. It has components in the kernel, to register callbacks for system calls and other kernel operations, but also consists of a userland component that is part of ntdll.dll.
Since ntdll.dll is a DLL loaded into …
Read moreChange Module Name at Runtime
It is possible to change the name of the current process or any of its modules at runtime. This is achieved by accessing the process PEB's member 'Ldr', in particular it has a member 'InOrderMemoryLinks' which we can iterate through to get a list of the process's modules.
On each iteration it gets a PLDR_DATA_TABLE_ENTRY structure to work with …
Change Module Base Address at Runtime
It is possible to change the DllBase of a module at runtime. This can trick debugging and analysis tools such as IDA or Cheat Engine into thinking a module's base is actually at another address.
This is achieved by accessing the process PEB's member 'Ldr', in particular it has a member InOrderMemoryLinks which we can iterate through to get …
Tamper DLL Export Names & GetProcAddress Spoofing
When a process is running, it is possible to change the results of the call to GetProcAddress API, for the exported functions of a module along with modifying the export's offsets and name at runtime.
For example, the offset of kernel32.dll's function VirtualAlloc can be change to the offset of another function. When VirtualAlloc is called (after getting its …
Access Token Manipulation: Token Impersonation/Theft
![Defense Evasion [Mitre] icon](/media/2024/04/08/icons8-burglar.svg){kind=small}
Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex). The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to …
Read moreHijack Execution Flow: DLL Side-Loading
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking, side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application …
Read moreHijack Execution Flow: Executable Installer File Permissions Weakness
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten …
Read moreHijack Execution Flow: Path Interception by Unquoted Path
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
Service paths and shortcut paths may also be vulnerable to path interception if the …
Read more