Search For Content
Search Result
5 item(s) found so far for this keyword.
WMI Event Subscriptions
Adversaries may leverage WMI event subscriptions to evade detection by triggering malicious actions only under specific conditions that are unlikely to occur in a sandboxed environment. For instance, a threat actor might configure an event subscription to monitor file system, network, or logon activity, ensuring that their second-stage payload is only downloaded and executed when a particular event suggests real …
Read moreExtra Window Memory Injection
Before creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data).
Registration of new windows classes can include a request for up to 40 bytes of Extra Window Memory (EWM) to be appended to the allocated memory of each …
Read moreCPU Counting
In many sandboxes, due to virtualization constraints, the number of CPUs may be limited to one. However, in the real world, all x86 CPUs have been sold with multiple cores or at least hyperthreading for over a decade.
As a result, it is sometimes possible to detect virtualization or sandboxing by examining the number of CPUs on the system. …
Read moreVolume Shadow Copy Service (VSC,VSS) Deletion
![Defense Evasion [Mitre] icon](/media/2024/04/08/icons8-burglar.svg){kind=small}
Deleting Volume Shadow Copy makes the forensic investigation more difficult in terms of the recovery of previous artifact evidence. In addition, attackers using ransomware often delete VSCs not to be able to recover the original files of the encrypted files from VSCs.
On the other hand, deleting by using vssadmin and WMIC is on a file system level, the …
Read moreXSL Script Processing
Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages.
Adversaries may abuse this functionality to execute arbitrary files …
Read more