Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
145 item(s) found so far for this keyword.
LocalSize(0) Anti-Debugging
The function LocalSize retrieves the current size of the specified local memory object, in bytes. By setting the hMem parameters with 0 will trigger an exception in a debugger that can be used as an anti-debugging mechanism.
Volume Shadow Copy Service (VSC,VSS) Deletion Anti-Forensic Defense Evasion [Mitre]
Deleting Volume Shadow Copy makes the forensic investigation more difficult in terms of the recovery of previous artifact evidence. In addition, attackers using ransomware often delete VSCs not to be able to recover the original files of the encrypted files from VSCs.
On the other hand, deleting by using vssadmin and WMIC is on a file system level, the …
AddVectoredExceptionHandler Anti-Debugging
The AddVectoredExceptionHandler technique is an anti-debugging method that can detect the presence of debuggers using Vectored Exception Handlers. This technique works by calling AddVectoredExceptionHandler(1, ourHandler) to register a top-level exception handler that will catch any exceptions raised by the process, including those generated by debuggers.
After this call has taken place, stepping through the code will trigger an EXCEPTION_SINGLE_STEP …
Hyper-V Signature Sandbox Evasion
Hyper-V has a signature value of "Hv#1" in eax if leaf 0x40000001 is provided to CPUID.
WMI Event Subscriptions Sandbox Evasion
Adversaries may leverage WMI event subscriptions to evade detection by triggering malicious actions only under specific conditions that are unlikely to occur in a sandboxed environment. For instance, a threat actor might configure an event subscription to monitor file system, network, or logon activity, ensuring that their second-stage payload is only downloaded and executed when a particular event suggests real …