Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
70 item(s) found so far for this keyword.
Use Alternate Authentication Material: Pass the Hash Defense Evasion [Mitre]
Adversaries may "pass the hash" using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that …
Use Alternate Authentication Material: Pass the Ticket Defense Evasion [Mitre]
Adversaries may "pass the ticket" using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.
When …
Valid Accounts: Default Accounts Defense Evasion [Mitre]
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the …
Valid Accounts: Domain Accounts Defense Evasion [Mitre]
Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.
Adversaries may …
Valid Accounts: Local Accounts Defense Evasion [Mitre]
Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.
Local Accounts may also be abused to elevate privileges and harvest credentials …
Checking Pipe Sandbox Evasion
Cuckoo is a malware analysis system that uses a named pipe, called \.\pipe\cuckoo, for communication between the host system (where the malware is being analyzed) and the guest system (where the malware is running).
A malware that is running on the guest system can detect the presence of a virtual environment by attempting to access the \.\pipe\cuckoo named pipe. …
Detecting USB Drive Sandbox Evasion
To detect whether a program is running in a sandbox environment, malware can look for the presence of USB drives. Many sandboxes do not have USB ports or do not allow access to USB drives, and detecting the absence of USB drives can help identify whether the program is being run in a sandbox.
CsrGetProcessID Anti-Debugging
This function is undocumented within OpenProcess. It can be used to get the PID of CRSS.exe, which is a SYSTEM process. By default, a process has the SeDebugPrivilege privilege in their access token disabled.
However, when the process is loaded by a debugger such as OllyDbg or WinDbg, the SeDebugPrivilege privilege is enabled. If a process is able …
Obscuring Control Flow Using Pointers Anti-Disassembly
The use of pointers in a program can be an issue for disassemblers, because pointers can be used in complex ways that are difficult for the disassembler to accurately interpret. This can make it more difficult for the disassembler to generate correct disassembly output, and can also make it more difficult for analysts to understand the program's behavior.
Pointers …
XOR Operation Data Obfuscation
The XOR operation is a common technique used by malware to hide data. This is because it is a simple and reversible function, meaning that the same operation can be used to both encode and decode data. In the XOR operation, a key is used to create a ciphertext, which is then used to encrypt the original data.
The …