Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
71 item(s) found so far for this keyword.
System Binary Proxy Execution: Odbcconf Defense Evasion [Mitre]
Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names. The Odbcconf.exe binary may be digitally signed by Microsoft.
Adversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to Regsvr32, odbcconf.exe …
System Binary Proxy Execution: Regsvcs/Regasm Defense Evasion [Mitre]
Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are binaries that may be digitally signed by Microsoft.
Both utilities may be used to bypass application control through use of attributes within the …
System Binary Proxy Execution: Regsvr32 Defense Evasion [Mitre]
Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft.
Malicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules …
System Binary Proxy Execution: Verclsid Defense Evasion [Mitre]
Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before they are used by Windows Explorer or the Windows Shell.
Adversaries may abuse verclsid.exe to execute malicious payloads. This may be achieved by running verclsid.exe /S /C {CLSID}, where the file …
System Binary Proxy Execution: Mavinject Defense Evasion [Mitre]
Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V).
Adversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. Dynamic-link Library Injection), allowing for arbitrary code execution (ex. C:\Windows\system32\mavinject.exe PID /INJECTRUNNING PATH_DLL). …
System Script Proxy Execution: PubPrn Defense Evasion [Mitre]
Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a Visual Basic script that publishes a printer to Active Directory Domain Services. The script may be signed by Microsoft and is commonly executed through the Windows Command Shell via Cscript.exe. For example, the following code publishes a printer within the specified domain: cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com.
…Trusted Developer Utilities Proxy Execution: MSBuild Defense Evasion [Mitre]
Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.
Adversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of …
XSL Script Processing Defense Evasion [Mitre]
Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages.
Adversaries may abuse this functionality to execute arbitrary files …
RDTSC Anti-Debugging
The Read-Time-Stamp-Counter (RDTSC) instruction can be used by malware to determine how quicky the processor executes the program's instructions. It returns the count of the number of ticks since the last system reboot as a 64-bit value placed into EDX:EAX.
It will execute RDTSC twice and then calculate the difference between low order values and check it with …
Unhandled Exception Filter Anti-Debugging
An application-defined function that passes unhandled exceptions to the debugger, if the process is being debugged. Otherwise, it optionally displays an application error message box and causes the exception handler to be executed.
If an exception occurs and no exception handler is registered, the UnhandledExceptionFilter function will be called. It is possible to register a custom unhandled exception filter …