Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
52 item(s) found so far for this keyword.
Modify Authentication Process: Domain Controller Authentication Defense Evasion [Mitre]
Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts.
Malware may be used to inject false credentials into the authentication process on a domain controller with the intent of creating a backdoor used to access any user’s account and/or credentials (ex: Skeleton Key). Skeleton key works through …
Modify Authentication Process: Multi-Factor Authentication Defense Evasion [Mitre]
Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts.
Once adversaries have gained access to a network by either compromising an account lacking MFA or by employing an MFA bypass method such as Multi-Factor Authentication Request Generation, adversaries may leverage their access to modify or completely disable MFA defenses. This can be …
Modify Authentication Process: Hybrid Identity Defense Evasion [Mitre]
Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts.
Many organizations maintain hybrid user and device identities that are shared between on-premises and cloud-based environments. These can be maintained in a number of ways. For example, …
Use Alternate Authentication Material: Pass the Hash Defense Evasion [Mitre]
Adversaries may "pass the hash" using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that …
Use Alternate Authentication Material: Pass the Ticket Defense Evasion [Mitre]
Adversaries may "pass the ticket" using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.
When …
Valid Accounts: Default Accounts Defense Evasion [Mitre]
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the …
SMB / Named Pipes Network Evasion
Named Pipes are a feature of the Windows operating system that allow for inter-process communication (IPC) using a pipe metaphor. These are particularly useful in networking scenarios as they can be made accessible over a network and facilitate a client-server model of communication. The SMB (Server Message Block) protocol is commonly used in Windows environments for shared access to files, …
PyArmor Packers
Pyarmor is a command-line tool primarily used for the obfuscation of Python scripts. While its original design aims to protect Python code from unauthorized access and reverse engineering, its capabilities also make it a tool of interest for malware obfuscation. Pyarmor achieves this through several key features, each with potential applications in both legitimate protection and malicious exploitation:
- …
BuildCommDCBAndTimeoutA Sandbox Evasion
This technique uses a BuildCommDCBAndTimeoutsA API call to determine if the malware is detonating in a sandbox. Normally, a bogus device string would cause this API call to fail. However, some malware sandbox environments may emulate in a way that allows the API call to succeed even when given a bogus device string.
Cronos-Crypter Packers
Cronos-Crypter is an open-source crypter publicly available on GitHub. The crypter applies AES encryption or XOR obfuscation to a selected payload before storing it as a .NET resource of a final generated .NET executable payload. Cronos-Crypter contains multiple capabilties for persistence and defense evasion. An operator may select persistence via a Windows Registry autorun key or a Scheduled Task. An …