Search For Content
Search Result
176 item(s) found so far for this keyword.
DTPacker
DTPacker is a .NET packer or downloader which although seeing considerable variety in the first stage, uses a second stage with a fixed password as part of the decoding.
The main difference between a packer and a downloader is the location of the payload data which is embedded in the former and downloaded in the latter. DTPacker uses both …
Read moreCloudEye/DarkEye
CloudEyE, an evolved version of DarkEyE, allows threat actors to use different types of malware of their choice and make it undetectable to anti-virus solutions. This program is being sold by legitimate Italian company which markets it as a tool for developers that want to protect their program from piracy and reverse engineering. The tutorials published and forum posts about …
Read moreFLIRT Signatures Evasion
FLIRT Signature evasion is a technique used by malware to hide malicious code inside legitimate functions from known libraries. FLIRT (Fast Library Identification and Recognition Technology) is a database that contains signature patterns for identifying known functions from legitimate libraries.
Malware authors can abuse these signatures by modifying or adding specific bytes to the code, so that it appears …
Read moreDLL Proxying
DLL proxying is a technique used by malware to evade detection and gain persistence on a system. It involves replacing a legitimate DLL with a malicious DLL that has the same exported functions and is named similarly to the legitimate DLL.
When a program attempts to load the legitimate DLL, it will instead load the malicious DLL, which acts …
Read moreMark-Of-The-Web (MOTW) Bypass
Mark-of-the-Web (MOTW) is a security feature originally introduced by Internet Explorer. When downloading a file, Internet Explorer creates an ADS named Zone.Identifier and adds a ZoneId to this stream to indicate from which zone the file originates. It is used on Windows OS to trigger a Windows Defender SmartScreen detection and raise an alert to the user about the file.
… Read moreAvoiding Memory Scanners (Yara, Pe-sieve...)
Avoiding Memory Scanners is a technique that enables malware creators to bypass the detection of endpoint security software and reverse engineers by using memory scanning to locate shellcode and malware in Windows memory.
The technique involves understanding how memory scanners work and implementing a stable evasion method for each of the memory scanning tools, such as PE-sieve, MalMemDetect, Moneta, …
Read moreHide Artifacts: Email Hiding Rules
![Defense Evasion [Mitre] icon](/media/2024/04/08/icons8-burglar.svg){kind=small}
Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule or Set-InboxRule PowerShell …
Read moreDebugger Evasion
Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.
Debugger evasion may include changing behaviors based on the results of the checks for the presence of artifacts indicative of a debugged environment. Similar to Virtualization/Sandbox Evasion, if the adversary detects a debugger, …
Read moreDeobfuscate/Decode Files or Information
Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
One such example is use of certutil to …
Read moreImpair Defenses: Disable or Modify Tools
Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable …
Read more