Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
172 item(s) found so far for this keyword.
Checking Installed Software Sandbox Evasion
By detecting the presence of certain software and tools commonly used in sandbox environments, such as Python interpreters, tracing utilities, debugging tools, and virtual machine software like VMware, it is possible to infer the existence of a sandbox.
This inference is based on the premise that such tools are often found in sandbox setups used for dynamic malware analysis …
Detecting Hostname, Username Sandbox Evasion
Most sandbox are using name like Sandbox, Cuckoo, Maltest, Malware, malsand, ClonePC.... All this hostname can provide the information to the malware. The username can also be checked by malware.
Detecting USB Drive Sandbox Evasion
To detect whether a program is running in a sandbox environment, malware can look for the presence of USB drives. Many sandboxes do not have USB ports or do not allow access to USB drives, and detecting the absence of USB drives can help identify whether the program is being run in a sandbox.
Evading Hash Signature Antivirus/EDR Evasion
AV are able to detect if it's a known malware by calculating the file hash, by changing a simple bit into the binary can sometimes allow the sample to evade hash detection. This technique is unlikely to work anymore.
Evading Specific Signature Antivirus/EDR Evasion
Some signatures are specifically designed to catch an exploit or a specific behaviour. By reversing the signature, it is possible to modify the malware to evade the signature. For example, by changing the size of the payload matching, or by changing the file's header.
Fingerprinting Emulator Antivirus/EDR Evasion
Fingerprinting the AV emulator can allow the malware to detect the AV. For example, specific mutex can be used by the AV emulator, trying to detect it allow the sample to detect the AV.
Bypassing Static Heuristic Antivirus/EDR Evasion
Dynamic heuristic engines are implemented in the form of hooks (in user-land or kernel-land) or based on emulation. User-land hooks (HIPS) can be easily bypass by malware by patching back the entry point of the hooked function. For kernel-land hook, malware has to run in kernel space by installing a driver or abusing a kernel-level vulnerability.
Disabling Antivirus Antivirus/EDR Evasion
Some forms of malware are programmed to disable antivirus software and evade detection by security measures. These malicious programs can use specific commands or techniques to undermine the antivirus software's effectiveness and remain hidden from detection..
Adding antivirus exception Antivirus/EDR Evasion
Another way for a malware is to add an exception into the antivirus.
Fake Signature Antivirus/EDR Evasion
Every exe file contain metadata that allow users to trust the third party that distribute the program. Malware are able to usurp the metadata in order to fool the user but also the security tools.