Defense Evasion [Mitre]

Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {DLLname, DLLfunction}).

Rundll32.exe can also be used to …

Others

The Right-to-Left Override (RLO) character (U+202E) is a Unicode control character used for bidirectional text formatting. It affects the way text is displayed, causing text following the RLO character to be rendered from right to left, which is typically used in languages like Arabic and Hebrew.

However, malicious actors have found a way to exploit this Unicode …

Anti-Debugging

An EventPair Object is an event constructed by two _KEVENT structures which are conventionally named High and Low.

There is a relation between generic Event Objects and Debuggers because they must create a custom event called DebugEvent able to handle exceptions. Due to the presence of events owned by the Debugger, every information relative to the events of a …

Anti-Disassembly

API obfuscation is a technique used by malware to make it more difficult for security analysts to understand and analyze the code. This is typically done by using a technique called API hashing, which replaces the names of API functions with a hashed value. When an analyst runs the malware through a disassembler tool, the hashed values are printed instead …

Process Manipulating

Reflective DLL loading refers to loading a DLL from memory rather than from disk. Windows doesn’t have a LoadLibrary function that supports this, so to get the functionality you have to write your own, omitting some of the things Windows normally does, such as registering the DLL as a loaded module in the process, potentially bypassing DLL load monitoring.

…