Impair Defenses: Impair Command History Logging Defense Evasion [Mitre]

Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.

Traffic Signaling: Socket Filters Defense Evasion [Mitre]

Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the libpcap library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through …

Virtualization/Sandbox Evasion: System Checks Defense Evasion [Mitre]

Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions …

SMB / Named Pipes Network Evasion

Named Pipes are a feature of the Windows operating system that allow for inter-process communication (IPC) using a pipe metaphor. These are particularly useful in networking scenarios as they can be made accessible over a network and facilitate a client-server model of communication. The SMB (Server Message Block) protocol is commonly used in Windows environments for shared access to files, …

Base64 Data Obfuscation

Base64 is a simple encoding scheme that is often used by malware to represent binary data in an ASCII string. This allows the malware to encode and transmit binary data, such as a payload or network traffic, in a way that is more compact and easier to transmit over text-based communication channels.

Base64 uses a 64-character alphabet to encode …

NOP Sled Anti-Disassembly

In computer security, a NOP slide is a sequence of NOP (no-operation) instructions that is inserted at the beginning of a code section. When a program branches to the start of this code section, it will "slide" through the NOP instructions until it reaches the desired, final destination. This technique is commonly used in software exploits to direct program execution …

Malvertising Others

Malvertising is a type of cyber attack that involves using online advertising as a means to spread malware. This is attractive to attackers because it allows them to easily reach a large number of users without having to directly compromise the websites hosting the ads. The ads themselves can be inserted into reputable and high-profile websites, which can help attackers …

Execution Guardrails: Environmental Keying Defense Evasion [Mitre]

Adversaries may environmentally key payloads or other features of malware to evade defenses and constraint execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Environmental keying is an implementation of Execution Guardrails that utilizes cryptographic techniques for deriving …

MPRESS Packers

MPRESS is a free packer. It makes programs and libraries smaller, and decrease start time when the application loaded from a slow removable media or from the network.

It uses in-place decompression technique, which allows to decompress the executable without memory overhead or other drawbacks; it also protects programs against reverse engineering by non-professional hackers. Programs compressed with MPRESS …

Themida Packers

Themida is a commercial known packer that embeds several features including anti-debugging, virtual machine emulation, encryption...

Anti-debugger techniques that detect/fool any kind of debugger
Anti-memory dumpers techniques for any Ring3 and Ring0 dumpers
Different encryption algorithms and keys in each protected application
Anti-API scanners techniques that avoids reconstruction …

Search Evasion Techniques

Search Result