• Home
  • Search
  • Map
  • Scan
  • Resources
    • Technique List
    • Snippet List
    • Detection Rule List
    • Featured Evasion API List
    • Contributors
    • Scanned Samples
  • Tools
  • About
  • API
    • Unprotect API
    • API Documentation
  • Avatar Login

Search Evasion Techniques

Names, Techniques, Definitions, Keywords

Clear

Search Result

30 item(s) found so far for this keyword.

Subvert Trust Controls: SIP and Trust Provider Hijacking Defense Evasion [Mitre]

Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In user mode, Windows Authenticode digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be …

Virtualization/Sandbox Evasion: System Checks Defense Evasion [Mitre]

Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions …

Detecting Virtual Environment Artefacts Sandbox Evasion

Qemu registers some artifacts into the registry. A malware can detect the Qemu installation with a look at the registry key HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 with the value of Identifier and the data of QEMU or HARDWARE\\Description\\System with a value of SystemBiosVersion and data of QEMU.

The VirtualBox Guest addition leaves many …

COM Hijacking Process Manipulating

COM hijacking is a technique used by adversaries to insert malicious code into the Windows operating system through the Microsoft Component Object Model (COM).

COM is a system that allows software components to interact with each other, and adversaries can abuse this system to execute their own code in place of legitimate software. To achieve this, they alter references …

Themida Packers

Themida is a commercial known packer that embeds several features including anti-debugging, virtual machine emulation, encryption...

  • Anti-debugger techniques that detect/fool any kind of debugger

  • Anti-memory dumpers techniques for any Ring3 and Ring0 dumpers

  • Different encryption algorithms and keys in each protected application

  • Anti-API scanners techniques that avoids reconstruction …

Windows Event Log Evasion via Native APIs Anti-Forensic

Attackers can leverage native Windows API calls to install malicious services without generating correlating entries in the event log. Using native APIs to install services instead of the standard API calls allow attackers to bypass security controls and event logging. This technique was utilised by Stuxnet.

Services are typically created through a standard Windows API call CreateServiceA or CreateService …

Hijack Execution Flow: DLL Search Order Hijacking Defense Evasion [Mitre]

Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.

There are many ways an …

Hide Artifacts: Hidden Users Defense Evasion [Mitre]

Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.

Adversaries may hide user accounts in Windows. Adversaries can set the HKLM\SOFTWARE\Microsoft\Windows …

Hijack Execution Flow: Path Interception by Unquoted Path Defense Evasion [Mitre]

Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.

Service paths and shortcut paths may also be vulnerable to path interception if the …

Hijack Execution Flow: COR_PROFILER Defense Evasion [Mitre]

Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, …

  • 1
  • 2
  • 3

The #UnprotectProject is brought to you by 🇫🇷 fr0gger_ and 🇫🇷 DarkCoderSc

Terms And Conditions | Cookie Policy | Cookies preferences | GDPR

Contribute Now