Search Evasion Techniques
Names, Techniques, Definitions, Keywords
7 item(s) found so far for this keyword.
Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility Reg may be used for local or …
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry …
Image File Execution Options Injection, also known as IFEO Injection, is a technique used by malware to evade detection and persist on a compromised system.
The technique involves modifying the Image File Execution Options (IFEO) registry key, which is used by the Windows operating system to set debugging options for executable files. When an executable file is launched, the operating …
Qemu registers some artifacts into the registry. A malware can detect the Qemu installation with a look at the registry key
HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 with the value of
Identifier and the data of
HARDWARE\\Description\\System with a value of
SystemBiosVersion and data of
The VirtualBox Guest addition leaves many artifacts …
Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, Modify Registry, Plist File Modification, or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.
In some instances, artifacts of persistence may also be removed …
Dll injection through registry modification of NLS code page ID is a technique used by malware to inject a malicious DLL into a process by modifying the NLS code page ID in the registry.
There are two ways to accomplish this technique:
1. Calling the
SetThreadLocale function and setting up an export function named
NlsDllCodePageTranslation, where the main payload …
Register reassignment is a technique used in code obfuscation and anti-disassembling to make reverse engineering and analysis more difficult. It involves modifying the instructions in a program to use different registers in different versions or instances of the program. This can make it more difficult for a reverse engineer or disassembler to understand the program's behavior, as the register assignments …