Search Evasion Techniques

Search Result

257 item(s) found so far for this keyword.

INT 0x2D Anti-Debugging

When the instruction INT2D is executed, the exception EXCEPTION_BREAKPOINT is raised. Windows uses the EIP register as an exception address and then increments the EIP register value. Windows also examines the value of the EAX register while INT2D is executed.

ICE 0xF1 Anti-Debugging

ICEBP is an undocumented instruction that serves as a single byte interrupt 1, generating a single step exception. It can be used to detect if the program is traced.

Windows Event Log Evasion via Native APIs Anti-Forensic

Attackers can leverage native Windows API calls to install malicious services without generating correlating entries in the event log. Using native APIs to install services instead of the standard API calls allows attackers to bypass security controls and event logging. This technique was utilised by Stuxnet.

Services are typically created through a standard Windows API call CreateServiceA or CreateService …

FLIRT Signatures Evasion Anti-Disassembly

FLIRT Signature evasion is a technique used by malware to hide malicious code inside legitimate functions from known libraries. FLIRT (Fast Library Identification and Recognition Technology) is a database that contains signature patterns for identifying known functions from legitimate libraries.

Malware authors can abuse these signatures by modifying or adding specific bytes to the code, so that it appears …

DLL Proxying Process Manipulating

DLL proxying is a technique used by malware to evade detection and gain persistence on a system. It involves replacing a legitimate DLL with a malicious DLL that has the same exported functions and is named similarly to the legitimate DLL.

When a program attempts to load the legitimate DLL, it will instead load the malicious DLL, which acts …

Hijack Execution Flow: DLL Search Order Hijacking Defense Evasion [Mitre]

Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.

There are many ways an …

Tamper DLL Export Names & GetProcAddress Spoofing Process Manipulating

When a process is running, it is possible to change the results of the call to GetProcAddress API, for the exported functions of a module along with modifying the export's offsets and name at runtime.

For example, the offset of kernel32.dll's function VirtualAlloc can be changed to the offset of another function. When VirtualAlloc is called (after getting its …

Mark-Of-The-Web (MOTW) Bypass Antivirus/EDR Evasion

Mark-of-the-Web (MOTW) is a security feature originally introduced by Internet Explorer. When downloading a file, Internet Explorer creates an ADS named Zone.Identifier and adds a ZoneId to this stream to indicate from which zone the file originates. It is used on Windows OS to trigger a Windows Defender SmartScreen detection and raise an alert to the user about the file.

…

Milfuscator Packers

Milfuscator is a tool used to obfuscate the code in a Portable Executable (PE) file by modifying and expanding the existing code in the ".text" section, without creating any new sections. It does this using the Zydis and AsmJit libraries, and is based on the concept of code mutation from a P2C project for the game Counter-Strike: Global Offensive. The …

Domain Fronting Network Evasion Defense Evasion [Mitre]

Domain fronting is a technique used to hide the true destination of internet traffic. It may be used to hide the real destination of an offensive payload, or it could be used to bypass censorship or any form of network restriction. The technique may be used through CDN infrastructure or on any infrastructure that performs separation between SSL and HTTP …

The #UnprotectProject is brought to you by 🇫🇷 DarkCoderSc and 🇫🇷 fr0gger_
