Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
257 item(s) found so far for this keyword.
Modify Authentication Process: Hybrid Identity Defense Evasion [Mitre]
Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts.
Many organizations maintain hybrid user and device identities that are shared between on-premises and cloud-based environments. These can be maintained in a number of ways. For example, …
Modify Registry Defense Evasion [Mitre]
Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility Reg may be used for local …
Obfuscated Files or Information: Steganography Defense Evasion [Mitre]
Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.
Duqu was an early example of malware that used steganography. It encrypted the gathered information from a victim's system and hid it within an …
Obfuscated Files or Information: Compile After Delivery Defense Evasion [Mitre]
Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.
Source code payloads may also be encrypted, encoded, and/or …
Obfuscated Files or Information: HTML Smuggling Defense Evasion [Mitre]
Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files …
Obfuscated Files or Information: Dynamic API Resolution Defense Evasion [Mitre]
Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis. Malware commonly uses various Native API functions provided by the OS to perform various tasks such as those involving processes, files, and other system artifacts.
API functions called by malware may leave static artifacts such as strings …
Obfuscated Files or Information: Stripped Payloads Defense Evasion [Mitre]
Adversaries may attempt to make a payload difficult to analyze by removing symbols, strings, and other human readable information. Scripts and executables may contain variables names and other strings that help developers document code functionality. Symbols are often created by an operating system’s linker when executable payloads are compiled. Reverse engineers use these symbols and strings to analyze code and …
Obfuscated Files or Information: Embedded Payloads Defense Evasion [Mitre]
Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. In some cases, embedded payloads may also enable adversaries to Subvert Trust Controls by not impacting execution controls such as digital signatures and notarization tickets.
Adversaries …
Pre-OS Boot: Component Firmware Defense Evasion [Mitre]
Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to System Firmware but conducted upon other system components/devices that may not have the same capability …
Pre-OS Boot: Bootkit Defense Evasion [Mitre]
Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and …