Search Evasion Techniques
Search Result
173 item(s) found so far for this keyword.
Pre-OS Boot: Bootkit Defense Evasion [Mitre]
Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and …
Process Injection: Dynamic-link Library Injection Defense Evasion [Mitre]
Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process.
DLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process …
Process Injection: Portable Executable Injection Defense Evasion [Mitre]
Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process.
PE injection is commonly performed by copying code (perhaps without a file on disk) into the virtual address space of the …
Process Injection: Thread Execution Hijacking Defense Evasion [Mitre]
Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process.
Thread Execution Hijacking is commonly performed by suspending an existing process then unmapping/hollowing its memory, which can then be replaced …
Process Injection: Asynchronous Procedure Call Defense Evasion [Mitre]
Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process.
APC injection is commonly performed by attaching malicious code to the APC Queue of a …
Process Injection: Thread Local Storage Defense Evasion [Mitre]
Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process.
TLS callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process …
Process Injection: Extra Window Memory Injection Defense Evasion [Mitre]
Adversaries may inject malicious code into processes via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Before creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate …
Process Injection: Process Doppelgänging Defense Evasion [Mitre]
Adversaries may inject malicious code into processes via process doppelgänging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelgänging is a method of executing arbitrary code in the address space of a separate live process.
Windows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations. To ensure data …
Subvert Trust Controls: Code Signing Defense Evasion [Mitre]
Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. The certificates used during an operation may be created, acquired, or stolen by the adversary. Unlike Invalid Code Signature, this activity …
Subvert Trust Controls: SIP and Trust Provider Hijacking Defense Evasion [Mitre]
Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In user mode, Windows Authenticode digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be …