Search Evasion Techniques
Names, Techniques, Definitions, Keywords
30 item(s) found so far for this keyword.
Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor …
Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process.
TLS callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to …
Masquerading is a technique used by malware to evade detection by disguising itself as a legitimate file. This is typically achieved by renaming the malicious file to match the name of a commonly found and trusted file, such as
svchost.exe, and placing it in a legitimate folder.
Masquerading can occur when the name or location of an executable, whether …
Jump with the same target is an anti-disassembling technique that involves using back-to-back conditional jump instructions that both point to the same target. This can make it difficult for a disassembler to accurately reconstruct the original instructions of the program, as the disassembler will not be able to determine the intended behavior of the program without actually executing it.
Process hollowing is a technique used by malware to evade detection by injecting malicious code into a legitimate process. This technique involves creating a new instance of a legitimate process and replacing its original code with the malicious payload.
The process is the following:
CreateProcess: in a suspended mode with the CreationFlag at 0x0000 0004.
GetThreadContext: retrieves the …
Process Reimaging is a technique used to evade detection by endpoint security solutions. It is a variation of the Process Hollowing or Process Doppelganging techniques, which are used to execute arbitrary code in the context of another process.
The Windows operating system has inconsistencies in how it determines the locations of process image FILE_OBJECTs, which can impact the ability of …
Anti-monitoring is a technique used by malware to prevent security professionals from detecting and analyzing it. One way that malware can accomplish this is by using the
EnumProcess function to search for specific processes, such as ollydbg.exe or wireshark.exe, which are commonly used by security professionals to monitor and analyze running processes on a system.
By detecting these processes and …
This function is undocumented within
OpenProcess. It can be used to get the PID of CRSS.exe, which is a
SYSTEM process. By default, a process has the
SeDebugPrivilege privilege in their access token disabled.
However, when the process is loaded by a debugger such as OllyDbg or WinDbg, the
SeDebugPrivilege privilege is enabled. If a process is able to …
Parent process is a technique used by malware to evade detection by security analysts. The parent process of a given process is the process that spawned it.
For example, most user processes on a Windows system have explorer.exe as their parent process. By checking the parent process of a given process, malware can determine whether it is being monitored by …
This function retrieves information about a running process. Malware are able to detect if the process is currently being attached to a debugger using the
ProcessDebugPort (0x7) information class.
A nonzero value returned by the call indicates that the process is being debugged.