Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
99 item(s) found so far for this keyword.
NOP Sled Anti-Disassembly
In computer security, a NOP slide is a sequence of NOP (no-operation) instructions that is inserted at the beginning of a code section. When a program branches to the start of this code section, it will "slide" through the NOP instructions until it reaches the desired, final destination. This technique is commonly used in software exploits to direct program execution …
DNS Tunneling Network Evasion Defense Evasion [Mitre]
DNS tunneling is a technique that uses the Domain Name System (DNS) protocol to transfer data in an encrypted and covert manner. It involves encoding the data of other programs or protocols in DNS queries and responses, and using DNS servers as a means of communication.
To carry out DNS tunneling, the attacker typically needs access to a compromised …
Process Reimaging Process Manipulating
Process Reimaging is a technique used to evade detection by endpoint security solutions. It is a variation of the Process Hollowing or Process Doppelganging techniques, which are used to execute arbitrary code in the context of another process.
The Windows operating system has inconsistencies in how it determines the locations of process image FILE_OBJECTs, which can impact the ability …
RDTSCP Sandbox Evasion
Newer processors support a new instruction called RDTSCP which does the exact same thing as RDTSC, except that it does so serializing (meaning it waits for all instructions to execute before reading the counter. and that the possible reordering of the execution of the instructions is won that does not happen).
This instruction can be used to calculate the …
ConsoleWindowClass Process Manipulating
One method that has been used to achieve process injection is by manipulating the User Data of a window object.
The User Data of a window is a small amount of memory that is usually used to store a pointer to a class object. This memory can be set using the SetWindowLongPtr API and the GWLP_USERDATA parameter. In the …
Treepoline Process Manipulating
Tree-view controls are a type of user interface element that is used to display hierarchical data in a graphical user interface (GUI). They are commonly used in Windows applications and allow users to navigate and explore complex data structures.
To display its content, a tree-view control must sort the items it shows. The sorting routine for a tree-view control …
OLEUM Process Manipulating
Edit controls are a type of user interface element that allows a user to enter and edit text in a graphical user interface (GUI). They are commonly used in Windows applications and can be embedded directly into a GUI or subclassed as a separate window. Edit controls can be set to display text in multiline mode, in which case they …
Breaking BaDDEr Process Manipulating
Dynamic Data Exchange (DDE) is a protocol that allows applications to share data with each other. The Dynamic Data Exchange Management Library (DDEML) is a set of functions that facilitate data sharing using the DDE protocol. DDE and DDEML are commonly used in Microsoft Office to enable data to be shared between applications. In October 2017, a vulnerability was discovered …
Process Herpaderping Process Manipulating
Process Herpaderping is a method of obscuring the intentions of a process by modifying the content on a disk after the image has been mapped. This results in curious behavior by security products and the OS itself.
To abuse this convention, we first write a binary to a target file on a disk. Then, we map an image of …
Process Ghosting Process Manipulating
Process Ghosting is a technique used to bypass detection by manipulating the executable image when a process is loaded.
Windows attempts to prevent mapped executables from being modified. Once a file is mapped into an image section, attempts to open it with FILE_WRITE_DATA (to modify it) will fail with ERROR_SHARING_VIOLATION. Deletion attempts via FILE_DELETE_ON_CLOSE/FILE_FLAG_DELETE_ON_CLOSE fail with …