Volume Shadow Copy Service (VSC,VSS) Deletion Anti-Forensic Defense Evasion [Mitre]

Deleting Volume Shadow Copy makes the forensic investigation more difficult in terms of the recovery of previous artifact evidence. In addition, attackers using ransomware often delete VSCs not to be able to recover the original files of the encrypted files from VSCs.

On the other hand, deleting by using vssadmin and WMIC is on a file system level, the …

Anti-UPX Unpacking Others

Anti-UPX Unpacking is the technique to prevent malware from being unpacked by tools like UPX. UPX packed binary indicates that the section names starting with UPX followed by a number (UPX0 and UPX1) and the string “UPX!” at the end of the PE header. This UPX reference structure is located at the end of the PE header and the header …

DTPacker Packers

DTPacker is a .NET packer or downloader which although seeing considerable variety in the first stage, uses a second stage with a fixed password as part of the decoding.

The main difference between a packer and a downloader is the location of the payload data which is embedded in the former and downloaded in the latter. DTPacker uses both …

CryptOne Packers

A packing software called CryptOne became popular among some major threat actors. It was first reported by Fox-IT that the group behind Wastedlocker has begun using it, as well as Netwalker, Gozi ISFB v3, ZLoader, Emotet, Dridex, and Smokeloader.

Hijack Execution Flow: DLL Search Order Hijacking Defense Evasion [Mitre]

Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.

There are many ways an …

Mark-Of-The-Web (MOTW) Bypass Antivirus/EDR Evasion

Mark-of-the-Web (MOTW) is a security feature originally introduced by Internet Explorer. When downloading a file, Internet Explorer creates an ADS named Zone.Identifier and adds a ZoneId to this stream to indicate from which zone the file originates. It is used on Windows OS to trigger a Windows Defender SmartScreen detection and raise an alert to the user about the file.

…

Homograph Attack (Punycode) Network Evasion

A homograph attack is a type of phishing attack that uses homoglyphs (characters that look similar to other characters) to create domain names or URLs that appear to be legitimate, but are actually controlled by an attacker. Homograph attacks take advantage of the fact that many languages have characters that are visually similar to characters used in other languages.

…

Unloading Module with FreeLibrary Antivirus/EDR Evasion

Malware authors often use various techniques to evade detection by AV/EDR solutions. One such technique involves checking for the presence of AV/EDR DLLs that may be loaded in the malware's address space and attempting to unload them before executing their malicious code.

To do this, the malware first uses the GetModuleHandleA function to retrieve a handle to the DLL, …

ScrubCrypt Packers

ScrubCrypt is a malware obfuscation and encryption framework, derived from the earlier JLaive Batchfuscator crypter. It is designed to aid cybercriminals in evading detection and analysis by using a variety of techniques to conceal and protect the malicious software.

ScrubCrypt is advertised on cybercrime forums to employ encryption, code morphing, and (allegedly) polymorphism to create obfuscated malware payloads that …

Hell's Gate Antivirus/EDR Evasion

The Hell's Gate technique refers to a specific method used by malware authors to make their software more difficult to detect and analyze. The technique involves the use of a custom native API resolver to resolve Windows API functions at runtime dynamically.

By using Hell's Gate, malware can avoid referencing the Windows API functions directly in the Import Address …

Search Evasion Techniques

Search Result