• Home
  • Search
  • Map
  • Scan
  • Resources
    • Technique List
    • Snippet List
    • Detection Rule List
    • Featured Evasion API List
    • Contributors
    • Scanned Samples
  • Tools
  • About
  • API
    • Unprotect API
    • API Documentation
  • Avatar Login

Search Evasion Techniques

Names, Techniques, Definitions, Keywords

Clear

Search Result

11 item(s) found so far for this keyword.

Detecting Running Process: EnumProcess API Sandbox Evasion Anti-Debugging Anti-Monitoring

Anti-monitoring is a technique used by malware to prevent security professionals from detecting and analyzing it. One way that malware can accomplish this is by using the EnumProcess function to search for specific processes, such as ollydbg.exe or wireshark.exe, which are commonly used by security professionals to monitor and analyze running processes on a system.

By detecting these processes …

Parent Process Detection Anti-Monitoring

Parent process is a technique used by malware to evade detection by security analysts. The parent process of a given process is the process that spawned it.

For example, most user processes on a Windows system have explorer.exe as their parent process. By checking the parent process of a given process, malware can determine whether it is being monitored …

Kill Process Anti-Monitoring

Malware often employs techniques to evade detection and hinder the efforts of security experts in analyzing its behavior. One notable method involves terminating processes associated with anti-virus software or monitoring tools.

For example, malware may specifically target processes like wireshark.exe, ida.exe, or procmon.exe, which are frequently used by analysts to observe and scrutinize running processes on a system. By …

Access Token Manipulation: Parent PID Spoofing Process Manipulating Defense Evasion [Mitre]

Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified.

One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the …

Direct Volume Access Defense Evasion [Mitre]

Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools.

Utilities, …

Reflective DLL injection Process Manipulating

Reflective DLL loading refers to loading a DLL from memory rather than from disk. Windows doesn’t have a LoadLibrary function that supports this, so to get the functionality you have to write your own, omitting some of the things Windows normally does, such as registering the DLL as a loaded module in the process, potentially bypassing DLL load monitoring.

…

DNS API Injection Process Manipulating

DNS API injection is a technique used by malware to evade detection by intercepting and modifying DNS (Domain Name System) requests made by a host system. The technique involves injecting code into the DNS API (Application Programming Interface) of the host system, which is a set of functions and protocols that allow communication with the DNS service. By injecting code …

Masquerading: Rename System Utilities Defense Evasion [Mitre]

Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). An alternative case occurs when a …

C2 via FTP(S) Network Evasion

C2 via FTP is a technique that utilizes the File Transfer Protocol (FTP) to establish command and control communication between an attacker and victim systems. It involves sending commands and receiving responses within FTP sessions, effectively using FTP as a conduit for covert communication.

To implement C2 via FTP, an attacker needs control over an FTP server, and must …

SMB / Named Pipes Network Evasion

Named Pipes are a feature of the Windows operating system that allow for inter-process communication (IPC) using a pipe metaphor. These are particularly useful in networking scenarios as they can be made accessible over a network and facilitate a client-server model of communication. The SMB (Server Message Block) protocol is commonly used in Windows environments for shared access to files, …

  • 1
  • 2

The #UnprotectProject is brought to you by 🇫🇷 DarkCoderSc and 🇫🇷 fr0gger_

Terms And Conditions | Cookie Policy | Cookies preferences | GDPR

Contribute Now