Unprotect Navbar Version Logo
  • Home
  • Techniques
  • Scan
  • Resources
    • Snippet List
    • Detection Rule List
    • Featured Evasion API List
    • Contributors
    • Scanned Samples
  • Tools
  • About
  • Avatar Login

Search For Content

Clear

Search Result

106 item(s) found so far for this keyword.

Pre-OS Boot: Bootkit
Defense Evasion [Mitre] icon
Defense Evasion [Mitre]

Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.

A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and …

Read more

Process Injection: Extra Window Memory Injection
Defense Evasion [Mitre] icon
Defense Evasion [Mitre]

Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.

Before creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate …

Read more

Process Injection: Process Doppelgänging
Defense Evasion [Mitre] icon
Defense Evasion [Mitre]

Adversaries may inject malicious code into process via process doppelgänging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelgänging is a method of executing arbitrary code in the address space of a separate live process.

Windows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations. To ensure data …

Read more

System Binary Proxy Execution: InstallUtil
Defense Evasion [Mitre] icon
Defense Evasion [Mitre]

Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v\InstallUtil.exe and …

Read more

Constant Blinding
Data Obfuscation icon
Data Obfuscation

Constant blinding can be employed by malware authors to obfuscate their malicious code, making it harder for security researchers and antivirus software to detect and analyze the malware. By using constant blinding techniques, the malware code can be concealed, increasing its chances of evading detection and maintaining persistence on the target system.

Here's how constant blinding can be utilized …

Read more

C2 via FTP(S)
Network Evasion icon
Network Evasion

C2 via FTP is a technique that utilizes the File Transfer Protocol (FTP) to establish command and control communication between an attacker and victim systems. It involves sending commands and receiving responses within FTP sessions, effectively using FTP as a conduit for covert communication.

To implement C2 via FTP, an attacker needs control over an FTP server, and must …

Read more

Right-to-Left Override (RLO) Extension Spoofing
Others icon
Others

The Right-to-Left Override (RLO) character (U+202E) is a Unicode control character used for bidirectional text formatting. It affects the way text is displayed, causing text following the RLO character to be rendered from right to left, which is typically used in languages like Arabic and Hebrew.

However, malicious actors have found a way to exploit this Unicode …

Read more

FuncIn
Antivirus/EDR Evasion icon
Antivirus/EDR Evasion
Anti-Debugging icon
Anti-Debugging
Anti-Disassembly icon
Anti-Disassembly
Anti-Forensic icon
Anti-Forensic

FuncIn involves a payload staging strategy wherein the entire set of malicious functionalities is not contained within the malware file itself or any third-party file/network location (e.g., a web server). Instead, these functionalities are transmitted over the network by the Command and Control (C2) server when required.

This approach addresses three primary issues in malware development. Firstly, it mitigates …

Read more

PyArmor
Packers icon
Packers

Pyarmor is a command-line tool primarily used for the obfuscation of Python scripts. While its original design aims to protect Python code from unauthorized access and reverse engineering, its capabilities also make it a tool of interest for malware obfuscation. Pyarmor achieves this through several key features, each with potential applications in both legitimate protection and malicious exploitation:

  • …
Read more

NtDelayExecution
Sandbox Evasion icon
Sandbox Evasion
Anti-Debugging icon
Anti-Debugging

NtDelayExecution can be used to delay the execution of the calling thread. NtDelayExecution accepts a parameter "DelayInterval", which is the number of milliseconds to delay. Once executed, NtDelayExecution "pauses" execution of the calling program whuch can cause a timeout of the sandbox or loss of control in a debugger.

Additionally, some higher level WinAPI functions invoke NtDelayExeuction. For example, …

Read more
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11

The #UnprotectProject is brought to you by 🇫🇷 fr0gger_ and 🇫🇷 DarkCoderSc

Terms And Conditions | GDPR

Contribute Now