Right-to-Left Override (RLO) Extension Spoofing
The Right-to-Left Override (RLO) character (U+202E) is a Unicode control character used for bidirectional text formatting. It affects the way text is displayed, causing text following the RLO character to be rendered from right to left, which is typically used in languages like Arabic and Hebrew.
However, malicious actors have found a way to exploit this Unicode …
SMB / Named Pipes
Named Pipes are a feature of the Windows operating system that allow for inter-process communication (IPC) using a pipe metaphor. These are particularly useful in networking scenarios as they can be made accessible over a network and facilitate a client-server model of communication. The SMB (Server Message Block) protocol is commonly used in Windows environments for shared access to files, …
Process Argument Spoofing
Process Argument Spoofing is a technique used by attackers to hide their true intentions by changing the command line arguments of a process after it has started.
On Windows, this is done by tampering with the Process Environment Block (PEB).
The PEB is a structure in Windows that holds various information about a running process. Within the PEB, there's …
FuncIn
FuncIn involves a payload staging strategy wherein the entire set of malicious functionalities is not contained within the malware file itself or any third-party file/network location (e.g., a web server). Instead, these functionalities are transmitted over the network by the Command and Control (C2) server when required.
This approach addresses three primary issues in malware development. Firstly, it mitigates …
NixImports
A .NET malware loader employs API-Hashing and dynamic invocation to circumvent static analysis. NixImports utilizes managed API-Hashing to dynamically determine most of its required functions during runtime. For function resolution, HInvoke needs two specific hashes: typeHash and methodHash, representing the type name and the method's full name, respectively. At runtime, HInvoke scans the entire mscorlib to locate the corresponding type …
Runtime Function Decryption
This technique stores the function body in encrypted form. The body is decrypted only immediately before that code executes and is re-encrypted once the code has finished executing.
This technique is used by SmokeLoader to evade anti-virus and EDRs, since the function body is in encrypted form except at the time of …
Cronos-Crypter
Cronos-Crypter is an open-source crypter publicly available on GitHub. The crypter applies AES encryption or XOR obfuscation to a selected payload before storing it as a .NET resource of a final generated .NET executable payload. Cronos-Crypter contains multiple capabilities for persistence and defense evasion. An operator may select persistence via a Windows Registry autorun key or a Scheduled Task. An …
VboxEnumShares
This method represents a variation of the WNetGetProviderName(WNNC_NET_RDR2SAMPLE, ...) approach, which is typically employed to determine if the network share's provider name is specific, such as VirtualBox. Instead of relying on this well-established technique, we utilize WNetOpenEnum and WNetEnumResource functions to iterate through each network resource. The primary objective is to identify VirtualBox shared folders, which typically feature "VirtualBox" or …
WinDefAVEmu_goatfiles
Goat files inside Defender AV Emulator's file system. Often used in PE malware as a technique to evade execution inside Windows Defender's AV emulator.
bochs CPU oversights evasion
bochs has multiple oversights in its CPU emulation, which allows us to detect if we're running in a bochs emulator:
- bochs may have invalid CPU brands that don't exist.
- For AMD CPUs, the "p" in "processor" should be capitalized, which bochs doesn't implement.
- AMD CPUs have easter eggs for their K7 and K8 CPUs ("IT'S …