Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
157 item(s) found so far for this keyword.
FuncIn Antivirus/EDR Evasion Anti-Debugging Anti-Disassembly Anti-Forensic
FuncIn involves a payload staging strategy wherein the entire set of malicious functionalities is not contained within the malware file itself or any third-party file/network location (e.g., a web server). Instead, these functionalities are transmitted over the network by the Command and Control (C2) server when required.
This approach addresses three primary issues in malware development. Firstly, it mitigates …
NixImports Packers
A .NET malware loader employs API-Hashing and dynamic invocation to circumvent static analysis. NixImports utilizes managed API-Hashing to dynamically determine most of its required functions during runtime. For function resolution, HInvoke needs two specific hashes: typeHash and methodHash, representing the type name and the method's full name, respectively. At runtime, HInvoke scans the entire mscorlib to locate the corresponding type …
Runtime Function Decryption Antivirus/EDR Evasion
This technique is used to store the function body in an encrypted form. They will only be decrypted just before the execution of that code and will be re-encrypted after the code has been executed.
This technique is used by SmokeLoader to evade anti-virus and EDRs, since the function body is in encrypted form except at the time of …
Cronos-Crypter Packers
Cronos-Crypter is an open-source crypter publicly available on GitHub. The crypter applies AES encryption or XOR obfuscation to a selected payload before storing it as a .NET resource of a final generated .NET executable payload. Cronos-Crypter contains multiple capabilties for persistence and defense evasion. An operator may select persistence via a Windows Registry autorun key or a Scheduled Task. An …
VboxEnumShares Sandbox Evasion
This method represents a variation of the WNetGetProviderName(WNNC_NET_RDR2SAMPLE, ...) approach, which is typically employed to determine if the network share's provider name is specific, such as VirtualBox. Instead of relying on this well-established technique, we utilize WNetOpenEnum and WNetEnumResource functions to iterate through each network resource. The primary objective is to identify VirtualBox shared folders, which typically feature "VirtualBox" or …
WinDefAVEmu_goatfiles Sandbox Evasion
Goat files inside Defender AV Emulator's file system. Often used in PE malware as an evasion technique to evade executing in Windows Defender's AV Emulator.
bochs CPU oversights evasion Sandbox Evasion
bochs has multiple oversights in its CPU emulation, which allows us to detect if we're running in a bochs emulator:
bochs may have invalid CPU brands that don't exist.
- For AMD CPUs, the "p" in "processor" should be in capital, which bochs doesn't implement.
- AMD CPUs have easter eggs for their K7 and K8 CPUs ("IT'S …
VBA Purging Antivirus/EDR Evasion
VBA Purging is an obfuscation technique designed to evade detection mechanisms used in malware analysis. When a VBA macro is added to a Microsoft Office document, it is stored in two sections: the PerformanceCache (compiled VBA code) and the CompressedSourceCode (compressed VBA source code). In VBA Purging, the PerformanceCache (compiled code) is completely removed from the module stream, along with …
Replication Through Removable Media Defense Evasion [Mitre] Others
Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes.
Event Triggered Execution: Linux Inotify Process Manipulating
Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries.