Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
7 item(s) found so far for this keyword.
Dirty Vanity Process Manipulating
Dirty Vanity is a process injection technique that exploits the Windows forking (process reflection and snapshotting) feature to inject code into a new process.
It uses the RtlCreateProcessReflection
or NtCreateProcess[Ex]
primitives, along with the PROCESS_VM_OPERATION
, PROCESS_CREATE_THREAD
, and PROCESS_DUP_HANDLE
flags to reflect and execute code in a new process.
The technique also makes use of various methods, …
Process Injection: Dynamic-link Library Injection Defense Evasion [Mitre]
Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process.
DLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process …
Process Injection: Portable Executable Injection Defense Evasion [Mitre]
Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process.
PE injection is commonly performed by copying code (perhaps without a file on disk) into the virtual address space of the …
Process Injection: Thread Execution Hijacking Defense Evasion [Mitre]
Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process.
Thread Execution Hijacking is commonly performed by suspending an existing process then unmapping/hollowing its memory, which can then be replaced …
Process Injection: Process Hollowing Defense Evasion [Mitre]
Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.
Process hollowing is commonly performed by creating a process in a suspended state then unmapping/hollowing its memory, which can then be replaced with malicious code. …
Process Hollowing, RunPE Process Manipulating
Process hollowing is a technique used by malware to evade detection by injecting malicious code into a legitimate process. This technique involves creating a new instance of a legitimate process and replacing its original code with the malicious payload.
The process is the following:
CreateProcess
: in a suspended mode with the CreationFlag at 0x0000 0004.…
PE Injection Process Manipulating
Instead of passing the address of the LoadLibrary, malware can copy its malicious code into an existing open process and force it to execute (either via a small shellcode, or by calling CreateRemoteThread
).
One advantage of PE injection over the LoadLibrary
technique is that the malware does not have to drop a malicious DLL on the disk. The …