Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
299 item(s) found so far for this keyword.
Clearing Kernel Message Anti-Forensic
The dmesg -C command clears the kernel message buffer, which stores diagnostic messages generated by the kernel. These messages include logs about hardware interactions, system events, kernel module loads, and errors such as segmentation faults. The attacker can run this command to make sure that no trace of kernel-related activity, including any anomalies caused by exploitation, remains in the message …
Manipulating Debug Logs Anti-Forensic
Using the sed -i command, specific entries in debug logs, such as errors (segfault, SystemError) or trace information (e.g., filenames like main.cc), are surgically removed. This allows attackers to target only incriminating evidence without erasing the entire log file. The process preserves the structure and authenticity of the log while removing key evidence of exploitation or system errors.
…
Deleting Troubleshoot Information and Core Dumps Anti-Forensic
Commands like rm -rf /data/var/statedumps/* and rm -rf /data/var/cores/* delete state dumps and core dumps, which are generated when processes crash. These files contain memory snapshots, stack traces, and runtime states of processes at the time of failure. They are often used to debug and understand the causes of crashes or application malfunctions.
Attackers use this technique to eliminate …
Indirect Memory Writing Antivirus/EDR Evasion
In code-injection scenarios, for example, when a loader places a payload into memory for execution, many antimalware engines detect or block malicious activity at the moment the payload bytes are written into the newly allocated executable memory region. Attackers may try to evade such detection by avoiding direct writes to new memory region and instead relying on other, legitimate Windows …
Detecting Mac Address Sandbox Evasion
Virtualbox and VMware use specific virtual Mac address that can be detected by Malware.
- The usual mac address used by Virtualbox starts with the following number: 08:00:27.
- The usual mac address used by VMware starts with the following numbers: 00:0C:29, 00:1C:14, 00:50:56, 00:05:69.
Malware can use this simple trick to detect if it is running …
Detecting Virtual Environment Process Sandbox Evasion
Process related to Virtualbox can be detected by malware by query the process list.
The VMware Tools use processes like VMwareServices.exe or VMwareTray.exe, to perform actions on the virtual environment. A malware can list the process and searches for the VMware string. Process: VMwareService.exe, VMwareTray.exe, TPAutoConnSvc.exe, VMtoolsd.exe, VMwareuser.exe.
Detecting Virtual Environment Files Sandbox Evasion
Some files are created by Virtualbox and VMware on the system.
Malware can check the different folders to find Virtualbox artifacts like VBoxMouse.sys.
Malware can check the different folders to find VMware artifacts like vmmouse.sys, vmhgfs.sys.
Some Files Example
Below is a list of files that can be detected on virtual machines:
- "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\agent.pyw", …
SLDT, No Pill Sandbox Evasion
The No Pill technique is a method used by malware to determine whether it is running on a physical machine or a virtual machine. This technique relies on the fact that the Local Descriptor Table (LDT) is assigned to a processor, rather than to an operating system. On a physical machine, the location of the LDT will be zero, whereas …
SMSW Sandbox Evasion
Stores the machine status word into the destination operand.
STR Sandbox Evasion
Stores the segment selector from the Task Register (TR).