Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
299 item(s) found so far for this keyword.
Process Reimaging Process Manipulating
Process Reimaging is a technique used to evade detection by endpoint security solutions. It is a variation of the Process Hollowing or Process Doppelganging techniques, which are used to execute arbitrary code in the context of another process.
The Windows operating system has inconsistencies in how it determines the locations of process image FILE_OBJECTs, which can impact the ability …
RDTSCP Sandbox Evasion
Newer processors support a new instruction called RDTSCP which does the exact same thing as RDTSC, except that it does so serializing (meaning it waits for all instructions to execute before reading the counter. and that the possible reordering of the execution of the instructions is won that does not happen).
This instruction can be used to calculate the …
ConsoleWindowClass Process Manipulating
One method that has been used to achieve process injection is by manipulating the User Data of a window object.
The User Data of a window is a small amount of memory that is usually used to store a pointer to a class object. This memory can be set using the SetWindowLongPtr API and the GWLP_USERDATA parameter. In the …
CLIPBRDWNDCLASS Process Manipulating
CLIPBRDWNDCLASS is a window class that is registered by the Object Linking & Embedding (OLE) library (ole32.dll) to handle clipboard data. When a window of this class is created, it is assigned a number of window properties that store the addresses of various interfaces that are used to process clipboard data. These interfaces include the ClipboardDataObjectInterface, ClipboardRootDataObjectInterface, and …
Anti Yara Rules Others
Yara rules are used by malware researchers to identify and classify malware based on specific characteristics and behaviors. These rules are powerful because they allow researchers to quickly and accurately detect malware, even if it has been modified to avoid detection. However, attackers can also modify their malware to avoid detection by Yara rules.
This is often seen with …
Debug Registers, Hardware Breakpoints Anti-Debugging
Registers DR0 through DR3 contain the linear address associated with one of the four hardware breakpoint conditions. For anti-debugging, malware will check the contents of the first four debug registers to see if the hardware breakpoint has been set.
LocalSize(0) Anti-Debugging
The function LocalSize retrieves the current size of the specified local memory object, in bytes. By setting the hMem parameters with 0 will trigger an exception in a debugger that can be used as an anti-debugging mechanism.
Process Herpaderping Process Manipulating
Process Herpaderping is a method of obscuring the intentions of a process by modifying the content on a disk after the image has been mapped. This results in curious behavior by security products and the OS itself.
To abuse this convention, we first write a binary to a target file on a disk. Then, we map an image of …
Access Token Manipulation: Parent PID Spoofing Process Manipulating Defense Evasion [Mitre]
Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified.
One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the …
User Interaction (Are you human?) Sandbox Evasion
You can get an advantage against sandboxes by using user interaction techniques. For example, The average user has a username and password and as long as the user you are targeting does not enter their password correctly, you can prevent your malware execution and bypass the possible sandbox control.