Search For Content
Search Result
299 item(s) found so far for this keyword.
NixImports
A .NET malware loader employs API-Hashing and dynamic invocation to circumvent static analysis. NixImports utilizes managed API-Hashing to dynamically determine most of its required functions during runtime. For function resolution, HInvoke needs two specific hashes: typeHash and methodHash, representing the type name and the method's full name, respectively. At runtime, HInvoke scans the entire mscorlib to locate the corresponding type …
Read moreLimeCrypter
Limecrypter is a sophisticated obfuscation tool designed for both native and .NET files. It employs a unique approach to secure payloads by encrypting them within a .NET-based stub. This stub acts as a container for the encrypted payload, ensuring its contents remain concealed until execution.
Read moreHyper-V Signature
Hyper-V has a signature value of "Hv#1" in eax if leaf 0x40000001 is provided to CPUID.
Odd Thread Count
The thread count of the CPU must be an even number, which allows us to detect whether the thread count has been modified through the VM creation stage. If the thread count is not an even number, this is a sign of thread tampering (with a few exceptions which are already covered).
Read moreCronos-Crypter
Cronos-Crypter is an open-source crypter publicly available on GitHub. The crypter applies AES encryption or XOR obfuscation to a selected payload before storing it as a .NET resource of a final generated .NET executable payload. Cronos-Crypter contains multiple capabilties for persistence and defense evasion. An operator may select persistence via a Windows Registry autorun key or a Scheduled Task. An …
Read moreAl-Khaser_WriteWatch
Default invalid parameter values of Al-Khaser's Anti-Debug technique (VirtualAlloc/MEM_WRITE_WATCH). Used for checking API hooks in debuggers/sandboxes.
Read morebochs CPU oversights evasion
bochs has multiple oversights in its CPU emulation, which allows us to detect if we're running in a bochs emulator:
bochs may have invalid CPU brands that don't exist.
- For AMD CPUs, the "p" in "processor" should be in capital, which bochs doesn't implement.
- AMD CPUs have easter eggs for their K7 and K8 CPUs ("IT'S …
QEMU CPU brand evasion
QEMU has the CPU brand value of "QEMU Virtual CPU" if KVM is not based on the VM
Read moreWMI Event Subscriptions
Adversaries may leverage WMI event subscriptions to evade detection by triggering malicious actions only under specific conditions that are unlikely to occur in a sandboxed environment. For instance, a threat actor might configure an event subscription to monitor file system, network, or logon activity, ensuring that their second-stage payload is only downloaded and executed when a particular event suggests real …
Read more