Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
52 item(s) found so far for this keyword.
Onset Delay Sandbox Evasion
Malware will delay execution to avoid analysis by the sample. For example, a Ping can be perform during a time defined. Unlike extended sleep that will use the Sleep function, onset delay will use another way to delay execution.
The purpose of such evasive code is to delay the execution of malicious activity long enough so that automated analysis …
Volume Shadow Copy Service (VSC,VSS) Deletion Anti-Forensic Defense Evasion [Mitre]
Deleting Volume Shadow Copy makes the forensic investigation more difficult in terms of the recovery of previous artifact evidence. In addition, attackers using ransomware often delete VSCs not to be able to recover the original files of the encrypted files from VSCs.
On the other hand, deleting by using vssadmin and WMIC is on a file system level, the …
BobSoft Mini Delphi Packer Packers
The Delphi programming language can be an easy way to write applications and programs that leverage Windows API functions. In fact, some actors deliberately include the default libraries as a diversion to hamper static analysis and make the application "look legit" during dynamic analysis.
The packer goes to great lengths to ensure that it is not running in an …
Indicator Removal: File Deletion Defense Evasion [Mitre]
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a …
Obfuscated Files or Information: Compile After Delivery Defense Evasion [Mitre]
Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.
Source code payloads may also be encrypted, encoded, and/or …
NtDelayExecution Sandbox Evasion Anti-Debugging
NtDelayExecution can be used to delay the execution of the calling thread. NtDelayExecution accepts a parameter "DelayInterval", which is the number of milliseconds to delay. Once executed, NtDelayExecution "pauses" execution of the calling program whuch can cause a timeout of the sandbox or loss of control in a debugger.
Additionally, some higher level WinAPI functions invoke NtDelayExeuction. For example, …
COM Hijacking Process Manipulating
COM hijacking is a technique used by adversaries to insert malicious code into the Windows operating system through the Microsoft Component Object Model (COM).
COM is a system that allows software components to interact with each other, and adversaries can abuse this system to execute their own code in place of legitimate software. To achieve this, they alter references …
Fast Flux Network Evasion
Fast flux is a technique used by botnets to conceal the location of their phishing and malware delivery sites by using a constantly changing network of compromised hosts as proxies. This makes it difficult for law enforcement and other security actors to track down and shut down the sites, as the IP addresses of the sites are constantly changing.
…
File Melt Others
File melting is a technique that malware uses to delete itself after it has been installed on a system. This is often done in order to avoid detection by antivirus programs or other security measures. The process of file melting involves overwriting the file with random data, making it impossible to recover the original file or to detect the presence …
Domain Policy Modification: Group Policy Modification Defense Evasion [Mitre]
Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predicable network path \\SYSVOL\\Policies.
…