Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
46 item(s) found so far for this keyword.
.Net Reactor Packers
.NET Reactor is used to prevent reverse engineering by adding different protection layers to .NET assemblies. Beside standard obfuscation techniques it includes special features like NecroBit, Virtualization, x86 Code Generation or Anti Tampering.
Domain Member Sandbox Evasion
This technique determines if a host is a member of an Active Directory Domain without API calls. It helps prevent malicious payload execution in enterprise sandboxes that are not members of an Active Directory domain. The validation is done by checking the "LoggonServer" and "ComputerName" environment variables. If the host is logged into a domain controller, the "LoggonServer" value will …
Hide Artifacts: Hidden Files and Directories Defense Evasion [Mitre]
Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users …
Hide Artifacts: Hidden Users Defense Evasion [Mitre]
Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.
Adversaries may hide user accounts in Windows. Adversaries can set the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList …
Hijack Execution Flow: Executable Installer File Permissions Weakness Defense Evasion [Mitre]
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten …
Hijack Execution Flow: Services File Permissions Weakness Defense Evasion [Mitre]
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory …
Indicator Removal: Clear Persistence Defense Evasion [Mitre]
Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, Modify Registry, Plist File Modification, or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.
In some instances, artifacts of persistence may also be removed …
Indirect Command Execution Defense Evasion [Mitre]
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd.
Adversaries may abuse these features for Defense Evasion, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage …
Obfuscated Files or Information: Steganography Defense Evasion [Mitre]
Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.
Duqu was an early example of malware that used steganography. It encrypted the gathered information from a victim's system and hid it within an image …
Process Injection: Extra Window Memory Injection Defense Evasion [Mitre]
Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Before creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance …