Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
175 item(s) found so far for this keyword.
BuildCommDCBAndTimeoutA Sandbox Evasion
This technique uses a BuildCommDCBAndTimeoutsA
API call to determine if the malware is detonating in a sandbox. Normally, a bogus device string would cause this API call to fail. However, some malware sandbox environments may emulate in a way that allows the API call to succeed even when given a bogus device string.
BlockInput Others
As per Microsoft's documentation, BlockInput
function "prevents keyboard and mouse input events from reaching applications," effectively restricting user interaction with the system.
Malware occasionally employs this tactic to hinder analysis by debuggers or other analysis tools throughout the process' runtime. To deactivate the block, the program must make a live call to BlockInput
with the parameter 0. Windows automatically …
NtDelayExecution Sandbox Evasion Anti-Debugging
NtDelayExecution can be used to delay the execution of the calling thread. NtDelayExecution accepts a parameter "DelayInterval", which is the number of milliseconds to delay. Once executed, NtDelayExecution "pauses" execution of the calling program whuch can cause a timeout of the sandbox or loss of control in a debugger.
Additionally, some higher level WinAPI functions invoke NtDelayExeuction. For example, …
VboxEnumShares Sandbox Evasion
This method represents a variation of the WNetGetProviderName(WNNC_NET_RDR2SAMPLE, ...)
approach, which is typically employed to determine if the network share's provider name is specific, such as VirtualBox. Instead of relying on this well-established technique, we utilize WNetOpenEnum
and WNetEnumResource
functions to iterate through each network resource. The primary objective is to identify VirtualBox shared folders, which typically feature "VirtualBox" or …
WinDefAVEmu_goatfiles Sandbox Evasion
Goat files inside Defender AV Emulator's file system. Often used in PE malware as an evasion technique to evade executing in Windows Defender's AV Emulator.
VBA Purging Antivirus/EDR Evasion
VBA Purging is an obfuscation technique designed to evade detection mechanisms used in malware analysis. When a VBA macro is added to a Microsoft Office document, it is stored in two sections: the PerformanceCache (compiled VBA code) and the CompressedSourceCode (compressed VBA source code). In VBA Purging, the PerformanceCache (compiled code) is completely removed from the module stream, along with …
Replication Through Removable Media Defense Evasion [Mitre] Others
Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes.
Default Windows Wallpaper Check Sandbox Evasion
Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. In this particular case, the malware checks to see if the wallpaper set on the machine is the default Windows …
Exfiltration via SMTP Network Evasion
Exfiltration via SMTP is a technique where attackers leverage the Simple Mail Transfer Protocol (SMTP) to exfiltrate data. This method involves sending stolen data, such as sensitive files or system information, via email to an attacker-controlled email account. By using email traffic, attackers can often bypass traditional network monitoring solutions since SMTP traffic is usually deemed legitimate.
To execute …
kernel flag inspection via sysctl Anti-Debugging
The sysctl
anti-debugging technique can be abused by malware to detect and evade debugging tools on macOS or BSD-like systems. By querying the kernel for process information, malware checks flags (e.g., 0x800
) to see if a debugger is attached. If detected, the malware can terminate, alter behavior, or enter a dormant state to avoid analysis.
This technique blends …