Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
249 item(s) found so far for this keyword.
VboxEnumShares Sandbox Evasion
This method represents a variation of the WNetGetProviderName(WNNC_NET_RDR2SAMPLE, ...)
approach, which is typically employed to determine if the network share's provider name is specific, such as VirtualBox. Instead of relying on this well-established technique, we utilize WNetOpenEnum
and WNetEnumResource
functions to iterate through each network resource. The primary objective is to identify VirtualBox shared folders, which typically feature "VirtualBox" or …
WinDefAVEmu_goatfiles Sandbox Evasion
Goat files inside Defender AV Emulator's file system. Often used in PE malware as an evasion technique to evade executing in Windows Defender's AV Emulator.
Al-Khaser_WriteWatch Anti-Debugging
Default invalid parameter values of Al-Khaser's Anti-Debug technique (VirtualAlloc/MEM_WRITE_WATCH). Used for checking API hooks in debuggers/sandboxes.
VBA Purging Antivirus/EDR Evasion
VBA Purging is an obfuscation technique designed to evade detection mechanisms used in malware analysis. When a VBA macro is added to a Microsoft Office document, it is stored in two sections: the PerformanceCache (compiled VBA code) and the CompressedSourceCode (compressed VBA source code). In VBA Purging, the PerformanceCache (compiled code) is completely removed from the module stream, along with …
SMSW Sandbox Evasion
Stores the machine status word into the destination operand.
STR Sandbox Evasion
Stores the segment selector from the Task Register (TR).
CPUID Sandbox Evasion
The CPUID instruction is a low-level command that allows you to retrieve information about the CPU that is currently running. This instruction, which is executed at the CPU level (using the bytecode 0FA2), is available on all processors that are based on the Pentium architecture or newer.
You can use the CPUID instruction to retrieve various pieces of information about …
IN Sandbox Evasion
The IN instruction is a type of machine code instruction that is used to read data from an input port. This instruction can only be executed in privileged mode, such as in kernel mode, and an attempt to execute it in user mode will generate an exception.
However, some virtual machine monitors, such as VMWare, use a special port called …
Checking Recent Office Files Sandbox Evasion
Another way to detect if the malware is running in a real user machine is to check if some recent Office files was opened.
Checking Installed Software Sandbox Evasion
By detecting the presence of certain software and tools commonly used in sandbox environments, such as Python interpreters, tracing utilities, debugging tools, and virtual machine software like VMware, it is possible to infer the existence of a sandbox.
This inference is based on the premise that such tools are often found in sandbox setups used for dynamic malware analysis but …