Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
249 item(s) found so far for this keyword.
Thermal Zone Temperature Sandbox Evasion
The temperature sensor is used to know the current temperature of a machine. In a non-virtualized environment, the function returns valid support and output like: "25.05 C: 77.09 F: 298.2K". But for a fully virtualized environment, the return is "MSAcpi_ThermalZoneTemperature not supported" because this feature is not supported on virtualized processors.
Interestingly, this method is not valid. Not all Windows …
Bypass User Account Control Defense Evasion [Mitre]
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.
The impact to the user ranges from denying the operation under high enforcement to …
Access Token Manipulation: Parent PID Spoofing Process Manipulating Defense Evasion [Mitre]
Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified.
One way of explicitly assigning the PPID of a new process is via the CreateProcess
API call, which supports a parameter that defines the PPID …
INT 0x2D Anti-Debugging
When the instruction INT2D
is executed, the exception EXCEPTION_BREAKPOINT
is raised. Windows uses the EIP register as an exception address and then increments the EIP register value. Windows also examines the value of the EAX register while INT2D
is executed.
Access Token Manipulation: Token Impersonation/Theft Defense Evasion [Mitre]
Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex). The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to …
Access Token Manipulation: Create Process with Token Defense Evasion [Mitre]
Adversaries may create a new process with a different token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW and runas.
Creating processes with a different token may require the credentials of the target user, specific privileges to impersonate that user, or access …
Access Token Manipulation: Make and Impersonate Token Defense Evasion [Mitre]
Adversaries may make and impersonate tokens to escalate privileges and bypass access controls. If an adversary has a username and password but the user is not logged onto the system, the adversary can then create a logon session for the user using the LogonUser function. The function will return a copy of the new session's access token and the adversary …
Domain Policy Modification: Group Policy Modification Defense Evasion [Mitre]
Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predicable network path \\SYSVOL\\Policies. …
Domain Policy Modification: Domain Trust Modification Defense Evasion [Mitre]
Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Domain trust details, such as whether or not a domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources. These trust objects may include accounts, credentials, and other authentication material applied …
Hide Artifacts: Hidden Files and Directories Defense Evasion [Mitre]
Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users …