Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
249 item(s) found so far for this keyword.
Valid Accounts: Default Accounts Defense Evasion [Mitre]
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the …
Valid Accounts: Domain Accounts Defense Evasion [Mitre]
Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.
Adversaries may compromise …
Valid Accounts: Local Accounts Defense Evasion [Mitre]
Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.
Local Accounts may also be abused to elevate privileges and harvest credentials through …
Virtualization/Sandbox Evasion: System Checks Defense Evasion [Mitre]
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions …
Virtualization/Sandbox Evasion: User Activity Based Checks Defense Evasion [Mitre]
Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core …
Virtualization/Sandbox Evasion: Time Based Evasion Defense Evasion [Mitre]
Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time. …
AppInit DLL Injection Process Manipulating Defense Evasion [Mitre]
Any Dynamic Link Libraries (DLL) that are specified within the AppInit_DLLs
registry key values are loaded by user32.dll into any process that utilizes user32.dll. So by modifying the AppInit_DLLs
registry key value and pointing it to a malicious DLL, an attacker can force the system to load their DLL into every process that utilizes user32.dll and force it to execute …
IPV4/IPV6 Obfuscation Data Obfuscation
The obfuscated payload masquerades itself as an array of ASCII IPv4 addresses. Each one of these IPs is passed to the RtlIpv4StringToAddressA
function, which will translate the ASCII IP string to binary. The binary representation of all of these IPs is combined to form a blob of shellcode. Additionally, IPfuscation variants were spotted using IPv6 instead of IPv4 addresses, UUIDs, …
Replication Through Removable Media Defense Evasion [Mitre] Others
Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes.