Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
261 item(s) found so far for this keyword.
Valid Accounts: Local Accounts Defense Evasion [Mitre]
Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.
Local Accounts may also be abused to elevate privileges and harvest credentials …
Virtualization/Sandbox Evasion: System Checks Defense Evasion [Mitre]
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions …
Virtualization/Sandbox Evasion: User Activity Based Checks Defense Evasion [Mitre]
Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core …
Virtualization/Sandbox Evasion: Time Based Evasion Defense Evasion [Mitre]
Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.
…AppInit DLL Injection Process Manipulating Defense Evasion [Mitre]
Any Dynamic Link Libraries (DLL) that are specified within the AppInit_DLLs registry key values are loaded by user32.dll into any process that utilizes user32.dll. So by modifying the AppInit_DLLs registry key value and pointing it to a malicious DLL, an attacker can force the system to load their DLL into every process that utilizes user32.dll and force it to execute …
IPV4/IPV6 Obfuscation Data Obfuscation
The obfuscated payload masquerades itself as an array of ASCII IPv4 addresses. Each one of these IPs is passed to the RtlIpv4StringToAddressA function, which will translate the ASCII IP string to binary. The binary representation of all of these IPs is combined to form a blob of shellcode. Additionally, IPfuscation variants were spotted using IPv6 instead of IPv4 addresses, UUIDs, …
Replication Through Removable Media Defense Evasion [Mitre] Others
Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes.
Event Triggered Execution: Linux Inotify Process Manipulating
Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries.
Default Windows Wallpaper Check Sandbox Evasion
Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. In this particular case, the malware checks to see if the wallpaper set on the machine is the default Windows …
XBEL Recently Opened Files Check Sandbox Evasion
The recently-used.xbel XML file documents recent files on a Linux system that were accessed by applications. By parsing the file & checking how many files were recently accessed, we can determine whether or not a system is likely a sandbox or virtual machine. If a system has a low amount of files being accessed, it's likely a sandbox/VM.