Search For Content
Search Result
133 item(s) found so far for this keyword.
Exfiltration via SMTP
Exfiltration via SMTP is a technique where attackers leverage the Simple Mail Transfer Protocol (SMTP) to exfiltrate data. This method involves sending stolen data, such as sensitive files or system information, via email to an attacker-controlled email account. By using email traffic, attackers can often bypass traditional network monitoring solutions since SMTP traffic is usually deemed legitimate.
To execute …
Read moreXProtect Encryption Abuse
Malware can abuse Apple's macOS XProtect string encryption algorithm to hide critical strings, including commands, browser paths, extension IDs, cryptocurrency wallet locations, and command-and-control (C2) details.
This technique leverages the same XOR-based encryption logic implemented in macOS’s XProtect antivirus engine, this encryption is used for “encrypted YARA rules stored within the XProtect Remediator binaries”.
The encryption process involves …
Read moreClearing Kernel Message
The dmesg -C command clears the kernel message buffer, which stores diagnostic messages generated by the kernel. These messages include logs about hardware interactions, system events, kernel module loads, and errors such as segmentation faults. The attacker can run this command to make sure that no trace of kernel-related activity, including any anomalies caused by exploitation, remains in the message …
Manipulating Debug Logs
Using the sed -i command, specific entries in debug logs, such as errors (segfault, SystemError) or trace information (e.g., filenames like main.cc), are surgically removed. This allows attackers to target only incriminating evidence without erasing the entire log file. The process preserves the structure and authenticity of the log while removing key evidence of exploitation or system errors.
…
Read moreDeleting Troubleshoot Information and Core Dumps
Commands like rm -rf /data/var/statedumps/* and rm -rf /data/var/cores/* delete state dumps and core dumps, which are generated when processes crash. These files contain memory snapshots, stack traces, and runtime states of processes at the time of failure. They are often used to debug and understand the causes of crashes or application malfunctions.
Attackers use this technique to eliminate …
Read moreRemoving Commands from SELinux Audit Logs
SELinux audit logs record all executed commands and policy enforcement actions, including commands like /bin/web, setenforce, mount, and /bin/rm. Using sed -i, attackers delete specific entries from these logs that could reveal the commands they executed. This manipulation ensures that traces of their activity, such as disabling security policies or deleting evidence, are erased from …
WMI Event Subscriptions
Adversaries may leverage WMI event subscriptions to evade detection by triggering malicious actions only under specific conditions that are unlikely to occur in a sandboxed environment. For instance, a threat actor might configure an event subscription to monitor file system, network, or logon activity, ensuring that their second-stage payload is only downloaded and executed when a particular event suggests real …
Read moreIndirect Memory Writing
In local memory movement scenarios, for example, when a loader places a payload into memory for execution, antimalware can detect malicious activity at the moment the payload bytes are written into the newly allocated executable memory region. Attackers may try to evade such detection by avoiding direct writes to new memory region and instead relying on other, legitimate Windows APIs …
Read moreBad String Format
Bad string format is a technique used by malware to evade detection and analysis by OllyDbg, a popular debugger used by security researchers and analysts. This technique involves using malformed strings that exploit a known bug in OllyDbg, causing the debugger to crash or behave unexpectedly.
For example, the malware may use a string with multiple %s inputs, which …
Read moreIndicator Removal: Clear Windows Event Logs
![Defense Evasion [Mitre] icon](/media/2024/04/08/icons8-burglar.svg){kind=small}
Event logging is a process that records important software and hardware events from various sources and stores them in a centralized location called an event log. This service is commonly used by applications and operating systems to track and troubleshoot issues, and can be a valuable tool for forensic investigations.
Event logs can provide valuable information about the actions …
Read more