Search For Content
Search Result
133 item(s) found so far for this keyword.
XBEL Recently Opened Files Check
The recently-used.xbel XML file documents recent files on a Linux system that were accessed by applications. By parsing the file & checking how many files were recently accessed, we can determine whether or not a system is likely a sandbox or virtual machine. If a system has a low amount of files being accessed, it's likely a sandbox/VM.
Process Camouflage, Masquerading
Masquerading is a technique used by malware to evade detection by disguising itself as a legitimate file. This is typically achieved by renaming the malicious file to match the name of a commonly found and trusted file, such as svchost.exe, and placing it in a legitimate folder.
Masquerading can occur when the name or location of an executable, …
Read moreEntry Point Modification
The entry point is the starting point of an executable file during execution. Some malware use techniques such as changing or relocating the real entry point to protect their code from analysis. This makes it difficult for security software to identify and detect the malware as the code is not executed in the usual way.
Read moreProcess Doppelgänging
This technique leverages the Transactional NTFS functionality in Windows. This functionality helps maintain data integrity during an unexpected error. For example, when an application needs to write or modify a file, if an error is triggered mid-write, the data can be corrupted. To avoid this kind of behavior, an application can open the file in a transactional mode to perform …
Hiding Mechanisms
Malware often uses various techniques to hide its presence on a system and avoid detection. One common method is to modify or create entries in the system registry, which is a database of configuration settings for the operating system and installed applications. By modifying these settings, malware can hide itself from security software or other programs that might detect its …
Read moreMalvertising
Malvertising is a type of cyber attack that involves using online advertising as a means to spread malware. This is attractive to attackers because it allows them to easily reach a large number of users without having to directly compromise the websites hosting the ads. The ads themselves can be inserted into reputable and high-profile websites, which can help attackers …
Read moreChecking Malware Name
Malware can use various techniques to evade detection by security analysts and researchers. One such technique is to check the name of the malware sample before fully executing on the infected machine. If the sample has been renamed to a blacklisted name, such as "malware.exe" or "sample.exe", or even with the file hash, the malware can detect this and change …
Read moreIndicator Removal: Timestomp
![Defense Evasion [Mitre] icon](/media/2024/04/08/icons8-burglar.svg){kind=small}
Timestomping is a technique used by adversaries to modify the timestamps of a file, such as the modify, access, create, and change times. This technique is often used to hide the fact that a file has been modified or created by the adversary, making it more difficult for forensic investigators or file analysis tools to detect the changes.
By …
Read moreHijack Execution Flow: DLL Search Order Hijacking
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an …
Read moreDirect Volume Access
Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools.
Utilities, …
Read more