Search For Content
Search Result
167 item(s) found so far for this keyword.
System Binary Proxy Execution: Compiled HTML File
![Defense Evasion [Mitre] icon](/media/2024/04/08/icons8-burglar.svg){kind=small}
Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. CHM content is displayed using underlying components of the Internet Explorer browser …
Read moreSystem Binary Proxy Execution: CMSTP
Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.
Adversaries may supply CMSTP.exe with INF files infected with malicious commands. …
Read moreSystem Binary Proxy Execution: Mshta
Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code.
Mshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. HTAs are standalone applications that execute using the same …
Read moreSystem Binary Proxy Execution: Regsvcs/Regasm
Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are binaries that may be digitally signed by Microsoft.
Both utilities may be used to bypass application control through use of attributes within the …
Read moreSystem Binary Proxy Execution: Verclsid
Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before they are used by Windows Explorer or the Windows Shell.
Adversaries may abuse verclsid.exe to execute malicious payloads. This may be achieved by running verclsid.exe /S /C {CLSID}, where the file …
Read moreSystem Script Proxy Execution: PubPrn
Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a Visual Basic script that publishes a printer to Active Directory Domain Services. The script may be signed by Microsoft and is commonly executed through the Windows Command Shell via Cscript.exe. For example, the following code publishes a printer within the specified domain: cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com.
… Read moreCall to Interrupt Procedure
This anti-debugging technique involves using the INT n instruction to generate a call to the interrupt or exception handler specified with the destination operand.
To implement this technique, the int 0x03 instruction is executed, followed by a ret (0xCD03, 0xC3) nested in a __try, __except block. If a debugger is present, the except block will not be executed, …
AddVectoredExceptionHandler
The AddVectoredExceptionHandler technique is an anti-debugging method that can detect the presence of debuggers using Vectored Exception Handlers. This technique works by calling AddVectoredExceptionHandler(1, ourHandler) to register a top-level exception handler that will catch any exceptions raised by the process, including those generated by debuggers.
After this call has taken place, stepping through the code will trigger an EXCEPTION_SINGLE_STEP …
Unloading Module with FreeLibrary
Malware authors often use various techniques to evade detection by AV/EDR solutions. One such technique involves checking for the presence of AV/EDR DLLs that may be loaded in the malware's address space and attempting to unload them before executing their malicious code.
To do this, the malware first uses the GetModuleHandleA function to retrieve a handle to the DLL, …
ScrubCrypt
ScrubCrypt is a malware obfuscation and encryption framework, derived from the earlier JLaive Batchfuscator crypter. It is designed to aid cybercriminals in evading detection and analysis by using a variety of techniques to conceal and protect the malicious software.
ScrubCrypt is advertised on cybercrime forums to employ encryption, code morphing, and (allegedly) polymorphism to create obfuscated malware payloads that …
Read more