Search Result

22 item(s) found so far for this keyword.

Indicator Removal: Clear Command History

Defense Evasion [Mitre]

In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.

On Windows hosts, PowerShell has two different command history providers: the built-in history …

Indicator Removal: Clear Mailbox Data

Defense Evasion [Mitre]

Adversaries may modify mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails or logs generated by the application or operating system, such as export requests.

Adversaries may manipulate email mailbox data to …

Clearing Kernel Message

Anti-Forensic

The dmesg -C command clears the kernel message buffer, which stores diagnostic messages generated by the kernel. These messages include logs about hardware interactions, system events, kernel module loads, and errors such as segmentation faults. The attacker can run this command to make sure that no trace of kernel-related activity, including any anomalies caused by exploitation, remains in the message …

Deleting Troubleshoot Information and Core Dumps

Anti-Forensic

Commands like rm -rf /data/var/statedumps/* and rm -rf /data/var/cores/* delete state dumps and core dumps, which are generated when processes crash. These files contain memory snapshots, stack traces, and runtime states of processes at the time of failure. They are often used to debug and understand the causes of crashes or application malfunctions.

Attackers use this technique to eliminate …

VPCEXT

Sandbox Evasion

The VPCEXT instruction (visual property container extender) is another anti–virtual machine trick used by malware to detect virtual systems. This technique is not documented. If the execution of the instruction does not generate an exception (illegal instruction), then the program is running on a virtual machine.

Checking Recent Office Files

Sandbox Evasion

Another way to detect whether the malware is running on a real user machine is to check whether any recent Office files were opened.

Entry Point Modification

Process Manipulating

The entry point is the starting point of an executable file during execution. Some malware uses techniques such as changing or relocating the real entry point to protect its code from analysis. This makes it difficult for security software to identify and detect the malware, as the code is not executed in the usual way.

NTFS Files Attributes

Antivirus/EDR Evasion

Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. Within MFT entries are file attributes, such as Extended Attributes and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even …

Volume Shadow Copy Service (VSC, VSS) Deletion

Anti-Forensic
Defense Evasion [Mitre]

Deleting Volume Shadow Copies makes forensic investigation more difficult with respect to recovering previous artifact evidence. In addition, attackers using ransomware often delete VSCs so that the original versions of the encrypted files cannot be recovered from them.

On the other hand, deleting by using vssadmin and WMIC is on a file system level, the …

Anti-UPX Unpacking

Others

Anti-UPX Unpacking is a technique to prevent malware from being unpacked by tools like UPX. A UPX-packed binary is indicated by section names starting with UPX followed by a number (UPX0 and UPX1) and by the string “UPX!” at the end of the PE header. This UPX reference structure is located at the end of the PE header and the header …


The #UnprotectProject is brought to you by 🇫🇷 fr0gger_ and 🇫🇷 DarkCoderSc
