Unprotect Navbar Version Logo
  • Home
  • Techniques
  • Scan
  • Resources
    • Snippet List
    • Detection Rule List
    • Featured Evasion API List
    • Contributors
    • Scanned Samples
  • Tools
  • About
  • Avatar Login

Search For Content

Clear

Search Result

186 item(s) found so far for this keyword.

Indicator Removal: Timestomp
Anti-Forensic icon
Anti-Forensic
Defense Evasion [Mitre] icon
Defense Evasion [Mitre]

Timestomping is a technique used by adversaries to modify the timestamps of a file, such as the modify, access, create, and change times. This technique is often used to hide the fact that a file has been modified or created by the adversary, making it more difficult for forensic investigators or file analysis tools to detect the changes.

By …

Read more

Access Token Manipulation: Parent PID Spoofing
Process Manipulating icon
Process Manipulating
Defense Evasion [Mitre] icon
Defense Evasion [Mitre]

Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified.

One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the …

Read more

Anti-UPX Unpacking
Others icon
Others

Anti-UPX Unpacking is the technique to prevent malware from being unpacked by tools like UPX. UPX packed binary indicates that the section names starting with UPX followed by a number (UPX0 and UPX1) and the string “UPX!” at the end of the PE header. This UPX reference structure is located at the end of the PE header and the header …

Read more

Misusing Structured Exception Handlers
Anti-Disassembly icon
Anti-Disassembly

Misusing Structured Exception Handlers is a technique used by malware to make it more difficult for security analysts to reverse engineer the code. Structured Exception Handlers (SEH) are functions that are used to handle exceptions in a program. These can be misused by malware to fool disassemblers and make it harder to analyze the code. One way this is done …

Read more

INT 0x2D
Anti-Debugging icon
Anti-Debugging

When the instruction INT2D is executed, the exception EXCEPTION_BREAKPOINT is raised. Windows uses the EIP register as an exception address and then increments the EIP register value. Windows also examines the value of the EAX register while INT2D is executed.

Read more

Hijack Execution Flow: DLL Search Order Hijacking
Defense Evasion [Mitre] icon
Defense Evasion [Mitre]

Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.

There are many ways an …

Read more

Access Token Manipulation: Token Impersonation/Theft
Defense Evasion [Mitre] icon
Defense Evasion [Mitre]

Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex). The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to …

Read more

Access Token Manipulation: Create Process with Token
Defense Evasion [Mitre] icon
Defense Evasion [Mitre]

Adversaries may create a new process with a different token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW and runas.

Creating processes with a different token may require the credentials of the target user, specific privileges to impersonate that user, or …

Read more

Access Token Manipulation: Make and Impersonate Token
Defense Evasion [Mitre] icon
Defense Evasion [Mitre]

Adversaries may make and impersonate tokens to escalate privileges and bypass access controls. If an adversary has a username and password but the user is not logged onto the system, the adversary can then create a logon session for the user using the LogonUser function. The function will return a copy of the new session's access token and the adversary …

Read more

Domain Policy Modification: Group Policy Modification
Defense Evasion [Mitre] icon
Defense Evasion [Mitre]

Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predicable network path \\SYSVOL\\Policies.

… Read more
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19

The #UnprotectProject is brought to you by 🇫🇷 fr0gger_ and 🇫🇷 DarkCoderSc

Terms And Conditions | GDPR

Contribute Now