Search For Content
Search Result
261 item(s) found so far for this keyword.
PowerShell Special Characters Obfuscation
PowerShell scripts can be obfuscated using methods that encode commands exclusively with special characters. This technique aims to complicate analysis and potentially evade detection mechanisms.
Attackers frequently employ these tactics to hide the true functionalities of the script, making the analysis more challenging.
Read moreBuildCommDCBAndTimeoutA
This technique uses a BuildCommDCBAndTimeoutsA API call to determine if the malware is detonating in a sandbox. Normally, a bogus device string would cause this API call to fail. However, some malware sandbox environments may emulate in a way that allows the API call to succeed even when given a bogus device string.
Runtime Function Decryption
This technique is used to store the function body in an encrypted form. They will only be decrypted just before the execution of that code and will be re-encrypted after the code has been executed.
This technique is used by SmokeLoader to evade anti-virus and EDRs, since the function body is in encrypted form except at the time of …
Read moreVboxEnumShares
This method represents a variation of the WNetGetProviderName(WNNC_NET_RDR2SAMPLE, ...) approach, which is typically employed to determine if the network share's provider name is specific, such as VirtualBox. Instead of relying on this well-established technique, we utilize WNetOpenEnum and WNetEnumResource functions to iterate through each network resource. The primary objective is to identify VirtualBox shared folders, which typically feature "VirtualBox" or …
WinDefAVEmu_goatfiles
Goat files inside Defender AV Emulator's file system. Often used in PE malware as an evasion technique to evade executing in Windows Defender's AV Emulator.
Read moreAl-Khaser_WriteWatch
Default invalid parameter values of Al-Khaser's Anti-Debug technique (VirtualAlloc/MEM_WRITE_WATCH). Used for checking API hooks in debuggers/sandboxes.
Read moreVBA Purging
VBA Purging is an obfuscation technique designed to evade detection mechanisms used in malware analysis. When a VBA macro is added to a Microsoft Office document, it is stored in two sections: the PerformanceCache (compiled VBA code) and the CompressedSourceCode (compressed VBA source code). In VBA Purging, the PerformanceCache (compiled code) is completely removed from the module stream, along with …
Read moreExfiltration via SMTP
Exfiltration via SMTP is a technique where attackers leverage the Simple Mail Transfer Protocol (SMTP) to exfiltrate data. This method involves sending stolen data, such as sensitive files or system information, via email to an attacker-controlled email account. By using email traffic, attackers can often bypass traditional network monitoring solutions since SMTP traffic is usually deemed legitimate.
To execute …
Read morekernel flag inspection via sysctl
The sysctl anti-debugging technique can be abused by malware to detect and evade debugging tools on macOS or BSD-like systems. By querying the kernel for process information, malware checks flags (e.g., 0x800) to see if a debugger is attached. If detected, the malware can terminate, alter behavior, or enter a dormant state to avoid analysis.
This technique blends …
Read moreXProtect Encryption Abuse
Malware can abuse Apple's macOS XProtect string encryption algorithm to hide critical strings, including commands, browser paths, extension IDs, cryptocurrency wallet locations, and command-and-control (C2) details.
This technique leverages the same XOR-based encryption logic implemented in macOS’s XProtect antivirus engine, this encryption is used for “encrypted YARA rules stored within the XProtect Remediator binaries”.
The encryption process involves …
Read more