HTTP 200 OK
Allow: GET, POST, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept
{
"count": 351,
"next": "https://unprotect.it/api/techniques/?format=api&page=4",
"previous": "https://unprotect.it/api/techniques/?format=api&page=2",
"results": [
{
"id": 269,
"key": "indicator-removal-clear-command-history",
"unprotect_id": "T1070.003",
"name": "Indicator Removal: Clear Command History",
"description": "In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.\r\n\r\nOn Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the PSReadLine module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends.\r\n\r\nThe PSReadLine command history tracks the commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt by default). This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.\r\n\r\nAdversaries may run the PowerShell command Clear-History to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the ConsoleHost_history.txt file. Adversaries may also delete the ConsoleHost_history.txt file or edit its contents to hide PowerShell commands they have run.",
"resources": "https://attack.mitre.org/techniques/T1070/003/",
"creation_date": "2023-02-07T00:42:27.729000Z",
"tags": "Defense Evasion,\r\nclear CLI history,\r\nPSReadLine,\r\n$env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt,\r\nClear-History,\r\nConsoleHost_history.txt,\r\nAPT41,\r\nlog file deletion,",
"modification_date": "2023-10-04T10:42:29.451000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 268,
"key": "impair-defenses-downgrade-attack",
"unprotect_id": "T1562.010",
"name": "Impair Defenses: Downgrade Attack",
"description": "Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging. For example, PowerShell versions 5+ includes Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to Impair Defenses while running malicious scripts that may have otherwise been detected.\r\n\r\nAdversaries may downgrade and use less-secure versions of various features of a system, such as Command and Scripting Interpreters or even network protocols that can be abused to enable Adversary-in-the-Middle.",
"resources": "https://attack.mitre.org/techniques/T1562/010/",
"creation_date": "2023-02-07T00:35:20.611000Z",
"tags": "Defense Evasion,\r\ndowngrading Windows,\r\nScript Block Logging (SBL),\r\nremoving features,\r\nexecute malicious scripts,\r\nAdversary-in-the-Middle.",
"modification_date": "2023-10-04T10:44:10.420000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 267,
"key": "impair-defenses-safe-mode-boot",
"unprotect_id": "T1562.009",
"name": "Impair Defenses: Safe Mode Boot",
"description": "Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.\r\n\r\nAdversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores, which are files that manage boot application settings.\r\n\r\nAdversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. Modify Registry). Malicious Component Object Model (COM) objects may also be registered and loaded in safe mode.",
"resources": "https://attack.mitre.org/techniques/T1562/009/",
"creation_date": "2023-02-07T00:32:08.111000Z",
"tags": "Defense Evasion,\r\ndisable endpoint defenses,\r\nWindows safe mode,\r\nBoot Configuration Data (BCD),\r\nregistry modification,\r\nmalicious Component Object Model (COM) objects,\r\nbypass EDR,\r\ndisable endpoint defences,",
"modification_date": "2023-10-04T10:42:27.206000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 266,
"key": "impair-defenses-indicator-blocking",
"unprotect_id": "T1562.006",
"name": "Impair Defenses: Indicator Blocking",
"description": "An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting or even disabling host-based sensors, such as Event Tracing for Windows (ETW), by tampering settings that control the collection and flow of event telemetry. These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as PowerShell or Windows Management Instrumentation.\r\n\r\nETW interruption can be achieved multiple ways, however most directly by defining conditions using the PowerShell Set-EtwTraceProvider cmdlet or by interfacing directly with the Registry to make alterations.\r\n\r\nIn the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products.",
"resources": "https://attack.mitre.org/techniques/T1562/006/",
"creation_date": "2023-02-07T00:28:37.250000Z",
"tags": "Defense Evasion,\r\ndisabling host-based sensors,\r\nevent telemetry tampering,\r\nEvent Tracing for Windows (ETW),\r\nbypass ETW,\r\nblocking reporting traffic,\r\nPowerShell Set-EtwTraceProvider,\r\nregistry tampering,\r\nbypassing SIEM alerts,",
"modification_date": "2023-10-04T10:44:07.778000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 265,
"key": "impair-defenses-disable-or-modify-system-firewall",
"unprotect_id": "T1562.004",
"name": "Impair Defenses: Disable or Modify System Firewall",
"description": "Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.\r\n\r\nModifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.",
"resources": "https://attack.mitre.org/techniques/T1562/004/",
"creation_date": "2023-02-07T00:21:03.440000Z",
"tags": "Defense Evasion,\r\nbypass firewall, \r\ndisable firewall,\r\nmodify firewall rules,\r\nAPT29,\r\nAPT38,\r\nenable adversary C2 communications,\r\nlateral movement, \r\ndata exfiltration,",
"modification_date": "2023-10-04T10:44:05.085000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 264,
"key": "impair-defenses-impair-command-history-logging",
"unprotect_id": "T1562.003",
"name": "Impair Defenses: Impair Command History Logging",
"description": "Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.\r\n\r\nOn Windows systems, the PSReadLine module tracks commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt by default). Adversaries may change where these logs are saved using Set-PSReadLineOption -HistorySavePath {File Path}. This will cause ConsoleHost_history.txt to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command Set-PSReadlineOption -HistorySaveStyle SaveNothing.\r\n\r\nAdversaries may also leverage a Network Device CLI on network devices to disable historical command logging (e.g. no logging).",
"resources": "https://attack.mitre.org/techniques/T1562/003/",
"creation_date": "2023-02-07T00:17:23.193000Z",
"tags": "Defense Evasion,\r\nPSReadLine,\r\nConsoleHost_history.txt,\r\n$env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\,\r\nSet-PSReadLineOption -HistorySavePath {File Path},\r\nSet-PSReadlineOption -HistorySaveStyle SaveNothing,\r\nNetwork Device CLI,\r\nAPT38,\r\ndisable logging,\r\ndisable historical command logging,",
"modification_date": "2023-10-04T10:44:11.334000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 263,
"key": "impair-defenses-disable-windows-event-logging",
"unprotect_id": "T1562.002",
"name": "Impair Defenses: Disable Windows Event Logging",
"description": "Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more. This data is used by security tools and analysts to generate detections.\r\n\r\nThe EventLog service maintains event logs from various system components and applications. By default, the service automatically starts when a system powers on. An audit policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service logs. Security audit policy settings can be changed by running secpol.msc, then navigating to Security Settings\\Local Policies\\Audit Policy for basic audit policy settings or Security Settings\\Advanced Audit Policy Configuration for advanced audit policy settings. auditpol.exe may also be used to set audit policies.\r\n\r\nAdversaries may target system-wide logging or just that of a particular application. For example, the EventLog service may be disabled using the following PowerShell line: Stop-Service -Name EventLog. Additionally, adversaries may use auditpol and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the /success or /failure parameters. For example, auditpol /set /category:\"Account Logon\" /success:disable /failure:disable turns off auditing for the Account Logon category. To clear the audit policy, adversaries may run the following lines: auditpol /clear /y or auditpol /remove /allusers.",
"resources": "https://attack.mitre.org/techniques/T1562/002/",
"creation_date": "2023-02-07T00:12:57.052000Z",
"tags": "Defense Evasion,\r\nevent disabling,\r\nEventLog service,\r\nLocal Security Policy (secpol.msc),\r\nauditpol.exe,\r\n/success parameters,\r\n/failure parameters,\r\nStop-Service -Name EventLog,\r\nauditpol /clear /y,\r\nauditpol /remove /allusers,\r\nSecurity Settings\\Local Policies\\Audit Policy,\r\nSecurity Settings\\Advanced Audit Policy Configuration,\r\nAPT29,",
"modification_date": "2023-10-04T10:44:11.085000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 262,
"key": "impair-defenses-disable-or-modify-tools",
"unprotect_id": "T1562.001",
"name": "Impair Defenses: Disable or Modify Tools",
"description": "Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.\r\n\r\nAdversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to Indicator Blocking, adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.\r\n\r\nFurthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools. For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.\r\n\r\nAdditionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. Exploitation for Privilege Escalation), which may lead to bypassing anti-tampering features.",
"resources": "https://attack.mitre.org/techniques/T1562/001/",
"creation_date": "2023-02-07T00:02:20.725000Z",
"tags": "Defense Evasion,\r\nbypass event aggregation,\r\nbypass analysis mechanisms,\r\nbypass security tools,\r\nbypass anti-tampering,\r\ndisable updates,\r\nAPT29,\r\nartifact tampering,\r\nGMER,\r\ndriver exploitation,",
"modification_date": "2023-10-04T10:44:59.222000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 261,
"key": "exploitation-for-defense-evasion",
"unprotect_id": "T1211",
"name": "Exploitation for Defense Evasion",
"description": "Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.\r\n\r\nAdversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for Security Software Discovery. The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.",
"resources": "https://attack.mitre.org/techniques/T1211/",
"creation_date": "2023-01-31T04:53:59.414000Z",
"tags": "Defense Evasion,\r\nbypass security features,\r\nSecurity Software Discovery,\r\nAPT28,\r\nvulnerability exploitation",
"modification_date": "2023-10-04T10:42:38.649000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 260,
"key": "direct-volume-access",
"unprotect_id": "T1006",
"name": "Direct Volume Access",
"description": "Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools. \r\n\r\nUtilities, such as NinjaCopy, exist to perform these actions in PowerShell.",
"resources": "https://attack.mitre.org/techniques/T1006/",
"creation_date": "2023-01-31T04:51:45.101000Z",
"tags": "Defense Evasion,\r\nbypass file action control,\r\nbypass file system monitoring,\r\ndirect access to logical volumes,\r\nNinjaCopy,",
"modification_date": "2023-10-04T10:42:07.369000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 259,
"key": "deobfuscatedecode-files-or-information",
"unprotect_id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"description": "Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.\r\n\r\nOne such example is use of certutil to decode a remote access tool portable executable file that has been hidden inside a certificate file. Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload. \r\n\r\nSometimes a user's action may be required to open it for deobfuscation or decryption as part of User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary.",
"resources": "https://attack.mitre.org/techniques/T1140/",
"creation_date": "2023-01-31T04:49:40.484000Z",
"tags": "Defense Evasion,\r\ncertutil,\r\nWindows copy /b command,\r\nAPT19,\r\nAPT28,\r\nAPT29,\r\nAPT39,\r\ndecryption,",
"modification_date": "2023-10-04T10:44:06.332000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 258,
"key": "debugger-evasion",
"unprotect_id": "T1622",
"name": "Debugger Evasion",
"description": "Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.\r\n\r\nDebugger evasion may include changing behaviors based on the results of the checks for the presence of artifacts indicative of a debugged environment. Similar to Virtualization/Sandbox Evasion, if the adversary detects a debugger, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for debugger artifacts before dropping secondary or additional payloads.\r\n\r\nSpecific checks will vary based on the target and/or adversary, but may involve Native API function calls such as IsDebuggerPresent() and NtQueryInformationProcess(), or manually checking the BeingDebugged flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would \"swallow\" or handle the potential error).\r\n\r\nAdversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping Native API function calls such as OutputDebugStringW().",
"resources": "https://attack.mitre.org/techniques/T1622/",
"creation_date": "2023-01-31T04:46:31.665000Z",
"tags": "Defense Evasion, \r\nDiscovery,\r\ncheck for debugged environment,\r\nIsDebuggerPresent(),\r\nNtQueryInformationProcess(),\r\nBeingDebugged flag,\r\nProcess Environment Block (PEB),\r\nOutputDebugStringW(),\r\ndebugging prevention,",
"modification_date": "2023-10-04T10:44:14.923000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 257,
"key": "bits-jobs",
"unprotect_id": "T1197",
"name": "BITS Jobs",
"description": "Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.\r\n\r\nThe interface to create and manage BITS jobs is accessible through PowerShell and the BITSAdmin tool.\r\n\r\nAdversaries may abuse BITS to download (e.g. Ingress Tool Transfer), execute, and even clean up after running malicious code (e.g. Indicator Removal). BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls. BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).\r\n\r\nBITS upload functionalities can also be used to perform Exfiltration Over Alternative Protocol.",
"resources": "https://attack.mitre.org/techniques/T1197/",
"creation_date": "2023-01-31T04:43:48.619000Z",
"tags": "Defense Evasion, \r\nPersistence,\r\nWindows Background Intelligent Transfer Service (BITS),\r\nBITSAdmin tool,\r\nComponent Object Model (COM),\r\nexecute mailicious code,\r\nperform background tasks,\r\njob creation,\r\nExfiltration Over Alternative Protocol,\r\nAPT39,\r\nAPT41,\r\npayload download,\r\nIndicator Removal,",
"modification_date": "2023-10-04T10:44:11.847000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 256,
"key": "hijack-execution-flow-kernelcallbacktable",
"unprotect_id": "T1574.013",
"name": "Hijack Execution Flow: KernelCallbackTable",
"description": "Adversaries may abuse the KernelCallbackTable of a process to hijack its execution flow in order to run their own payloads. The KernelCallbackTable can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll is loaded.\r\n\r\nAn adversary may hijack the execution flow of a process using the KernelCallbackTable by replacing an original callback function with a malicious payload. Modifying callback functions can be achieved in various ways involving related behaviors such as Reflective Code Loading or Process Injection into another process.\r\n\r\nA pointer to the memory address of the KernelCallbackTable can be obtained by locating the PEB (ex: via a call to the NtQueryInformationProcess() Native API function). Once the pointer is located, the KernelCallbackTable can be duplicated, and a function in the table (e.g., fnCOPYDATA) set to the address of a malicious payload (ex: via WriteProcessMemory()). The PEB is then updated with the new address of the table. Once the tampered function is invoked, the malicious payload will be triggered.\r\n\r\nThe tampered function is typically invoked using a Windows message. After the process is hijacked and malicious code is executed, the KernelCallbackTable may also be restored to its original state by the rest of the malicious payload. Use of the KernelCallbackTable to hijack execution flow may evade detection from security products since the execution can be masked under a legitimate process.",
"resources": "https://attack.mitre.org/techniques/T1574/013/",
"creation_date": "2023-01-31T04:40:08.137000Z",
"tags": "Persistence, \r\nPrivilege Escalation,\r\nDefense Evasion,\r\nduplicate KernelCallbackTable,\r\nProcess Environment Block (PEB),\r\nuser32.dll,\r\nReflective Code Loading,\r\nProcess Injection,\r\nhijack execution flow,\r\nhijack process control flow,\r\nmemory tampering,\r\nmalicious memory address,\r\nWindows message,",
"modification_date": "2023-10-04T10:44:58.916000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 255,
"key": "hijack-execution-flow-cor_profiler",
"unprotect_id": "T1574.012",
"name": "Hijack Execution Flow: COR_PROFILER",
"description": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.\r\n\r\nThe COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a Component Object Model (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.\r\n\r\nAdversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: Bypass User Account Control) if the victim .NET process executes at a higher permission level, as well as to hook and Impair Defenses provided by .NET processes.",
"resources": "https://attack.mitre.org/techniques/T1574/012/",
"creation_date": "2023-01-31T04:36:31.132000Z",
"tags": "Persistence, \r\nPrivilege Escalation, \r\nDefense Evasion,\r\n.NET CLR,\r\nCommon Language Runtime (CLR),\r\nComponent Object Model (COM),\r\nCOR_PROFILER_PATH,\r\nCOR_PROFILER,\r\nBypass User Account Control,\r\nImpair Defenses,\r\nmalicious DLL,\r\nsystem environment variables,\r\n.NET Framework 4,",
"modification_date": "2023-10-04T10:44:10.824000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 254,
"key": "hijack-execution-flow-services-registry-permissions-weakness",
"unprotect_id": "T1574.011",
"name": "Hijack Execution Flow: Services Registry Permissions Weakness",
"description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, PowerShell, or Reg. Access to Registry keys is controlled through access control lists and user permissions. \r\n\r\nIf the permissions for users and groups are not properly set and allow access to the Registry keys for a service, adversaries may change the service's binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, then the adversary-controlled program will execute, allowing the adversary to establish persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).\r\n\r\nAdversaries may also alter other Registry keys in the service’s Registry tree. For example, the FailureCommand key may be changed so that the service is executed in an elevated context anytime the service fails or is intentionally corrupted.\r\n\r\nThe Performance key contains the name of a driver service's performance DLL and the names of several exported functions in the DLL.[5] If the Performance key is not already present and if an adversary-controlled user has the Create Subkey permission, adversaries may create the Performance key in the service’s Registry tree to point to a malicious DLL.\r\n\r\nAdversaries may also add the Parameters key, which stores driver-specific data, or other custom subkeys for their malicious services to establish persistence or enable other malicious activities. Additionally, If adversaries launch their malicious services using svchost.exe, the service’s file may be identified using HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\servicename\\Parameters\\ServiceDll.",
"resources": "https://attack.mitre.org/techniques/T1574/011/",
"creation_date": "2023-01-31T04:33:41.271000Z",
"tags": "Persistence, \r\nPrivilege Escalation, \r\nDefense Evasion,\r\nregistry key manipulation,\r\nservice hijack,\r\nFailureCommand,\r\nPerformance key,\r\nCreate Subkey permission,\r\nParameters key,\r\nmalicious DLL,\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\servicename\\Parameters\\ServiceDll,",
"modification_date": "2023-10-04T10:43:59.801000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 253,
"key": "hijack-execution-flow-services-file-permissions-weakness",
"unprotect_id": "T1574.010",
"name": "Hijack Execution Flow: Services File Permissions Weakness",
"description": "Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\r\n\r\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.",
"resources": "https://attack.mitre.org/techniques/T1574/010/",
"creation_date": "2023-01-31T04:30:16.669000Z",
"tags": "Persistence, \r\nPrivilege Escalation, \r\nDefense Evasion,\r\nWindows services,\r\nbinary permissions,\r\nservice hijack,\r\nbinary hijack,",
"modification_date": "2023-10-04T10:44:10.124000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 252,
"key": "hijack-execution-flow-path-interception-by-unquoted-path",
"unprotect_id": "T1574.009",
"name": "Hijack Execution Flow: Path Interception by Unquoted Path",
"description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\r\n\r\nService paths and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\\unsafe path with space\\program.exe vs. \"C:\\safe path with space\\program.exe\"). (stored in Windows Registry keys) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\\program files\\myapp.exe, an adversary may create a program at C:\\program.exe that will be run instead of the intended program.\r\n\r\nThis technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.",
"resources": "https://attack.mitre.org/techniques/T1574/009/",
"creation_date": "2023-01-31T02:32:19.133000Z",
"tags": "Persistence, \r\nPrivilege Escalation, \r\nDefense Evasion,\r\nprivilege escalation,\r\nunquoted path,\r\npath interception,\r\nhigher level directory,",
"modification_date": "2023-10-04T10:44:09.862000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 251,
"key": "hijack-execution-flow-path-interception-by-search-order-hijacking",
"unprotect_id": "T1574.008",
"name": "Hijack Execution Flow: Path Interception by Search Order Hijacking",
"description": "Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.\r\n\r\nSearch order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. Unlike DLL Search Order Hijacking, the search order differs depending on the method that is used to execute the program. However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory.\r\n\r\nFor example, \"example.exe\" runs \"cmd.exe\" with the command-line argument net user. An adversary may place a program called \"net.exe\" within the same directory as example.exe, \"net.exe\" will be run instead of the Windows system utility net. In addition, if an adversary places a program called \"net.com\" in the same directory as \"net.exe\", then cmd.exe /C net user will execute \"net.com\" instead of \"net.exe\" due to the order of executable extensions defined under PATHEXT. \r\n\r\nSearch order hijacking is also a common practice for hijacking DLL loads and is covered in DLL Search Order Hijacking.",
"resources": "https://attack.mitre.org/techniques/T1574/008/",
"creation_date": "2023-01-31T02:26:31.828000Z",
"tags": "Persistence, \r\nPrivilege Escalation, \r\nDefense Evasion,\r\nsearch order hijacking,\r\npath interception,\r\nhijacking DLL loads,\r\nPATHEXT,",
"modification_date": "2023-10-04T10:43:56.166000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 250,
"key": "hijack-execution-flow-path-interception-by-path-environment-variable",
"unprotect_id": "T1574.007",
"name": "Hijack Execution Flow: Path Interception by PATH Environment Variable",
"description": "Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line.\r\n\r\nThe PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\\system32 (e.g., C:\\Windows\\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line.\r\n\r\nFor example, if C:\\example path precedes C:\\Windows\\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\\example path will be called instead of the Windows system \"net\" when \"net\" is executed from the command-line.",
"resources": "https://attack.mitre.org/techniques/T1574/007/",
"creation_date": "2023-01-31T02:24:05.669000Z",
"tags": "Persistence, \r\nPrivilege Escalation, \r\nDefense Evasion,\r\nPATH environment variable,\r\npath interception,\r\nexecute malicious payloads,\r\n %SystemRoot%\\system32,",
"modification_date": "2023-10-04T10:44:09.595000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 249,
"key": "hijack-execution-flow-executable-installer-file-permissions-weakness",
"unprotect_id": "T1574.005",
"name": "Hijack Execution Flow: Executable Installer File Permissions Weakness",
"description": "Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\r\n\r\nAnother variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of DLL Search Order Hijacking.\r\n\r\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to Bypass User Account Control. Several examples of this weakness in existing common installers have been reported to software vendors. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.",
"resources": "https://attack.mitre.org/techniques/T1574/005/",
"creation_date": "2023-01-31T02:20:35.493000Z",
"tags": "Persistence, \r\nPrivilege Escalation, \r\nDefense Evasion,\r\nDLL Search Order Hijacking,\r\nwrite access,\r\nmalicious binaries,\r\nbinary hijack,\r\nprivilege escalation,\r\nBypass User Account Control,\r\n%TEMP%,",
"modification_date": "2023-10-04T10:44:09.321000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 248,
"key": "hijack-execution-flow-dll-side-loading",
"unprotect_id": "T1574.002",
"name": "Hijack Execution Flow: DLL Side-Loading",
"description": "Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking, side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).\r\n\r\nSide-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.",
"resources": "https://attack.mitre.org/techniques/T1574/002/",
"creation_date": "2023-01-31T02:14:22.259000Z",
"tags": "Persistence, \r\nPrivilege Escalation, \r\nDefense Evasion,\r\nDLL search order,\r\nAPT19,\r\nAPT3,\r\nAPT32,\r\nAPT41,\r\nsigned executables,\r\nmimic legitimate DLL,\r\nencrypted payload,\r\npacked payload,\r\nobfuscated payload,",
"modification_date": "2023-10-04T10:44:09.025000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 247,
"key": "hide-artifacts-process-argument-spoofing",
"unprotect_id": "T1564.010",
"name": "Hide Artifacts: Process Argument Spoofing",
"description": "Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor process creations may retrieve the process arguments from the PEB.\r\n\r\nAdversaries may manipulate a process PEB to evade defenses. For example, Process Hollowing can be abused to spawn a process in a suspended state with benign arguments. After the process is spawned and the PEB is initialized (and process information is potentially logged by tools/sensors), adversaries may override the PEB to modify the command-line arguments (ex: using the Native API WriteProcessMemory() function) then resume process execution with malicious arguments.\r\n\r\nAdversaries may also execute a process with malicious command-line arguments then patch the memory with benign arguments that may bypass subsequent process memory analysis.\r\n\r\nThis behavior may also be combined with other tricks (such as Parent PID Spoofing) to manipulate or further evade process-based detections.",
"resources": "https://attack.mitre.org/techniques/T1564/010/",
"creation_date": "2023-01-31T02:10:02.144000Z",
"tags": "Defense Evasion,\r\nprocess environment block (PEB),\r\nProcess Hollowing,\r\nWriteProcessMemory(),\r\nParent PID Spoofing,\r\nmalicious cmd arguments,",
"modification_date": "2023-10-04T10:44:08.779000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 246,
"key": "hide-artifacts-email-hiding-rules",
"unprotect_id": "T1564.008",
"name": "Hide Artifacts: Email Hiding Rules",
"description": "Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule or Set-InboxRule PowerShell cmdlets on Windows systems.\r\n\r\nAdversaries may utilize email rules within a compromised user's mailbox to delete and/or move emails to less noticeable folders. Adversaries may do this to hide security alerts, C2 communication, or responses to Internal Spearphishing emails sent from the compromised account.\r\n\r\nAny user or administrator within the organization (or adversary with valid credentials) may be able to create rules to automatically move or delete emails. These rules can be abused to impair/delay detection had the email content been immediately seen by a user or defender. Malicious rules commonly filter out emails based on key words (such as malware, suspicious, phish, and hack) found in message bodies and subject lines.",
"resources": "https://attack.mitre.org/techniques/T1564/008/",
"creation_date": "2023-01-31T02:06:43.058000Z",
"tags": "Defense Evasion\r\nNew-InboxRule,\r\nSet-InboxRule,\r\nmailbox rules,\r\nmailbox folders,\r\ninbound emails,\r\nphishing,",
"modification_date": "2023-10-04T10:44:50.279000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 245,
"key": "hide-artifacts-vba-stomping",
"unprotect_id": "T1564.007",
"name": "Hide Artifacts: VBA Stomping",
"description": "Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.\r\n\r\nMS Office documents with embedded VBA content store source code inside of module streams. Each module stream has a PerformanceCache that stores a separate compiled version of the VBA source code known as p-code. The p-code is executed when the MS Office version specified in the _VBA_PROJECT stream (which contains the version-dependent description of the VBA project) matches the version of the host MS Office application.\r\n\r\nAn adversary may hide malicious VBA code by overwriting the VBA source code location with zero’s, benign code, or random bytes while leaving the previously compiled malicious p-code. Tools that scan for malicious VBA source code may be bypassed as the unwanted code is hidden in the compiled p-code. If the VBA source code is removed, some tools might even think that there are no macros present. If there is a version match between the _VBA_PROJECT stream and host MS Office application, the p-code will be executed, otherwise the benign VBA source code will be decompressed and recompiled to p-code, thus removing malicious p-code and potentially bypassing dynamic analysis.",
"resources": "https://attack.mitre.org/techniques/T1564/007/",
"creation_date": "2023-01-31T02:03:17.102000Z",
"tags": "Defense Evasion,\r\nPerformanceCache,\r\n_VBA_PROJECT,\r\nMicrosoft Office,\r\nVisual Basic for Applications (VBA),\r\np-code,\r\nproject stream,\r\nmalicious code,",
"modification_date": "2023-10-04T10:44:36.443000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 244,
"key": "hide-artifacts-run-virtual-instance",
"unprotect_id": "T1564.006",
"name": "Hide Artifacts: Run Virtual Instance",
"description": "Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.\r\n\r\nAdversaries may utilize native support for virtualization (ex: Hyper-V) or drop the necessary files to run a virtual instance (ex: VirtualBox binaries). After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.",
"resources": "https://attack.mitre.org/techniques/T1564/006/",
"creation_date": "2023-01-31T02:00:27.059000Z",
"tags": "Defense Evasion,\r\nvirtualization,\r\nVirtualBox,\r\nVMWare,\r\nHyperV,\r\ncompromise host,",
"modification_date": "2023-10-04T10:42:09.202000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 243,
"key": "hide-artifacts-hidden-file-system",
"unprotect_id": "T1564.005",
"name": "Hide Artifacts: Hidden File System",
"description": "Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS.\r\n\r\nAdversaries may use their own abstracted file system, separate from the standard file system present on the infected system. In doing so, adversaries can hide the presence of malicious components and file input/output from security tools. Hidden file systems, sometimes referred to as virtual file systems, can be implemented in numerous ways. One implementation would be to store a file system in reserved disk space unused by disk structures or standard file system partitions. Another implementation could be for an adversary to drop their own portable partition image as a file on top of the standard file system. Adversaries may also fragment files across the existing file system structure in non-standard ways.",
"resources": "https://attack.mitre.org/techniques/T1564/005/",
"creation_date": "2023-01-31T01:55:59.336000Z",
"tags": "Defense Evasion,\r\nFAT, \r\nNTFS, \r\next4, \r\nAPFS,\r\nVolume Boot Record (VBR),\r\nMaster File Table (MFT),\r\nvirtual file systems,\r\nportable partition image,\r\nreserved disk space,\r\nfile fragmentation,",
"modification_date": "2023-10-04T10:44:08.518000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 242,
"key": "hide-artifacts-ntfs-file-attributes",
"unprotect_id": "T1564.004",
"name": "Hide Artifacts: NTFS File Attributes",
"description": "Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. Within MFT entries are file attributes, such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). \r\n\r\nAdversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus.",
"resources": "https://attack.mitre.org/techniques/T1564/004/",
"creation_date": "2023-01-31T01:52:26.125000Z",
"tags": "Defense Evasion,\r\nNew Technology File System (NTFS),\r\nMaster File Table (MFT),\r\nExtended Attributes (EA),\r\nAlternate Data Streams (ADSs),\r\nattribute metadata,\r\nAPT32,",
"modification_date": "2023-10-04T10:44:05.485000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 241,
"key": "hide-artifacts-hidden-window",
"unprotect_id": "T1564.003",
"name": "Hide Artifacts: Hidden Window",
"description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks.\r\n\r\nOn Windows, there are a variety of features in scripting languages in Windows, such as PowerShell, Jscript, and Visual Basic to make windows hidden. One example of this is powershell.exe -WindowStyle Hidden. \r\n\r\nAdversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.",
"resources": "https://attack.mitre.org/techniques/T1564/003/",
"creation_date": "2023-01-31T01:47:46.570000Z",
"tags": "Defense Evasion,\r\n-WindowStyle Hidden,\r\nsupress windows,\r\nAPT19,\r\nAPT28,\r\nAPT3,\r\nAPT32,",
"modification_date": "2023-10-04T10:44:57.218000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 240,
"key": "hide-artifacts-hidden-users",
"unprotect_id": "T1564.002",
"name": "Hide Artifacts: Hidden Users",
"description": "Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.\r\n\r\nAdversaries may hide user accounts in Windows. Adversaries can set the HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList Registry key value to 0 for a specific user to prevent that user from being listed on the logon screen.",
"resources": "https://attack.mitre.org/techniques/T1564/002/",
"creation_date": "2023-01-31T01:41:37.835000Z",
"tags": "Defense Evasion,\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\r\nDragonfly,\r\nsupress users from login screen,",
"modification_date": "2023-10-04T10:43:35.458000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 239,
"key": "hide-artifacts-hidden-files-and-directories",
"unprotect_id": "T1564.001",
"name": "Hide Artifacts: Hidden Files and Directories",
"description": "Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows).\r\n\r\nUsers can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys.\r\n\r\nAdversaries can use this to their advantage to hide files and folders anywhere on the system and evading a typical user or system analysis that does not incorporate investigation of hidden files.",
"resources": "https://attack.mitre.org/techniques/T1564/001/",
"creation_date": "2023-01-31T01:37:25.064000Z",
"tags": "Defense Evasion,\r\nhidden files,\r\nhidden folders,\r\nattrib.exe,\r\n.ssh,\r\nAPT28,\r\nAPT32,",
"modification_date": "2023-10-04T10:44:08.273000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 238,
"key": "windows-file-and-directory-permissions-modification",
"unprotect_id": "T1222.001",
"name": "Windows File and Directory Permissions Modification",
"description": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\r\n\r\nWindows implements file and directory ACLs as Discretionary Access Control Lists (DACLs). Similar to a standard ACL, DACLs identifies the accounts that are allowed or denied access to a securable object. When an attempt is made to access a securable object, the system checks the access control entries in the DACL in order. If a matching entry is found, access to the object is granted. Otherwise, access is denied.\r\n\r\nAdversaries can interact with the DACLs using built-in Windows commands, such as icacls, cacls, takeown, and attrib, which can grant adversaries higher permissions on specific files and folders. Further, PowerShell provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via Accessibility Features, Boot or Logon Initialization Scripts, or tainting/hijacking other instrumental binary/configuration files via Hijack Execution Flow.",
"resources": "https://attack.mitre.org/techniques/T1222/001/",
"creation_date": "2023-01-31T01:31:58.384000Z",
"tags": "Defense Evasion,\r\nPersistence,\r\nevade access control lists (ACLs),\r\nicacls, \r\ncacls, \r\ntakeown, \r\nattrib,\r\nHijack Execution Flow,\r\nDiscretionary Access Control Lists (DACLs),\r\nAccessibility Features, \r\nBoot Initialization Scripts,\r\nLogon Initialization Scripts,",
"modification_date": "2023-10-04T10:44:29.110000Z",
"category": [
10
],
"rules": [],
"attachments": [
"b913237e-4937-4062-9187-b752a00d818c"
],
"featured_api": [],
"contributors": []
},
{
"id": 237,
"key": "domain-member",
"unprotect_id": "U1341",
"name": "Domain Member",
"description": "This technique determines if a host is a member of an Active Directory Domain without API calls. It helps prevent malicious payload execution in enterprise sandboxes that are not members of an Active Directory domain. The validation is done by checking the \"LoggonServer\" and \"ComputerName\" environment variables. If the host is logged into a domain controller, the \"LoggonServer\" value will contain the name of the logged-in server, otherwise both variables contain the same hostname. This information is stored in the process memory, allowing for undetectable domain membership validation without API calls.",
"resources": "",
"creation_date": "2023-01-30T00:03:56.393000Z",
"tags": "technique, Active Directory Domain, enterprise sandboxes, malicious payload, LoggonServer, ComputerName, domain controller, hostname, process memory, undetectable, API calls",
"modification_date": "2023-01-30T00:03:56.393000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 236,
"key": "cpu-counting",
"unprotect_id": "U1340,B0009.018",
"name": "CPU Counting",
"description": "In many sandboxes, due to virtualization constraints, the number of CPUs may be limited to one. However, in the real world, all x86 CPUs have been sold with multiple cores or at least hyperthreading for over a decade. \r\n\r\nAs a result, it is sometimes possible to detect virtualization or sandboxing by examining the number of CPUs on the system. This information can be obtained without making API calls, simply by checking the PEB, which holds this information. The presence of hyperthreading can also be detected by directly asking the CPU using the CPUID instruction.",
"resources": "",
"creation_date": "2023-01-29T23:58:47.355000Z",
"tags": "Sandbox, virtualization constraint, CPU count, workstations, servers, x86 CPU, multi-core, hyperthreading, virtualization detection, Windows API, WMI, registry, PEB, hyperthreading detection, CPUID instruction",
"modification_date": "2023-05-13T05:20:40.510000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 235,
"key": "return-address-spoofing",
"unprotect_id": "U0518",
"name": "Return Address Spoofing",
"description": "Return Address Spoofing is a technique used in x64 architecture to bypass the limitations of the x64 fastcall mechanism. The traditional method of spoofing return addresses in x86 (e.g. using a ret in a game module as a trampoline) is not feasible in x64 due to caller cleanup and red zone.\r\n\r\nTo overcome this, the code creates a temporary storage for the shellcode on the stack, where the address of a gadget and the called function are stored. An extra 8 bytes are reserved for the shellcode. The address of the storage is then passed to the shellcode, which reads the addresses, stores the original return address, the original content of the nonvolatile register (rbx), and the shellcode's return address.\r\n\r\nThe shellcode then jumps into the called function, which runs and returns to the gadget (jmp [rbx]). The remaining shellcode restores rbx, aligns the stack, and \"returns\" to the original return address using a jump instruction. This technique enables the shellcode to hide its presence from endpoint security software and memory scanners, while maintaining its malicious functionality.",
"resources": "https://www.unknowncheats.me/forum/anti-cheat-bypass/268039-x64-return-address-spoofing-source-explanation.html",
"creation_date": "2023-01-29T23:50:58.846000Z",
"tags": "",
"modification_date": "2023-10-04T10:45:01.928000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 234,
"key": "avoiding-memory-scanners-yara-pe-sieve",
"unprotect_id": "U1009",
"name": "Avoiding Memory Scanners (Yara, Pe-sieve...)",
"description": "Avoiding Memory Scanners is a technique that enables malware creators to bypass the detection of endpoint security software and reverse engineers by using memory scanning to locate shellcode and malware in Windows memory. \r\n\r\nThe technique involves understanding how memory scanners work and implementing a stable evasion method for each of the memory scanning tools, such as PE-sieve, MalMemDetect, Moneta, Volatility malfind, and YARA. The goal of this technique is to hide the presence of malware from these tools and maintain its malicious functionality.",
"resources": "https://youtu.be/9z9PHSk2MsY\nhttps://github.com/kyleavery/AceLdr",
"creation_date": "2023-01-29T23:45:51.133000Z",
"tags": "YARA, PE-SIEVE, Monetta, Endpoint, Memory Scan",
"modification_date": "2023-10-04T10:43:03.446000Z",
"category": [
14
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 233,
"key": "domain-policy-modification-domain-trust-modification",
"unprotect_id": "T1484.002",
"name": "Domain Policy Modification: Domain Trust Modification",
"description": "Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Domain trust details, such as whether or not a domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources. These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.\r\n\r\nManipulating the domain trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, this may be used to forge SAML Tokens, without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate. An adversary may also convert a domain to a federated domain, which may enable malicious trust modifications such as altering the claim issuance rules to log in any valid set of credentials as a specified user.",
"resources": "https://attack.mitre.org/techniques/T1484/002/",
"creation_date": "2023-01-27T03:09:57.300000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation,\r\nDomain trust details,\r\nadd fake certificate,\r\nSAML Tokens,\r\nfederated domain,\r\nAPT29,",
"modification_date": "2023-10-04T10:44:07.474000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 232,
"key": "domain-policy-modification-group-policy-modification",
"unprotect_id": "T1484.001",
"name": "Domain Policy Modification: Group Policy Modification",
"description": "Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predicable network path \\<DOMAIN>\\SYSVOL\\<DOMAIN>\\Policies\\.\r\n\r\nLike other objects in AD, GPOs have access controls associated with them. By default all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. write access, to specific users or groups in the domain.\r\n\r\nMalicious GPO modifications can be used to implement many other malicious behaviors such as Scheduled Task/Job, Disable or Modify Tools, Ingress Tool Transfer, Create Account, Service Execution, and more. Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.\r\n\r\nFor example, publicly available scripts such as New-GPOImmediateTask can be leveraged to automate the creation of a malicious Scheduled Task/Job by modifying GPO settings, in this case modifying <GPO_PATH>\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml.[3][4] In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <GPO_PATH>\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary's control would then be able to modify GPOs.",
"resources": "https://attack.mitre.org/techniques/T1484/001/",
"creation_date": "2023-01-27T03:02:16.993000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation,\r\nPersistence,\r\nGroup Policy Objects (GPOs),\r\nNew-GPOImmediateTask,\r\nScheduledTasks.xml,\r\nGptTmpl.inf,\r\nGPO modification privileges,\r\ndelegate GPO access control permissions,",
"modification_date": "2023-10-04T10:44:08.030000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 231,
"key": "access-token-manipulation-sid-history-injection",
"unprotect_id": "T1134.005",
"name": "Access Token Manipulation: SID-History Injection",
"description": "Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. An account can hold additional SIDs in the SID-History Active Directory attribute, allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).\r\n\r\nWith Domain Administrator (or equivalent) rights, harvested or well-known SID values may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as Remote Services, SMB/Windows Admin Shares, or Windows Remote Management.",
"resources": "https://attack.mitre.org/techniques/T1134/005/",
"creation_date": "2023-01-27T02:56:18.913000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation,\r\nbypass access controls,\r\nWindows security identifier (SID)\r\nSID-History Active Directory,\r\nimpersonate users,\r\nlateral movement,\r\nMISC::AddSid, \r\nMimikatz,",
"modification_date": "2023-10-04T10:45:01.018000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 230,
"key": "access-token-manipulation-make-and-impersonate-token",
"unprotect_id": "T1134.003",
"name": "Access Token Manipulation: Make and Impersonate Token",
"description": "Adversaries may make and impersonate tokens to escalate privileges and bypass access controls. If an adversary has a username and password but the user is not logged onto the system, the adversary can then create a logon session for the user using the LogonUser function. The function will return a copy of the new session's access token and the adversary can use SetThreadToken to assign the token to a thread.",
"resources": "https://attack.mitre.org/techniques/T1134/003/",
"creation_date": "2023-01-27T02:52:16.671000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation,\r\nLogonUser,\r\nSetThreadToken,\r\nCobalt Strike,",
"modification_date": "2023-10-04T10:43:00.794000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 229,
"key": "access-token-manipulation-create-process-with-token",
"unprotect_id": "T1134.002",
"name": "Access Token Manipulation: Create Process with Token",
"description": "Adversaries may create a new process with a different token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW and runas.\r\n\r\nCreating processes with a different token may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used (ex: gathered via other means such as Token Impersonation/Theft or Make and Impersonate Token).",
"resources": "https://attack.mitre.org/techniques/T1134/002/",
"creation_date": "2023-01-27T02:49:53.607000Z",
"tags": "Defense Evasion,\r\nPrivilege Escalation,\r\nCreateProcessWithTokenW,\r\nrunas,\r\nToken Impersonation,\r\nToken Theft,\r\nMake Token,\r\nImpersonate Token,",
"modification_date": "2023-10-04T10:44:05.237000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 228,
"key": "access-token-manipulation-token-impersonationtheft",
"unprotect_id": "T1134.001",
"name": "Access Token Manipulation: Token Impersonation/Theft",
"description": "Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex). The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to a thread.\r\n\r\nAn adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful for when the target user has a non-network logon session on the system.",
"resources": "https://attack.mitre.org/techniques/T1134/001/",
"creation_date": "2023-01-27T02:44:10.190000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation,\r\nToken impersonation, \r\nToken theft, \r\nDuplicateToken(Ex), \r\nImpersonateLoggedOnUser, \r\nSetThreadToken\r\nAPT28,",
"modification_date": "2023-10-04T10:44:04.019000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 226,
"key": "homograph-attack-punycode",
"unprotect_id": "U0909",
"name": "Homograph Attack (Punycode)",
"description": "A homograph attack is a type of phishing attack that uses homoglyphs (characters that look similar to other characters) to create domain names or URLs that appear to be legitimate, but are actually controlled by an attacker. Homograph attacks take advantage of the fact that many languages have characters that are visually similar to characters used in other languages.\r\n\r\nFor example, the letter \"a\" in the Latin alphabet and the character \"а\" in the Cyrillic alphabet are visually similar. An attacker can register a domain name using the Cyrillic \"а\" and create a website that looks like a legitimate website, but is actually controlled by the attacker.\r\n\r\nThe attack works by exploiting the way domain names are encoded in Punycode. Punycode is a way of representing Unicode characters with the limited character subset of ASCII used for Internet host names. This allows for domain names containing non-Latin characters, such as Chinese or Arabic, to be represented in an ASCII format that can be understood by systems that only support ASCII characters.\r\n\r\nThis means that an attacker can register a domain name that uses characters from different languages that look similar to characters from the Latin alphabet, like \"а\" instead of \"a\" and create a website that looks almost identical to a legitimate website.\r\n\r\nThese attacks are very similar to typosquatting. Browser vendors have implemented features to help protect users from homograph attacks by displaying the Punycode version of domain names containing non-Latin characters.",
"resources": "https://en.wikipedia.org/wiki/IDN_homograph_attack\nhttps://en.wikipedia.org/wiki/Punycode\nhttps://blog.securitybreak.io/fifty-shades-of-malware-strings-d33b0c7bee99",
"creation_date": "2023-01-16T00:36:02.612000Z",
"tags": "Homograph attack, phishing attack, homoglyphs, domain names, URLs, legitimate, attacker, encoding, Punycode, Unicode characters, ASCII, Internet host names, non-Latin characters, Latin alphabet, Cyrillic alphabet, typosquatting,",
"modification_date": "2023-10-04T10:44:03.843000Z",
"category": [
9
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 225,
"key": "domain-fronting",
"unprotect_id": "U0908, T1090.004",
"name": "Domain Fronting",
"description": "Domain fronting is a technique used to hide the true destination of internet traffic. It may be used to hide the real destination of an offensive payload or is could be used to bypass censorship or any form of network restriction. The technique may be used through CDN infrastructure or on any infrastructure that perform separation between SSL and http backend.\r\n\r\nIt involves SSL/TLS connection since it abuse of the destination requested in the SNI (Server Name Indication) field at SSL level at \"Front\" and the real hosname requested by the HOST header at the HTTP level. In clear you declare one destination at SSL level and another one at HTTP level. From an defender point on view you see only the SSL destination in the firewall logs and not the real final destination.\r\n\r\nAdditionally, some other headers may be used to facilitate domain fronting like \"X-Forwarded-Host\" and \"X-Originating-URL\". But these headers may vary depending on the implementation.\r\n\r\nSuch techniques were exploited by groups like APT29. Hovewer, some cloud providers like AWS, Google Cloud, and Cloudflare among others, have started to detect and block domain fronting attempts. Since then a new technics named domain hiding as been discovered. This is a complementary technique that as been presented by Erik Hunstad at defcon 2020. This techniques use the ESNI header in the TLS3.1 version.",
"resources": "https://en.wikipedia.org/wiki/Domain_fronting\nhttps://attack.mitre.org/techniques/T1090/004/",
"creation_date": "2023-01-15T07:04:21.021000Z",
"tags": "Domain fronting,\r\nbypass censorship,\r\nnetwork restriction,\r\nSSL/TLS connection,\r\nSNI (Server Name Indication) field,\r\nX-Forwarded-Host,\r\nX-Originating-URL,\r\nAPT29,\r\nTLS3.1 version,",
"modification_date": "2023-10-04T10:45:00.870000Z",
"category": [
9,
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 224,
"key": "milfuscator",
"unprotect_id": "U1429",
"name": "Milfuscator",
"description": "Milfuscator is a tool used to obfuscate the code in a Portable Executable (PE) file by modifying and expanding the existing code in the \".text\" section, without creating any new sections. It does this using the Zydis and AsmJit libraries, and is based on the concept of code mutation from a P2C project for the game Counter-Strike: Global Offensive. The tool is an open-source project.",
"resources": "https://github.com/nelfo/Milfuscator",
"creation_date": "2022-12-24T04:07:22.663000Z",
"tags": "Zydis,\r\nAsmJit,\r\nCode mutation,\r\nObfuscation,\r\nPacker,",
"modification_date": "2023-10-04T10:42:07.191000Z",
"category": [
12
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 223,
"key": "dirty-vanity",
"unprotect_id": "U1242",
"name": "Dirty Vanity",
"description": "Dirty Vanity is a process injection technique that exploits the Windows forking (process reflection and snapshotting) feature to inject code into a new process. \r\n\r\nIt uses the `RtlCreateProcessReflection` or `NtCreateProcess[Ex]` primitives, along with the `PROCESS_VM_OPERATION`, `PROCESS_CREATE_THREAD`, and `PROCESS_DUP_HANDLE` flags to reflect and execute code in a new process. \r\n\r\nThe technique also makes use of various methods, such as `NtCreateSection` and `NtMapViewOfSection`, `VirtualAllocEx` and `WriteProcessMemory`, and `NtSetContextThread` (also known as Ghost Writing), to write the injected code into the new process. \r\n\r\nThis technique is designed to evade detection by endpoint security solutions, as the injected code appears to have been written to the new process, rather than being injected from an external source.",
"resources": "https://github.com/deepinstinct/Dirty-Vanity\nhttps://i.blackhat.com/EU-22/Thursday-Briefings/EU-22-Nissan-DirtyVanity.pdf",
"creation_date": "2022-12-18T03:19:30.703000Z",
"tags": "Process injection,\r\nWindows forking,\r\nProcess reflection,\r\nSnapshotting,\r\nRtlCreateProcessReflection,\r\nNtCreateProcess,\r\nNtCreateProcessEx,\r\nFork,\r\nExecute,\r\nPROCESS_VM_OPERATION,\r\nPROCESS_CREATE_THREAD,\r\nPROCESS_DUP_HANDLE,\r\nNtCreateSection,\r\nNtMapViewOfSection,\r\nVirtualAllocEx,\r\nWriteProcessMemory\r\nNtSetContextThread,\r\nGhost Writing,",
"modification_date": "2023-10-04T10:43:30.875000Z",
"category": [
4
],
"rules": [],
"attachments": [
"21196959-579d-4561-b450-0f3453f4e91d"
],
"featured_api": [
3,
4,
6,
7,
24,
381,
425
],
"contributors": []
},
{
"id": 222,
"key": "mark-of-the-web-motw-bypass",
"unprotect_id": "U0517",
"name": "Mark-Of-The-Web (MOTW) Bypass",
"description": "Mark-of-the-Web (MOTW) is a security feature originally introduced by Internet Explorer. When downloading a file, Internet Explorer creates an ADS named Zone.Identifier and adds a ZoneId to this stream to indicate from which zone the file originates. It is used on Windows OS to trigger a Windows Defender SmartScreen detection and raise an alert to the user about the file. \r\n\r\nThe following ZoneId values may be used in a Zone.Identifier ADS:\r\n\r\n* 0 Local computer\r\n* 1 Local intranet\r\n* 2 Trusted sites\r\n* 3 Internet\r\n* 4 Restricted sites\r\n\r\nIn some cases, the Alternate Data Stream will be `SmartScreen` with the value `anaheim`. To bypass this security feature malware authors can use file format that does not manage the MOTW such as ISO or VHD file. \r\n\r\nUsing `git clone` can also be an alternative as a file cloned from GitHub with the Git client does not have a Zone.Identifier ADS.",
"resources": "https://outflank.nl/blog/2020/03/30/mark-of-the-web-from-a-red-teams-perspective/\nhttps://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html",
"creation_date": "2022-10-20T01:29:37.644000Z",
"tags": "#MOTW",
"modification_date": "2023-10-04T10:42:22.593000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 221,
"key": "tamper-dll-export-names-getprocaddress-spoofing",
"unprotect_id": "U1241",
"name": "Tamper DLL Export Names & GetProcAddress Spoofing",
"description": "When a process is running, it is possible to change the results of the call to `GetProcAddress` API, for the exported functions of a module along with modifying the export's offsets and name at runtime. \r\n\r\nFor example, the offset of `kernel32.dll's` function `VirtualAlloc` can be change to the offset of another function. When `VirtualAlloc` is called (after getting its address from `GetProcAddress`), the second function will be called instead. \r\n\r\nTo achieve this, it is possible to use the WINAPI `MapAndLoad` from `ImageHlp.h`, then use `ImageDirectoryEntryToData` to get the list of exports. Then the `ImageRvaToVa` API can be used to retrieve each exported functions names offset; if desired the export name can be overwritten, resulting in calls to `GetProcAddress` with that export name to fail or be directed to another function.",
"resources": "",
"creation_date": "2022-08-11T10:08:44.579000Z",
"tags": "",
"modification_date": "2022-12-06T02:29:18.282000Z",
"category": [
4
],
"rules": [
122
],
"attachments": [],
"featured_api": [
3,
7,
381,
404,
425
],
"contributors": []
},
{
"id": 220,
"key": "hijack-execution-flow-dll-search-order-hijacking",
"unprotect_id": "T1574.001",
"name": "Hijack Execution Flow: DLL Search Order Hijacking",
"description": "Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.\r\n\r\nThere are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program. Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. \r\n\r\nAdversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.\r\n\r\nIf a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.",
"resources": "https://attack.mitre.org/techniques/T1574/001/\nhttps://pentestlab.blog/2017/03/27/dll-hijacking/\nhttps://itm4n.github.io/windows-dll-hijacking-clarified/\nhttps://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0\nhttps://github.com/Sh0ckFR/DLLirant",
"creation_date": "2022-07-25T09:16:49.633000Z",
"tags": "Persistence, \r\nPrivilege Escalation, \r\nDefense Evasion,\r\nexecute malicious payloads,\r\ntrojan dynamic-link library files (DLLs) ,\r\nDLL preloading,\r\nbinary planting attacks,\r\nmimic legitimate DLL,\r\nDLL redirection,",
"modification_date": "2023-10-04T10:43:51.456000Z",
"category": [
10
],
"rules": [
123
],
"attachments": [],
"featured_api": [
2,
249
],
"contributors": []
},
{
"id": 219,
"key": "dll-proxying",
"unprotect_id": "U1240",
"name": "DLL Proxying",
"description": "DLL proxying is a technique used by malware to evade detection and gain persistence on a system. It involves replacing a legitimate DLL with a malicious DLL that has the same exported functions and is named similarly to the legitimate DLL. \r\n\r\nWhen a program attempts to load the legitimate DLL, it will instead load the malicious DLL, which acts as a proxy for the legitimate DLL. The malicious DLL will redirect function calls to the legitimate DLL, allowing the malware to execute its own code and perform malicious actions without the program realizing that it is not the legitimate DLL. \r\n\r\nThis technique allows the malware to operate stealthily and evade detection by security software, as the malicious DLL is designed to mimic the legitimate DLL. This makes it difficult for security software to differentiate between the legitimate and malicious DLLs, allowing the malware to continue to operate undetected.",
"resources": "https://www.ired.team/offensive-security/persistence/dll-proxying-for-persistence\nhttps://itm4n.github.io/dll-proxying/\nhttps://github.com/Sh0ckFR/DLLirant",
"creation_date": "2022-07-25T09:10:00.495000Z",
"tags": "DLL proxying,\r\nCode obfuscation,\r\nPersistence,\r\nDLL redirection,\r\nStealth operation,",
"modification_date": "2023-10-04T10:43:33.827000Z",
"category": [
4
],
"rules": [
124
],
"attachments": [],
"featured_api": [],
"contributors": [
19
]
}
]
}
