Tag: Mitre Attack

Process Herpaderping (Mitre:T1055)

Johnny Shaw demonstrated a defense evasion technique known as process herpaderping, in which an attacker is able to inject malicious code into the mapped memory segment of a legitimate process before the inspection of the created process actually begins. This helps an attacker bypass defenses and also escalate privileges. While MITRE hasn’t associated a […]

Process Doppelganging (Mitre:T1055.013)

Eugene Kogan and Tal Liberman presented a technique for defense evasion called “Process Doppelganging” in Blackhat EU 2017 which can be found here and a video of the session here. In this method, we use NTFS transactions to create a dummy file containing our payload, which creates a new NTFS memory section with our payload. […]

Process Hollowing (Mitre:T1055.012)

In July 2011, John Leitch of autosectools.com talked about a technique he called process hollowing in his whitepaper here. Ever since then, many malware campaigns like Bandook and Ransom.Cryak, and various APTs have utilized Process Hollowing for defense evasion and privilege escalation. In this article, we aim to discuss the technical concepts utilized behind the […]

Windows Persistence: COM Hijacking (MITRE: T1546.015)

According to MITRE, “Adversaries can use the COM system to insert malicious code that executes in place of legitimate software by hijacking COM references and relationships as a means for persistence.” To hijack a COM object, an attacker must modify certain registry hives and replace the reference to a legitimate system component with a malicious […]

Lateral Movement: Remote Services (Mitre:T1021)

During Red Team assessments, after an attacker has compromised a system, they often move laterally through the network, gaining more relevant information on other systems. This lateral movement is possible through the use of various binaries, services, and processes. In this article, we will focus solely on Lateral Movement using Remote Services, i.e., services that […]

Parent PID Spoofing (Mitre:T1134)

Parent PID spoofing is an access token manipulation technique that helps an attacker evade defense mechanisms such as heuristic detection by spoofing the PPID of a malicious file to that of a legitimate process like explorer.exe. Additionally, attackers use native API calls to explicitly assign the PID, typically through the CreateProcess call in C++. This […]

Windows Persistence: Shortcut Modification (T1547)

According to MITRE, adversaries often use Windows persistence techniques such as shortcut modification to maintain access or escalate privileges. Consequently, in this blog, we explore how modifying LNK shortcuts helps attackers gain persistent access to compromised systems. Shortcut modification is a technique where an attacker replaces the absolute path of an executable tied to a […]

Windows Privilege Escalation: Scheduled Task/Job (T1573.005)

An attacker can exploit Windows Task Scheduler to schedule malicious programs for initial or recurrent execution. For persistence, the attacker typically uses Windows Task Scheduler to launch applications at system startup or at predefined intervals. Furthermore, the attacker executes remote code under the context of a specified account to achieve Privilege Escalation. Table of Content […]

Defense Evasion: Windows Event Logging (T1562.002)

In this post, we explore Windows Event Logging defense evasion techniques used by attackers to avoid detection. By disabling, bypassing, or tampering with event logs using tools and scripts, threat actors can cover their tracks and stay hidden from security teams. Understanding these techniques is crucial for defenders to strengthen monitoring and response capabilities. Defense […]