Scribd Logo
Upload

Welcome to Scribd!

  • 4 views

    Defense Evasion

    Uploaded by

    rakivanatan
    This document lists various techniques for bypassing security controls and maintaining privileged access on a system. It includes abusing elevation mechanisms like sudo, modifying system images and firmware, hiding artifacts, impersonating tokens, and modifying system files and policies to evade detection. Many of the techniques involve abusing legitimate system components and mechanisms to avoid detection by security solutions.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content

    You might also like

    Defense Evasion

    Uploaded by

    rakivanatan
    4 views1 page
    This document lists various techniques for bypassing security controls and maintaining privileged access on a system. It includes abusing elevation mechanisms like sudo, modifying system images and firmware, hiding artifacts, impersonating tokens, and modifying system files and policies to evade detection. Many of the techniques involve abusing legitimate system components and mechanisms to avoid detection by security solutions.

    Original Description:

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document lists various techniques for bypassing security controls and maintaining privileged access on a system. It includes abusing elevation mechanisms like sudo, modifying system images and firmware, hiding artifacts, impersonating tokens, and modifying system files and policies to evade detection. Many of the techniques involve abusing legitimate system components and mechanisms to avoid detection by security solutions.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    4 views1 page

    Defense Evasion

    Uploaded by

    rakivanatan
    This document lists various techniques for bypassing security controls and maintaining privileged access on a system. It includes abusing elevation mechanisms like sudo, modifying system images and firmware, hiding artifacts, impersonating tokens, and modifying system files and policies to evade detection. Many of the techniques involve abusing legitimate system components and mechanisms to avoid detection by security solutions.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    of 1

    Setuid and Setgid

    Bypass User Account Control


    T1548 - Abuse Elevation Control Mechanism Sudo and Sudo Caching

    Elevated Execution with Prompt

    Patch System Image


    T1202 - Indirect Command Execution
    Downgrade System Image T1601 - Modify System Image

    Hidden Files and Directories


    Network Address Translation Traversal
    T1599 - Network Boundary Bridging Hidden Users

    Hidden Window

    Binary Padding NTFS File Attributes

    Software Packing Hidden File System

    Steganography T1564 - Hide Artifacts Run Virtual Instance

    Compile After Delivery VBA Stomping

    Indicator Removal from Tools Email Hiding Rules


    T1027 - Obfuscated Files or Information
    HTML Smuggling Resource Forking

    Dynamic API Resolution Process Argument Spoofing

    Stripped Payloads
    Token Impersonation/Theft
    Embedded Payloads
    Create Process with Token

    Make and Impersonate Token


    T1647 - Plist File Modification T1134 - Access Token Manipulation
    Parent PID Spoofing

    SID-History Injection
    System Firmware

    Component Firmware
    Invalid Code Signature
    Bootkit
    T1542 - Pre-OS Boot Right-to-Left Override
    ROMMONkit
    Rename System Utilities
    TFTP Boot
    Masquerade Task or Service
    T1036 - Masquerading
    Match Legitimate Name or Location
    Dynamic-link Library Injection
    Space after Filename
    Portable Executable Injection
    Double File Extension
    Thread Execution Hijacking

    Asynchronous Procedure Call

    Thread Local Storage T1197 - BITS Jobs

    Ptrace System Calls

    Proc Memory T1055 - Process Injection T1612 - Build Image on Host


    Extra Window Memory Injection

    Process Hollowing T1622 - Debugger Evasion


    Process Doppelgänging

    VDSO Hijacking
    T1140 - Deobfuscate/Decode Files or Information
    ListPlanting

    T1610 - Deploy Container


    T1620 - Reflective Code Loading

    T1006 - Direct Volume Access


    T1207 - Rogue Domain Controller

    Group Policy Modification


    T1014 - Rootkit
    T1484 - Domain Policy Modification Domain Trust Modification

    Gatekeeper Bypass
    Environmental Keying
    Code Signing
    T1480 - Execution Guardrails

    SIP and Trust Provider Hijacking

    Install Root Certificate T1553 - Subvert Trust Controls T1211 - Exploitation for Defense Evasion
    Mark-of-the-Web Bypass MITRE ATT&CK-Defense Evasion
    Code Signing Policy Modification Windows File and Directory Permissions Modification
    T1222 - File and Directory Permissions Modification Linux and Mac File and Directory Permissions Modification
    Compiled HTML File

    Control Panel DLL Search Order Hijacking


    CMSTP DLL Side-Loading

    InstallUtil Dylib Hijacking

    Mshta Executable Installer File Permissions Weakness

    Msiexec Dynamic Linker Hijacking


    Odbcconf Path Interception by PATH Environment Variable
    T1218 - System Binary Proxy Execution
    Regsvcs/Regasm T1574 - Hijack Execution Flow Path Interception by Search Order Hijacking

    Regsvr32 Path Interception by Unquoted Path

    Rundll32 Services File Permissions Weakness

    Verclsid Services Registry Permissions Weakness


    Mavinject COR_PROFILER

    MMC KernelCallbackTable

    PubPrn Disable or Modify Tools


    T1216 - System Script Proxy Execution
    Disable Windows Event Logging

    Impair Command History Logging


    T1221 - Template Injection
    Disable or Modify System Firewall

    Indicator Blocking
    Port Knocking T1562 - Impair Defenses
    Disable or Modify Cloud Firewall
    Socket Filters T1205 - Traffic Signaling
    Disable Cloud Logs

    Safe Mode Boot


    MSBuild
    T1127 - Trusted Developer Utilities Proxy Execution Downgrade Attack

    Clear Windows Event Logs


    T1535 - Unused/Unsupported Cloud Regions
    Clear Linux or Mac System Logs

    Clear Command History


    Application Access Token
    File Deletion
    Pass the Hash
    Network Share Connection Removal
    Pass the Ticket T1550 - Use Alternate Authentication Material T1070 - Indicator Removal
    Timestomp
    Web Session Cookie
    Clear Network Connection History and Configurations

    Default Accounts Clear Mailbox Data

    Domain Accounts Clear Persistence

    Local Accounts T1078 - Valid Accounts


    Domain Controller Authentication
    Cloud Accounts
    Password Filter DLL

    System Checks Pluggable Authentication Modules

    User Activity Based Checks Network Device Authentication


    T1497 - Virtualization/Sandbox Evasion T1556 - Modify Authentication Process
    Time Based Evasion Reversible Encryption

    Multi-Factor Authentication
    Reduce Key Space Hybrid Identity
    Disable Crypto Hardware T1600 - Weaken Encryption
    Create Snapshot

    Create Cloud Instance


    T1220 - XSL Script Processing
    T1578 - Modify Cloud Compute Infrastructure Delete Cloud Instance

    Revert Cloud Instance

    T1112 - Modify Registry

    @hackinarticles https://github.com/Ignitetechnologies https://in.linkedin.com/company/hackingarticles

    You might also like