  • Stars: 374
  • Rank: 114,346 (Top 3 %)
  • Language: HTML
  • License: MIT License
  • Created about 5 years ago
  • Updated 4 months ago

Repository Details

The Evasions encyclopedia gathers methods used by malware to evade detection when run in a virtualized environment. Methods are grouped into categories for ease of searching and understanding. Each category also provides code samples, signature recommendations and countermeasures for the techniques it describes.

Evasions

Words of gratitude

This encyclopedia wouldn't have been possible without the invaluable assistance of the following Check Point researchers:

  • Aliaksandr Trafimchuk (@a14xt)
  • Alexey Bukhteyev

Site

Compiled encyclopedia resides here: https://evasions.checkpoint.com.

Description

As malicious threats evolve, the need for automated solutions to analyze them grows. Malware samples are very commonly executed in some kind of virtualized environment.

These environments differ from ordinary host systems by a large number of artifacts: uncommon files, registry keys, system objects, etc. By examining such artifacts, a malware sample can determine whether it is running in a virtualized environment. Depending on the answer, the malware either continues its normal execution, giving researchers the opportunity to monitor its behavior, or behaves in an unexpected way and reveals nothing about what it really does.

In the latter case, we say that the malware has successfully applied an evasion technique, or simply an evasion.

In this encyclopedia we have attempted to gather all the known ways to detect a virtualized environment, grouping them into broad categories. Some categories are inactive on the main page: this means that their content will be added later.

Within each category the reader will find the following information:

  • description of the technique
  • code sample showing its usage
  • signature recommendations to track attempts to apply this technique
  • table showing which particular environments are detected by each constant used in the technique
  • possible countermeasures
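The artifact check described above, together with the per-category structure (technique, code sample, signature recommendation, environment table, countermeasure), in miniature. This is an added example and is not code from the encyclopedia or from InviZzzible: it uses a constructed in-memory "guest" snapshot, a sample-side probe over a short table of well-known VirtualBox and VMware Guest Additions artifacts, a sandbox-side signature that flags the probe log, and a hiding countermeasure. The `Host` class, the snapshot contents and the helper names are assumptions made for illustration; the artifact paths are widely documented ones, but the table is deliberately short and is not the encyclopedia's full list.

```python
from dataclasses import dataclass, field

# Artifact constants keyed by the environment they reveal. These are widely
# documented Guest Additions / VMware Tools files and keys; the table is
# illustrative and not the encyclopedia's full list.
VM_ARTIFACTS = {
    "file": {
        r"C:\Windows\System32\drivers\VBoxMouse.sys": "VirtualBox",
        r"C:\Windows\System32\drivers\VBoxGuest.sys": "VirtualBox",
        r"C:\Windows\System32\drivers\vmmouse.sys": "VMware",
        r"C:\Windows\System32\drivers\vmhgfs.sys": "VMware",
    },
    "registry": {
        r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions": "VirtualBox",
        r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools": "VMware",
    },
}


@dataclass
class Host:
    """Constructed stand-in for a guest OS (assumption, not a real API): the
    files and registry keys that exist, plus a log of every existence query
    the sample issues, i.e. what a sandbox's API monitor would record."""
    files: set
    registry_keys: set
    log: list = field(default_factory=list)

    def file_exists(self, path: str) -> bool:
        self.log.append(("file", path))
        return path.lower() in {f.lower() for f in self.files}  # Windows paths are case-insensitive

    def reg_key_exists(self, key: str) -> bool:
        self.log.append(("registry", key))
        return key.lower() in {k.lower() for k in self.registry_keys}


def probe(host: Host) -> set:
    """Sample-side check: the set of environments the artifacts reveal.
    An empty set means the sample would continue its normal execution."""
    found = set()
    for kind, table in VM_ARTIFACTS.items():
        exists = host.file_exists if kind == "file" else host.reg_key_exists
        for artifact, env in table.items():
            if exists(artifact):
                found.add(env)
    return found


def signature_hits(log: list) -> list:
    """Sandbox-side signature: flag every query aimed at a known VM artifact,
    whether or not the artifact exists. Asking is the tell, not the answer."""
    hits = []
    for kind, target in log:
        for artifact, env in VM_ARTIFACTS[kind].items():
            if target.lower() == artifact.lower():
                hits.append((kind, target, env))
    return hits


def hide_artifacts(host: Host) -> Host:
    """Countermeasure: a guest in which the known artifacts are absent (a real
    sandbox would rename the files/keys or filter query results). Returns a
    new Host with a fresh query log."""
    hidden_files = {a.lower() for a in VM_ARTIFACTS["file"]}
    hidden_keys = {a.lower() for a in VM_ARTIFACTS["registry"]}
    return Host(
        files={f for f in host.files if f.lower() not in hidden_files},
        registry_keys={k for k in host.registry_keys if k.lower() not in hidden_keys},
    )


# Constructed snapshot of a VirtualBox guest with Guest Additions installed.
VBOX_GUEST = Host(
    files={
        r"C:\Windows\System32\drivers\VBoxMouse.sys",
        r"C:\Windows\System32\drivers\VBoxGuest.sys",
        r"C:\Windows\System32\ntdll.dll",
    },
    registry_keys={r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"},
)


if __name__ == "__main__":
    print("detected:", probe(VBOX_GUEST))                       # {'VirtualBox'}
    print("signature hits:", len(signature_hits(VBOX_GUEST.log)))  # 6
    print("after hiding:", probe(hide_artifacts(VBOX_GUEST)))    # set()
```

Two points the example makes that the prose does not: the signature fires on the query regardless of whether the artifact exists, so a sample probing for `vmhgfs.sys` on a VirtualBox guest is still flagged; and hiding artifacts defeats this category only, since the sample's probes are still visible in the log, which is why the encyclopedia pairs every countermeasure with a signature recommendation.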

Many open-source projects implement these techniques. Code excerpts from them are used throughout the encyclopedia, and we credit the open-source projects from which code samples were taken:

Check Point researchers have also produced their own tool, InviZzzible.

If you want to contribute to this encyclopedia, you're more than welcome to create pull requests here.

So check out all the repositories, browse through evasions encyclopedia and enjoy the journey!

Raman Ladutska (@DaCuriousBro)

More Repositories

1. Karta (Python, 854 stars): source code assisted fast binary matching plugin for IDA
2. InviZzzible (C++, 530 stars): a tool for assessing your virtual environments in an easy and reliable way. It contains the most recent detection and evasion techniques as well as fixes for them.
3. android_unpacker (Shell, 355 stars): a (hopefully) generic unpacker for packed Android apps.
4. showstopper (C++, 193 stars): ShowStopper is a tool for helping malware researchers explore and test anti-debug techniques, or verify debugger plugins or other solutions that clash with standard anti-debug methods.
5. Scout (C, 149 stars): instruction-based research debugger (a poor man's debugger)
6. Cuckoo-AWS (JavaScript, 134 stars): extension to the Cuckoo Sandbox open-source project that adds AWS cloud support and enables running emulation on auto-scaling infrastructure
7. CloudGuardIaaS (HCL, 94 stars): Check Point CloudGuard Network Security repository containing solution templates, Terraform templates, tools and scripts for deploying and configuring CloudGuard Network Security products.
8. cp_mgmt_api_python_sdk (Python, 93 stars): Check Point API Python Development Kit simplifies the use of the Check Point Management APIs.
9. cpAnsible (Python, 67 stars): Ansible module that provides control over a Check Point Management server using Check Point's web-services APIs.
10. ExportImportPolicyPackage (Python, 58 stars): Check Point ExportImportPolicyPackage tool enables you to export a policy package from a Management database to a .tar.gz file, which can then be imported into any other Management database. The tool is supported for version R80.10 and above.
11. QueryOrientedProgramming (Python, 49 stars): Query Oriented Programming (QOP) gadgets for SQLite-based exploitation
12. Anti-Debug-DB (HTML, 45 stars): Anti-Debug encyclopedia contains methods used by malware to verify if they are executed under debugging. It includes the description of various anti-debug tricks, their implementation, and recommendations on how to mitigate each trick.
13. SmartMove (C#, 42 stars): Check Point SmartMove tool enables you to convert a third-party database with firewall security policy and NAT to a Check Point database.
14. CheckPointAnsibleMgmtCollection (Python, 39 stars): this Ansible collection provides control over a Check Point Management server using Check Point's web-services APIs.
15. Cyber-Research (Python, 37 stars): general purpose repository for miscellaneous scripts, pcaps and malware IOCs that we share with the info-sec research community
16. MacOS-MalwarePedia (HTML, 32 stars)
17. android_appfuzz (Shell, 30 stars)
18. ShowPolicyPackage (Java, 29 stars): Check Point ShowPolicyPackage tool shows the content of a policy package (layers, rulebase, objects) as HTML pages.
19. terraform-provider-checkpoint (Go, 27 stars): Terraform provider for Check Point
20. reputation-service-api (Java, 27 stars): leverage Check Point's threat intelligence to enrich your SIEM and SOAR solutions and to secure your business applications and websites using simple RESTful APIs.
21. PolicyCleanUp (Python, 25 stars): Check Point PolicyCleanUp tool allows automatic cleanup of your policy based on hit counts.
22. smart-console-extensions (TypeScript, 22 stars): an extension can use JavaScript to interact with SmartConsole. The interactions provide access to information, such as the extension location context, and can perform certain basic operations, for example navigating to a rule. Interactions can return data asynchronously via matching callbacks.
23. CheckPointAnsibleGAIACollection (Python, 20 stars): an Ansible collection that provides control over a Check Point machine using Check Point's web-services APIs.
24. charts (Smarty, 18 stars): deploy Kubernetes Helm charts for Check Point CloudGuard
25. ExportObjects (Python, 15 stars): Check Point ExportObjects tool enables you to export specific types of objects from an R80.10 and above Management database to a .csv file, which can then be imported into any other R80.10 and above Management database.
26. UsefulManagementApiTools (Python, 12 stars): Check Point Useful Management API Tools contain scripts and tools that were used as solutions for customers.
27. dynobj (Python, 8 stars)
28. flash_instrumentation (ActionScript, 8 stars)
29. Infinity-Next (Python, 8 stars)
30. cpmonitor (C, 8 stars): CPMonitor is a utility for analyzing traffic captured by tcpdump (www.tcpdump.org) / snoop (http://snoopwpf.codeplex.com/).
31. cp-mgmt-api-csharp-sdk (C#, 6 stars): Check Point API C# Development Kit
32. terraform-checkpoint-dynobj-nia (Shell, 6 stars): Check Point Software Technologies Dynamic Objects module for Network Infrastructure Automation (NIA)
33. sddc (Python, 6 stars)
34. cp-mgmt-api-go-sdk (Go, 6 stars): Check Point API Go Development Kit simplifies the use of the Check Point Management APIs
35. terraform-provider-infinity-next (Go, 6 stars): Infinity Next's Terraform Provider for managing CloudGuard AppSec and other Infinity Next security applications using Terraform.
36. ChangedPolicies (Python, 5 stars): Check Point ChangedPolicies tool lets the user know which policies were affected by changes made in the last published session.
37. teapi (Python, 4 stars): an example of the Threat Prevention API implementation for Java & Python
38. sourceguard-action (4 stars): SourceGuard is designed to leverage Check Point's varied prevention technologies and services, providing source-code security and visibility. With a simple, cross-platform CLI tool, users can customize exclusions and control an ignore list, with easy integration into any pipeline.
39. chkp_nano_agents (C, 3 stars)
40. infinity-next-terraform-cli (Go, 3 stars): utility CLI for the Infinity Next Terraform Provider
41. cp-mgmt-api-java-sdk (Java, 3 stars): Check Point API Java Development Kit simplifies the use of the Check Point R80.10 Management APIs.
42. LocalToGlobal (Python, 2 stars): Check Point LocalToGlobal tool enables you to copy objects from a local domain to the global domain.
43. cp-mgmt-api-typescript-sdk (TypeScript, 2 stars): Check Point API TypeScript Development Kit simplifies the use of the Check Point Management APIs. The kit contains the API library files and sample files demonstrating the capabilities of the library.
44. appliance_tpapi (Python, 2 stars): client-side utilities for making Check Point Threat Prevention API calls to an appliance.
45. harmony-endpoint-management-js-ts-sdk (TypeScript, 2 stars): Check Point's Harmony Endpoint management SDK for the JavaScript ecosystem
46. spectral-github-action (JavaScript, 1 star): automated secrets, misconfiguration, IaC misconfiguration and OSS detection by Check Point CloudGuard
47. infinitynext-mgmt-api-resources (1 star): resources and examples for using the Check Point Infinity Next API. For the API reference and GraphiQL tool, log in to the product and navigate to Support->API Content
48. Check_Point_App_for_Splunk (CSS, 1 star)
49. sdn (Python, 1 star)
50. harmony-endpoint-management-py-sdk (Python, 1 star): Check Point's Harmony Endpoint management SDK for the Python ecosystem