Aether shows the technique of exploitation that has been detected within the activity of exploits, along with the program that has been compromised.
Below you can find the different techniques monitored, as well as a brief description of these:
The Metasploit Framework is a testing platform that enables its users to create, test, and execute exploit code. If Panda products detect a metasploit shellcode signature, it appears as an Exploit/Metasploit exploit technique.
Reflective DLL injection uses reflective programming to load a library from memory into a host process without detection. If Panda products detect a reflective executable loading (for example, metasploit or cobalt strike), it appears as an Exploit/ReflectiveLoader exploit technique.
The asynchronous procedure call (APC) is a legitimate way to run code in a process thread that waits for data without consuming resources. To evade process-based defenses and possibly elevate privileges, attackers can use the APC queue to inject malicious code into a process. APC injection executes arbitrary code in the address space of a separate live process. If Panda products detect remote code injection by an APC, it appears as an Exploit/RemoteAPCInjection exploit technique.
Code injections occur when applications allow the dynamic execution of code instructions from untrusted data. An attacker can influence the behavior of the targeted application and modify it to get access to sensitive data. If Panda products detect the execution of code in pages without execution permissions (32-bits only), it appears as an Exploit/DynamicExec exploit technique.
Hooking refers to the interception of function calls, system events, or messages. The code snippets that perform these interceptions are called hooks. WatchGuard Endpoint Security products use hooks to monitor events in the operating system. If Panda products detect a hook bypass in a running function, it appears as an Exploit/HookBypass exploit technique.
Shellcode is a small piece of machine code used as the payload in the exploitation of a software vulnerability. Exploits commonly inject a shellcode into the target process before or at the same time as they exploit a vulnerability. If Panda products detect the execution of code on MEM_PRIVATE pages that does not correspond to a Portable Executable (PE), it appears as a ShellcodeBehavior exploit technique.
Return-oriented programming (ROP) is an exploit technique that enables attackers to control the call stack and program control flow. The attacker then executes machine instruction sequences that are already present in the machine memory. These instructions usually end in a return instruction and are located in a subroutine within an existing program or shared library code. If Panda products detect the execution of memory management APIs when the stack is out of the thread limits, it appears as an Exploit/ROP1 exploit technique.
Windows God Mode enables you to quickly access administrative tools, backup and restore options, and other important management settings from a single window. This includes Internet options. If Panda products detect God Mode in Internet Explorer, it appears as an Exploit/IE_GodMode exploit technique.
RunPE is a type of malware that hides code inside a legitimate process. It is sometimes referred to as a hollowing technique. If Panda products detect process hollowing techniques or RunPE, it appears as an Exploit/RunPE exploit technique.
Hackers commonly use reflective loaders to extract sensitive information, such as passwords and credentials, from system memory. If Panda products detect a PowerShell reflective loader in the computer, such as mimikatz, it appears as an Exploit/PsReflectiveLoader1.
Hackers commonly use reflective loaders to extract sensitive information, such as passwords and credentials, from system memory. If Panda products detect a PowerShell reflective loader in a remote computer (not the local computer), such as mimikatz, it appears as an Exploit/PsReflectiveLoader2.
Hackers commonly use reflective loaders to extract sensitive information, such as passwords and credentials, from system memory. If Panda products detect a NET reflective loader, such as Assembly.Load, it appears as an Exploit/NetReflectiveLoader exploit technique.
Covenant is a .NET collaborative command and control platform for cybersecurity professionals. If Panda products detect the Covenant framework, it appears as an exploit technique.
Adversaries can attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). If Panda products detect an Lsass process memory dump, it appears as an exploit technique.
To evade process-based defenses or elevate privileges, attackers can try to inject malicious code into processes in the asynchronous procedure call (APC) queue. APC injection is a method that executes arbitrary code in a separate live process. If Panda products detect local code execution through APC, it appears as an Exploit/APC_Exec exploit technique.
Additionally, the possibility of excluding the detection of a technique for a specific program has been added. In this way, in the event that the client wants to allow, for whatever reason, an exception for a specific process or program, it can be done, and continue to protect the rest of the processes against this attempt at exploitation.
To do this, in the detection of the exploit, within the tooltip accessible from Action, there is the option Do not detect again.