nerdexam
GIAC

GCIH · Question #627

Which endpoint security bypass technique modifies the assembly of an executable?

The correct answer is D. Ghostwriting. Ghostwriting is an endpoint bypass technique that directly modifies the assembly-level instructions of a legitimate executable to embed malicious behavior while evading signature-based detection.

Malware Analysis & Advanced Persistent Threats

Question

Which endpoint security bypass technique modifies the assembly of an executable?

Options

  • ALiving Off the Land
  • BCode signing
  • CKeyed payload
  • DGhostwriting

How the community answered

(29 responses)
  • A
    3% (1)
  • B
    3% (1)
  • D
    93% (27)

Why each option

Ghostwriting is an endpoint bypass technique that directly modifies the assembly-level instructions of a legitimate executable to embed malicious behavior while evading signature-based detection.

ALiving Off the Land

Living Off the Land uses legitimate, pre-installed system binaries such as PowerShell or certutil for malicious purposes without modifying their underlying assembly code.

BCode signing

Code signing is a security control that uses cryptographic certificates to verify software authenticity; it is a defensive mechanism, not an attack technique that modifies executables.

CKeyed payload

A keyed payload is designed to execute only under specific environmental conditions or with a decryption key, used to evade sandbox analysis, not to alter the assembly of an existing executable.

DGhostwritingCorrect

Ghostwriting involves rewriting or injecting instructions directly into the compiled assembly of an existing legitimate binary, altering its behavior without changing its external appearance in ways that standard scanners detect. Because the modified file may still appear to originate from a trusted source or match a superficially known-good profile, endpoint security products relying on signature matching can be bypassed. This distinguishes it from techniques that simply leverage existing tools or wrap payloads externally.

Concept tested: Ghostwriting assembly-level binary modification bypass

Source: https://attack.mitre.org/techniques/T1027/

Topics

#AV evasion#ghostwriting#binary modification#endpoint bypass

Community Discussion

No community discussion yet for this question.

Full GCIH Practice