GCIH · Question #627
Which endpoint security bypass technique modifies the assembly of an executable?
The correct answer is D. Ghostwriting. Ghostwriting is an endpoint bypass technique that directly modifies the assembly-level instructions of a legitimate executable to embed malicious behavior while evading signature-based detection.
Question
Which endpoint security bypass technique modifies the assembly of an executable?
Options
- ALiving Off the Land
- BCode signing
- CKeyed payload
- DGhostwriting
How the community answered
(29 responses)- A3% (1)
- B3% (1)
- D93% (27)
Why each option
Ghostwriting is an endpoint bypass technique that directly modifies the assembly-level instructions of a legitimate executable to embed malicious behavior while evading signature-based detection.
Living Off the Land uses legitimate, pre-installed system binaries such as PowerShell or certutil for malicious purposes without modifying their underlying assembly code.
Code signing is a security control that uses cryptographic certificates to verify software authenticity; it is a defensive mechanism, not an attack technique that modifies executables.
A keyed payload is designed to execute only under specific environmental conditions or with a decryption key, used to evade sandbox analysis, not to alter the assembly of an existing executable.
Ghostwriting involves rewriting or injecting instructions directly into the compiled assembly of an existing legitimate binary, altering its behavior without changing its external appearance in ways that standard scanners detect. Because the modified file may still appear to originate from a trusted source or match a superficially known-good profile, endpoint security products relying on signature matching can be bypassed. This distinguishes it from techniques that simply leverage existing tools or wrap payloads externally.
Concept tested: Ghostwriting assembly-level binary modification bypass
Source: https://attack.mitre.org/techniques/T1027/
Topics
Community Discussion
No community discussion yet for this question.