Tamper-Protection Bypass × LoGiC.NET 1.5

A publicly-reported instance of Tamper-Protection Bypass bypassing LoGiC.NET 1.5, recorded with its original source. Factual record; no assessment of any specific deployment.

Product

LoGiC.NET 1.5

Technique

Tamper-Protection Bypass

MITRE ATT&CK

T1562.001

Confidence

High

Severity

Medium

Status

poc

Disclosed

2024-06-17

Config / version noted

Not stated

Provenance

github.com
disclosed 2024-06-17 · original source · via exa

Reported as

tool targets the anti-tamper feature of LoGiC.NET 1.5... removes the anti-tamper checks, defeating the protection

Mechanism

The tool targets the anti-tamper feature of LoGiC.NET 1.5, a .NET obfuscator. By processing the obfuscated executable, it removes the anti-tamper checks, defeating the protection that prevents tampering or debugging. This exposes the underlying code to analysis or modification.

Detection & mitigation

Monitor for unexpected modifications to .NET assemblies, such as changes in file hashes or removal of anti-tamper checks, using file integrity monitoring (FIM). Mitigate by applying application whitelisting and ensuring obfuscation tools are updated to versions with stronger protections.

Tamper-Protection Bypass has also been recorded against

AppSealing Arxan BeyondTrust Broadcom (Symantec)Byfron CrowdStrike DANA Elastic FireEye Kemco McAfee Microsoft

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.