Modern defense strategies rely on tactics, techniques, and procedures (TTPs) as a stable framework for identifying cyber threats. Unlike indicators of compromise (IOCs) such as hashes, domains, and IP addresses, which attackers can swap cheaply, TTPs describe behavior and are far more enduring, so they give detection logic a consistent foundation. Based on ANY.RUN’s Q3 2024 malware trends report, here are some of the most frequently observed techniques, illustrated through real-world cases.
1. Disabling Windows Event Logging (T1562.002)
By disrupting Windows Event Logging, attackers prevent the recording of key details about their activities, such as logon attempts and system changes. Without these logs, security teams face gaps in data that make malicious behavior harder to trace. Common manipulation tactics include altering registry keys (for example, setting the Start value of the EventLog service under HKLM\SYSTEM\CurrentControlSet\Services\EventLog to 4, which disables it), stopping the service with commands like net stop eventlog, and modifying group policy to turn off audit categories. Since many detection tools depend on log analysis to identify unusual actions, malware that succeeds here can evade detection for extended periods. The tampering itself is a detection opportunity: a process that stops or disables the EventLog service, clears a log, or writes to the service’s registry key is rare on a healthy host, and Windows records event 1100 (the event logging service has shut down) and event 1102 (the audit log was cleared) when it happens.
To detect malware in real time and understand its behavior, it is essential to execute it in a controlled environment while monitoring system and network activity. By tracking malicious actions, such as altering registry keys or disabling security features like Windows Event Logging, security professionals can extract behavioral indicators alongside traditional IOCs. This approach pinpoints the malware’s operational patterns and objectives, supporting effective response and mitigation within the network or system environment.
This sandbox session shows how XWorm, a prevalent remote access trojan (RAT), applies technique T1562.002 (a sub-technique of Impair Defenses, not a tactic).
It alters the registry to disable trace logging for RASAPI32, the Remote Access Service API library that handles dial-up and VPN connections on the system. Windows keeps per-component tracing switches under HKLM\SOFTWARE\Microsoft\Tracing; by setting values such as EnableAutoFileTracing for RASAPI32 to 0, the sample stops those trace files from being written, removing a record of its network activity that an analyst might otherwise recover.
Treat this write as a weak signal on its own: these diagnostic traces are separate from the Windows Event Log, and legitimate applications also touch the Tracing keys, so correlate it with the rest of the sample’s behavior before drawing conclusions.
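To make the manipulations above concrete, here is an added detection example, written for this page rather than taken from ANY.RUN or from the XWorm sample, that scans Sysmon-style registry-set and process-creation events for attempts to suppress logging: the EventLog service’s Start value set to 4, a Tracing\<component> value such as EnableAutoFileTracing set to 0, a net stop eventlog command, and, as a generalization beyond the text, a wevtutil log clear. The event layout and the sample events are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Registry locations that matter for this technique (well-known HKLM paths).
# Sysmon reports them as TargetObject strings such as
# HKLM\System\CurrentControlSet\Services\EventLog\Start.
EVENTLOG_START = r"hklm\system\currentcontrolset\services\eventlog\start"
SERVICE_DISABLED = 4  # service Start type 4 = disabled
TRACING_VALUE_RE = re.compile(
    r"hklm\\software\\microsoft\\tracing\\(?P<component>[^\\]+)\\"
    r"(?P<value>enable(?:auto)?(?:file|console)tracing)$"
)
# Command lines that stop the service or clear a log (net/sc/wevtutil).
STOP_EVENTLOG_RE = re.compile(r"\b(?:net1?|sc)(?:\.exe)?\s+stop\s+eventlog\b")
CLEAR_LOG_RE = re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+\S+")


@dataclass
class Event:
    kind: str     # "registry_set" (Sysmon ID 13 style) or "process_create" (ID 1 style)
    target: str   # registry value path, or the image path for a process
    details: str  # registry data (e.g. "DWORD (0x00000000)") or the command line


def parse_dword(details):
    """Sysmon renders DWORD data as 'DWORD (0x00000004)'; accept plain integers too."""
    m = re.search(r"0x([0-9a-f]+)", details, re.IGNORECASE)
    if m:
        return int(m.group(1), 16)
    m = re.search(r"\d+", details)
    return int(m.group()) if m else None


def analyze(events):
    """Return (rule, detail) findings for attempts to suppress logging."""
    findings = []
    for e in events:
        if e.kind == "registry_set":
            path = e.target.lower()
            data = parse_dword(e.details)
            if path == EVENTLOG_START and data == SERVICE_DISABLED:
                findings.append(("eventlog_service_disabled", e.target))
            m = TRACING_VALUE_RE.search(path)
            if m and data == 0:
                findings.append(("tracing_disabled", f"{m['component']}:{m['value']}"))
        elif e.kind == "process_create":
            cmd = e.details.lower()
            if STOP_EVENTLOG_RE.search(cmd):
                findings.append(("eventlog_service_stopped", e.details))
            if CLEAR_LOG_RE.search(cmd):
                findings.append(("eventlog_cleared", e.details))
    return findings


# Constructed sample events (not from a real sandbox session).
SAMPLE_EVENTS = [
    Event("registry_set", r"HKLM\SOFTWARE\Microsoft\Tracing\RASAPI32\EnableAutoFileTracing", "DWORD (0x00000000)"),
    Event("registry_set", r"HKLM\SOFTWARE\Microsoft\Tracing\RASAPI32\MaxFileSize", "DWORD (0x00100000)"),
    Event("registry_set", r"HKLM\SOFTWARE\Microsoft\Tracing\RASAPI32\EnableFileTracing", "DWORD (0x00000001)"),
    Event("registry_set", r"HKLM\System\CurrentControlSet\Services\EventLog\Start", "DWORD (0x00000004)"),
    Event("process_create", r"C:\Windows\System32\net.exe", "net stop eventlog"),
    Event("process_create", r"C:\Windows\System32\net.exe", "net stop spooler"),
    Event("process_create", r"C:\Windows\System32\wevtutil.exe", "wevtutil cl Security"),
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Only writes that actually turn logging off (Start = 4, tracing value = 0) produce findings; the MaxFileSize change and the EnableFileTracing = 1 write are ignored, which keeps the rule quiet when an administrator enables RAS tracing on purpose.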
2. Disabling or Modifying Security Tools (T1562.001)
This analysis focuses on a BlankGrabber sample, an information stealer designed to collect sensitive data from compromised systems. Upon execution, the malware launches multiple processes, including PowerShell, to alter system settings and avoid detection by security tools. It does not exploit a vulnerability to do so: it runs the Microsoft Defender configuration cmdlet Set-MpPreference, which only succeeds when the sample already holds administrative privileges. By switching off protective features, the malware can bypass security monitoring and maintain control over the infected system, allowing it to exfiltrate sensitive data without triggering alarms.
For example, BlankGrabber uses PowerShell to disable key Microsoft Defender features, such as the Intrusion Prevention System (IPS), IOAV protection (the scanning of downloaded files and attachments), and real-time monitoring; these correspond to the DisableIntrusionPreventionSystem, DisableIOAVProtection, and DisableRealtimeMonitoring parameters of Set-MpPreference. On a host where Tamper Protection is enabled, Defender rejects these changes, so the PowerShell invocation is worth alerting on regardless of whether it succeeded.
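The following added example, not BlankGrabber’s code and not from the original report, shows how a detector can recover which Defender protections a PowerShell command line turns off. It handles the two things a naive string match misses: PowerShell binds any unambiguous prefix of a parameter name, so -DisableIOAV means DisableIOAVProtection, and the command may arrive base64-encoded via -EncodedCommand. The parameter list is a subset of the real Set-MpPreference parameters; the sample command lines are constructed.

```python
import base64
import re

# Boolean "Disable*" parameters of the Microsoft Defender Set-MpPreference cmdlet
# (a subset; all of these exist on current Windows builds).
DEFENDER_DISABLE_PARAMS = (
    "DisableRealtimeMonitoring",
    "DisableIOAVProtection",
    "DisableIntrusionPreventionSystem",
    "DisableBehaviorMonitoring",
    "DisableScriptScanning",
    "DisableBlockAtFirstSeen",
)
TRUE_TOKENS = {"$true", "true", "1"}

# One Set-MpPreference statement runs up to the next ';' or '|'.
STATEMENT_RE = re.compile(r"set-mppreference\b([^;|]*)", re.IGNORECASE)
# Parameters (-Name or -Name:) and bare values ($true, 1, Disabled, ...).
TOKEN_RE = re.compile(r"-[A-Za-z]+:?|\$?[A-Za-z0-9]+")
# powershell.exe accepts -e / -ec / -enc / -EncodedCommand with base64 UTF-16LE.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def expand_encoded(command_line):
    """Decode an -EncodedCommand payload so the inner script can be inspected."""
    m = ENCODED_RE.search(command_line)
    if not m:
        return command_line
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return command_line


def resolve_parameter(token):
    """PowerShell binds any unambiguous prefix of a parameter name, so
    '-DisableIOAV' means DisableIOAVProtection. Return the full name or None."""
    prefix = token.lstrip("-").rstrip(":").lower()
    if not prefix:
        return None
    matches = [p for p in DEFENDER_DISABLE_PARAMS if p.lower().startswith(prefix)]
    return matches[0] if len(matches) == 1 else None


def disabled_protections(command_line):
    """Return the set of Defender protections a command line switches off."""
    disabled = set()
    for stmt in STATEMENT_RE.finditer(expand_encoded(command_line)):
        tokens = TOKEN_RE.findall(stmt.group(1))
        for i, tok in enumerate(tokens):
            if not tok.startswith("-"):
                continue
            param = resolve_parameter(tok)
            # These are [bool] parameters, so an explicit value follows the name.
            value = tokens[i + 1].lower() if i + 1 < len(tokens) else ""
            if param and value in TRUE_TOKENS:
                disabled.add(param)
    return disabled


# Constructed command lines (not taken from a real BlankGrabber sample).
PLAIN_SAMPLE = (
    'powershell -ExecutionPolicy Bypass -Command "Set-MpPreference '
    '-DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true '
    '-DisableRealtimeMonitoring $true"'
)
ABBREVIATED_SAMPLE = "powershell Set-MpPreference -DisableIOAV 1; Set-MpPreference -DisableScript:$true"
NEGATIVE_SAMPLE = "powershell Set-MpPreference -DisableRealtimeMonitoring $false -MAPSReporting 0"
ENCODED_SAMPLE = "powershell -nop -w hidden -enc " + base64.b64encode(
    "Set-MpPreference -DisableBehaviorMonitoring $true".encode("utf-16-le")
).decode()

if __name__ == "__main__":
    for sample in (PLAIN_SAMPLE, ABBREVIATED_SAMPLE, NEGATIVE_SAMPLE, ENCODED_SAMPLE):
        print(sorted(disabled_protections(sample)))
```

A rule that only looks for the literal string "-DisableRealtimeMonitoring $true" misses the abbreviated and encoded forms; resolving prefixes against the real parameter list and decoding -EncodedCommand first closes both gaps.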
3. Abusing the Windows Command Shell (T1059.003)
Attackers often misuse the Windows Command Shell (cmd.exe), a tool intended for legitimate administrative tasks, to execute malicious commands. Because it is used constantly, harmful actions blend in with regular system activity and are harder to spot. Through cmd.exe, attackers can run scripts, download and launch payloads, and apply obfuscation techniques to evade security measures. Since it is a trusted, signed utility, the commands it runs often go unnoticed by real-time monitoring that only watches for untrusted binaries. What makes this activity visible is process-creation telemetry that records the full command line and parent process, such as Sysmon Event ID 1 or Windows Security Event ID 4688 with command-line auditing enabled.
Lumma uses the Windows Command Shell (cmd) to execute malicious commands, delivering its payload while evading detection. It launches executables carrying unusual file extensions and modifies executable content, masking its true purpose. This method helps Lumma avoid security measures and remain undetected on the system, allowing it to steal sensitive data without triggering alarms.
4. Exploiting Registry Run Keys (T1547.001)
Attackers ensure malware runs at startup by adding entries to the Run and RunOnce keys under HKCU\Software\Microsoft\Windows\CurrentVersion and HKLM\Software\Microsoft\Windows\CurrentVersion, or by placing files in the Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup for the current user), which Windows executes automatically at logon. The HKCU key and the per-user Startup folder need no elevation, which is why most commodity malware uses them. This method grants persistent access, allowing attackers to continue malicious activities such as data theft, lateral movement, or further system exploitation. Because these locations are well known, a baseline of their contents plus alerting on new values that point into user-writable directories catches most of this activity.
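As an added example, not code from the original article, the script below reviews a set of Run key values the way a triage analyst would: it expands the environment variables a Run value commonly uses, separates the image path from its arguments, and flags images in user-writable directories, system-binary names outside System32, scripts launched directly, and script hosts whose arguments point at a user-writable payload. The sample values and the user name alice are constructed.

```python
import re

# Run and RunOnce values hold a command string that Windows runs at logon.
# Directories a non-elevated process can write to: a persistence entry pointing
# here deserves a look (legitimate per-user apps also live under AppData, so
# pair this rule with an allow-list in production).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                 "\\users\\public\\", "\\downloads\\")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe"}
SCRIPT_EXTENSIONS = (".vbs", ".js", ".bat", ".cmd", ".ps1", ".hta")
# Names malware borrows from core Windows binaries; the real ones live in System32.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}
# Constructed expansions for the variables Run values commonly use (hypothetical user "alice").
ENV = {
    "%appdata%": r"c:\users\alice\appdata\roaming",
    "%localappdata%": r"c:\users\alice\appdata\local",
    "%temp%": r"c:\users\alice\appdata\local\temp",
    "%programdata%": r"c:\programdata",
}
# Image path (quoted or not) followed by optional arguments.
IMAGE_RE = re.compile(
    r'^"?(?P<image>.+?\.(?:exe|com|scr|pif|vbs|js|bat|cmd|ps1|hta|dll))"?(?:\s+(?P<args>.*))?$',
    re.IGNORECASE,
)
# Argument patterns typical of a script host launching a hidden payload.
SUSPICIOUS_ARGS_RE = re.compile(r"-(?:enc|e|nop)\b|-w\s+hidden|bypass|//b\b")


def expand(value):
    """Expand the environment variables listed in ENV, case-insensitively."""
    out = value
    for var, path in ENV.items():
        out = re.sub(re.escape(var), lambda _m, p=path: p, out, flags=re.IGNORECASE)
    return out


def split_command(value):
    """Return (image path, argument string) from a Run value."""
    command = expand(value).strip()
    m = IMAGE_RE.match(command)
    if not m:
        return command, ""
    return m["image"], m["args"] or ""


def assess(value):
    """List the reasons a Run value looks like malware persistence (empty list = no concern)."""
    image, args = split_command(value)
    image_l = image.lower()
    basename = image_l.rsplit("\\", 1)[-1]
    reasons = []
    if any(d in image_l for d in USER_WRITABLE):
        reasons.append("image in user-writable directory")
    if basename in SYSTEM_NAMES and "\\windows\\system32\\" not in image_l:
        reasons.append(f"{basename} outside System32")
    if image_l.endswith(SCRIPT_EXTENSIONS):
        reasons.append("script launched directly")
    if basename in SCRIPT_HOSTS:
        args_l = args.lower()
        if any(d in args_l for d in USER_WRITABLE) or SUSPICIOUS_ARGS_RE.search(args_l):
            reasons.append(f"{basename} used as launcher for a payload in its arguments")
    return reasons


def review(run_values):
    """Map each suspicious value name to its reasons; clean values are omitted."""
    findings = {}
    for name, value in run_values.items():
        reasons = assess(value)
        if reasons:
            findings[name] = reasons
    return findings


# Constructed Run values (not from a real system); only "Updater" is benign.
SAMPLE_RUN_VALUES = {
    "Updater": r'"C:\Program Files\ExampleCorp\Updater.exe" /quiet',
    "Update": r"C:\Users\alice\AppData\Roaming\svchost.exe",
    "Loader": r'wscript.exe //B "C:\Users\alice\AppData\Roaming\Microsoft\update.vbs"',
    "Helper": r"%TEMP%\helper.bat",
}

if __name__ == "__main__":
    for name, reasons in review(SAMPLE_RUN_VALUES).items():
        print(name, "->", "; ".join(reasons))
```

The "Loader" entry is the case a path-only rule misses: the image is a legitimate System32 script host, and the suspicious part is the .vbs under AppData that it is told to run, so the arguments have to be inspected as well as the image.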
5. Time-Based Evasion (T1497.003)
Delaying execution helps malware appear harmless during the first seconds of observation, reducing the chance of being flagged during behavioral analysis, because automated sandboxes watch a sample only for a limited time. Delays can also synchronize the various components of the malware or manage dependencies in its infection process, ensuring each step happens in the correct order before the full attack is launched.
Dark Crystal RAT (DCRat) is a malware family that uses time-based evasion techniques to remain undetected on compromised systems. By delaying the execution of malicious actions, it can avoid detection by security tools and operate quietly without triggering alarms. This helps it bypass sandboxes and behavioral analysis systems that only monitor for suspicious activity during a limited observation window.
In this sandbox session, DCRat remains idle for 2 seconds (a 2000 millisecond sleep) before proceeding with its execution. This brief delay likely ensures that all necessary files for the next phase of the infection are fully prepared and ready to run, synchronizing the malware’s components for a smoother execution without tripping detection mechanisms. A two-second pause is far too short to outlast a sandbox by itself; when assessing stalling, analysts should add up the cumulative delay across all of a sample’s waits rather than judging any single one.
DCRat also uses the legitimate tool w32tm.exe as part of its time-based evasion strategy. The tool is meant for time synchronization, but its /stripchart mode polls a time source at a fixed interval (/period) for a given number of readings (/samples), so the process blocks for roughly period times samples seconds and serves as a sleep that never calls the Sleep API a sandbox might hook. Because w32tm is a signed Windows binary, the call blends into legitimate activity; the reliable detection pivot is its context, namely w32tm /stripchart spawned by a user-writable executable or a script host rather than by an administrator’s shell. This is another example of how DCRat repurposes system tools to evade security monitoring.
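Both DCRat behaviors above, the fixed Sleep and the w32tm detour, come down to the same question for an analyst: how much wall-clock time does the sample burn before it acts, and does that exceed the sandbox’s observation window. The added example below, written for this page rather than taken from DCRat or the report, estimates the delay introduced by each line of an execution trace, covering Sleep(ms), w32tm /stripchart, timeout, ping -n, Start-Sleep, and choice /t, and sums them. The trace lines are constructed; the w32tm parameters are the common sleep substitute, assumed here for illustration.

```python
import re

# Each parser takes a lowercased trace line and returns the delay in seconds it
# introduces, or None if the line is not a delay. Durations are approximations
# of how each tool behaves, as noted per parser.


def parse_sleep_api(cmd):
    # Sleep(2000): the kernel32 Sleep call takes milliseconds.
    m = re.search(r"\bsleep\((\d+)\)", cmd)
    return int(m.group(1)) / 1000 if m else None


def parse_w32tm(cmd):
    # w32tm /stripchart polls the target every /period seconds (default 2) for
    # /samples readings; without /samples it runs until interrupted, which we
    # treat as an unbounded wait.
    if "w32tm" not in cmd or "/stripchart" not in cmd:
        return None
    period = re.search(r"/period:(\d+)", cmd)
    samples = re.search(r"/samples:(\d+)", cmd)
    if not samples:
        return float("inf")
    return float(period.group(1) if period else 2) * int(samples.group(1))


def parse_timeout(cmd):
    # timeout /t N waits N seconds.
    m = re.search(r"\btimeout(?:\.exe)?\s+(?:/t\s+)?(\d+)", cmd)
    return float(m.group(1)) if m else None


def parse_ping(cmd):
    # ping -n N sends N echoes about a second apart, so the wait is roughly N-1 s.
    m = re.search(r"\bping(?:\.exe)?\b.*?-n\s+(\d+)", cmd)
    return float(max(int(m.group(1)) - 1, 0)) if m else None


def parse_start_sleep(cmd):
    # Start-Sleep N, -Seconds N (any prefix such as -s) or -Milliseconds N (-m).
    m = re.search(r"start-sleep\s+(?:-([sm])[a-z]*\s+)?(\d+)", cmd)
    if not m:
        return None
    n = float(m.group(2))
    return n / 1000 if m.group(1) == "m" else n


def parse_choice(cmd):
    # choice /t N /d y waits N seconds before taking the default answer.
    m = re.search(r"\bchoice\b.*?/t\s+(\d+)", cmd)
    return float(m.group(1)) if m else None


PARSERS = (parse_sleep_api, parse_w32tm, parse_timeout, parse_ping, parse_start_sleep, parse_choice)


def delay_seconds(line):
    """Delay in seconds introduced by one trace line, or None if it is not a delay."""
    cmd = line.lower()
    for parser in PARSERS:
        delay = parser(cmd)
        if delay is not None:
            return delay
    return None


def stalling_report(lines, window_seconds):
    """Sum the delays in an execution trace and compare with the sandbox's observation window."""
    delays = [(line, delay_seconds(line)) for line in lines]
    found = [(line, d) for line, d in delays if d is not None]
    total = sum(d for _, d in found)
    return {"delays": found, "total_seconds": total, "exceeds_window": total > window_seconds}


# Constructed trace (not from a real DCRat session).
SAMPLE_TRACE = [
    "Sleep(2000)",
    "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2",
    "cmd /c timeout /t 10 /nobreak",
    "ping -n 6 127.0.0.1 > nul",
    'powershell -w hidden "Start-Sleep -s 5"',
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v x /d loader.exe",
]

if __name__ == "__main__":
    report = stalling_report(SAMPLE_TRACE, window_seconds=30)
    for line, d in report["delays"]:
        print(f"{d:>6} s  {line}")
    print("total", report["total_seconds"], "exceeds 30 s window:", report["exceeds_window"])
```

No single line in the sample trace is alarming on its own, but the five waits add up to 32 seconds, which is past a 30-second observation window; that cumulative figure, not the individual Sleep, is what tells you the sample is stalling.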
Copyright © 2024 Clear Infosec. All Rights Reserved.