Modern defense strategies heavily rely on tactics, techniques, and procedures (TTPs) as a stable framework for identifying cyber threats. Unlike indicators of compromise (IOCs), TTPs are more enduring, providing a consistent foundation to detect specific threats. Based on ANY.RUN’s Q3 2024 malware trends report, here are some of the most frequently utilized techniques, illustrated through real-world cases.
1. Disabling of Windows Event Logging (T1562.002)
By disrupting Windows Event Logging, attackers prevent the recording of key details about their activities, such as login attempts and system changes. Without these logs, security teams face gaps in data, making it harder to trace malicious behavior. Common manipulation tactics include altering registry keys, stopping services with commands like “net stop eventlog,” and modifying group policies. Since many detection tools depend on log analysis to identify unusual actions, malware can evade detection for extended periods.
XWorm Disables Remote Access Service Logs–
To detect malware in real-time and understand its behavior, it’s essential to execute it in a controlled environment while monitoring system and network activity. By tracking malicious actions, such as altering system logs or disabling security features like Windows Event Logging, security professionals can identify indicators of compromise. This approach helps in pinpointing the malware’s operational patterns and objectives, allowing for effective response and mitigation of potential threats within the network or system environment.
Check out this session showing how XWorm, a prevalent remote access trojan (RAT), utilizes tactic T1562.002.
It alters the registry to disable trace logs for RASAPI32, the component managing remote access connections on the system.