Tactics, techniques, and procedures (TTPs) form the foundation of modern defense strategies. Unlike indicators of compromise (IOCs), TTPs are more stable, making them a reliable way to identify specific cyber threats. Here are some of the most commonly used techniques, according to ANY.RUN’s Q3 2024 report on malware trends, complete with real-world examples.
Disabling of Windows Event Logging (T1562.002)
Disrupting Windows Event Logging helps attackers prevent the system from recording crucial information about their malicious actions.
Without event logs, important details such as login attempts, file modifications, and system changes go unrecorded, leaving security solutions and analysts with incomplete or missing data.
Windows Event Logging can be manipulated in different ways, including by changing registry keys or using commands like “net stop eventlog”. Altering group policies is another common method.
Since many detection mechanisms rely on log analysis to identify suspicious activities, malware can operate undetected for longer periods.
Example: XWorm Disables Remote Access Service Logs
To detect, observe, and analyze different types of malicious TTPs in a safe environment, we can use ANY.RUN’s Interactive Sandbox. The service provides highly configurable Windows and Linux VMs that let you not only detonate malware and watch its execution in real time, but also interact with it just like on a standard computer.
Because it tracks all system and network activity, ANY.RUN lets you quickly identify malicious actions such as the disabling of Windows Event Logging.
ANY.RUN sandbox session showing the results of XWorm detonation
Check out this analysis session where XWorm, a widespread remote access trojan (RAT), uses T1562.002.
The sandbox shares details about the malicious process and its registry modification
Specifically, it modifies the registry to disable trace logs for RASAPI32, which is responsible for managing remote access connections on the system.
The malware disables logging by modifying several registry values
By setting ENABLEAUTOFILETRACING and other registry values related to RASAPI32 to 0, the attacker ensures that these logs are never generated. This makes it harder for security software such as antivirus products to identify the incident.
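The check below is an added example, not ANY.RUN’s code or sandbox output, showing how the two T1562.002 variants described here (zeroing the RASAPI32 tracing values and stopping the Event Log service) can be flagged from endpoint telemetry. The event records are constructed to mimic Sysmon Event ID 13 (value set) and Service Control Manager event 7036; the field names are assumptions.

```python
import re

# Tracing switches under HKLM\SOFTWARE\Microsoft\Tracing\RASAPI32; writing 0
# to them stops RASAPI32 from producing trace logs (the XWorm behaviour above).
RASAPI32_TRACING_VALUES = {"EnableFileTracing", "EnableConsoleTracing", "EnableAutoFileTracing"}
TRACING_VALUE_RE = re.compile(r"\\Tracing\\RASAPI32\\(?P<value>[^\\]+)$", re.IGNORECASE)
ZERO_DWORD_RE = re.compile(r"0x0+\)?$")   # Sysmon renders data as 'DWORD (0x00000000)'


def check_tracing_disabled(event):
    """Flag a registry value-set event that zeroes an RASAPI32 tracing switch."""
    m = TRACING_VALUE_RE.search(event.get("target", ""))
    if not m or m.group("value") not in RASAPI32_TRACING_VALUES:
        return None
    if not ZERO_DWORD_RE.search(event.get("details", "")):
        return None
    return f"T1562.002: {event['image']} set {m.group('value')} to 0"


def check_eventlog_stopped(event):
    """Flag the Service Control Manager message for an Event Log service stop."""
    if "Windows Event Log service entered the stopped state" in event.get("message", ""):
        return "T1562.002: Windows Event Log service stopped"
    return None


def scan_events(events):
    """Run every check over every event and return the findings in event order."""
    findings = []
    for ev in events:
        for check in (check_tracing_disabled, check_eventlog_stopped):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample events, not telemetry from the session above. The first
# two mimic Sysmon Event ID 13 (value set); the third mimics SCM event 7036.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\victim\AppData\Roaming\client.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Tracing\RASAPI32\EnableAutoFileTracing",
     "details": "DWORD (0x00000000)"},
    {"image": r"C:\Users\victim\AppData\Roaming\client.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Tracing\RASAPI32\FileTracingMask",
     "details": "DWORD (0xFFFF0000)"},
    {"image": r"C:\Windows\System32\services.exe",
     "message": "The Windows Event Log service entered the stopped state."},
]
```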
Analyze malware and phishing threats in ANY.RUN’s cloud sandbox for free.
PowerShell Exploitation (T1059.001)
PowerShell is a scripting language and command-line shell built into Windows. Attackers typically exploit it to perform a variety of malicious tasks, including manipulating system settings, exfiltrating data, and establishing persistent access to compromised systems.
Alongside PowerShell’s extensive capabilities, threat actors use obfuscation techniques, such as encoded commands or advanced scripting methods, to bypass detection mechanisms.
Example: BlankGrabber Uses PowerShell to Disable Detection
Consider this analysis of a BlankGrabber sample, a malware family used for stealing sensitive data from infected systems. After execution, the malicious program launches several processes, including PowerShell, to change system settings and avoid detection.
The sandbox shows all the operations performed by BlankGrabber via PowerShell
ANY.RUN instantly identifies all the malware’s activities and presents them in detail. Among other things, BlankGrabber uses PowerShell to disable the Intrusion Prevention System (IPS), IOAV Protection, and Real-time Monitoring services of the Windows OS. The sandbox also shows the command line contents, displaying the actual commands used by the malware.
Abuse of Windows Command Shell (T1059.003)
Attackers also commonly exploit the Windows Command Shell (cmd.exe), another versatile tool used for legitimate administrative tasks, such as managing files and running scripts. Its widespread use makes it an attractive choice for hiding harmful actions.
By using the command shell, attackers can execute a variety of malicious commands, from downloading payloads from remote servers to executing malware. The shell can also be used to execute PowerShell scripts to perform further malicious activities.
Since cmd.exe is a trusted and widely used utility, malicious commands can blend in with legitimate activity, making it harder for security systems to identify and respond to threats in real-time. Attackers can also use obfuscation techniques within their commands to further avoid detection.
Example: Lumma Employs CMD in Payload Execution
Take a look at the following analysis of Lumma, a widely used information stealer that has been active since 2022.
The sandbox assigns a score of 100 to the cmd.exe process, marking it as malicious
ANY.RUN gives us an in-depth look at the operations the malware performs via cmd. These include starting an application with an unusual extension and making changes to executable content, which indicates that the process is being abused by attackers.
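As an added example that is not part of the original article, the Python below triages the two shell-based behaviors described in this section and the previous one: it decodes an -EncodedCommand argument and looks for Set-MpPreference switches that turn off Defender components (T1059.001), and it flags a process started by cmd.exe whose extension is unusual (T1059.003). The command lines and paths are constructed; the Defender switch names are real Set-MpPreference parameters, and the set of “normal” extensions is an assumption.

```python
import base64
import ntpath
import re

# Real Set-MpPreference switches that turn off Microsoft Defender components;
# the first three are the ones BlankGrabber flips in the session above.
DEFENDER_SWITCHES = ("DisableIntrusionPreventionSystem", "DisableIOAVProtection",
                     "DisableRealtimeMonitoring", "DisableBehaviorMonitoring")
# Extensions a process started by cmd.exe would normally carry (assumed list).
NORMAL_EXTS = {".exe", ".bat", ".cmd", ".msi"}
# -EncodedCommand plus a few of the abbreviations PowerShell accepts for it.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def decode_encoded_command(cmdline):
    """Replace an -EncodedCommand argument (base64 over UTF-16LE) with its text.
    Returns the command line unchanged when no valid encoded argument is present."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        plain = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return cmdline[: m.start()] + plain

def triage_powershell(cmdline):
    """T1059.001: encoded command line, Defender components switched off."""
    findings = []
    plain = decode_encoded_command(cmdline)
    if plain != cmdline:
        findings.append("T1059.001: base64-encoded command")
    for sw in DEFENDER_SWITCHES:
        if re.search(rf"Set-MpPreference\b.*-{sw}\s+\$true", plain, re.IGNORECASE):
            findings.append(f"T1059.001: {sw} via Set-MpPreference")
    return findings

def triage_cmd_child(child_image):
    """T1059.003: cmd.exe started a file whose extension is not a normal one."""
    name = ntpath.basename(child_image)
    ext = ntpath.splitext(name)[1].lower()
    if ext in NORMAL_EXTS:
        return []
    return [f"T1059.003: cmd.exe started {name} ({ext or 'no extension'})"]

# Constructed samples, not command lines captured from the sessions above.
SAMPLE_PS = "powershell.exe -nop -w hidden -enc " + base64.b64encode(
    "Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true"
    .encode("utf-16-le")).decode()
SAMPLE_CMD_CHILD = r"C:\Users\victim\AppData\Local\Temp\setup.pif"
```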
Modification of Registry Run Keys (T1547.001)
To ensure that the malicious software runs automatically whenever a system starts, attackers add entries to specific registry keys that are designed to launch programs at startup.
Malicious files can also be placed in the Startup Folder, a special directory whose contents Windows automatically launches when the user logs in.
By using Registry Run Keys and the Startup Folder, attackers can maintain long-term persistence, allowing them to continue their malicious activities, such as data exfiltration, lateral movement within a network, or further exploitation of the system.
Example: Remcos Gains Persistence via RUN Key
Here is an example of this technique performed by Remcos. In this case, the registry key being modified is HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN.
The sandbox assigns relevant TTPs to different malicious actions
By adding an entry to the RUN key in the registry, the Remcos backdoor ensures that it will automatically start at every login. This allows the malware to maintain persistence on the infected system.
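The following is an added example, not code or output from ANY.RUN, that flags the two autostart locations this section describes: Run/RunOnce registry entries and file drops in a Startup folder (T1547.001). It also ranks a Run entry higher when it points into a user-writable directory, a heuristic that is an assumption of this example. The events are constructed; the entry names and paths are not from the Remcos session.

```python
import ntpath
import re

# Autostart locations named in the section: Run/RunOnce keys and Startup folders.
RUN_KEY_RE = re.compile(
    r"^(HKCU|HKLM|HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)\\SOFTWARE\\(Wow6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\(?P<name>[^\\]+)$", re.IGNORECASE)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+$", re.IGNORECASE)
# A Run entry pointing into a user-writable directory is far more suspicious
# than one pointing into Program Files; use that to rank findings (assumed).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

def check_run_key(event):
    """Flag a registry value-set event that creates a Run/RunOnce entry."""
    m = RUN_KEY_RE.match(event.get("target", ""))
    if not m:
        return None
    data = event.get("details", "")
    risk = "high" if any(d in data.lower() for d in USER_WRITABLE) else "low"
    return f"T1547.001 [{risk}]: Run entry '{m.group('name')}' -> {data}"

def check_startup_folder(event):
    """Flag a file created inside a user's or the common Startup folder."""
    path = event.get("target", "")
    if event.get("type") == "file_create" and STARTUP_DIR_RE.search(path):
        return f"T1547.001 [high]: startup folder drop {ntpath.basename(path)}"
    return None

def scan_persistence(events):
    """Apply both checks to every event; findings keep the event order."""
    return [hit for ev in events for check in (check_run_key, check_startup_folder)
            if (hit := check(ev))]

# Constructed sample events, not telemetry from the Remcos session above.
SAMPLE_EVENTS = [
    {"type": "reg_set",
     "target": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\client",
     "details": r"C:\Users\victim\AppData\Roaming\client\client.exe"},
    {"type": "reg_set",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r"C:\Program Files\Vendor\updater.exe"},
    {"type": "file_create",
     "target": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"type": "reg_set",   # unrelated HKCU write, must not be flagged
     "target": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "details": "DWORD (0x00000001)"},
]
```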
Time-Based Evasion (T1497.003)
Time-based evasion is a technique used by malware to avoid detection by security solutions that rely on sandboxing. Many sandboxes have limited monitoring periods, often just a few minutes. By delaying the execution of malicious code, malware can avoid detection during this window.
Another common purpose of this TTP is making the malware appear benign during initial analysis, reducing the likelihood of being flagged as suspicious. Delaying execution can make it harder for behavioral analysis tools to correlate the initial benign behavior with the subsequent malicious activities.
Malware often relies on multiple components or files to carry out its infection process. Delays can help synchronize the execution of different parts of the malware. For example, if the malware needs to download additional components from a remote server, a delay can ensure that these components are fully downloaded and ready before the main payload is executed.
Some malicious activities might depend on the successful completion of other tasks. Introducing delays can help manage these dependencies, ensuring that each step in the infection process is completed in the correct order.
Example: DCRAT Delays Execution During Attack
Dark Crystal RAT is one of many malware families that rely on time-based evasion techniques to remain under the radar on the infected system.
ANY.RUN offers a built-in MITRE ATT&CK Matrix for tracking TTPs identified during analysis
In the following sandbox session, we can observe how DCRAT sleeps for a mere 2000 milliseconds (2 seconds) before continuing execution. This is likely done to ensure that all the files needed for the next stage of the infection process are ready for execution.
The ANY.RUN sandbox displays details of each malicious process
Another of DCRAT’s time-based evasion attempts detected by ANY.RUN is the use of the legitimate tool w32tm.exe to delay the execution process.
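As an added example (not ANY.RUN’s code or the DCRAT session’s actual trace), the function below summarises the two delay mechanisms this section describes: sleep API calls, whose durations are summed and compared against an assumed sandbox monitoring window, and a launch of the legitimate w32tm.exe by a binary outside the system directories. The trace schema, the two-minute window, and the 30-second single-call threshold are assumptions; the sample traces are constructed.

```python
import ntpath

SANDBOX_WINDOW_MS = 2 * 60 * 1000   # assumed monitoring window of about two minutes
LONG_SLEEP_MS = 30 * 1000           # a single call this long is worth reporting alone
SLEEP_APIS = {"Sleep", "SleepEx"}   # both take the delay in milliseconds
DELAY_LOLBINS = {"w32tm.exe"}       # the legitimate tool the DCRAT session abuses
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def analyze_delays(events):
    """Summarise sleep-based and LOLBin-based delays found in a trace.

    events: dicts of the form {"type": "api", "name": ..., "ms": ...} or
    {"type": "proc", "image": ..., "parent": ...} (a constructed schema).
    """
    total_ms, findings = 0, []
    for ev in events:
        if ev["type"] == "api" and ev["name"] in SLEEP_APIS:
            total_ms += ev["ms"]
            if ev["ms"] >= LONG_SLEEP_MS:
                findings.append(f"T1497.003: {ev['name']}({ev['ms']} ms)")
        elif ev["type"] == "proc":
            child = ntpath.basename(ev["image"]).lower()
            # w32tm.exe run by something outside the system directories is
            # far more likely a stalling trick than time synchronisation.
            if child in DELAY_LOLBINS and not ev["parent"].lower().startswith(SYSTEM_DIRS):
                findings.append(f"T1497.003: {child} spawned by {ntpath.basename(ev['parent'])}")
    if total_ms > SANDBOX_WINDOW_MS:
        findings.append(f"T1497.003: cumulative sleep {total_ms} ms exceeds window")
    return {"total_sleep_ms": total_ms, "findings": findings,
            "outlasts_sandbox": total_ms > SANDBOX_WINDOW_MS}


# Constructed trace modelled on the DCRAT behaviour described above: a short
# 2000 ms staging sleep and a w32tm.exe launch from a user-profile binary.
SAMPLE_TRACE = [
    {"type": "api", "name": "Sleep", "ms": 2000},
    {"type": "proc", "image": r"C:\Windows\System32\w32tm.exe",
     "parent": r"C:\Users\victim\AppData\Roaming\client.exe"},
    {"type": "api", "name": "Sleep", "ms": 500},
]
# Constructed trace of a sample that simply sleeps through the whole window.
LONG_SLEEPER = [{"type": "api", "name": "SleepEx", "ms": 180_000}]
```

A short staging sleep like the 2-second one above is not itself evidence; the cumulative total and the out-of-place w32tm.exe parent are what make the finding useful.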
Analyze Malware with ANY.RUN Sandbox
ANY.RUN offers a cloud-based sandbox for analyzing malware and phishing threats, providing quick and precise results to improve your investigations. With its advanced features, you can freely interact with submitted files and URLs, as well as the system, to go deeper into the threat analysis.
- Simply upload a file or URL to start the analysis process
- Threat detection takes less than 60 seconds
- The service quickly extracts deep insights into malware behavior and generates threat reports
- Type, open links, download attachments, and run programs, all inside the VM
- Use private analysis mode and team collaboration tools
Integrate ANY.RUN’s sandbox into your organization’s workflow with a 14-day free trial to try everything it has to offer.