May 15, 2019 MITRE ATT&CK
Tony Lambert Katie Nickels Greg Foss

Defense evasion: why is it so prominent & how can you detect it?

The rise of defense evasion among adversaries is due in large part to better detection and protection technologies and increased adoption rates. Attacks that once slipped trivially past network and endpoint defenders are now routinely caught, and this means that adversaries have to find some way of circumventing security controls.

We detect more threats in our customers’ environments that relate to defense evasion than any other MITRE ATT&CK™ tactic. Similarly, in a list of top techniques compiled by the ATT&CK team itself, only discovery techniques featured more prominently, and CrowdStrike says its Overwatch platform observes more techniques that fall under defense evasion every year.

Unfortunately, defense evasion presents security teams with something of a Catch-22 because, on a very basic level, you can’t detect or defend against what you can’t see. However, all is not lost. There are countless threat hunting and detection strategies for identifying evasive malware, and we plan to share an abundance of these in a May 28 webinar featuring Carbon Black and MITRE ATT&CK.

As a preview for our upcoming webinar, we sent the following questions to the webinar panelists—Red Canary detection engineer Tony Lambert, MITRE ATT&CK threat intelligence lead Katie Nickels, and Carbon Black senior threat researcher Greg Foss. Their answers follow:

When did defense evasion start rising in prominence?

Greg Foss, Carbon Black senior threat researcher

Attackers have always been interested in staying under the radar as much as possible. With the rate at which technology innovation around defensive technologies has increased, attackers are continually challenged with bypassing and remaining hidden from ever-increasing capabilities that blue teams are employing. We have observed evasion techniques continue to improve alongside the defensive tooling that is made available. In terms of when this began, it’s hard to point to a single incident, but I would say that once sandboxing and dynamic execution of malware became more prevalent, attackers began looking into obfuscation and even encryption in an effort to make it harder to uncover what malware is doing and attribute the activity to a specific threat actor or group.

Why is defense evasion so prominent?

Katie Nickels, MITRE ATT&CK threat intelligence lead

Brian Breyer and I gave a joint presentation at the SANS Cyber Threat Intelligence Summit earlier this year where we looked at most frequently used ATT&CK techniques based on different data sets (open source threat intelligence on the MITRE side and confirmed threats detected in customer environments on the Red Canary side). In both of our “top 20” lists, techniques falling under the Defense Evasion tactic were prominent. (As a refresher, you’ll recall that ATT&CK tactics are the adversary’s technical goals, and techniques are how those goals are achieved.) This finding wasn’t a surprise to us since adversaries want to evade defenses so they can accomplish their objectives without pesky defenders finding and evicting them.

Tony Lambert, Red Canary detection engineer

Defense evasion is so prominent for a simple reason: it makes adversaries’ lives easier. From an economic perspective, security controls increase the cost for an adversary to compromise systems and persist for future use. By using defense evasion techniques, an adversary lowers the amount of resources needed to develop new tools and procedures for continued operations. This means that something as simple as disabling antivirus controls will allow an adversary to use malicious tools just a little longer in their target environment before defenders discover their presence.

What are some of the most prevalent techniques for defense evasion?

In MITRE’s top 20 list, defense evasion techniques included obfuscated files or information, file deletion, scripting, and masquerading. Notably, Red Canary’s data set included those techniques (minus file deletion) and also included regsvr32, rundll32, disabling security tools, and process injection. These differences are due to the different reporting sources and approaches—for example, it makes sense that regsvr32 and rundll32 were observed in Red Canary’s top 20 since Red Canary uses process metadata for host-based detections. From MITRE’s perspective, there are many more data sources to help identify malicious activity in addition to just processes. We don’t assert that the top 20 techniques from the data we’ve mapped (which is limited) are the top techniques for all adversaries, but these might be a place to start writing detections since we know adversaries have used these techniques.

Lately we’ve seen a significant increase in campaigns disabling security tools in general or specifically performing attacks that are known to bypass a majority of security software. In particular, newer techniques of disabling Microsoft’s antimalware scan interface (AMSI) and performing PowerShell downgrade attacks are standard in many frameworks. These techniques can take out the eyes and ears of the blue team during post-exploitation of an environment.

Masquerading is a prominent example of defense evasion across all platforms. This technique is as simple as naming malicious tools the same as Windows, macOS, or Linux system processes. This shields an adversary with a layer of uncertainty from casual observers of malicious activity. Many users will simply assume a Windows process has executed without questioning what it has done.

Are there any non-intuitive reasons for defense evasion?

Some attackers may inadvertently bypass an organization’s defensive technologies, simply because they haven’t yet mapped out what the organization is running or they don’t really know what the tools they are using do at a technical level. This is often the case when people take advantage of frameworks like Empire, which employ out-of-the-box PowerShell downgrade and AMSI disablement techniques.

What are some good examples of defense-evading malware?

Shlayer for macOS is an excellent example of defense evading malware through the use of data obfuscation. To evade detection, Shlayer uses several forms of obfuscation that are reversed at the time of execution. While the malware payload is obfuscated, it is protected from detection by security tools. During execution, however, the commands executed are extremely easy to spot.

Cryptojacking scripts deployed by Rocke are an excellent example of defense evasion by masquerading. In this case, Rocke plants cryptocurrency miners on Linux systems using names that mimic system processes or kernel worker threads. Thankfully, there are some tricks we can use to determine whether these system processes are the real ones.

Trickbot is one example of a malware family that consistently disables Windows Defender with specific command line syntax. This gives Trickbot binaries a head start to avoid detection by antivirus vendors. This is a good way for the adversary to extend the life of the binaries, which are often compiled within a short time of appearing on victim endpoints.

The CozyCar/Cozy Duke is a classic example of an interesting family to look at when we’re discussing defense evasion. The malware uses several defense evasion techniques, including a technique we just added to ATT&CK—virtualization/sandbox evasion. If the malware checks that it’s being executed inside a virtual machine or a sandbox, it exits.

What are some reliable strategies for detecting defense evading adversaries?

Carbon Black’s coverage of the 67 Techniques utilized for Defense Evasion from MITRE ATT&CK consists of 472 queries. Below are a few key examples of some defense evasion queries for techniques that we are seeing increasingly leveraged during post exploitation—hat tip to Tony for the Shlayer obfuscation query. These queries are specific to Carbon Black, but they can be readily modified for other tools as well.

PowerShell Downgrade Attacks:

modload:windows\assembly\nativeimages_v*_32\*\*\system.management.automation.ni.dll parent_name:powershell.exe netconn_count:[1 TO *] -cmdline:windows\ccmcache

Disabling Windows Defender:
process_name:powershell.exe AND (cmdline:"Set-MpPreference -DisableRealtimeMonitoring $true")

Shlayer Deobfuscation:
Process_name:bash childproc_name:openssl childproc_name:xxd childproc_name:base64

Script Processor Renaming:
original_filename:wscript.exe -process_name:wscript.exe
Replace wscript.exe w/ powershell.exe, cmd.exe, cscript.exe, mshta.exe, etc.

 

As you start to write detections and hunt for these techniques, ATT&CK can provide a structured way to track those detections and how you improve over time. (And if you want to visualize that, check out the ATT&CK Navigator.) Below are a couple sample defense evasion analytics from MITRE’s Cyber Analytics Repository (CAR).

CAR-2016-04-002: User Activity from Clearing Event Logs
Pseudocode:
([log_name] == "System" and [event_code] in [1100, 1102]) or
([log_name] == "Security" and [event_code] == 104)

CAR-2013-10-002: DLL Injection via Load Library
Pseudocode:
remote_thread = search Thread:RemoteCreate
remote_thread = filter (start_function == "LoadLibraryA" or start_function == "LoadLibraryW")
remote_thread = filter (src_image_path != "C:\Path\To\TrustedProgram.exe")
output remote_thread

What other techniques are you likely to see in conjunction with evasion?

Defense evasion definitely does not exist in a vacuum, it must be part of a larger chain of execution. We commonly see defense evasion techniques shortly after the use of techniques to deliver payloads. This is the case with Trickbot. In other cases, defense evasion techniques will occur around the same time as persistence techniques. For example, scheduled tasks used for persistence may have names masquerading as legitimate management or update services.

In data mapped to ATT&CK from open sources, we have commonly seen defense evasion techniques paired up with techniques from other tactics such as persistence (as Tony has mentioned already), execution, and command and control. In some cases like Rundll32, we usually track that procedure (how the adversary implements the technique) under both the execution and defense evasion tactics because it accomplishes both goals—rundll32.exe can allow code execution while simultaneously evading defenses.

What are some good tools for testing detection coverage against defense evasion?

UACMe is a great project for detection engineering, as it covers a significant number of known User Account Control bypasses in an easy and repeatable fashion. Most importantly, many of these bypasses are still present in all current versions of Microsoft and some may never be patched. So, for the red teamers out there, this is a quick and efficient bypass for when application whitelisting isn’t a factor.

As always, I recommend Atomic Red Team. We have a robust set of tests to help you measure and determine needed coverage for defense evasion techniques.

MITRE’s automated red teaming tool, CALDERA, can test detection coverage for several defense evasion techniques—plus, the team just released version 2.0!

Does the fact that adversaries perform defense evasion mean that they have the advantage over defenders?

No way! Maybe I’m an optimist, but in my opinion, that type of thinking doesn’t give enough credit to the fact that defenders have many chances to catch adversaries. As we’ve discussed, savvy defenders who are looking out for these defense evasion techniques can turn them back against adversaries: the exact techniques they’re using to hide can also help us find them so we can kick them out of our networks.

What does the future hold for defense evasion?

I think the future of defense evasion involves new forms and combinations of obfuscation. As we get more efficient at recognizing malicious obfuscation, adversaries will seek new ways to obscure the contents of payloads. In many cases, adversaries realize they cannot hide from forensic analysis or hunters, but they can increase the cost for defenders to operate effectively and produce good findings.

 

Adversaries use scripting more than any ATT&CK technique except PowerShell

 

Four tools to consider if you’re adopting ATT&CK

 

Threat analysis: Regsvr32 is the third most popular ATT&CK technique

 

Connection Proxy Ranks Fourth Among ATT&CK Techniques

Subscribe to our blog