Common Tools & Techniques Used By Threat Actors and Malware — Part II

Nasreddine Bencherchali
Feb 5, 2021


Hello and welcome to part 2 of this blog post. If you haven’t caught the first part, please do, as this is a direct continuation.

In this second part, we’ll take a look at some of the most common techniques used by threat actors and malware authors, from initial access to data exfiltration. We’ll see how we can identify these kinds of techniques by looking at logs, and discuss some detection opportunities. So let’s get started.

Note: This is not by any means an exhaustive list of all the techniques out there; different actors and malware use different techniques and variants. These are the most common ones I’ve found documented.

Phishing / Malicious Macros

Most attacks nowadays start with a phishing attack, whether it be an email carrying a malicious document with a malicious PowerShell or VBS macro, or a fake website that is trying to impersonate another service. At the end of the day, a user will be tricked into clicking something that he shouldn’t have.

Detection Opportunity

When looking for this type of technique, always look for suspicious child processes. For example, when an email is opened from “outlook.exe” and the process spawns a child “cmd.exe” process, which is not a typical child of “outlook.exe”, it’s worth looking at.

Note that this parent-child relationship can be extended to the children of the child processes. For example, when looking at the children of “outlook.exe” you’ll find an “excel.exe” or “word.exe” or even a PDF reader process, which is perfectly “normal” as users tend to open attachments directly from a mail. But the interesting thing could lie in the children of those “excel.exe” and “word.exe” processes.
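The ancestry check described above, as an added example that is not part of the original post. It assumes process-creation events shaped like Sysmon Event ID 1 records; the watch lists and the sample events are constructed for illustration.

```python
# Added example. Field names follow Sysmon Event ID 1 (process creation);
# the events below are constructed sample data, not real telemetry.
from ntpath import basename  # parses Windows paths on any OS

# Assumed watch lists; Word's process image is winword.exe.
MAIL_AND_DOCS = {"outlook.exe", "winword.exe", "excel.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def ancestry(event, by_guid):
    """Image names from this process up to its oldest logged ancestor."""
    chain, seen = [], set()
    while event and event["ProcessGuid"] not in seen:  # guard against loops
        seen.add(event["ProcessGuid"])
        chain.append(basename(event["Image"]).lower())
        event = by_guid.get(event["ParentProcessGuid"])
    return chain

def suspicious_chains(events):
    """Flag shells/script hosts with a mail or Office process anywhere above them."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for e in events:
        chain = ancestry(e, by_guid)
        if chain[0] in SHELLS and MAIL_AND_DOCS & set(chain[1:]):
            hits.append(" > ".join(reversed(chain)))
    return hits

def ev(guid, parent, image):
    return {"ProcessGuid": guid, "ParentProcessGuid": parent, "Image": image}

OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [
    ev("g1", "g0", r"C:\Windows\explorer.exe"),
    ev("g2", "g1", OFFICE + r"\OUTLOOK.EXE"),
    ev("g3", "g2", OFFICE + r"\EXCEL.EXE"),        # attachment opened: normal
    ev("g4", "g2", OFFICE + r"\WINWORD.EXE"),      # attachment opened: normal
    ev("g5", "g4", r"C:\Windows\System32\cmd.exe"),  # shell spawned by Word
    ev("g6", "g5", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ev("g7", "g1", r"C:\Windows\System32\cmd.exe"),  # shell started by the user
]

if __name__ == "__main__":
    for chain in suspicious_chains(SAMPLE_EVENTS):
        print("ALERT", chain)
```

The shell started from explorer.exe is not reported, while both the cmd.exe under Word and the PowerShell beneath it are, each with the full chain back to outlook.exe.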

Log Visibility

The following technique can be detected by enabling/searching the following logs.

Detection Rules

The following are some detection rules to detect this technique

RDP Brute Force

Another technique used by threat actors as a means of initial access is RDP brute forcing, where they search for any front-facing machines that have RDP open to the internet and try to guess valid credentials.

Detection Opportunity

This is a straightforward one to catch. All you need is to look at your logs and search for multiple failed attempts coming from a single IP or multiple IPs in a short time.
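A sliding-window version of that search, as an added example that is not part of the original post. It assumes failed logons exported from the Windows Security log (Event ID 4625) as CSV lines; the window, the thresholds and the sample lines are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; tune them against your own baseline.
WINDOW = timedelta(minutes=5)
MAX_FAILS_PER_IP = 5   # failures from one source inside the window
MAX_SOURCES = 4        # distinct sources failing inside the window

# Constructed sample: timestamp,EventID,LogonType,IpAddress,TargetUserName
SAMPLE = (
    [f"2021-02-01T03:00:{s:02d},4625,10,203.0.113.7,administrator" for s in range(0, 50, 10)]
    + [f"2021-02-01T09:0{i}:00,4625,3,198.51.100.{i},admin" for i in range(1, 5)]
    + ["2021-02-01T14:00:00,4625,10,192.0.2.10,alice",   # one typo, no alert
       "2021-02-01T03:00:05,4624,10,192.0.2.10,alice"]   # successful logon, ignored
)

def parse(line):
    ts, event_id, logon_type, ip, user = line.split(",")
    return datetime.fromisoformat(ts), int(event_id), int(logon_type), ip, user

def detect(lines):
    """Return alerts for one noisy source and for many sources failing together."""
    per_ip = defaultdict(deque)   # source IP -> failure times still in the window
    recent = deque()              # (time, source IP) for all failures in the window
    alerts = set()
    for ts, event_id, logon_type, ip, _user in sorted(map(parse, lines)):
        # 4625 = failed logon; type 10 = RemoteInteractive, 3 = Network (RDP with NLA)
        if event_id != 4625 or logon_type not in (3, 10):
            continue
        q = per_ip[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:
            q.popleft()
        if len(q) >= MAX_FAILS_PER_IP:
            alerts.add(("single_source", ip))
        recent.append((ts, ip))
        while ts - recent[0][0] > WINDOW:
            recent.popleft()
        if len({src for _, src in recent}) >= MAX_SOURCES:
            alerts.add(("many_sources", "*"))
    return alerts

if __name__ == "__main__":
    print(sorted(detect(SAMPLE)))
```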

Log Visibility

The following technique can be detected by enabling/searching the following logs.

Process Hollowing

Process hollowing is commonly performed by creating a process in a suspended state then unmapping/hollowing its memory, which can then be replaced with malicious code — MITRE ATT&CK

One of the most common techniques performed by malware and threat actors today is process hollowing, which can be tricky to detect, especially if you don’t know what’s normal in the OS.

Detection Opportunity

Process hollowing is actually easy to detect when you know what to look for and have the proper logging configured. Often, malware will hollow a legitimate process such as “svchost.exe” or “rundll32.exe”. These processes often have unique command lines when launched in a normal fashion. For example, the “svchost.exe” process will always have the “-k” command line argument present when launched in a legitimate fashion and will always be a child of “services.exe”. Other things to look for are network communication to malicious IPs and new children spawned from the hollowed process that may perform recon or other activities, etc.
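The “svchost.exe” baseline above, turned into a check that also lists what a flagged instance went on to spawn. This is an added example, not part of the original post; it assumes process-creation events shaped like Sysmon Event ID 1 records, and the sample events are constructed.

```python
# Added example; field names follow Sysmon Event ID 1, sample data is constructed.
from ntpath import basename

def svchost_anomalies(event):
    """Reasons a process-creation event breaks the svchost.exe baseline."""
    if basename(event["Image"]).lower() != "svchost.exe":
        return []
    reasons = []
    args = event["CommandLine"].lower().split()[1:]
    if "-k" not in args:
        reasons.append("no -k argument")
    if basename(event["ParentImage"]).lower() != "services.exe":
        reasons.append("parent is not services.exe")
    return reasons

def triage(events):
    """Pair every anomalous svchost.exe with the children it spawned."""
    report = []
    for e in events:
        reasons = svchost_anomalies(e)
        if reasons:
            kids = [basename(c["Image"]).lower() for c in events
                    if c["ParentProcessGuid"] == e["ProcessGuid"]]
            report.append({"guid": e["ProcessGuid"], "reasons": reasons, "children": kids})
    return report

SVCHOST = r"C:\Windows\System32\svchost.exe"
SAMPLE_EVENTS = [
    # Legitimate service host: -k present, started by services.exe
    {"ProcessGuid": "a1", "ParentProcessGuid": "a0", "Image": SVCHOST,
     "CommandLine": SVCHOST + " -k netsvcs -p",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    # No arguments and an unexpected parent
    {"ProcessGuid": "b1", "ParentProcessGuid": "b0", "Image": SVCHOST,
     "CommandLine": SVCHOST,
     "ParentImage": r"C:\Users\Public\invoice.exe"},
    # Child of the anomalous svchost.exe
    {"ProcessGuid": "b2", "ParentProcessGuid": "b1",
     "Image": r"C:\Windows\System32\whoami.exe",
     "CommandLine": "whoami /all", "ParentImage": SVCHOST},
]

if __name__ == "__main__":
    for item in triage(SAMPLE_EVENTS):
        print(item)
```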

Log Visibility

The following technique can be detected by enabling/searching the following logs.

Named Pipes

A named pipe is a named, one-way or duplex pipe for communication between the pipe server and one or more pipe clients. Named pipes can be used to provide communication between processes on the same computer or between processes on different computers across a network — MSDN

It is not performed directly via a specific tool, but it’s a mechanism that most offensive tools utilize in some way or form to perform lateral movement, privilege escalation, etc.

Tools such as Cobalt Strike and Metasploit make use of this feature heavily, so it’s important to have detection for it.

Detection Opportunity

Since a lot of processes use named pipes, a baseline is required to detect malicious usage effectively. Tools such as “pipelist.exe” can help you do that. What I found helpful, and what can aid you in creating a detection for this, is to execute the malicious tools in a lab environment with Sysmon enabled and look for patterns, if there are any.

Multiple blogs and resources exist that have already done the work. You can use that knowledge to write good detections.

Log Visibility

The following technique can be detected by enabling/searching the following logs.

Registry Keys / Scheduled Tasks Persistence

The Windows Registry and Task Scheduler are the favorite options for malware and threat actors to persist. Most if not all attacks nowadays have some form of persistence via the registry or scheduled tasks. The registry keys, names and locations vary, but the idea is the same.

Detection Opportunity

To detect such techniques, as with everything in detection engineering, we need a baseline of the activity on the network. Determine which processes often create/run tasks or create/modify registry keys. Once that is done, the rest is having the proper logging, whether it be in the form of Windows logging or an EDR solution.

The two most prominent processes for such techniques are “reg.exe” and “schtasks.exe”, so always look for processes spawning these binaries directly or via “cmd.exe” with the “/C” switch. Investigate the command line arguments and determine if it’s a threat or not.
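One way to apply this, as an added example that is not part of the original post: unwrap any “cmd.exe /C” wrapper, then report “reg.exe” and “schtasks.exe” launches whose parent is outside the baseline. The baseline set, the watched actions (`add`, `/create`) and the sample events are constructed assumptions.

```python
# Added example; field names follow Sysmon Event ID 1, sample data is constructed.
import re
from ntpath import basename

BASELINE_PARENTS = {"msiexec.exe"}   # assumed: parents known to run these tools here
WATCHED = {("reg.exe", "add"), ("schtasks.exe", "/create")}  # assumed actions of interest

def tokens(cmdline):
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def unwrap_cmd(cmdline):
    """Strip leading `cmd.exe /c` wrappers; only the leading tokens are used afterwards."""
    toks = tokens(cmdline)
    while toks and basename(toks[0]).lower() in ("cmd", "cmd.exe"):
        idx = next((i for i, t in enumerate(toks) if t.lower() == "/c"), None)
        if idx is None:
            break
        toks = tokens(" ".join(toks[idx + 1:]))
    return toks

def persistence_hit(event):
    """Return (parent, tool, action) for a watched action from a non-baseline parent."""
    toks = [t.lower() for t in unwrap_cmd(event["CommandLine"])]
    if len(toks) < 2:
        return None
    tool = basename(toks[0])
    tool = tool if tool.endswith(".exe") else tool + ".exe"
    parent = basename(event["ParentImage"]).lower()
    if (tool, toks[1]) in WATCHED and parent not in BASELINE_PARENTS:
        return (parent, tool, toks[1])
    return None

def scan(events):
    return [hit for hit in map(persistence_hit, events) if hit]

SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'cmd.exe /C "reg add HKCU\Software\ExampleVendor /v Updater /d C:\Temp\u.exe /f"'},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"schtasks.exe /Create /TN Example /TR C:\Temp\u.exe /SC ONLOGON"},
    {"ParentImage": r"C:\Windows\explorer.exe",            # read-only query
     "CommandLine": r"reg.exe query HKLM\Software\ExampleVendor"},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",    # parent is in the baseline
     "CommandLine": r"C:\Windows\System32\schtasks.exe /create /tn VendorUpdate /tr C:\Vendor\up.exe"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("REVIEW", hit)
```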

Log Visibility

The following technique can be detected by enabling/searching the following logs.

LSASS / Secrets Dumping

Once the malware or threat actors are on a system, they want to escalate and move laterally. One of the first things they search for is credentials.

Multiple techniques and tools could be used to extract credentials, but they all target one of the following: “LSASS”, “LSA Secrets”, “SAM”, “NTDS”, etc.

Detection Opportunity

To detect credential dumping you can take multiple approaches. The easiest is writing detections for specific command line arguments and utilities, for example tools such as “ntdsutil” with the famous command line

ntdsutil "ac in ntds" "ifm" "cr fu [Path]" q q

Or usage of the “comsvcs” DLL

rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump [PID] [Path] full

You can also detect this from the logs using Sysmon event ID 10.
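Both approaches in one classifier, as an added example that is not part of the original post: case- and spacing-tolerant patterns for the two command lines above on process creation (Sysmon Event ID 1), plus an allowlist check on Sysmon Event ID 10 records that target “lsass.exe”. The allowlist and the sample events are constructed assumptions; the ntdsutil pattern also accepts the long form “activate instance ntds”.

```python
# Added example; sample events are constructed, the allowlist is an assumption.
import re

NTDSUTIL_IFM = re.compile(
    r'\bntdsutil(\.exe)?\b.*\bac\w*\s+i\w*\s+ntds\b.*\bifm\b', re.I)
COMSVCS_DUMP = re.compile(
    r'\brundll32(\.exe)?\b.*\bcomsvcs(\.dll)?["\s]*,?\s*MiniDump', re.I)

# Assumed baseline of processes expected to open lsass.exe; build yours from real data.
LSASS_ALLOWED = {r"c:\windows\system32\wininit.exe", r"c:\windows\system32\csrss.exe"}

def classify(event):
    """Return a detection label for the event, or None."""
    if event["EventID"] == 1:            # process creation
        cmd = event["CommandLine"]
        if NTDSUTIL_IFM.search(cmd):
            return "ntdsutil_ifm"
        if COMSVCS_DUMP.search(cmd):
            return "comsvcs_minidump"
    elif event["EventID"] == 10:         # process access
        targets_lsass = event["TargetImage"].lower().endswith(r"\lsass.exe")
        if targets_lsass and event["SourceImage"].lower() not in LSASS_ALLOWED:
            return "lsass_access"
    return None

LSASS = r"C:\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "CommandLine": r'ntdsutil "ac in ntds" "ifm" "cr fu C:\Temp\x" q q'},
    {"EventID": 1, "CommandLine":
        r"RUNDLL32.EXE C:\Windows\System32\comsvcs.dll MiniDump 624 C:\Temp\out.dmp full"},
    {"EventID": 1, "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"EventID": 10, "SourceImage": r"C:\Temp\tool.exe", "TargetImage": LSASS},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\wininit.exe", "TargetImage": LSASS},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(classify(e), e)
```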

Log Visibility

The following technique can be detected by enabling/searching the following logs.

Conclusion

As I've stated at the beginning of this blog, this is by no means an exhaustive list. My point with this two-part blog post is to show the most common ways attackers have been using to infiltrate and infect networks in recent years. And I hope that I’ve intrigued the reader enough to do more research.

There are a ton of resources out there that can help us all become better threat hunters or detection engineers and help reduce the gap between us and the attackers.

I hope you enjoyed reading this as much as I’ve enjoyed writing it. If you have any suggestions or feedback of any kind, please feel free to hit me up on Twitter @nas_bench. I’ll be more than happy to discuss more of this with the members of the community.

Let the hunt begin.

Resources
