Evasion Tactics in Cyberattacks: How Defenders Can Detect Them

In today’s dynamic cybersecurity landscape, cybercriminals are employing increasingly sophisticated tactics to infiltrate undetected. One common strategy is the use of legitimate operating system tools and processes to hide malicious activity, presenting a significant challenge to defense teams. These evasion techniques allow attackers to operate under the radar, compromising sensitive systems and data without raising immediate suspicion.

For defensive security teams (Blue Team), detecting and neutralizing these tactics is essential. It requires a thorough understanding of the techniques employed by attackers and the implementation of advanced monitoring and analysis solutions. This article explores the most commonly used evasion tactics and offers effective strategies for defenders to identify and counter them, thereby strengthening their organizations’ security posture.

Common Evasion Techniques
In this article we will explore three evasion techniques frequently employed by cybercriminals to circumvent organizations’ defenses: Process Hollowing, DLL Sideloading and the Use of Event Logs for Persistence.
Process Hollowing
This is a technique in which cybercriminals create a legitimate process on the system and, once started, replace its internal memory with malicious code. This allows the malicious code to run under the guise of a trusted process, making it difficult to detect.

The technique typically proceeds as follows:

  • Creating a suspended process: The attacker starts a legitimate process in a suspended state using functions such as CreateProcess with the CREATE_SUSPENDED flag.
  • Malicious memory allocation: ZwUnmapViewOfSection is used to unmap the original image of the process, and VirtualAllocEx is used to allocate new memory in the address space of the target process.
  • Injection of malicious code: Using WriteProcessMemory, malicious code is written into the allocated memory.
  • Resumption of the process: Finally, the instruction pointer is set with SetThreadContext and the process is resumed with ResumeThread, thus executing the malicious code under the identity of the legitimate process.

Detection by the Blue Team

  • Monitoring suspicious API calls: Monitor the use of functions such as ZwUnmapViewOfSection, VirtualAllocEx and WriteProcessMemory in processes that do not normally use them.
  • Process image discrepancy analysis: Use tools that compare the disk image of the process with the one loaded in memory to identify unauthorized modifications.
  • Logging of process creation events: Configure monitoring systems to alert on the creation of processes in suspended state or unexpected changes in the memory of active processes.
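The following detection logic is an added example and is not part of the original article. It applies the sequence described above to constructed EDR-style API telemetry: the record format (one line per observed call, with caller PID, API name and target PID) is an assumption made for this example, as real EDR and Sysmon schemas differ. A debugger also creates suspended processes and resumes them, so the rule only alerts when the memory-tampering steps appear between creation and resumption.

```python
# Added example: sequence-based detection of process hollowing over
# constructed API telemetry. The line format is an assumption for this
# example, not a real EDR product's schema.
import re
from collections import defaultdict

# Constructed sample telemetry: <ts> pid=<caller> api=<name> target=<child> [key=value ...]
# Paths contain no spaces to keep the key=value parser simple.
SAMPLE_TELEMETRY = """\
1001 pid=4312 api=CreateProcessW target=5120 flags=CREATE_SUSPENDED image=C:\\Windows\\System32\\svchost.exe
1002 pid=4312 api=ZwUnmapViewOfSection target=5120
1003 pid=4312 api=VirtualAllocEx target=5120 protect=PAGE_EXECUTE_READWRITE
1004 pid=4312 api=WriteProcessMemory target=5120 size=24576
1005 pid=4312 api=SetThreadContext target=5120
1006 pid=4312 api=ResumeThread target=5120
1010 pid=7788 api=CreateProcessW target=7790 flags=0 image=C:\\Windows\\System32\\notepad.exe
1011 pid=7788 api=ResumeThread target=7790
1020 pid=9001 api=CreateProcessW target=9002 flags=CREATE_SUSPENDED image=C:\\Tools\\dbg.exe
1021 pid=9001 api=ResumeThread target=9002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+pid=(?P<pid>\d+)\s+api=(?P<api>\w+)\s+target=(?P<target>\d+)(?P<rest>.*)$"
)

# The hollowing chain in the order the article describes it. Only the
# steps in REQUIRED must be present for an alert; the unmapping and
# allocation calls strengthen it but are not mandatory.
CHAIN = ["CreateProcessW", "ZwUnmapViewOfSection", "VirtualAllocEx",
         "WriteProcessMemory", "SetThreadContext", "ResumeThread"]
REQUIRED = {"CreateProcessW", "WriteProcessMemory", "SetThreadContext", "ResumeThread"}


def parse_line(line):
    """Parse one telemetry line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["args"] = dict(kv.split("=", 1) for kv in rec.pop("rest").split())
    return rec


def detect_hollowing(telemetry):
    """Return one alert per (parent, child) pair showing the full chain:
    suspended creation, memory write and context change, then resume."""
    sessions = defaultdict(list)
    for line in telemetry.splitlines():
        rec = parse_line(line)
        if rec:
            sessions[(rec["pid"], rec["target"])].append(rec)

    alerts = []
    for (parent, child), recs in sessions.items():
        recs.sort(key=lambda r: int(r["ts"]))
        apis = [r["api"] for r in recs]
        create = next((r for r in recs if r["api"] == "CreateProcessW"), None)
        suspended = create is not None and "CREATE_SUSPENDED" in create["args"].get("flags", "")
        if not suspended or not REQUIRED.issubset(apis):
            continue
        # The write and the context change must both precede the resume.
        resume_at = apis.index("ResumeThread")
        if apis.index("WriteProcessMemory") < resume_at and apis.index("SetThreadContext") < resume_at:
            alerts.append({
                "parent_pid": int(parent),
                "child_pid": int(child),
                "image": create["args"].get("image", "?"),
                "chain": [a for a in apis if a in CHAIN],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_hollowing(SAMPLE_TELEMETRY):
        print(alert)
```

Only the first session triggers: the plain notepad launch lacks the suspended flag, and the debugger session creates a suspended process but never writes to it or changes its thread context. In production the same grouping key (caller PID, target PID) and ordering check can be expressed over whatever API-monitoring source the EDR provides.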

DLL Sideloading
The DLL sideloading technique involves cybercriminals placing a malicious dynamic link library (DLL) in the same directory as a legitimate application. When the application runs, it loads the malicious DLL instead of the legitimate one because of the priority given to that directory in the DLL search order, allowing unauthorized code execution.

The technique typically proceeds as follows:

  • Preparation of the malicious DLL: The attacker creates a DLL with the same name as a legitimate one that the target application loads during its execution.
  • Strategic DLL placement: The malicious DLL is placed in the directory of the legitimate application, taking advantage of the fact that Windows looks first in the application directory before looking elsewhere.
  • Application execution: When the legitimate application is started, it loads the malicious DLL, giving the attacker the ability to execute code with the same privileges as the application.

Detection by the Blue Team

  • DLL load monitoring: Implement tools that record which DLLs are loaded by each application and alert on unusual or unexpected loads.
  • Verification of digital signatures: Check that all loaded DLLs are digitally signed by trusted vendors and match the expected signatures.
  • File integrity control: Use systems that detect file changes or additions in critical application directories, especially those containing executables and their associated DLLs.
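The following is an added example, not code from the article. It implements the first two detection points above over constructed Sysmon Event ID 7 (ImageLoaded) records: a DLL whose file name the operating system normally supplies from a Windows system directory but which is loaded from elsewhere, and a DLL loaded from the application's own directory whose signature status is not valid. The field names (Image, ImageLoaded, SignatureStatus) follow Sysmon's Event ID 7 schema; the event contents and the inventory of system DLL names are constructed for the example.

```python
# Added example: DLL sideloading indicators over constructed Sysmon
# Event ID 7 records. Field names follow Sysmon; values are constructed.
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed inventory of DLL names the OS normally supplies from System32.
# In production, build this from a clean reference host rather than hard-coding it.
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll"}

# Constructed sample events (Sysmon Event ID 7 = image loaded, 1 = process create).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    {"EventID": 7, "Image": "C:\\Users\\Public\\Tools\\updater.exe",
     "ImageLoaded": "C:\\Users\\Public\\Tools\\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": ""},
    {"EventID": 7, "Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\vendorcore.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Vendor Inc"},
    {"EventID": 7, "Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": ""},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe"},
]


def analyze_image_loads(events):
    """Return a list of findings for image-load events that match either
    sideloading indicator. Each finding names the process, the DLL and
    every reason that fired."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        loaded = ev["ImageLoaded"].lower()
        name = ntpath.basename(loaded)
        dll_dir = ntpath.dirname(loaded) + "\\"
        app_dir = ntpath.dirname(ev["Image"].lower()) + "\\"
        reasons = []
        # Indicator 1: a system DLL name resolved outside the Windows system directories.
        if name in KNOWN_SYSTEM_DLLS and not loaded.startswith(SYSTEM_DIRS):
            reasons.append("system DLL name loaded from outside the Windows system directories")
        # Indicator 2: a DLL from the application's own directory without a valid signature.
        if dll_dir == app_dir and ev.get("SignatureStatus") != "Valid":
            reasons.append("unsigned or invalidly signed DLL loaded from the application directory")
        if reasons:
            findings.append({"process": ev["Image"], "dll": ev["ImageLoaded"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_image_loads(SAMPLE_EVENTS):
        print(f["process"], "->", f["dll"], "|", "; ".join(f["reasons"]))
```

The second indicator will also fire on legitimately unsigned vendor DLLs, so in practice it is paired with a per-application baseline of expected module hashes. Sysmon only emits Event ID 7 when image loading is enabled in its configuration, and it is one of the noisier event types, so the configuration is normally scoped to the applications of interest.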

Use of Event Logs for Persistence
In this technique, cybercriminals manipulate operating system event logs to store malicious code or commands to be executed later, achieving persistence on the compromised system. By hiding code in event log locations, suspicious activity is less likely to be detected.

The technique typically proceeds as follows:

  • Injection into event logs: Using tools such as wevtutil, the attacker can write malicious data into custom or poorly monitored event logs.
  • Execution via event subscription: Event subscriptions are created which, when triggered, execute malicious scripts or commands previously stored in the event logs.
  • Use of logs to store payloads: Malicious code is stored in event data and is retrieved and executed by scripts that read these logs.

Detection by the Blue Team

  • Monitoring changes in event logs: Set up alerts to detect unusual modifications to event logs, especially those that rarely change.
  • Event subscription review: Regularly audit event subscriptions to identify configurations that execute unexpected commands or scripts.
  • Event content analysis: Inspect data stored in event logs for patterns that indicate the presence of malicious code or commands.
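The following is an added example, not code from the article, illustrating the "event content analysis" point above. It scans constructed event log records for long base64 runs in the message field and classifies what they decode to: an embedded executable image (a decoded blob beginning with the MZ header) or an encoded command (decoded UTF-8 or UTF-16LE text that contains script-execution keywords). The records, channel names and keyword list are constructed for the example; a long base64 blob that decodes to neither (for instance a certificate) is deliberately not reported.

```python
# Added example: scan event log messages for embedded payloads.
# Records, channels and keywords are constructed for illustration.
import base64
import binascii
import re

# Base64 runs of at least 64 characters (16 bytes or more of payload).
B64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

# Constructed keyword list; extend it from your own detection content.
SUSPICIOUS_TEXT = ("powershell", "invoke-expression", "iex ", "downloadstring", "frombase64string")

# Constructed sample blobs: a PE-like image, an encoded script line, and a
# certificate-like opaque blob that should not be reported.
PE_LIKE = base64.b64encode(b"MZ" + b"\x90" * 100).decode()
ENCODED_CMD = base64.b64encode(
    "Invoke-Expression (Get-Content example_stage.txt)".encode("utf-16-le")).decode()
CERT_LIKE = base64.b64encode(bytes(range(0x80, 0xC0)) * 2).decode()

SAMPLE_RECORDS = [
    {"Channel": "Application", "EventID": 1000, "Provider": "AppHost",
     "Message": "Service started normally"},
    {"Channel": "Constructed-Custom-Log", "EventID": 100, "Provider": "CustomSvc",
     "Message": "Payload: " + PE_LIKE},
    {"Channel": "Application", "EventID": 4242, "Provider": "CustomApp",
     "Message": "Config blob " + ENCODED_CMD},
    {"Channel": "Application", "EventID": 4243, "Provider": "CustomApp",
     "Message": "Certificate " + CERT_LIKE},
]


def decoded_text(blob):
    """View bytes as printable UTF-8 or UTF-16LE text, or return None.
    UTF-8 is tried first: UTF-16LE ASCII contains NUL bytes, which are
    valid UTF-8 but not printable, so it falls through correctly."""
    for enc in ("utf-8", "utf-16-le"):
        try:
            text = blob.decode(enc)
        except UnicodeDecodeError:
            continue
        if text.isprintable():
            return text
    return None


def scan_event_records(records):
    """Return findings for base64 tokens that decode to a PE image or to
    text containing script-execution keywords."""
    findings = []
    for rec in records:
        for m in B64_RE.finditer(rec.get("Message", "")):
            try:
                blob = base64.b64decode(m.group(0), validate=True)
            except (binascii.Error, ValueError):
                continue
            base = {"channel": rec.get("Channel"), "event_id": rec.get("EventID")}
            if blob.startswith(b"MZ"):
                findings.append({**base, "kind": "embedded PE image", "size": len(blob)})
                continue
            text = decoded_text(blob)
            if text and any(k in text.lower() for k in SUSPICIOUS_TEXT):
                findings.append({**base, "kind": "encoded command", "preview": text[:60]})
    return findings


if __name__ == "__main__":
    for f in scan_event_records(SAMPLE_RECORDS):
        print(f)
```

For the "event subscription review" point, the same scan can be extended to Sysmon's WMI events (Event IDs 19, 20 and 21 for WmiEventFilter, WmiEventConsumer and their binding), which record the creation of permanent event subscriptions; a consumer whose command line reads from an event log is the pattern to look for.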

How Blue Teams can detect these tactics
To counter these threats, defense teams must adopt proactive strategies and specialized tools to identify suspicious activity and respond effectively.

Intrusion Detection Systems (IDS) Implementation
IDSs are essential for monitoring network traffic and detecting anomalous activity. These systems analyze data packets for patterns that match known attack signatures or unusual behavior, alerting security teams to potential intrusions. It is essential to keep signature databases up to date and adjust configurations to minimize false positives and negatives.

Use of Advanced Monitoring Tools
To detect techniques such as Process Hollowing or DLL Sideloading, it is crucial to use tools that provide deep system visibility:

  • Sysmon: This Microsoft Windows utility allows logging of detailed system events, such as process creation and module loading, making it easier to identify suspicious behavior.
  • EDR (Endpoint Detection and Response): These solutions offer continuous monitoring of endpoints, detecting and responding to malicious activity in real time.

Creating Custom Detection Rules
Developing specific rules to identify patterns of behavior associated with evasion techniques is vital:

  • YARA: Allows you to create rules to identify malicious files based on specific patterns.
  • Sigma: A standard language for sharing event detection rules across different SIEM platforms, facilitating the identification of suspicious activities.

Behavioral and Anomaly Analysis
Implementing solutions that use artificial intelligence and machine learning to analyze user and system behavior helps identify deviations that could indicate malicious activity. These tools can detect unusual patterns that traditional signatures might miss.

Employee Training and Awareness
Employees are a crucial line of defense. Providing regular training on social engineering techniques and evasion tactics used by cybercriminals increases the organization’s ability to detect and prevent attacks.

Conclusion
Evasion tactics employed by cybercriminals represent a constant challenge for organizations as they seek to circumvent established security measures. To counter these threats, it is essential that security teams take a proactive stance, implementing advanced monitoring and detection tools, such as Sysmon and EDR solutions. In addition, continuous training of employees in cybersecurity practices strengthens the first line of defense against potential intrusions. By combining cutting-edge technology with a security-oriented organizational culture, organizations can significantly improve their ability to identify and mitigate malicious activity, thereby protecting their most valuable assets.
