Tactics, Techniques and Procedures (TTPs) form the basis of modern defense strategies. Unlike indicators of compromise (IOCs), TTPs are relatively stable, making them a reliable way to identify specific cyber threats. Here are some of the most commonly used techniques, according to ANY.RUN's Q3 2024 report on malware trends, with real-world examples.
Disable Windows Event Log (T1562.002)
Disabling Windows Event Logging helps attackers prevent the system from recording critical information about their malicious activities.
Without event logs, important details like login attempts, file modifications, and system changes go unrecorded, leaving incomplete or missing data for security solutions and analytics.
Windows event logging can be controlled in a number of ways, including by changing registry keys or using commands such as “net stop eventlog”. Changing Group Policy is another common method.
Because many detection mechanisms rely on log analysis to identify suspicious activity, malware can run undetected for longer periods of time.
Example: XWorm disables remote access service logs
To detect, monitor and analyze different types of malicious TTPs in a secure environment, we can use the ANY.RUN interactive sandbox. The service provides configurable Windows and Linux virtual machines that let you not only detonate malicious programs and watch them execute in real time, but also interact with them as on a regular computer.
By tracking all system and network activity, ANY.RUN makes it easy and quick to identify malicious activities, such as disabling Windows event logging.
The ANY.RUN sandbox session shows the results of the XWorm detonation
Check out this analysis session, in which XWorm, a widespread remote access trojan (RAT), uses T1562.002.
The sandbox shares details about the malicious process and registry modification
Specifically, it modifies the registry to disable trace logs for RASAPI32, which is responsible for managing remote access connections on the system.
The malware disables the logs by changing a few registry values
By setting ENABLEAUTOFILETRACING and other RASAPI32-related registry values to 0, the attacker ensures that no trace logs are created. This makes it difficult for security programs such as antivirus to identify the incident.
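To show what a detection for this behaviour looks like in practice, here is an added example (not ANY.RUN's code). It inspects simplified Sysmon-style events in an assumed dict layout for the three signs described above: RASAPI32 tracing values set to 0, the EventLog service disabled through its registry Start value, and a "net stop eventlog" style command. All sample events and image paths are constructed placeholders.

```python
import re

# Added example, not ANY.RUN's code. It inspects simplified Sysmon-style
# events (an assumed dict layout, one event per dict) for the log-tampering
# behaviours described above: RASAPI32 tracing values set to 0, the EventLog
# service disabled through its registry Start value, or a "net stop eventlog"
# style command. Every sample event below is constructed.

RAS_TRACING_VALUE = re.compile(
    r"\\Microsoft\\Tracing\\RASAPI32\\(Enable\w*Tracing)$", re.IGNORECASE)
EVENTLOG_START_VALUE = re.compile(
    r"\\Services\\EventLog\\Start$", re.IGNORECASE)
STOP_EVENTLOG_CMD = re.compile(
    r"\b(?:net1?|sc(?:\.exe)?)\s+stop\s+eventlog\b", re.IGNORECASE)

SERVICE_DISABLED = 4  # a Start value of 4 marks a Windows service as disabled


def dword(details):
    """Extract the integer from a Sysmon 'DWORD (0x00000000)' Details string."""
    m = re.search(r"0x([0-9a-fA-F]+)", details or "")
    return int(m.group(1), 16) if m else None


def inspect_event(evt):
    """Return the findings for one event (an empty list when nothing matches)."""
    findings = []
    image = evt.get("Image", "?")
    if evt.get("EventID") == 13:  # Sysmon RegistryEvent: value set
        target = evt.get("TargetObject", "")
        value = dword(evt.get("Details"))
        m = RAS_TRACING_VALUE.search(target)
        if m and value == 0:
            findings.append(f"T1562.002: {image} cleared RASAPI32 {m.group(1)}")
        elif EVENTLOG_START_VALUE.search(target) and value == SERVICE_DISABLED:
            findings.append(f"T1562.002: {image} disabled the EventLog service")
    elif evt.get("EventID") == 1:  # Sysmon ProcessCreate
        if STOP_EVENTLOG_CMD.search(evt.get("CommandLine", "")):
            findings.append(f"T1562.002: {image} stopped the EventLog service")
    return findings


def scan(events):
    """Collect the findings from inspect_event over a whole event list."""
    findings = []
    for evt in events:
        findings.extend(inspect_event(evt))
    return findings


# Constructed sample telemetry; the image paths are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\user\AppData\Roaming\sample.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Tracing\RASAPI32\EnableAutoFileTracing",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Users\user\AppData\Roaming\sample.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Tracing\RASAPI32\EnableConsoleTracing",
     "Details": "DWORD (0x00000000)"},
    # Benign: raising the trace file size limit is not log tampering.
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Tracing\RASAPI32\MaxFileSize",
     "Details": "DWORD (0x00100000)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c net stop eventlog"},
    # Benign: stopping an unrelated service.
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c net stop spooler"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the scan reports the two RASAPI32 values and the "net stop eventlog" command and ignores the benign writes. In production the same rules would sit on top of a real Sysmon or EDR feed, and the value-equals-zero check matters: a write that sets a tracing value to a non-zero number is configuration, not tampering.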
Analyze malware and phishing threats for free in the ANY.RUN cloud sandbox.
Using PowerShell (T1059.001)
PowerShell is a scripting language and command-line shell built into Windows. Attackers commonly use it to perform various malicious tasks, including manipulating system settings, stealing data, and establishing persistent access to compromised systems.
By leveraging PowerShell's extensive capabilities, threat actors can use obfuscation techniques, such as encoding commands or advanced scripting tricks, to bypass detection mechanisms.
Example: BlankGrabber uses PowerShell to disable detection
Let's consider this BlankGrabber sample analysis. BlankGrabber is a family of malware used to steal sensitive data from infected systems. Once executed, the malware launches several processes, including PowerShell, to modify system settings and avoid detection.
The sandbox shows all operations performed by BlankGrabber via PowerShell
ANY.RUN instantly detects all malware activities and presents them in detail. Among other things, BlankGrabber uses PowerShell to disable the Intrusion Prevention System (IPS), IOAV protection, and Windows real-time monitoring. The sandbox also shows the contents of the command line, displaying the actual commands used by the malware.
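The command lines a sandbox shows are only useful if an analyst can read them, and encoded PowerShell is the usual obstacle. The following is an added example (not ANY.RUN's code, and not the BlankGrabber commands themselves): it decodes an -EncodedCommand payload (base64 of UTF-16LE text) and then reports which Defender protections a Set-MpPreference call in the plain text switches off. The switch names are Microsoft's documented Set-MpPreference parameters; the command lines are constructed samples.

```python
import base64
import binascii
import re

# Added example, not ANY.RUN's code. It normalises a PowerShell command line by
# decoding an -EncodedCommand payload (base64 of UTF-16LE text) and then reports
# which Defender protections a Set-MpPreference call in the plain text turns
# off. The switch names are Microsoft's documented Set-MpPreference parameters;
# the command lines below are constructed samples, not taken from the
# BlankGrabber session.

ENCODED_FLAG = re.compile(
    r"-(?:encodedcommand|encoded|enc|ec|e)\b\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
MP_PREFERENCE_CALL = re.compile(r"Set-MpPreference\b([^|;\n]*)", re.IGNORECASE)
DISABLE_SWITCH = re.compile(
    r"-Disable(RealtimeMonitoring|IOAVProtection|IntrusionPreventionSystem|"
    r"BehaviorMonitoring)\b\s*(?:\$true|1)\b", re.IGNORECASE)


def normalize(command_line):
    """Return the command line with any -EncodedCommand payload decoded in place."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return command_line
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return command_line  # undecodable payload: keep the original for manual review
    return command_line[:m.start()] + decoded + command_line[m.end():]


def defender_tampering(command_line):
    """List the Defender protections the (decoded) command line switches off."""
    disabled = []
    for call in MP_PREFERENCE_CALL.finditer(normalize(command_line)):
        disabled.extend(s.group(1) for s in DISABLE_SWITCH.finditer(call.group(1)))
    return disabled


# Constructed samples. The first one is built by encoding plain text the same
# way an -enc payload is produced, so the decoder can be exercised.
_PLAIN = "Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true"
_ENCODED = base64.b64encode(_PLAIN.encode("utf-16-le")).decode("ascii")
SAMPLE_COMMAND_LINES = [
    f"powershell.exe -NoP -W Hidden -enc {_ENCODED}",
    "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true",
    "powershell.exe Get-MpPreference",        # benign: reads settings only
    "powershell.exe -enc not-base64!!",       # malformed payload, left undecoded
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(defender_tampering(line) or "clean", "<-", normalize(line))
```

The decoder deliberately leaves a payload it cannot decode untouched rather than dropping the event, because an invalid or truncated base64 blob is itself worth a look. Matching on the decoded text rather than the raw command line is what makes the rule survive the "encoding commands" evasion described above.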
Windows Command Shell (T1059.003)
Attackers also often use the Windows command shell (cmd.exe), another versatile tool used for legitimate administrative tasks such as managing files and running scripts. Its widespread legitimate use makes it an attractive choice for concealing malicious activity.
Using a shell, attackers can execute a variety of malicious commands, from downloading payloads from remote servers to executing malware. The shell can also be used to execute PowerShell scripts for further malicious activities.
Because cmd.exe is a reliable and widely used utility, malicious commands can blend in with legitimate activity, making it difficult for security systems to identify and respond to threats in real time. Attackers can also use obfuscation techniques in their commands to avoid detection.
Example: Lumma uses CMD to execute the payload
Take a look at the following Lumma analysis. Lumma is a widely used information stealer that has been active since 2022.
The sandbox assigns the process cmd.exe a score of 100 as malicious
ANY.RUN gives us an in-depth look at the operations the malware performs via cmd.exe. These include running an application with an unusual extension and making changes to executable content, both of which indicate that attackers are abusing the process.
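The two signals named above (an application with an unusual extension, and executable content written just before it runs) can be turned into a simple scoring rule over process and file events. This is an added example, not ANY.RUN's scoring logic: the event layout is assumed, the weights are illustrative, and every sample event is constructed.

```python
import ntpath

# Added example, not ANY.RUN's code. It scores process creations for the signs
# the Lumma session shows: a program launched with a non-executable extension,
# a cmd.exe parent, an image living in a typical drop directory, and (via
# correlation with earlier file-write events) an executable that the same
# trace wrote to disk just before running it. Event layout is assumed, the
# weights are illustrative, and all sample events are constructed.

NORMAL_PROGRAM_EXT = {".exe", ".com", ".bat", ".cmd", ".msi", ".scr"}
DROP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\",
             "\\users\\public\\", "\\programdata\\")
ALERT_THRESHOLD = 70


def score_process(evt, written_by):
    """Return (score, reasons) for a ProcessCreate event.

    written_by maps lower-cased file paths to the image that created them."""
    image = evt.get("Image", "")
    reasons = []
    score = 0
    if ntpath.basename(evt.get("ParentImage", "")).lower() == "cmd.exe":
        score += 20
        reasons.append("spawned by cmd.exe")
    ext = ntpath.splitext(image)[1].lower()
    if ext not in NORMAL_PROGRAM_EXT:
        score += 40
        reasons.append(f"unusual extension {ext or '(none)'}")
    if any(d in image.lower() for d in DROP_DIRS):
        score += 30
        reasons.append("image in a drop directory")
    writer = written_by.get(image.lower())
    if writer:
        score += 50
        reasons.append(f"file written earlier by {ntpath.basename(writer)}")
    return score, reasons


def drop_and_execute(events):
    """Correlate FileCreate (EventID 11) with later ProcessCreate (EventID 1)
    events and return the launches scoring at or above ALERT_THRESHOLD."""
    written_by = {}
    alerts = []
    for evt in events:
        if evt.get("EventID") == 11:
            written_by[evt["TargetFilename"].lower()] = evt["Image"]
        elif evt.get("EventID") == 1:
            score, reasons = score_process(evt, written_by)
            if score >= ALERT_THRESHOLD:
                alerts.append({"image": evt["Image"], "score": score, "reasons": reasons})
    return alerts


# Constructed sample telemetry; all paths are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\user\Downloads\installer.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\update.tmp"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\user\AppData\Local\Temp\update.tmp",
     "CommandLine": r'"C:\Users\user\AppData\Local\Temp\update.tmp"'},
    # Benign: an administrator running a diagnostic from cmd.exe.
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\ipconfig.exe", "CommandLine": "ipconfig /all"},
    # Benign: an installer unpacked to Temp and launched from Explorer.
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\user\AppData\Local\Temp\setup.exe", "CommandLine": "setup.exe"},
]

if __name__ == "__main__":
    for alert in drop_and_execute(SAMPLE_EVENTS):
        print(alert)
```

No single factor fires the alert: cmd.exe spawning ipconfig.exe scores 20 and an installer launched from Temp scores 30, while a .tmp file that was written moments earlier and then executed from cmd.exe scores 140. Weighting like this is how a sandbox can give cmd.exe a high score in one session without flagging every administrator's shell.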
Registry Run keys and the Startup folder (T1547.001)
To ensure that the malware is automatically launched each time the system is started, attackers add entries to specific registry keys designed to launch programs at startup.
Malicious files can also be placed in the Startup folder, a special directory whose contents Windows automatically launches when the user logs on.
By using registry startup keys and the startup folder, attackers can maintain long-term persistence, allowing them to continue their malicious activities, such as stealing data, moving laterally across the network, or continuing to exploit the system.
Example: Remcos achieves persistence with the Run key
Here is an example of this technique performed by Remcos. In this case, the registry key HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN is modified.
The sandbox assigns appropriate TTPs to different malicious activities
By adding an entry to the RUN key in the registry, the Remcos backdoor ensures that it will automatically run on each new login. This allows the malware to maintain persistence in the infected system.
Time-Based Evasion (T1497.003)
Time-based evasion is a technique used by malware to avoid detection by security solutions that rely on sandboxing. Many sandboxes have limited monitoring periods, often just a few minutes. By delaying the execution of malicious code, malware can avoid detection during this window.
Another common goal of this TTP is to make malware appear benign during initial analysis, reducing the likelihood that it will be flagged as suspicious. The delay in execution can make it difficult for behavioral analysis tools to correlate initial benign behavior with subsequent malicious actions.
Malware often relies on multiple components or files to carry out the infection process. Delays can help synchronize the execution of different parts of the malware. For example, if the malware needs to download additional components from a remote server, a delay can ensure that those components are fully loaded and ready before the main payload is executed.
Some malicious activities may depend on the successful completion of other tasks. Introducing delays can help manage these dependencies, ensuring that each step in the infection process is executed in the correct order.
Example: DCRAT delays execution during an attack
The Dark Crystal RAT is one of many malware families that rely on time-based evasion techniques to stay under the radar on an infected system.
ANY.RUN offers a built-in MITRE ATT&CK matrix to track TTPs detected during analysis
In the following sandbox session, we can watch DCRAT sleep for 2000 milliseconds (2 seconds) before continuing execution. This is probably done to ensure that all the files needed for the next stage of the infection process are ready to run.
The ANY.RUN sandbox displays the details of each malicious process
Another time-based DCRAT evasion attempt detected by ANY.RUN is the use of the legitimate w32tm.exe tool to delay the execution process.
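A sandbox can only reason about delays if it adds them up across the whole trace, including delays hidden behind a legitimate helper such as w32tm.exe. This is an added example, not ANY.RUN's code: it walks a simplified execution trace in an assumed layout (API calls and process launches, all constructed) and totals the deliberate waiting. The w32tm estimate assumes the widely reported "/stripchart ... /period:N /samples:M" form, whose runtime is roughly N times M seconds, and the 60-second monitoring window is a value an operator would tune to their own run length.

```python
import ntpath
import re

# Added example, not ANY.RUN's code. It walks a simplified execution trace
# (assumed layout, constructed below: API calls and process launches) and
# totals the time a sample deliberately spends waiting, whether through Sleep
# calls like DCRAT's 2000 ms pause or by running w32tm.exe as a timer. The
# w32tm estimate assumes the widely reported "/stripchart ... /period:N
# /samples:M" form, whose runtime is roughly N * M seconds; the monitoring
# window is a value a sandbox operator would tune to their own run length.

SLEEP_APIS = {"Sleep", "SleepEx", "NtDelayExecution"}
SYSTEM_PARENTS = {"services.exe", "svchost.exe"}  # w32tm from these is routine time sync
W32TM_TIMER = re.compile(
    r"w32tm(?:\.exe)?\s+/stripchart\b.*?/period:(\d+).*?/samples:(\d+)", re.IGNORECASE)


def w32tm_delay_ms(command_line):
    """Estimate how long a w32tm /stripchart invocation keeps its caller waiting."""
    m = W32TM_TIMER.search(command_line)
    if not m:
        return 0
    period_s, samples = int(m.group(1)), int(m.group(2))
    return period_s * samples * 1000


def evasion_summary(trace, window_ms=60_000):
    """Total the deliberate delays in a trace and compare them with the window."""
    total = 0
    reasons = []
    for ev in trace:
        if ev["kind"] == "api" and ev["api"] in SLEEP_APIS:
            total += ev["ms"]
            reasons.append(f"{ev['api']}({ev['ms']} ms) by {ntpath.basename(ev['image'])}")
        elif ev["kind"] == "process" and ntpath.basename(ev["image"]).lower() == "w32tm.exe":
            parent = ntpath.basename(ev["parent"]).lower()
            if parent in SYSTEM_PARENTS:
                continue  # scheduled time synchronisation, not a delay trick
            est = w32tm_delay_ms(ev["cmdline"])
            if est:
                total += est
                reasons.append(f"w32tm.exe used as a ~{est} ms timer by {parent}")
    return {"delay_ms": total, "reasons": reasons, "exceeds_window": total >= window_ms}


# Constructed trace; the image names are placeholders.
SAMPLE_TRACE = [
    {"kind": "api", "image": r"C:\Users\user\AppData\Roaming\sample.exe",
     "api": "Sleep", "ms": 2000},  # the 2-second pause seen in the DCRAT session
    {"kind": "process", "image": r"C:\Windows\System32\w32tm.exe",
     "parent": r"C:\Users\user\AppData\Roaming\sample.exe",
     "cmdline": "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:12"},
    {"kind": "process", "image": r"C:\Windows\System32\w32tm.exe",
     "parent": r"C:\Windows\System32\svchost.exe", "cmdline": "w32tm /resync"},
    {"kind": "api", "image": r"C:\Users\user\AppData\Roaming\sample.exe",
     "api": "Sleep", "ms": 100},
]

if __name__ == "__main__":
    print(evasion_summary(SAMPLE_TRACE))
```

On the constructed trace the 2-second sleep alone stays well inside the window, which is exactly why a single short pause such as DCRAT's should not be an alert by itself; it is the w32tm.exe timer launched by the sample, not by a system service, that pushes the total past 60 seconds. Sandboxes that can hook the sleep APIs often shorten the waits instead of just counting them, but the accounting above is what tells an analyst that the waiting was deliberate.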
Analyze malware with the ANY.RUN Sandbox
ANY.RUN offers a cloud-based sandbox for analyzing malware and phishing threats, providing fast and accurate results to improve investigations. With its advanced features, you can freely interact with submitted files and URLs, as well as the system, to deepen your threat analysis.
- Simply upload a file or URL to start the analysis process
- Threat detection takes less than 60 seconds
- The service quickly extracts in-depth information about malware behavior and generates threat reports
- Type text, open links, download attachments, run programs – all inside a virtual machine
- Use private analysis mode and team collaboration tools
Integrate the ANY.RUN sandbox into your organization's workflow with a 14-day free trial to try everything it has to offer.