MITRE Corporation’s ATT&CK framework is a living, curated repository of adversarial tactics and techniques based on observations from actual attacks on enterprise networks. It’s a valuable trove of information for security analysts, threat hunters and incident response teams. Today, I’m going to look at a particular method for evading detection, often used in conjunction with maintaining persistence, which has been abused by recent malware: hiding within the Windows registry.
Adversaries are always looking for ways to evade detection and maintain persistence. Techniques are spread across multiple tactics, with Defense Evasion and Persistence being two of the larger tactics by the number of linked techniques. Defense Evasion covers techniques that adversaries use to avoid detection and defeat defenses. According to Verizon’s 2018 Data Breach Investigations Report, “68% of breaches took months or longer to discover.” Persistence covers techniques that allow an adversary to maintain a presence on a system through interruptions such as system reboots, loss of credentials or malware removal tools. These two tactics often go hand in hand.
Adversaries have been known to add malicious registry entries to various Windows configuration locations such as HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run in order to maintain persistence through system reboots. Registry entries in this location will execute when the computer reboots or a user logs in, and these entries often rely on Masquerading, a hide-in-plain-sight technique, to look like legitimate entries and avoid detection.
More recently, we’ve seen examples of malicious registry entries hiding rather than masquerading. For example, the ad-fraud Trojan Kovter hides persistence-enabling code in the registry by prefixing value names with a null byte in order to make detection, analysis and removal difficult. This is an old trick that has seen renewed use. Poweliks, another ad-fraud Trojan, hides in the registry using similar mechanisms.
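The null-byte trick works because the Win32 registry functions (and therefore regedit and most scripts) treat a value name as a NUL-terminated string, while the data actually stored in the hive carries an explicit length. A name that starts with a NUL looks empty to the Win32 view and cannot be opened, displayed or deleted through it, but a reader that honours the stored length sees the whole name. The following Python is an added example, not code from the original post or from any of the tools it mentions: it models both views over a constructed Run-key listing and flags the entries whose Win32 view is shorter than their real name. It generalizes slightly beyond the text by also catching a NUL embedded mid-name, not only a leading one. The value names, data strings and the `RawValue` record are constructed for the example; on a real system the explicit-length view would come from the native API rather than from an in-memory list.

```python
"""Flag registry value names hidden with a leading or embedded NUL character.

Added example (not from the original post). Two views of the same stored name:
  * win32_view   - behaves like a NUL-terminated-string consumer (regedit, RegEnumValue)
  * native_view  - behaves like an explicit-length consumer (the hive itself, NtEnumerateValueKey)
Any value whose two views disagree is hidden from ordinary tooling.
"""
from dataclasses import dataclass
from typing import List, Dict


@dataclass
class RawValue:
    """One registry value as stored: UTF-16LE name bytes (no terminator) plus its data."""
    name_utf16: bytes
    data: str


def win32_view(name_utf16: bytes) -> str:
    """Decode the name the way a C-string API does: stop at the first UTF-16 NUL unit."""
    kept = []
    for i in range(0, len(name_utf16), 2):
        unit = name_utf16[i:i + 2]
        if unit == b"\x00\x00":
            break
        kept.append(unit)
    return b"".join(kept).decode("utf-16-le")


def native_view(name_utf16: bytes) -> str:
    """Decode every stored byte, NUL units included, as an explicit-length API returns them."""
    return name_utf16.decode("utf-16-le")


def hidden_names(values: List[RawValue]) -> List[Dict[str, object]]:
    """Return the values whose Win32 view is shorter than their real stored name."""
    findings = []
    for v in values:
        full = native_view(v.name_utf16)
        shown = win32_view(v.name_utf16)
        if len(full) != len(shown):
            findings.append({
                "displayed_as": shown,                         # what regedit would show ("" for a leading NUL)
                "real_name": full.replace("\x00", "\\0"),      # printable form of the stored name
                "null_offset": full.index("\x00"),             # 0 means the NUL was prepended
                "data": v.data,
            })
    return findings


def constructed_run_key() -> List[RawValue]:
    """A constructed Run-key listing for the example; none of these are real malware names."""
    def val(name: str, data: str) -> RawValue:
        return RawValue(name.encode("utf-16-le"), data)
    return [
        val("OneDrive", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"),
        val("\x00updater", "<constructed launcher command, hidden by a leading NUL>"),
        val("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
        val("Java\x00Update", "<constructed launcher command, hidden by an embedded NUL>"),
    ]


if __name__ == "__main__":
    for f in hidden_names(constructed_run_key()):
        print(f"hidden value: displayed as {f['displayed_as']!r}, real name {f['real_name']!r}, "
              f"NUL at offset {f['null_offset']}, data: {f['data']}")
```

Running the block reports two hidden values: one displayed as an empty name (NUL at offset 0, the Kovter-style case) and one displayed as `Java` (NUL at offset 4). The practical lesson for defenders is that any inventory of autorun locations built solely on Win32 string APIs can miss these entries, so a hunt for this technique needs a reader that honours the stored name length.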
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by David Lu. Read the original post at: https://www.tripwire.com/state-of-security/mitre-framework/evade-detection-hiding-registry/