At CounterCraft, we talk a lot about the TTPs our platform can detect and classify, and how we are pioneering the integration of the Mitre ATT&CK TTP classification framework. If you work with Mitre ATT&CK, you’ve probably seen the matrix thousands of times, but have you ever really taken a look at the more niche, yet still-high-risk TTPs?
In this article, we go one step further to describe some of the more interesting TTPs you can detect using our deception-powered threat intel technology. Read on to get a detailed view of these lesser-known attack mechanisms.
TTPs help classify attacker behavior and are an extremely useful tool in attacker profiling. They provide context to observed activity and go a long way towards standardizing the threat intelligence we create and share.
CounterCraft maintains an extensive TTP library, to which each of the TTPs below has been added. It is continually expanded based on findings from open-source threat intel and on data from our own in-house deception deployments, investigations and research.
Let’s start things off with a very special TTP: T9001. You won’t find this in the MITRE ATT&CK framework, as it’s one of a growing number of CounterCraft-specific TTPs created by our threat intel team:
Name: Suspicious Process
Usage: Creating new processes that are out of the ordinary or outside the usual scope of operation.
New processes appearing is normal on a running OS, and there is no fixed rule that separates ‘good-ware’ from malware. Adversaries use several techniques to hide their presence, from rootkit techniques to the use of common process names to confuse the user or analyst.
This TTP is triggered when uncommon processes are launched, judged against the normal behavior of processes, the relationships between them (parent and child), and the file paths and names they run from.
T9001 serves as a way of identifying suspicious or unusual behavior that isn’t classified as an official ATT&CK TTP, but which may indicate attacker activity.
T9001 is just one of a series of CounterCraft TTPs related to activity within a deception environment that may be specific to deception deployments or new and recently discovered behavior patterns.
To date, T9001 contains 25 definitions of suspicious process, including:
- Potential code injection / shellcode executions
- Fingerprints of MetaSploit activity
- Use of specific tools
…and more. The detection criteria are EQL (Event Query Language) queries over event data from the deception environment, and no, we’re not going to share the queries we use – we don’t want to give the game away!
There are over 290 TTPs currently in the ATT&CK framework. The following section covers some lesser-known TTPs that our Threat Analysis team selected because they come with some cool use cases. So, on to the MITRE ATT&CK TTPs.
Name: Right-to-Left Override
Use: To disguise malicious payloads, especially in spear phishing attacks
Adversaries may use the right-to-left override (RTLO or RLO) character (U+202E) to trick a user into executing what they think is a file of a benign type but which is actually executable code. RTLO is a non-printing character that causes the text following it to be laid out right-to-left, so it appears reversed on screen.
A payload that in reality is a Windows screensaver executable named March 25 \u202Excod.scr will display as March 25 rcs.docx.
This technique is commonly used in spear phishing attacks, since it can trick both end users and defenders who are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and in criminal activity.
The RTLO technique can also be used in the Windows Registry, where regedit.exe displays the reversed characters but the command line tool reg.exe, by default, does not.
Name: Rename System Utilities
OS: Windows – Linux
Usage: To bypass security systems
Adversaries can rename legitimate system utilities to evade security mechanisms that protect or monitor those utilities by name.
Because many controls key on the utility’s file name, renaming it (e.g. renaming rundll32.exe before abusing it) lets the adversary use the utility without tripping the name-based rule.
An alternative case occurs when a legitimate utility is copied or moved to a different directory and also renamed, so that neither a name-based detection nor one based on system utilities executing from non-standard paths matches the copy.
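The following is an added example, not CounterCraft’s code or one of its EQL queries, showing the kind of process-relationship and path checks behind both T9001 (unexpected parent/child pairs, processes in unusual locations) and Rename System Utilities (on-disk name no longer matching the name compiled into the binary). The event fields mirror a Sysmon process-creation record (Image, OriginalFileName, ParentImage); the allow-lists and the sample events are constructed for the example and would be replaced by a baseline taken from your own hosts.

```python
import ntpath
from dataclasses import dataclass

# Expected install directories for a few Windows system utilities (lower-case).
# Constructed allow-list for this example; a real deployment would derive it
# from a baseline of the monitored (or deception) hosts.
EXPECTED_DIRS = {
    "rundll32.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "cmd.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "certutil.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "powershell.exe": {r"c:\windows\system32\windowspowershell\v1.0",
                       r"c:\windows\syswow64\windowspowershell\v1.0"},
}

# Parent -> children seen on the baseline. Any other child of these parents is
# flagged; a shell spawned by an Office application gets its own label.
ALLOWED_CHILDREN = {
    "winword.exe": {"splwow64.exe"},
    "excel.exe": {"splwow64.exe"},
    "services.exe": {"svchost.exe", "msiexec.exe"},
}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class ProcessEvent:
    image: str               # full path of the new process (Sysmon "Image")
    original_file_name: str  # PE version-info name (Sysmon "OriginalFileName")
    parent_image: str        # full path of the parent process (Sysmon "ParentImage")


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def check_event(ev: ProcessEvent) -> list[str]:
    """Return a list of finding strings for one process-creation event."""
    findings = []
    name = _base(ev.image)
    orig = ev.original_file_name.lower()
    parent = _base(ev.parent_image)

    # 1. Renamed utility: the on-disk name differs from the compiled-in name.
    if orig and orig != name:
        findings.append(f"renamed-utility: {name} has OriginalFileName {orig}")

    # 2. Relocated utility: a known system binary running outside its home directory.
    key = orig or name
    if key in EXPECTED_DIRS and _dir(ev.image) not in EXPECTED_DIRS[key]:
        findings.append(f"non-standard-path: {key} executing from {_dir(ev.image)}")

    # 3. Unusual parent/child relation, e.g. a Word document spawning cmd.exe.
    if parent in ALLOWED_CHILDREN and name not in ALLOWED_CHILDREN[parent]:
        label = "shell-from-office" if name in SHELLS else "unexpected-child"
        findings.append(f"{label}: {parent} -> {name}")
    return findings


def scan(events: list[ProcessEvent]) -> dict[str, list[str]]:
    """Map each image path that produced findings to its findings."""
    report = {}
    for ev in events:
        findings = check_event(ev)
        if findings:
            report[ev.image] = findings
    return report


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\rundll32.exe", "RUNDLL32.EXE",
                 r"C:\Windows\System32\svchost.exe"),
    ProcessEvent(r"C:\Users\alice\AppData\Local\Temp\update.exe", "RUNDLL32.EXE",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "Cmd.Exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcessEvent(r"C:\Windows\Temp\certutil.exe", "CertUtil.exe",
                 r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for image, findings in scan(SAMPLE_EVENTS).items():
        print(image)
        for finding in findings:
            print("    ", finding)
```

The OriginalFileName comparison is the check that survives a rename: the attacker controls the file name on disk but rarely rewrites the version resource inside the PE, so the mismatch on the second sample event is visible even though nothing called rundll32.exe ever ran. The path and parent/child checks are only as good as the baseline you feed them, which is why the example keeps the allow-lists as data rather than hard-coding them into the logic.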
Name: Space after Filename
OS: macOS
Usage: To disguise malicious payloads
Adversaries can hide the true type of a file by changing its extension. For certain file types (this does not work with .app bundles, for example), appending a space to the end of the filename changes how the file is processed by the operating system. MITRE documents this behavior for macOS, where the examples below are Mach-O binaries.
For example, if there is an executable file called evil.bin, double clicking it executes it. If the file is renamed to evil.txt, double clicking it opens it in the default text editor rather than executing the binary. However, if the file is renamed to evil.txt  (note the trailing space), the OS no longer honors the extension, determines the true file type itself, and executes the binary when it is double clicked.
Adversaries can use this behavior to trick users into double clicking benign-looking files of any apparent format and ultimately executing something malicious.
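As an added example (my own code, not part of the original post), the checks below cover the two filename masquerades described above, Right-to-Left Override and Space after Filename. rendered_name() models what a file manager shows for a name containing U+202E (the text after the override is drawn reversed until U+202C or the end of the name); real_extension() gives the extension the OS will actually act on, and returns an empty string when trailing whitespace means the extension is ignored. The bidi model is a simplification of the full Unicode bidirectional algorithm that is accurate for ASCII payload names, and the extension list and sample names are constructed for the example.

```python
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202c"  # POP DIRECTIONAL FORMATTING, ends an override

# Unicode bidi controls that can reorder or hide parts of a rendered name.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}

# Extensions whose double-click handler executes the file (constructed list;
# .bin is included because the macOS example in the text is a Mach-O binary).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "ps1", "vbs",
                   "js", "jse", "wsf", "hta", "msi", "dll", "lnk", "bin"}


def rendered_name(name: str) -> str:
    """Approximate what the user sees: text after U+202E is shown reversed until
    U+202C or the end of the string; other bidi controls are invisible."""
    out, i, n = [], 0, len(name)
    while i < n:
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            end = n if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def real_extension(name: str) -> str:
    """Extension the OS acts on: bidi controls removed; trailing whitespace means
    the extension is not honored at all (type is decided from file contents)."""
    clean = "".join(c for c in name if c not in BIDI_CONTROLS)
    if clean != clean.rstrip():
        return ""
    return clean.rsplit(".", 1)[1].lower() if "." in clean else ""


def apparent_extension(name: str) -> str:
    """Extension as it appears to the user in the rendered name."""
    shown = rendered_name(name).rstrip()
    return shown.rsplit(".", 1)[1].lower() if "." in shown else ""


def check_filename(name: str) -> list[str]:
    """Return findings for one filename; an empty list means nothing suspicious."""
    findings = []
    if any(c in BIDI_CONTROLS for c in name):
        findings.append(f"bidi-override: displayed as {rendered_name(name)!r}, "
                        f"actual extension .{real_extension(name) or '(none)'}")
    if name != name.rstrip():
        findings.append("trailing-whitespace: extension ignored, type decided by contents")
    real, shown = real_extension(name), apparent_extension(name)
    if real in EXECUTABLE_EXTS and shown != real:
        findings.append(f"extension-mismatch: looks like .{shown} but is .{real}")
    return findings


# Constructed sample names, including the two from the text.
SAMPLE_NAMES = ["March 25 \u202excod.scr", "evil.txt ", "evil.bin", "report.docx"]

if __name__ == "__main__":
    for sample in SAMPLE_NAMES:
        print(repr(sample), check_filename(sample) or "ok")
```

Two practical notes: log pipelines and file listings often strip or normalize control characters, so run this on the raw name (e.g. the attachment filename from the mail header, or the NTFS name from a directory listing) rather than on a rendered field; and because a trailing space is invisible in most UIs, the trailing-whitespace finding is worth raising on its own even when the extension looks harmless.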
Name: Registry Run Keys / Startup Folder
Usage: To obtain persistence on Windows systems
Adversaries can achieve persistence by adding a program to a startup folder or referencing it from a Registry “run key”. An entry in a run key or startup folder causes the program to execute when a user logs in. These programs run in that user’s context and inherit the user’s level of permissions.
Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is:
The startup folder path for all users is
The following run keys are created by default on Windows systems:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx key is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.
For example, it is possible to load a DLL at logon using a “Depend” key under RunOnceEx (the dotted path is defanged in the example):
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll"
The following Registry keys can be used to redirect the startup folder locations, and so to set startup folder items for persistence:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
The following Registry keys can control automatic startup of services during boot:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
These RunServices keys date from Windows 9x; NT-based Windows does not process them, so on a modern system an entry here is worth a look precisely because legitimate software has no reason to create one.
Using policy settings to specify startup programs creates corresponding values in either of two Registry keys:
The Winlogon key controls actions that occur when a user logs on to a computer running Windows 7 and later. Most of these actions are under the control of the operating system, but custom actions can be added here too. The Userinit and Shell values under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon can automatically launch programs: Userinit normally holds only userinit.exe and Shell only explorer.exe, so any extra, comma-separated entry is a persistence candidate.
Programs listed in the load value of the following Registry key run when a user logs on:
By default, the multistring BootExecute value of the registry key
is set to autocheck autochk *. This value causes Windows to check the file-system integrity of the disks at start-up if the system was shut down abnormally. Adversaries can add other programs to this value, and they will be launched automatically at boot, before any user logs on.
Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading Techniques to make the Registry entries look as if they are associated with legitimate programs.
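The block below is an added example (my own code, not CounterCraft’s) that audits the autostart locations listed above: Run/RunOnce values, RunOnceEx Depend DLLs, the Winlogon Userinit and Shell values, the Session Manager BootExecute value, and the User Shell Folders Startup redirections. The pure function audit_entry() works on (key, value name, data) triples so it runs anywhere on constructed input; collect_live() is Windows-only and reads the four default run keys via the standard-library winreg module so the same audit can be pointed at a real host. The expected defaults are the standard Windows values; the suspicious-directory pattern and the sample entries are constructed for the example.

```python
import ntpath
import re

# Known Windows defaults for the values discussed in the text (lower-case).
# Any deviation from these is reported as a finding.
DEFAULTS = {
    (r"hklm\software\microsoft\windows nt\currentversion\winlogon", "shell"):
        "explorer.exe",
    (r"hklm\software\microsoft\windows nt\currentversion\winlogon", "userinit"):
        r"c:\windows\system32\userinit.exe,",
    (r"hklm\system\currentcontrolset\control\session manager", "bootexecute"):
        "autocheck autochk *",
    (r"hkcu\software\microsoft\windows\currentversion\explorer\user shell folders", "startup"):
        r"%userprofile%\appdata\roaming\microsoft\windows\start menu\programs\startup",
    (r"hklm\software\microsoft\windows\currentversion\explorer\user shell folders", "common startup"):
        r"%programdata%\microsoft\windows\start menu\programs\startup",
}

# Directories from which a legitimate autorun entry rarely runs (constructed pattern).
SUSPICIOUS_DIRS = re.compile(
    r"(\\temp\\|\\appdata\\local\\temp\\|\\users\\public\\|\\downloads\\|"
    r"\\programdata\\(?!microsoft\\)|%temp%)", re.I)

NON_EXE_PAYLOAD = re.compile(r"\.(dll|scr|hta|vbs|js|ps1|bat|cmd)$", re.I)


def executable_from_command(data: str) -> str:
    """Pull the program path out of a Run value: a quoted path or the first token;
    for rundll32 entries return the DLL that will actually be loaded."""
    d = data.strip()
    m = re.match(r'"([^"]+)"', d)
    exe = m.group(1) if m else d.split(" ")[0]
    if ntpath.basename(exe).lower() == "rundll32.exe":
        rest = d[m.end():].strip() if m else d[len(exe):].strip()
        exe = rest.split(",")[0].strip('" ')
    return exe


def audit_entry(key: str, name: str, data: str) -> list[str]:
    """Return findings for one registry value; empty list means it looks normal."""
    k, n = key.lower(), name.lower()
    findings = []
    default = DEFAULTS.get((k, n))
    if default is not None:
        if data.strip().lower() != default:
            findings.append(f"default-changed: {name} = {data!r} (expected {default!r})")
        return findings
    target = executable_from_command(data).lower()
    in_runoncex_depend = "\\runonceex\\" in k and k.endswith("\\depend")
    if in_runoncex_depend:
        findings.append(f"runoncex-depend: DLL {target} loaded at logon")
    if SUSPICIOUS_DIRS.search(target):
        findings.append(f"suspicious-location: {name} -> {target}")
    if NON_EXE_PAYLOAD.search(target) and not in_runoncex_depend:
        findings.append(f"non-exe-payload: {name} -> {target}")
    return findings


def audit(entries) -> dict:
    """Map (key, value name) to findings for every entry that produced any."""
    report = {}
    for key, name, data in entries:
        findings = audit_entry(key, name, data)
        if findings:
            report[(key, name)] = findings
    return report


def collect_live() -> list:
    """Windows only: read the four default Run/RunOnce keys with winreg."""
    import winreg  # standard library, but present only on Windows
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    entries = []
    for hive, root in hives.items():
        for sub in ("Run", "RunOnce"):
            path = r"Software\Microsoft\Windows\CurrentVersion" + "\\" + sub
            try:
                with winreg.OpenKey(root, path) as h:
                    i = 0
                    while True:
                        try:
                            name, data, _ = winreg.EnumValue(h, i)
                        except OSError:
                            break
                        entries.append((f"{hive}\\{path}", name, str(data)))
                        i += 1
            except OSError:
                continue  # key absent or access denied
    return entries


# Constructed sample entries (not taken from a real host).
SAMPLE_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r'"C:\Users\alice\AppData\Local\Temp\svchost.exe" -s'),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend", "1",
     r"C:\temp\evil.dll"),
    (r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit",
     r"C:\Windows\system32\userinit.exe,C:\ProgramData\sync\sync.exe"),
    (r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "explorer.exe"),
    (r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager", "BootExecute",
     r"autocheck autochk * C:\Windows\Temp\chk.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders", "Startup",
     r"C:\Users\Public\Libraries\start"),
]

if __name__ == "__main__":
    for (key, name), findings in audit(SAMPLE_ENTRIES).items():
        print(f"{key}\\{name}")
        for finding in findings:
            print("    ", finding)
```

The value of splitting the audit from the collection is that the same rules can be applied to a registry hive exported from a disk image, to a deception host’s event stream, or to a live system, and that the expected defaults stay in one table you can extend (the Policies\Explorer\Run keys and the Winlogon load value mentioned in the text would go there too). Note that masquerading applies to the value name as much as to the path: “OneDrive” pointing at a binary in Temp is exactly the pattern the suspicious-location check is there to catch.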
So there you have it, five of the coolest TTPs for autumn. This isn’t just blatant clickbait though: as we continue to increase CounterCraft coverage of unusual or potentially malicious activity, we will publish more blogs explaining what we’re doing and how it expands your detection capabilities, both from the MITRE ATT&CK framework and from CounterCraft threat intel research.
Richard Barrell is the Product Manager at CounterCraft, as well as managing projects in the Government sector. You can find him on LinkedIn.