At CounterCraft, we talk a lot about the TTPs our platform can detect and classify, and how we are pioneering the integration of the Mitre ATT&CK TTP classification framework. If you work with Mitre ATT&CK, you’ve probably seen the matrix thousands of times, but have you ever really taken a look at the more niche, yet still-high-risk TTPs?
In this article, we go one step further to describe some of the more interesting TTPs you can detect using our deception-powered threat intel technology. Read on to get a detailed view of these lesser-known attack mechanisms.
TTPs help classify attacker behavior, and are an extremely useful tool in attacker profiling. They provide context to the activity and to help massively in standardizing the threat intelligence we create and share.
CounterCraft has an extensive TTP library, to which each of these TTPs have been added. They are continually being expanded based on findings from open-source threat intel and data from our own in-house deception deployments, investigation and research.
Let’s start things off with a very special TTP: T9001. You won’t find this on the MITRE ATT&CK framework as it’s one of a growing number of CounterCraft specific TTPs created by our threat intel team:
CounterCraft T9001
Name: Suspicious Process
OS: Windows
Usage: Creating new processes that are out of the ordinary or outside the usual scope of operation.
Overview:
Having new processes is something normal in a running OS, and there is no fixed rule to detect what is ‘good-ware’ and what is not. Adversaries can use several techniques to hide their presence, from root-kit techniques to the use of common names to confuse the user/analyst.
This TTP is triggered by uncommon processes launched, based on the common behavior and relation between processes, and between processes and file paths and names.
T9001 serves as a way of identifying suspicious or unusual behavior that isn’t classified as an official ATT&CK TTP, but which may indicate attacker attactivity.
T9001 is just one of a series of CounterCraft TTPs related to activity within a deception environment that may be specific to deception deployments or new and recently discovered behavior patterns.
Examples:
To-date T9001 contains 25 definitions of suspicious process including
- Potential code injection / shellcode executions
- Fingerprints of MetaSploit activity
- Use of specific tools
…and more. The detection criteria are based on EQL queries of event data from the deception environment, and no, we’re not going to share the queries we use – we don’t want to give the game away!
There are over 290 TTPs currently in the ATT&CK framework. The following section will highlight some of the TTPs that our Threat Analysis team have selected to highlight lesser-known TTPS with some cool use cases. To continue, let’s look at some of the Mitre ATT&CK TTPS.
ATT&CK T1036.002
Name: Right-to-Left Override
OS: Windows
Use: To disguise malicious payloads, especially in spear phishing attacks
Overview:
Adversaries may use the right-to-left override (RTLO or RLO) character (U+202E) as a means of tricking a user into executing what they think is a benign file type but is actually executable code. RTLO is a non-printing character that causes the text that follows it to be displayed in reverse.
Examples:
A payload that in reality is a Windows screensaver executable named March 25 \u202Excod.scr will display as March 25 rcs.docx.
In the same way a JavaScript file named photo_high_re\u202Egnp.js will display as photo_high_resj.png.
This technique is commonly used with spear phishing attacks since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.
The RTLO technique can also be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe, by default, does not.
ATT&CK T1036.003
Name: Rename System Utilities
OS: Windows – Linux
Usage: To bypass security systems
Overview:
Legitimate system utilities can be renamed by an adversary to evade security mechanisms targeted to protect them.
Examples:
By renaming a utility it is possible to bypass security mechanisms designed to protect it specifically (often by name) prior to using the utility (e.g. renaming rundll32.exe before exploiting it).
An alternative use-case is achieved by copying or moving a legitimate utility to a different directory and renamed to avoid detection based on system utilities executing from non-standard paths.
ATT&CK T1036.006
Name: Space after Filename
OS: Linux
Usage: To disguise malicious payloads
Overview:
Adversaries can hide the true file type of a program by changing the file extension. With certain file types (excluding, for example, .app extensions), by adding a space to the end of a filename, it will change how the file is processed by the operating system.
Examples:
For example, if there is an executable file called [evil.bin], when it is double clicked by a user, it will execute. If this file is renamed to [evil.txt], when it is double clicked by a user, it will launch with the default text editing application (not executing the binary).
However, if the file is renamed to [evil.txt ] (note the space at the end), when it’s double clicked by a user, the true file type is determined by the OS and the binary will be executed.
Adversaries can use this feature to trick users into double clicking benign-looking files of any format and ultimately executing something malicious.
ATT&CK T1137.001
Name: Registry Run Keys / Startup Folder
OS: Windows
Usage: To obtain persistence on Windows systems
Overview:
Adversaries can achieve persistence by adding a program to a startup folder or referencing it with a Registry “run key”. Adding an entry to the “run keys” in the Registry or startup folder will execute the program when a user logs in. These programs run under the user context and inherit the level of permissions associated with that user.
Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is:
C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
The startup folder path for all users is
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
The following run keys are created by default on Windows systems:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx key is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.
For example, it is possible to load a DLL at logon using a “Depend” key with RunOnceEx:
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend
/v 1 /d "C:\temp\evil[.]dll
The following Registry keys can be used to set startup folder items for persistence:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
The following Registry keys can control automatic startup of services during boot:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
Using policy settings to specify startup programs creates corresponding values in either of two Registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
The Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows_NT\CurrentVersion\Winlogon\Userinit and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows_NT\CurrentVersion\Winlogon\Shell subkeys can automatically launch programs.
Programs listed in the load value of following the registry key run when any user logs on:
HKEY_CURRENT_USER\Software\Microsoft\Windows_NT\CurrentVersion\Windows
By default, the multistring BootExecute value of the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
is set to autocheck autochk *. This value causes Windows to check the file-system integrity of the hard disks on start-up if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.
Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading Techniques to make the Registry entries look as if they are associated with legitimate programs.
Next Steps
So there you have it, five of the coolest TTPS for autumn. This isn’t just blatant clickbait though— as we continue to increase CounterCraft coverage of unusual or potentially malicious activity, we will publish more blogs to explain what we’re doing and how it expands your detection capabilities, both from the Mitre ATT&CK framework but also from CounterCraft threat intel research.
Richard Barrell is the Product Manager at CounterCraft, as well as managing projects in the Government sector. You can find him on LinkedIn.