MITRE Corporation's ATT&CK It's a valuable trove of information for security analysts, threat hunters and incident response teams. Today, I'm going to look at a particular method for evading detection, often used in conjunction with maintaining persistence, which has been abused by recent malware: hiding within the Windows registry.

Adversaries are always looking for ways to evade detection and maintain persistence. Techniques are spread across multiple tactics, with Defense Evasion and Persistence being two of the larger tactics by the number of linked techniques. Defense evasion characterizes techniques which adversaries use to avoid detection and defenses. Persistence characterizes techniques that allow an adversary to maintain a presence on a system through interruptions such as system reboots, loss of credentials or malware removal tools. According to Verizon's 2018 Data Breach Investigations Report, "68% of breaches took months or longer to discover." These two tactics often go hand in hand.

Adversaries have been known to add malicious registry entries to various Windows configuration locations such as HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run in order to maintain persistence through system reboots. Registry entries in this location will execute when the computer reboots or a user logs in, and these entries often masquerade as legitimate entries (Masquerading, a hide-in-plain-sight technique) to prevent detection. More recently, we've seen examples of malicious registry entries hiding rather than masquerading. For example, the ad-fraud Kovter hides persistence-enabling code in the registry by prepending entry names with a null byte in order to make detection, analysis and removal difficult. This is an old trick that has seen renewed use. An old version of the "Tips and Trivia" page at Sysinternals suggests how this is possible:

Additionally, Poweliks is another ad-fraud Trojan that hides in the registry using similar mechanisms.
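As an added illustration, not code from the original post, here is a defender-side check for the null-byte naming trick described above: the Win32 registry API treats value names as NUL-terminated strings, so a name that begins with a null byte is reported as empty, whereas the native NtEnumerateValueKey call returns counted UNICODE_STRINGs and exposes the full name. The enumeration helper assumes Windows and ntdll; the classifier is pure Python, runs on constructed sample names, and also flags other non-printable characters, which goes slightly beyond the page's null-byte case.

```python
import ctypes
import sys

# Constructed sample of value names as the native API returns them (counted
# strings, so a leading NUL survives); not taken from any real system.
SAMPLE_VALUE_NAMES = ["SecurityHealth", "OneDrive", "\x00a9d3f1",
                      "Updater\x00\x00", "\u200bsvchost"]

def win32_view(name):
    """What RegEnumValue/regedit report: the name truncated at the first NUL."""
    return name.split("\x00", 1)[0]

def classify_value_name(name):
    """Return a reason string if the name is hidden or misreported, else None."""
    if "\x00" in name:
        return "embedded NUL: Win32 API sees %r" % win32_view(name)
    if any(not ch.isprintable() for ch in name):
        return "non-printable characters in name"
    return None

def find_hidden_names(names):
    """Reduce a list of counted value names to (name, reason) pairs worth review."""
    return [(n, classify_value_name(n)) for n in names if classify_value_name(n)]

def enumerate_value_names_nt(subkey, hive_name="HKEY_LOCAL_MACHINE"):
    """Windows only: value names under <hive>\\<subkey> via NtEnumerateValueKey,
    which returns counted UNICODE_STRINGs rather than NUL-terminated names."""
    if sys.platform != "win32":
        raise OSError("requires Windows")
    import winreg
    nt = ctypes.windll.ntdll
    nt.NtEnumerateValueKey.restype = ctypes.c_ulong      # NTSTATUS as unsigned
    STATUS_NO_MORE_ENTRIES = 0x8000001A
    buf, needed, names = ctypes.create_string_buffer(4096), ctypes.c_ulong(), []
    with winreg.OpenKey(getattr(winreg, hive_name), subkey) as key:
        index = 0
        while True:   # information class 0 = KeyValueBasicInformation
            status = nt.NtEnumerateValueKey(ctypes.c_void_p(key.handle), index, 0,
                                            buf, len(buf), ctypes.byref(needed))
            if status == STATUS_NO_MORE_ENTRIES:
                break
            if status != 0:
                raise OSError("NtEnumerateValueKey failed: 0x%08X" % status)
            name_len = ctypes.c_ulong.from_buffer(buf, 8).value   # NameLength field
            names.append(buf.raw[12:12 + name_len].decode("utf-16-le"))  # Name field
            index += 1
    return names

if __name__ == "__main__":   # on Windows scan the Run key, elsewhere use the sample
    src = enumerate_value_names_nt(r"Software\Microsoft\Windows\CurrentVersion\Run") if sys.platform == "win32" else SAMPLE_VALUE_NAMES
    print(find_hidden_names(src))
```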