Samir Bousseaden

Unveiling malware behavior trends

Analyzing a Windows dataset of over 100,000 malicious files

Unveiling malware behavior trends

Preamble

When prioritizing detection engineering efforts, it's essential to understand the most prevalent tactics, techniques, and procedures (TTPs) observed in the wild. This knowledge helps defenders make informed decisions about the most effective strategies to implement - especially where to focus engineering efforts and finite resources.

To highlight these prevalent TTPs, we analyzed over 100,000 Windows malware samples extracted over several months from one of our dynamic malware analysis tools, Detonate. To generate this data and alerts, we leveraged Elastic Defend behavior (mapped to MITRE ATT&CK) and memory threat detection rules. It should be noted that this dataset is not exhaustive, it may not represent the entire spectrum of malware behavior, and specifically does not include long-term or interactive activity.

Below an ES|QL query to summarize our dataset by file type:

Dataset by extension - 20 unique file types
Dataset by extension - 20 unique file types

Tactics

Beginning with tactics, we aggregated the alerts generated by this corpus of malware samples and organized them according to the counts of process.entity_id and alerts. As depicted in the image below, the most frequent tactics included defense evasion, privilege escalation, execution, and persistence. Certain tactics commonly linked with post-exploitation activities, such as lateral movement, provided an anticipated lower prevalence because these actions are commonly manually driven by the threat actor after the initial implant is established vs. being automated by the malware in our dataset.

Tactics by volume
Tactics by volume

In the following sections, we will delve into each tactic and the techniques and sub-techniques of each that exerted the most influence.

Defense Evasion

Defense Evasion involves methods employed by adversaries to avoid detection by security teams or capabilities. The foremost tactic detected was defense evasion, triggering 189 distinct detection rules (nearly 40% of our current Windows rules). The primary techniques noted are associated with code injection, defense tampering, masquerading, and system binary proxy execution.

Top observed defense evasion techniques
Top observed defense evasion techniques

When we pivot by sub-techniques, it becomes evident that certain advanced techniques such as DLL side-loading and Parent PID Spoofing have become increasingly popular, even among non-targeted malwares. Both are frequently linked with code injection and masquerading.

Furthermore, system binary proxies Rundll32 and Regsvr32 remain highly abused, with a notable rise in the utilization of malicious MSI installers for malware delivery. The practice of masquerading as legitimate system binaries, whether through renaming or process hollowing, remains prevalent as well, serving as a means to evade user suspicion.

Top observed defense evasion sub-techniques
Top observed defense evasion sub-techniques

Tampering with Windows Defender stands out as the most frequently observed defense evasion tactic, emphasizing the importance for defenders to acknowledge that adversaries will attempt to obscure their activities.

Process Injection is prevalent across various malware families, whether they target legitimate system binaries remotely to blend in or employ self-injection (sometimes paired with DLL side-loading through a trusted binary). Furthermore, there is a noticeable uptick in the use of NTDLL unhooking to bypass security solutions reliant on user-mode APIs monitoring (Elastic Defend is not impacted).

The most effective endpoint behavior rules for defense evasion
The most effective endpoint behavior rules for defense evasion

From our shellcode alerts we can clearly see that self-injection is more prevalent than remote:

Shellcode alerts volume by infection target type (local vs remote)
Shellcode alerts volume by infection target type (local vs remote)

Almost 50 unique vendors’ binaries abused for DLL side-loading, of which Microsoft is the top choice:

DLL side-load by host process code signature subject name
DLL side-load by host process code signature subject name

Defense evasion comprises various techniques and sub-techniques necessitating comprehensive coverage due to their frequent occurrence. For instance, apart from memory threat protection, half of our rules are specifically tailored to address this tactic.

Privilege Escalation

This tactic consists of techniques that adversaries use to gain greater permissions on a system or network. The most commonly used techniques relate to access token manipulation, execution through privileged system services, and bypassing User Account Control.

Privilege escalation techniques observed in the dataset
Privilege escalation techniques observed in the dataset

The most frequently observed sub-technique involved impersonation as the Trusted Installer service, which aligns closely with defense evasion and often precedes attempts to manipulate system-protected resources.

Concerning User Account Control bypass, the primary method we observed was elevation by mimicking trusted directories, which is also related to DLL side-loading. Additionally, other methods like elevation via extended startupinfo (elevated parent PID spoofing) are increasingly prevalent among commodity malware.

Privilege escalation top observed sub-techniques
Privilege escalation top observed sub-techniques

As evident from the list below, there's a notable rise in the use of vulnerable drivers (BYOVD) to manipulate protected objects and acquire kernel mode execution privileges.

The most effective endpoint behavior rules for privilege escalation
The most effective endpoint behavior rules for privilege escalation

Below, you'll find a list of the most commonly exploited drivers triggered by our YARA rules:

Top triggered yara rules for vulnerable drivers detection
Top triggered yara rules for vulnerable drivers detection

Execution

Execution encompasses methods that lead to running adversary-controlled code on a local or remote system. These techniques are frequently combined with methods from other tactics to accomplish broader objectives, such as network reconnaissance or data theft.

The most common techniques observed here involved Windows command and scripting languages, with the proxying of execution via the Windows Management Instrumentation (WMI) interface closely trailing behind.

Execution techniques observed in our dataset
Execution techniques observed in our dataset

Powershell remains a preferred scripting language for malware execution chains, followed by Javascript and VBscript. Multi-stage malware delivery routinely involves a combination of two or more scripting languages.

Execution top observed sub-techniques
Execution top observed sub-techniques

Here is a list of the most frequently triggered endpoint behavior detections for this tactic:

Frequently triggered execution detections
Frequently triggered execution detections

Windows' default scripting languages remain the top preference for malware execution. However, there has been a slight uptick in the shift towards using other third-party scripting interpreters like Python, AutoIt, Java and Lua.

Persistence

It's common for malware to install itself on an infected host. No surprises here: the most frequently observed persistence methods include scheduled tasks, the run key and startup folder, and Windows services (which typically require administrator privileges).

Top observed sub-techniques for persistence
Top observed sub-techniques for persistence

The top three persistence sub-techniques depicted in the list below are also commonly encountered in regular software installations. Therefore, it's necessary to dissect them into multiple detections with additional suspicious signals to reduce false positives and enhance precision.

Top triggered alerts for persistence
Top triggered alerts for persistence

Initial Access

Considering the dataset's composition, initial access was associated with primarily macro-enabled documents and Windows shortcut objects. Although a significant portion of the detonated samples also involved other formats, such as ISO/VHD containers with MSI installers extensively utilized for delivery, their genuine malicious behavior typically manifests in areas such as defense evasion and persistence.

Top sub-techniques for initial access
Top sub-techniques for initial access

The most frequently abused Microsoft-signed binaries originating from malicious Microsoft Office documents align closely with execution and defense evasion tactics, command and scripting interpreters, and system binary proxy execution.

Top spawned child processes from malicious office documents
Top spawned child processes from malicious office documents

Here is a list of the most frequently triggered detections for initial access, regarding phishing attachments:

Top triggered rules for initial access via malicious attachments
Top triggered rules for initial access via malicious attachments

Credential Access

Credential access in malware is frequently linked to information stealers. The most targeted credentials are typically associated with Windows Credential Manager and browser password stores. Domain and system-protected credentials require elevated privileges and are more likely a feature of a subsequent stage.

Top observed credential access sub-techniques
Top observed credential access sub-techniques

Below a breakdown of the endpoint behavior detections that triggered the most on credentials access:

Frequently triggered credential access-related detection rules
Frequently triggered credential access-related detection rules

The majority of credentials access behaviors resemble typical file access events. Therefore, it's essential to correlate and enrich them with additional signals to reduce false positives and enhance comprehension.

Conclusion

Even though this small dataset of about 100,000 malware samples represents only a fraction of the possible malware in the wild right now, we can still derive important insights from it about the most common TTPs using our behavioral detections. Those insights help us make decisions about detection engineering priorities, and defenders should make that part of their strategies.