MITRE ATT&CK Framework

Implementing the MITRE ATT&CK Framework

Post credit: Austin Miller

I recently attended a conference concerning the implementation of the MITRE ATT&CK framework and something became very clear to me – it’s all well and good understanding what it is, but how easy is it to actually implement the framework in the average cybersecurity day-to-day workflow? It is easy to browse the content, but is it as easy to use it effectively to build solid defenses?

Turning the MITRE ATT&CK framework from theory into practice is difficult, especially for organizations that are still in the process of building their security infrastructure. That’s why the SecPro team will be looking at how to implement simple solutions to the problems that the framework brings up.

Of course, we can’t examine every single entry. Instead, I’ll be referring to The Red Report by Picus Security, the latest update in their research on adversarial techniques, tactics, and procedures (TTPs). You can read the report yourself here or eagerly await the weekly edition of SecPro.


MITRE ATT&CK Framework: T1497 – Virtualization/Sandbox Evasion

To build an effective security posture, you need to understand how the adversary gets past the defenses in your arsenal. But a recent trend in malware creation is causing security researchers a real headache – evasive behaviour that detects the virtual machine or sandbox a researcher set up to analyze a sample safely, and then hides or escapes from it.

How does the adversary evade virtualization/sandboxing in MITRE ATT&CK Framework?

There are many ways for the adversary to evade or even escape virtualization, but the most common techniques involve:

  • T1497.001 – Using system checks to look for artifacts that show the system is actually running in a virtual machine. The telltale signs the software hunts for differ from malware to malware. For example:
  1. Malware A might check for known virtualization MAC addresses such as 08:00:27 for VirtualBox, 00:05:69 for VMware, and 00:1:42 for Parallels.
  2. Malware B might check for attached audio devices, as sandboxes are rarely configured with one.
  3. Malware C might examine the directories, as virtualization software will usually leave behind folders such as ~oracle or ~VMWare.
  • T1497.002 – A lot can be understood about the way someone uses a computer, so user-activity-based checks are a clear way for the adversary to
  1. Malware A might check for empty folders, which indicate that this system is not a production unit.
  2. Malware B will check network traffic for suspiciously low levels of data movement; high uptime but low network traffic is an easy giveaway.
  3. Malware C may not trigger until the user has scrolled to a specific part of a document or website, meaning that the malicious processes will not launch for analysis when the file is loaded into the sandbox.
  • T1497.003 – Time-based evasion is a less common method, but it has been observed in the ransomware created by the REvil gang. To avoid analysis, the following command runs whenever REvil ransomware executes:
ping 127.0.0.1 -n 5693 > nul
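The system checks under T1497.001 cut both ways: a researcher can run the same checks against their own analysis VM to see which artifacts a sample would find. The script below is an added example, not code from the article, MITRE or Picus. It takes the MAC addresses, audio devices and top-level directory names of a research VM (constructed sample data here, not read from a real machine) and reports the telltale signs the article lists. It uses the article's VirtualBox and VMware OUI prefixes and 00:1C:42 for Parallels (the registered Parallels OUI; the article prints it as 00:1:42); the extra directory markers beyond ~oracle and ~VMWare are my assumption.

```python
"""Self-audit of an analysis VM for the T1497.001 artifacts listed above.

Added example; it is not code from the article, MITRE or Picus. Inputs are
constructed sample data.
"""
from dataclasses import dataclass

# OUI prefixes from the article. 00:1C:42 is the registered Parallels OUI
# (shown as 00:1:42 in the article). Comparison is on the first three octets.
VM_MAC_PREFIXES = {
    "08:00:27": "VirtualBox",
    "00:05:69": "VMware",
    "00:1C:42": "Parallels",
}

# Directory-name fragments left behind by guest tooling. The article's
# examples are ~oracle and ~VMWare; the other two entries are an assumption.
VM_DIR_MARKERS = ("oracle", "vmware", "virtualbox", "parallels")


@dataclass
class Finding:
    subtechnique: str
    artifact: str
    detail: str


def normalize_mac(mac):
    """Accept 00-1c-42-... or 00:1c:42:... and return upper-case colon form."""
    digits = mac.replace("-", "").replace(":", "").upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit_vm_artifacts(macs, audio_devices, directories):
    """Return the artifacts that give the VM away, in input order."""
    findings = []
    for mac in macs:
        norm = normalize_mac(mac)
        vendor = VM_MAC_PREFIXES.get(norm[:8])
        if vendor is not None:
            findings.append(Finding("T1497.001", "mac_oui", f"{norm} is a {vendor} address"))
    # Sandboxes are rarely given a sound card, so an empty device list is itself a tell.
    if not audio_devices:
        findings.append(Finding("T1497.001", "no_audio_device", "no audio device attached"))
    for directory in directories:
        name = directory.strip("~/\\").lower()
        if any(marker in name for marker in VM_DIR_MARKERS):
            findings.append(Finding("T1497.001", "vm_directory", directory))
    return findings


# Constructed sample: one VirtualBox NIC, no sound card, a VMware guest folder.
SAMPLE_MACS = ["08-00-27-3a-9f-01", "de:ad:be:ef:00:01"]
SAMPLE_AUDIO = []
SAMPLE_DIRS = ["~VMWare", "Users", "Windows"]

if __name__ == "__main__":
    for f in audit_vm_artifacts(SAMPLE_MACS, SAMPLE_AUDIO, SAMPLE_DIRS):
        print(f"{f.subtechnique} {f.artifact}: {f.detail}")
```

Each finding is something to change before detonating a sample: assign the NIC a non-vendor MAC, attach a virtual sound device, and rename or hide the guest-tooling directories. The check list is deliberately small; real samples look at many more artifacts, so treat an empty report as "nothing obvious", not as "undetectable".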

By pinging the loopback address, the malware avoids the automated malware analysis built into many modern security tools, which typically only observe a sample for a limited time. In the above command, execution is delayed for 5693 seconds (or 94 minutes), one echo request per second.

In addition to the MITRE ATT&CK framework’s explanation of how malware evades detection, Apriorit identified an additional TTP: data obfuscation. By changing DNS names or encrypting API calls, sophisticated malware can trick a sandbox into not recognizing the malware and evade analysis.

Where can I find out more about malware evasion?

The MITRE ATT&CK virtualization/sandbox evasion page contains numerous examples of real-life malware and their evasion procedures. The rogue’s gallery contains big-name malware such as Darkhotel, RTM, and StoneDrill, with links to additional analysis and explanation of their specific evasion techniques.

Can I stop malware from escaping virtualization/sandboxes?

If you’re a budding security researcher and want to stop threat actors from evading your sandboxes, there are a few practices that improve your success rate.

  • Mimicking a non-virtualized, non-sandboxed environment. The adversary is smart and the malware knows to check for telltale signs that it is operating in a virtual environment. How do you get around this? Obviously, it is difficult to know the tactics, techniques, and procedures (TTPs) used by cybercriminals before you have analyzed their malware, but an educated guess can help you spoof certain conditions to make your virtualization believable.
  • For malware that is trying to evade and escape virtual environments, you must lock down your network. General best practices for malware analysis still apply – using a dedicated malware analysis system, air gapping if possible – and the MITRE ATT&CK framework also suggests collecting the following data sources for detection:
DS0017 | Command Execution
DS0009 | Process Execution | OS API Execution and Process Creation
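Process creation and command execution telemetry is exactly where the REvil delay trick described above (T1497.003) shows up. The following is an added example, not code from the article, MITRE or Picus: it scans constructed process-creation events (the JSON field names are an assumption, not a real log schema) for a ping to the loopback address with a large -n count, and estimates how long the command stalls, on the basis that Windows ping sends one echo request per second. The five-minute threshold is also an assumption.

```python
"""Detect REvil-style time-based evasion (T1497.003) in process-creation events.

Added example; not from the article, MITRE or Picus. Field names and
sample events are constructed.
"""
import json
import re

# Windows ping waits roughly one second between echo requests, so "-n N" stalls ~N seconds.
SECONDS_PER_ECHO = 1
# Assumption: a self-ping lasting over five minutes is not a connectivity check.
DELAY_THRESHOLD_SECONDS = 300

# "ping" or "ping.exe" at the start of the line or after whitespace, a quote or a path separator.
PING_RE = re.compile(r"(?:^|[\s\"\\/])ping(?:\.exe)?\b(?P<args>.*)", re.IGNORECASE)
COUNT_RE = re.compile(r"-n\s+(\d+)", re.IGNORECASE)
LOOPBACK_RE = re.compile(r"(?<![\w.:])(?:127\.0\.0\.1|localhost|::1)(?![\w.])", re.IGNORECASE)
NUL_REDIRECT_RE = re.compile(r">\s*nul\b", re.IGNORECASE)


def analyze_ping(command_line):
    """Return None if the command line does not run ping, otherwise a summary dict."""
    m = PING_RE.search(command_line)
    if m is None:
        return None
    args = m.group("args")
    count_match = COUNT_RE.search(args)
    count = int(count_match.group(1)) if count_match else 4  # Windows default is 4 echoes
    loopback = LOOPBACK_RE.search(args) is not None
    delay = count * SECONDS_PER_ECHO
    return {
        "loopback": loopback,
        "count": count,
        "estimated_delay_s": delay,
        "output_discarded": NUL_REDIRECT_RE.search(args) is not None,
        # The verdict rests on a long self-ping; "> nul" is consistent with it but not required.
        "suspicious": loopback and delay >= DELAY_THRESHOLD_SECONDS,
    }


def scan_process_events(jsonl_lines):
    """Parse newline-delimited JSON process-creation events and return alerts."""
    alerts = []
    for line in jsonl_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        summary = analyze_ping(event.get("command_line", ""))
        if summary and summary["suspicious"]:
            alerts.append({
                "technique": "T1497.003",
                "pid": event.get("pid"),
                "parent_image": event.get("parent_image"),
                "command_line": event["command_line"],
                "estimated_delay_s": summary["estimated_delay_s"],
            })
    return alerts


# Constructed sample events: one REvil-style delay, one ordinary ping, one short loopback check.
SAMPLE_EVENTS = [
    json.dumps({"pid": 4120, "parent_image": "C:\\Users\\analyst\\Desktop\\sample.exe",
                "image": "C:\\Windows\\System32\\cmd.exe",
                "command_line": "cmd.exe /c ping 127.0.0.1 -n 5693 > nul"}),
    json.dumps({"pid": 4121, "parent_image": "C:\\Windows\\explorer.exe",
                "image": "C:\\Windows\\System32\\PING.EXE",
                "command_line": "C:\\Windows\\System32\\PING.EXE -n 4 10.0.0.1"}),
    json.dumps({"pid": 4122, "parent_image": "C:\\Windows\\System32\\cmd.exe",
                "image": "C:\\Windows\\System32\\PING.EXE",
                "command_line": "ping localhost -n 2 > nul"}),
]

if __name__ == "__main__":
    for alert in scan_process_events(SAMPLE_EVENTS):
        print(f"[{alert['technique']}] pid={alert['pid']} parent={alert['parent_image']} "
              f"delay~{alert['estimated_delay_s']}s : {alert['command_line']}")
```

The parent image is carried into the alert because that is the useful pivot: a long loopback ping spawned by a freshly dropped executable is a very different thing from the same command typed by an administrator. The short loopback check in the third event stays below the threshold on purpose, since such pings are common in scripts and would otherwise drown the signal.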

Where can I find more about virtualization/sandbox evasion?

The following entries in the MITRE ATT&CK framework relate to offensive actions the adversary takes to evade virtualization/sandboxes:

If you would like to find out more about another company working on MITRE ATT&CK Framework sandbox evasion, here is a fantastic talk given by Francis Guibernau of Deloitte in 2020.
