TECHNIQUES

Priority Definition Planning

Assess current holdings, needs, and wants

Assess KITs/KIQs benefits

Assess leadership areas of interest

Assign KITs/KIQs into categories

Conduct cost/benefit analysis

Create implementation plan

Create strategic plan

Derive intelligence requirements

Develop KITs/KIQs

Generate analyst intelligence requirements

Identify analyst level gaps

Identify gap areas

Receive operator KITs/KIQs tasking

Priority Definition Direction

Assign KITs, KIQs, and/or intelligence requirements

Receive KITs/KIQs and determine requirements

Submit KITs, KIQs, and intelligence requirements

Task requirements

Target Selection

Determine approach/attack vector

Determine highest level tactical element

Determine operational element

Determine secondary level tactical element

Determine strategic target

Technical Information Gathering

Acquire OSINT data sets and information

Conduct active scanning

Conduct passive scanning

Conduct social engineering

Determine 3rd party infrastructure services

Determine domain and IP address space

Determine external network trust dependencies

Determine firmware version

Discover target logon/email address format

Enumerate client configurations

Enumerate externally facing software applications technologies, languages, and dependencies

Identify job postings and needs/gaps

Identify security defensive capabilities

Identify supply chains

Identify technology usage patterns

Identify web defensive services

Map network topology

Mine technical blogs/forums

Obtain domain/IP registration information

Spearphishing for Information

People Information Gathering

Acquire OSINT data sets and information

Aggregate individual's digital footprint

Conduct social engineering

Identify business relationships

Identify groups/roles

Identify job postings and needs/gaps

Identify people of interest

Identify personnel with an authority/privilege

Identify sensitive personnel information

Identify supply chains

Mine social media

Organizational Information Gathering

Acquire OSINT data sets and information

Conduct social engineering

Determine 3rd party infrastructure services

Determine centralization of IT management

Determine physical locations

Identify business processes/tempo

Identify business relationships

Identify job postings and needs/gaps

Identify supply chains

Obtain templates/branding materials

Technical Weakness Identification

Analyze application security posture

Analyze architecture and configuration posture

Analyze data collected

Analyze hardware/software security defensive capabilities

Analyze organizational skillsets and deficiencies

Identify vulnerabilities in third-party software libraries

Research relevant vulnerabilities/CVEs

Research visibility gap of security vendors

Test signature detection

People Weakness Identification

Analyze organizational skillsets and deficiencies

Analyze social and business relationships, interests, and affiliations

Assess targeting options

Organizational Weakness Identification

Analyze business processes

Analyze organizational skillsets and deficiencies

Analyze presence of outsourced capabilities

Assess opportunities created by business deals

Assess security posture of physical locations

Assess vulnerability of 3rd party vendors

Adversary OPSEC

Acquire and/or use 3rd party infrastructure services

Acquire and/or use 3rd party software services

Acquire or compromise 3rd party signing certificates

Anonymity services

Common, high volume protocols and software

Compromise 3rd party infrastructure to support delivery

Host-based hiding techniques

Misattributable credentials

Network-based hiding techniques

Non-traditional or less attributable payment options

Obfuscate infrastructure

Obfuscate operational infrastructure

Obfuscate or encrypt code

Obfuscation or cryptography

OS-vendor provided communication channels

Private whois services

Proxy/protocol relays

Secure and protect infrastructure

Establish & Maintain Infrastructure

Acquire and/or use 3rd party infrastructure services

Acquire and/or use 3rd party software services

Acquire or compromise 3rd party signing certificates

Buy domain name

Compromise 3rd party infrastructure to support delivery

Create backup infrastructure

Domain registration hijacking

Install and configure hardware, network, and systems

Obfuscate infrastructure

Obtain booter/stressor subscription

Procure required equipment and software

SSL certificate acquisition for domain

SSL certificate acquisition for trust breaking

Use multiple DNS infrastructures

Persona Development

Build social network persona

Choose pre-compromised mobile app developer account credentials or signing keys

Choose pre-compromised persona and affiliated accounts

Develop social network persona digital footprint

Friend/Follow/Connect to targets of interest

Obtain Apple iOS enterprise distribution key pair and certificate

Build Capabilities

Build and configure delivery systems

Build or acquire exploits

C2 protocol development

Compromise 3rd party or closed-source vulnerability/exploit information

Create custom payloads

Create infected removable media

Discover new exploits and monitor exploit-provider forums

Identify resources required to build capabilities

Obtain/re-use payloads

Post compromise tool development

Remote access tool development

Test Capabilities

Review logs and residual traces

Test ability to evade automated mobile application security analysis performed by app stores

Test callback functionality

Test malware in various execution environments

Test malware to evade detection

Test physical access

Test signature detection for file upload/email filters

Stage Capabilities

Disseminate removable media

Distribute malicious software development tools

Friend/Follow/Connect to targets of interest

Hardware or software supply chain implant

Port redirector

Upload, install, and configure software/tools

Drive-by Compromise

Exploit Public-Facing Application

External Remote Services

Hardware Additions

Spearphishing Attachment

Spearphishing Link

Spearphishing via Service

Replication Through Removable Media

Supply Chain Compromise

Compromise Software Dependencies and Development Tools

Compromise Software Supply Chain

Compromise Hardware Supply Chain

Trusted Relationship

Default Accounts

Domain Accounts

Command and Scripting Interpreter

Windows Command Shell

JavaScript/JScript

Exploitation for Client Execution

Inter-Process Communication

Component Object Model

Dynamic Data Exchange

Scheduled Task/Job

Software Deployment Tools

System Services

Service Execution

Windows Management Instrumentation

Account Manipulation

Additional Azure Service Principal Credentials

Exchange Email Delegate Permissions

Add Office 365 Global Administrator Role

SSH Authorized Keys

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Authentication Package

Winlogon Helper DLL

Security Support Provider

Kernel Modules and Extensions

Re-opened Applications

Shortcut Modification

Plist Modification

Boot or Logon Initialization Scripts

Logon Script (Windows)

Logon Script (Mac)

Network Logon Script

Browser Extensions

Compromise Client Software Binary

Create or Modify System Process

Systemd Service

Windows Service

Event Triggered Execution

Change Default File Association

Windows Management Instrumentation Event Subscription

.bash_profile and .bashrc

LC_LOAD_DYLIB Addition

Netsh Helper DLL

Accessibility Features

Application Shimming

Image File Execution Options Injection

PowerShell Profile

Component Object Model Hijacking

External Remote Services

Hijack Execution Flow

Services File Permissions Weakness

Executable Installer File Permissions Weakness

Services Registry Permissions Weakness

Path Interception by Unquoted Path

Path Interception by PATH Environment Variable

Path Interception by Search Order Hijacking

DLL Search Order Hijacking

DLL Side-Loading

Dylib Hijacking

Implant Container Image

Office Application Startup

Office Template Macros

Outlook Home Page

System Firmware

Component Firmware

Scheduled Task/Job

Server Software Component

SQL Stored Procedures

Transport Agent

Traffic Signaling

Default Accounts

Domain Accounts

Privilege Escalation

Abuse Elevation Control Mechanism

Setuid and Setgid

Bypass User Access Control

Sudo and Sudo Caching

Elevated Execution with Prompt

Access Token Manipulation

Token Impersonation/Theft

Create Process with Token

Make and Impersonate Token

Parent PID Spoofing

SID-History Injection

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Authentication Package

Winlogon Helper DLL

Security Support Provider

Kernel Modules and Extensions

Re-opened Applications

Shortcut Modification

Plist Modification

Boot or Logon Initialization Scripts

Logon Script (Windows)

Logon Script (Mac)

Network Logon Script

Create or Modify System Process

Systemd Service

Windows Service

Event Triggered Execution

Change Default File Association

Windows Management Instrumentation Event Subscription

.bash_profile and .bashrc

LC_LOAD_DYLIB Addition

Netsh Helper DLL

Accessibility Features

Application Shimming

Image File Execution Options Injection

PowerShell Profile

Component Object Model Hijacking

Exploitation for Privilege Escalation

Group Policy Modification

Hijack Execution Flow

Services File Permissions Weakness

Executable Installer File Permissions Weakness

Services Registry Permissions Weakness

Path Interception by Unquoted Path

Path Interception by PATH Environment Variable

Path Interception by Search Order Hijacking

DLL Search Order Hijacking

DLL Side-Loading

Dylib Hijacking

Process Injection

Dynamic-link Library Injection

Portable Executable Injection

Thread Execution Hijacking

Asynchronous Procedure Call

Thread Local Storage

Ptrace System Calls

Extra Window Memory Injection

Process Doppelgänging

Process Hollowing

Scheduled Task/Job

Default Accounts

Domain Accounts

Defense Evasion

Abuse Elevation Control Mechanism

Setuid and Setgid

Bypass User Access Control

Sudo and Sudo Caching

Elevated Execution with Prompt

Access Token Manipulation

Token Impersonation/Theft

Create Process with Token

Make and Impersonate Token

Parent PID Spoofing

SID-History Injection

Deobfuscate/Decode Files or Information

Direct Volume Access

Execution Guardrails

Environmental Keying

Exploitation for Defense Evasion

File and Directory Permissions Modification

Windows File and Directory Permissions Modification

Linux and Mac File and Directory Permissions Modification

Group Policy Modification

Hidden Files and Directories

NTFS File Attributes

Hidden File System

Run Virtual Instance

Hijack Execution Flow

Services File Permissions Weakness

Executable Installer File Permissions Weakness

Services Registry Permissions Weakness

Path Interception by Unquoted Path

Path Interception by PATH Environment Variable

Path Interception by Search Order Hijacking

DLL Search Order Hijacking

DLL Side-Loading

Dylib Hijacking

Impair Defenses

Disable or Modify Tools

Disable Windows Event Logging

Disable or Modify System Firewall

Indicator Blocking

Disable or Modify Cloud Firewall

Indicator Removal on Host

Clear Windows Event Logs

Clear Linux or Mac System Logs

Clear Command History

Network Share Connection Removal

Indirect Command Execution

Invalid Code Signature

Right-to-Left Override

Rename System Utilities

Masquerade Task or Service

Match Legitimate Name or Location

Space after Filename

Modify Authentication Process

Domain Controller Authentication

Password Filter DLL

Pluggable Authentication Modules

Modify Cloud Compute Infrastructure

Create Snapshot

Create Cloud Instance

Delete Cloud Instance

Revert Cloud Instance

Modify Registry

Obfuscated Files or Information

Software Packing

Compile After Delivery

Indicator Removal from Tools

System Firmware

Component Firmware

Process Injection

Dynamic-link Library Injection

Portable Executable Injection

Thread Execution Hijacking

Asynchronous Procedure Call

Thread Local Storage

Ptrace System Calls

Extra Window Memory Injection

Process Doppelgänging

Process Hollowing

Rogue Domain Controller

Signed Binary Proxy Execution

Compiled HTML File

Signed Script Proxy Execution

Subvert Trust Controls

Gatekeeper Bypass

SIP and Trust Provider Hijacking

Install Root Certificate

Template Injection

Traffic Signaling

Trusted Developer Utilities Proxy Execution

Unused/Unsupported Cloud Regions

Use Alternate Authentication Material

Pass the Ticket

Application Access Token

Web Session Cookie

Default Accounts

Domain Accounts

Virtualization/Sandbox Evasion

User Activity Based Checks

Time Based Evasion

XSL Script Processing

Credential Access

Password Guessing

Password Cracking

Password Spraying

Credential Stuffing

Credentials from Password Stores

Securityd Memory

Credentials from Web Browsers

Exploitation for Credential Access

Forced Authentication

GUI Input Capture

Web Portal Capture

Credential API Hooking

Man-in-the-Middle

LLMNR/NBT-NS Poisoning and SMB Relay

Modify Authentication Process

Domain Controller Authentication

Password Filter DLL

Pluggable Authentication Modules

Network Sniffing

OS Credential Dumping

Security Account Manager

Proc Filesystem

/etc/passwd and /etc/shadow

Cached Domain Credentials

Steal Application Access Token

Steal or Forge Kerberos Tickets

Steal Web Session Cookie

Two-Factor Authentication Interception

Unsecured Credentials

Credentials In Files

Credentials in Registry

Cloud Instance Metadata API

Group Policy Preferences

Account Discovery

Application Window Discovery

Browser Bookmark Discovery

Cloud Service Dashboard

Cloud Service Discovery

Domain Trust Discovery

File and Directory Discovery

Network Service Scanning

Network Share Discovery

Network Sniffing

Password Policy Discovery

Peripheral Device Discovery

Permission Groups Discovery

Process Discovery

Remote System Discovery

Software Discovery

Security Software Discovery

System Information Discovery

System Network Configuration Discovery

System Network Connections Discovery

System Owner/User Discovery

System Service Discovery

System Time Discovery

Virtualization/Sandbox Evasion

User Activity Based Checks

Time Based Evasion

Lateral Movement

Exploitation of Remote Services

Internal Spearphishing

Lateral Tool Transfer

Remote Service Session Hijacking

Remote Services

Remote Desktop Protocol

SMB/Windows Admin Shares

Distributed Component Object Model

Windows Remote Management

Replication Through Removable Media

Software Deployment Tools

Taint Shared Content

Use Alternate Authentication Material

Pass the Ticket

Application Access Token

Web Session Cookie

Archive Collected Data

Archive via Utility

Archive via Library

Archive via Custom Method

Automated Collection

Data from Cloud Storage Object

Data from Information Repositories

Data from Local System

Data from Network Shared Drive

Data from Removable Media

Local Data Staging

Remote Data Staging

Email Collection

Local Email Collection

Remote Email Collection

Email Forwarding Rule

GUI Input Capture

Web Portal Capture

Credential API Hooking

Man in the Browser

Man-in-the-Middle

LLMNR/NBT-NS Poisoning and SMB Relay

Command and Control

Application Layer Protocol

File Transfer Protocols

Communication Through Removable Media

Standard Encoding

Non-Standard Encoding

Data Obfuscation

Protocol Impersonation

Dynamic Resolution

Domain Generation Algorithms

DNS Calculation

Encrypted Channel

Symmetric Cryptography

Asymmetric Cryptography

Fallback Channels

Ingress Tool Transfer

Multi-Stage Channels

Non-Application Layer Protocol

Non-Standard Port

Protocol Tunneling

Multi-hop Proxy

Domain Fronting

Remote Access Software

Traffic Signaling

Dead Drop Resolver

Bidirectional Communication

One-Way Communication

Automated Exfiltration

Data Transfer Size Limits

Exfiltration Over Alternative Protocol

Exfiltration Over Symmetric Encrypted Non-C2 Protocol

Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

Exfiltration Over C2 Channel

Exfiltration Over Other Network Medium

Exfiltration Over Bluetooth

Exfiltration Over Physical Medium

Exfiltration over USB

Exfiltration Over Web Service

Exfiltration to Code Repository

Exfiltration to Cloud Storage

Scheduled Transfer

Transfer Data to Cloud Account

Account Access Removal

Data Destruction

Data Encrypted for Impact

Data Manipulation

Stored Data Manipulation

Transmitted Data Manipulation

Runtime Data Manipulation

Internal Defacement

External Defacement

Disk Content Wipe

Disk Structure Wipe

Endpoint Denial of Service

OS Exhaustion Flood

Service Exhaustion Flood

Application Exhaustion Flood

Application or System Exploitation

Firmware Corruption

Inhibit System Recovery

Network Denial of Service

Direct Network Flood

Reflection Amplification

Resource Hijacking

System Shutdown/Reboot

Deliver Malicious App via Authorized App Store

Deliver Malicious App via Other Means

Drive-by Compromise

Exploit via Charging Station or PC

Exploit via Radio Interfaces

Install Insecure or Malicious Configuration

Lockscreen Bypass

Masquerade as Legitimate Application

Supply Chain Compromise

Broadcast Receivers

Abuse Device Administrator Access to Prevent Removal

Broadcast Receivers

Compromise Application Executable

Foreground Persistence

Modify Cached Executable Code

Modify OS Kernel or Boot Partition

Modify System Partition

Modify Trusted Execution Environment

Privilege Escalation

Exploit OS Vulnerability

Exploit TEE Vulnerability

Defense Evasion

Application Discovery

Disguise Root/Jailbreak Indicators

Download New Code at Runtime

Evade Analysis Environment

Input Injection

Install Insecure or Malicious Configuration

Masquerade as Legitimate Application

Modify OS Kernel or Boot Partition

Modify System Partition

Modify Trusted Execution Environment

Obfuscated Files or Information

Suppress Application Icon

Uninstall Malicious Application

Credential Access

Access Notifications

Access Sensitive Data in Device Logs

Access Stored Application Data

Android Intent Hijacking

Capture Clipboard Data

Capture SMS Messages

Exploit TEE Vulnerability

Network Traffic Capture or Redirection

URL Scheme Hijacking

Application Discovery

Evade Analysis Environment

File and Directory Discovery

Location Tracking

Network Service Scanning

Process Discovery

System Information Discovery

System Network Configuration Discovery

System Network Connections Discovery

Lateral Movement

Attack PC via USB Connection

Exploit Enterprise Resources

Access Calendar Entries

Access Call Log

Access Contact List

Access Notifications

Access Sensitive Data in Device Logs

Access Stored Application Data

Capture Clipboard Data

Capture SMS Messages

Data from Local System

Foreground Persistence

Location Tracking

Network Information Discovery

Network Traffic Capture or Redirection

Command and Control

Alternate Network Mediums

Commonly Used Port

Domain Generation Algorithms

Remote File Copy

Standard Application Layer Protocol

Standard Cryptographic Protocol

Uncommonly Used Port

Alternate Network Mediums

Commonly Used Port

Standard Application Layer Protocol

Carrier Billing Fraud

Clipboard Modification

Data Encrypted for Impact

Delete Device Data

Generate Fraudulent Advertising Revenue

Input Injection

Manipulate App Store Rankings or Ratings

Modify System Partition

Network Effects

Downgrade to Insecure Protocols

Eavesdrop on Insecure Network Communication

Exploit SS7 to Redirect Phone Calls/SMS

Exploit SS7 to Track Device Location

Jamming or Denial of Service

Manipulate Device Communication

Rogue Cellular Base Station

Rogue Wi-Fi Access Points

Remote Service Effects

Obtain Device Cloud Backups

Remotely Track Device Without Authorization

Remotely Wipe Data Without Authorization

Virtualization/Sandbox Evasion: User Activity Based Checks

Other sub-techniques of Virtualization/Sandbox Evasion (3)

ID	Name
T1497.001	System Checks
T1497.002	User Activity Based Checks
T1497.003	Time Based Evasion

Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.

Adversaries may search for user activity on the host based on variables such as the speed/frequency of mouse movements and clicks ^[1] , browser history, cache, bookmarks, or number of files in common directories such as home or the desktop. Other methods may rely on specific user interaction with the system before the malicious code is activated, such as waiting for a document to close before activating a macro ^[2] or waiting for a user to double click on an embedded image to activate.^[3]

ID: T1497.002

Sub-technique of: T1497

Tactics: Defense Evasion, Discovery

Platforms: Linux, Windows, macOS

Data Sources: Process command-line parameters, Process use of network

Defense Bypassed: Anti-virus, Host forensic analysis, Signature-based detection, Static File Analysis

Contributors: Deloitte Threat Library Team

Version: 1.0

Created: 06 March 2020

Last Modified: 01 July 2020

Version Permalink

Live Version

Procedure Examples

Name	Description
FIN7	FIN7 used images embedded into document lures that only activate the payload when a user double clicks to avoid sandboxes.^[3]
Okrum	Okrum loader only executes the payload after the left mouse button has been pressed at least three times, in order to avoid being executed within virtualized or emulated environments.^[4]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

User activity-based checks will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.

References