Exploring the Frontier: Insights from ATT&CK Evaluations Managed Services Round 2

Lex Crumpton
Published in MITRE-Engenuity
Aug 20, 2024

Written by Rachel Doucet and Lex Crumpton

Introduction: Round 2 of ATT&CK Evaluations Managed Services

Round 2 of ATT&CK Evaluations: Managed Services has concluded, with 11 participants undergoing rigorous testing. In the ever-evolving realm of cybersecurity, threat actors like menuPass and ALPHV BlackCat continue to pose significant challenges to organizations worldwide. These adversaries are known for their sophisticated tactics, including Defense Evasion techniques, specifically fileless malware, which present a formidable challenge for defenders. In this blog post, we’ll delve into one such technique employed by these threat groups: Reflective Code Loading (T1620). We’ll explore how adversaries leverage this technique to conceal their malicious activities, examine real-world examples, discuss detection strategies, and provide remediation techniques to bolster your organization’s defenses.

Evolution is the name of the game in our field. Just as species adapt to their environment, technology evolves to meet new challenges. As threat hunters, we’re constantly exploring uncharted territories, evolving our capabilities to keep pace. Round 2 was all about adaptation, reflecting the demands of an ever-changing landscape.

Understanding Fileless Malware

Defense evasion is a sophisticated tactic employed by cyber adversaries to bypass security measures and evade detection while carrying out malicious activities. When it comes to fileless malware, which operates entirely in memory without leaving traces on the disk, defense evasion becomes even more challenging to detect.

Traditionally, malware operates by infecting files on a system, executing code when those files are opened or executed. However, fileless malware takes a different approach. Instead of relying on malicious files, fileless malware operates in memory, using legitimate system processes and tools to carry out its nefarious activities. This makes it incredibly stealthy and difficult to detect using traditional security products.

Reflective Code Loading

Let’s follow the trail through one of these techniques: Reflective Code Loading. Reflective Code Loading is executed across multiple platforms, including Linux, Mac OSX, and Windows. Round 2 showcased eight Windows-specific Reflective Code Loading techniques from both the Defense Evasion (TA0005) and Execution (TA0002) tactics. Although it is not a new technique, and one that is widely used today, participants often misclassified the activity or did not report on it at all.

Adversaries rely on the ability to execute a payload while avoiding the file system altogether, and reflective code loading gives them that advantage. Instead of executing payloads by creating a thread or process backed by a file path on disk, reflective code loading allocates the executing payload directly in memory. This allows adversaries to hide the execution of their payloads. In-memory execution increases their flexibility and stealth and lets them sidestep basic defenses.

Facing the Threat: menuPass

menuPass, also known as APT10, is a state-sponsored advanced persistent threat (APT) group linked to espionage activities. They target a wide range of industries, particularly focusing on organizations in the healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally. menuPass is known for their use of complex malware and techniques, including initial access via harvested credentials, in pursuit of sensitive information and intellectual property. For Managed Services, menuPass used a suite of malware including SigLoader, P8RAT, FYAnti, Impacket, and QuasarRat.

Image 1: menuPass Initial Compromise

An Example from menuPass

menuPass diversified their performance, providing us with examples that gave insight into how participants handled fileless maneuvers. For example, SigLoader is a multi-layer loader that loads and decrypts the target payload; eventually, it loads the first payload, FYAnti, in memory. FYAnti decrypts the first embedded .NET module and reflectively loads and executes it using the CppHostCLR technique to avoid dropping additional files to disk. The malware makes use of CppHostCLR because it can inject and execute the .NET loader assembly without extracting it to disk: clr.dll is loaded into the memory of the host process, and the .NET code is then loaded into the C++ process space.

Image 2: FYAnti Infection Flow diagram
Image 3: SigLoader Reflective Code Loading source code
Image 4: FYAnti reflectively loading assembly from memory

Detecting and Defending Against Fileless Malware

Detecting fileless malware and adversary techniques requires a multi-faceted approach. Relying solely on traditional host logs such as Windows event logs and Sysmon will not provide enough fidelity to say with confidence that this activity is taking place in your environment. Traditional signature-based antivirus solutions may also struggle to identify these threats, which makes tools that monitor module loads valuable for detecting processes that load the Common Language Runtime (CLR).

In our menuPass scenario, we often detect reflective code loading on Windows by examining signatures associated with the .NET CLR, such as mscor.dll, mscoree.dll, and clr.dll. These DLLs can be loaded into unconventional processes like notepad.exe, a behavior frequently observed in menuPass operations. While adversaries may refine their techniques over time, certain indicators remain consistent for in-memory .NET execution. These include the presence of CLR-related modules within a process, specific page permissions (such as Read Execute or Read Write), and Portable Executable (PE) headers within these pages. Defenders can enhance detection efforts by monitoring for code artifacts indicative of reflective code loading, such as the misuse of .NET functions like Assembly.Load() and Native API functions like CreateThread().
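The module-load rule described above, as an added example that is not part of the original post: it runs over constructed Sysmon Event ID 7 (ImageLoad) records and flags CLR runtime DLLs loaded by processes outside an assumed allow-list of expected .NET hosts (the list and the sample records are assumptions to tune per environment).

```python
# Added example (not from the MITRE post): flag .NET CLR runtime DLLs loaded into
# processes that are not expected managed-code hosts (the notepad.exe pattern above),
# using Sysmon Event ID 7 (ImageLoad) records.
# The event records and the expected-host list are constructed assumptions.
from pathlib import PureWindowsPath

# Runtime modules whose load means managed code will execute in the process.
CLR_MODULES = {"clr.dll", "mscoree.dll", "mscorwks.dll", "coreclr.dll"}

# Processes that legitimately host the CLR in this (assumed) environment.
EXPECTED_CLR_HOSTS = {"powershell.exe", "msbuild.exe", "devenv.exe", "w3wp.exe"}

# Constructed Sysmon Event ID 7 records, reduced to the fields the rule needs.
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessId": 4120, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"EventID": 7, "ProcessId": 2244,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"EventID": 7, "ProcessId": 4120, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll"},
    {"EventID": 7, "ProcessId": 5180, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ImageLoaded": r"C:\Windows\System32\mscoree.dll"},
    {"EventID": 1, "ProcessId": 6001, "Image": r"C:\Windows\System32\cmd.exe", "ImageLoaded": ""},
]

def basename(win_path: str) -> str:
    """Lower-cased file name of a Windows path ("" if the field is empty)."""
    return PureWindowsPath(win_path).name.lower() if win_path else ""

def detect_clr_loads(events, expected_hosts=EXPECTED_CLR_HOSTS):
    """Return one alert per CLR module loaded by a process outside the expected-host set."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue  # only ImageLoad events carry module information
        module = basename(ev.get("ImageLoaded", ""))
        process = basename(ev.get("Image", ""))
        if module in CLR_MODULES and process not in expected_hosts:
            alerts.append({"pid": ev["ProcessId"], "process": process, "module": module,
                           "reason": "CLR runtime loaded into non-.NET host"})
    return alerts

if __name__ == "__main__":
    for a in detect_clr_loads(SAMPLE_EVENTS):
        print(f"ALERT pid={a['pid']} {a['process']} loaded {a['module']}: {a['reason']}")
```

Sysmon only emits Event ID 7 when ImageLoad is enabled in its configuration, so the rule is silent on hosts running the default configuration.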

To detect reflective code loading and other fileless malware techniques, security teams can leverage:

Memory Analysis

Monitor processes for abnormal behavior, such as unexpected memory allocations or executions.

  • Use memory analysis tools (e.g., Volatility, Rekall) to examine memory dumps from potentially compromised systems.
  • Look for suspicious memory allocations that indicate the loading of executable code into memory without using traditional file-based execution.
  • Specifically, focus on memory regions marked as executable (RWX) but not associated with known legitimate processes or system components. These regions could indicate memory-based execution of malicious code.
  • Pay attention to memory regions that are unusually large or have unexpected permissions, as they may be indicative of reflective code loading.

API Execution

Track system API calls associated with reflective code loading, such as VirtualAlloc and WriteProcessMemory.

  • Analyze memory dump data to identify API calls commonly associated with reflective code loading, such as VirtualAlloc, VirtualProtect, and CreateRemoteThread.
  • Look for patterns of API calls that suggest the injection of malicious code into legitimate processes or the modification of memory permissions to enable code execution.
  • Check for anomalies in the sequence or frequency of API calls, as well as unusual parameters passed to these functions, which may indicate malicious activity.

Behavioral Analytics

Look for anomalies in process behavior, such as processes spawning child processes without legitimate reasons.

  • Conduct behavioral analysis of processes to identify suspicious behavior, such as processes spawning child processes with unexpected characteristics or exhibiting code injection techniques.
  • Look for processes that exhibit characteristics commonly associated with reflective code loading, such as loading libraries or executing code directly from memory.
  • Monitor for processes exhibiting code execution behavior without the creation of corresponding file-based artifacts, which could indicate memory-based execution techniques.
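The memory-analysis heuristics in the lists above (executable regions not backed by a file, PE headers inside such pages), as an added example that is not part of the original post: the region records are constructed stand-ins for what a memory-forensics tool would report, and the severity labels are an assumption.

```python
# Added example (not from the MITRE post): triage memory regions from a process dump
# for reflectively loaded PE images. The region records are constructed; in practice
# they would come from a memory-forensics tool such as the Volatility named in the post.
import struct

PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

def has_pe_header(head: bytes) -> bool:
    """True if the bytes start with a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
    return head[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def build_pe_stub(e_lfanew: int = 0x40) -> bytes:
    """Constructed header only: 'MZ', e_lfanew at offset 0x3C, then the PE signature."""
    head = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", head, 0x3C, e_lfanew)
    return bytes(head + b"PE\x00\x00")

# Constructed regions: (base, size, protect, memory type, first bytes of the region)
SAMPLE_REGIONS = [
    (0x7FF8_1000_0000, 0x1A0000, PAGE_EXECUTE_READ, "MEM_IMAGE", build_pe_stub()),   # file-backed DLL
    (0x0000_0240_0000, 0x21000, PAGE_EXECUTE_READWRITE, "MEM_PRIVATE", build_pe_stub()),  # unbacked PE, RWX
    (0x0000_0260_0000, 0x1000, PAGE_EXECUTE_READWRITE, "MEM_PRIVATE", b"\x48\x89\x5c\x24" + b"\x90" * 60),
    (0x0000_0280_0000, 0x10000, 0x04, "MEM_PRIVATE", b"\x00" * 64),  # PAGE_READWRITE heap
]

def triage_regions(regions):
    """Score executable regions that are not image-backed; returns (base, severity, reason)."""
    findings = []
    for base, size, protect, mem_type, head in regions:
        if not (protect & EXEC_MASK) or mem_type == "MEM_IMAGE":
            continue  # image-backed code is already covered by module-load telemetry
        if has_pe_header(head):
            findings.append((base, "high", f"PE header in unbacked executable region ({size:#x} bytes)"))
        elif protect == PAGE_EXECUTE_READWRITE:
            # Private RWX pages are also produced by legitimate JIT compilers (the .NET JIT
            # included), so on their own they warrant a closer look rather than an alert.
            findings.append((base, "medium", "private RWX region without PE header"))
    return findings

if __name__ == "__main__":
    for base, sev, why in triage_regions(SAMPLE_REGIONS):
        print(f"{sev:6} {base:#018x} {why}")
```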

Test for Reflective Code Loading in your Environment

To understand how different adversaries live off the land with this technique, we recommend monitoring for this activity within your environment or a virtual lab. Atomic Red Team, Caldera, and the ATT&CK Evaluations Library are great places to start. You can also reflectively load a tool into memory using Mimikatz and other common red team tools and frameworks. Those of you familiar with Cobalt Strike’s execute-assembly know this post-exploitation capability, which loads .NET assemblies in memory via unmanaged code without dropping files to disk: execute-assembly runs a .NET executable within the memory of a sacrificial process by loading the CLR. This technique allows red teamers to get away with all types of actions.

Understanding the variety of ways reflective code loading can take place in your own environment not only exposes possible capability gaps but also gives you the knowledge and confidence to initiate those conversations with your security product’s team. Here are a few examples to help you begin those discussions.

Example questions to open conversations with your vendors:

  • Are you able to detect Reflective Code Loading (T1620) in your environment? What is your logic for detection or how does your tool detect the activity?
  • What were your thoughts of participating in MITRE ATT&CK Evals MSR2?
  • Do you have any feedback for developers to enhance your product’s analytics or logic?
  • Where did you feel you did well?
  • What could you have done better?
  • Can we execute some of these attacks in a virtual environment and see how your tool performs?
  • Based on the results of MSR2, do you have a plan to make any changes to advance your tool?

Conclusion: Lessons Learned and the Path Forward

Understanding fileless malware and adversary techniques is crucial for modern cybersecurity defense. Organizations must stay vigilant and adapt their defenses as cyber threats continue to evolve. By understanding the techniques employed by threat actors like menuPass, and implementing robust detection strategies, organizations can enhance their security posture and effectively mitigate the risk of fileless malware attacks. Remember, proactive defense is key to staying one step ahead of cyber adversaries.

About MITRE Engenuity ATT&CK® Evaluations

ATT&CK® Evaluations is built on the backbone of MITRE’s objective insight and conflict-free perspective. Cybersecurity vendors turn to the ATT&CK Evals program to improve their offerings and to provide defenders with insights into their product’s capabilities and performance. ATT&CK Evals enables defenders to make better informed decisions on how to leverage the products that secure their networks. The program follows a rigorous, transparent methodology, using a collaborative, threat-informed, purple-teaming approach that brings together vendors and MITRE experts to evaluate solutions within the context of ATT&CK. In line with MITRE Engenuity’s commitment to serve the public good, ATT&CK Evals results and threat emulation plans are freely accessible. https://attackevals.mitre-engenuity.org/

© 2024 MITRE Engenuity, LLC. Approved for Public Release. Document number 23–03986–2.
