TRANSCRIPT
Page 1
Enigma 2020 – San Francisco, CA, US
CATCH ME IF YOU CAN! DETECTING SANDBOX EVASION TECHNIQUES
Francis Guibernau & Ayelen Torello
Page 2
ABOUT US
Francis Guibernau @OutrageousLynx
Security Researcher at Deloitte
Ayelen Torello @TorelloAyelen
Security Researcher at Deloitte
Page 3
Overview - agenda
• Environment Awareness: Definition of the ‘Environment Awareness’ master technique and the purpose behind it
• Identified Techniques: List of techniques and the different categories defined within Environment Awareness
• In the wild Examples: Multiple malware examples from each identified category.
• APT Insight & Conclusion: How we use what we learned in order to profile and track APT groups.
Page 4
ENVIRONMENT AWARENESS
Environment Awareness is the name given to the set of high-level techniques attackers use to try to detect sandboxing environments, virtual machines or the presence of forensic tools.
Page 5
Techniques
1. System Architecture (3 Sub-Techniques)
2. System Background (6 Sub-Techniques)
3. Time-based Detection (5 Sub-Techniques)
4. User-based Detection (3 Sub-Techniques)
5. Network-based Detection (3 Sub-Techniques)
Page 6
SYSTEM ARCHITECTURE
System Specifications: System Memory, Disk Properties, CPU Core Count
Hardware Components: Thermal Check, Peripheral Check, Hardware IDs
System footprint: BIOS, UEFI, EFI
Page 7
SYSTEM ARCHITECTURE
GravityRAT: Hardware Components (Hardware IDs, Thermal Check)
Reference: https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html
Page 8
SYSTEM ARCHITECTURE
GravityRAT: System Specifications (CPU Core Count)
Reference: https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html
Page 9
SYSTEM BACKGROUND
System instrumentation: CPUID Based Instructions, WMI Queries, Process and services, Registry Keys, Mac addresses
System fingerprinting: Artifacts presence
Page 10
SYSTEM BACKGROUND
System instrumentation: CPUID Based Instructions, WMI Queries, Process and services, Registry Keys, Mac addresses
System fingerprinting: Artifacts presence
Registry Keys example: HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions
Mac addresses examples (OUI prefix and hypervisor):
00:05:69:xx:xx:xx VMware
00:0C:29:xx:xx:xx VMware
00:1C:14:xx:xx:xx VMware
00:50:56:xx:xx:xx VMware
00:15:5D:xx:xx:xx Hyper-V
00:16:3E:xx:xx:xx Xen
54:52:00:xx:xx:xx KVM
Artifacts presence examples:
C:\windows\System32\Drivers\VBoxMouse.sys
C:\windows\System32\Drivers\VBoxGuest.sys
C:\windows\System32\Drivers\VBoxSF.sys
C:\windows\System32\Drivers\VBoxVideo.sys
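As an added example (not code from the talk or from the GravityRAT analysis), the following Python audit checks a sandbox guest's profile against exactly the fingerprints listed on this slide, so an operator can see which artifacts a sample could use to recognise the environment before giving the sandbox a non-generic profile. The GuestProfile structure and the sample profile values are constructed for the example.

```python
"""Audit a sandbox guest profile for the hypervisor fingerprints on the
System Background slide (MAC OUIs, VirtualBox registry key, VBox drivers)."""
from dataclasses import dataclass

# OUI prefix -> hypervisor, exactly as listed on the slide (xx:xx:xx host part dropped).
HYPERVISOR_OUIS = {
    "00:05:69": "VMware", "00:0C:29": "VMware", "00:1C:14": "VMware",
    "00:50:56": "VMware", "00:15:5D": "Hyper-V", "00:16:3E": "Xen",
    "54:52:00": "KVM",
}
VBOX_REGISTRY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions"
VBOX_DRIVERS = {
    r"C:\windows\System32\Drivers\VBoxMouse.sys",
    r"C:\windows\System32\Drivers\VBoxGuest.sys",
    r"C:\windows\System32\Drivers\VBoxSF.sys",
    r"C:\windows\System32\Drivers\VBoxVideo.sys",
}

@dataclass
class GuestProfile:            # constructed container, not a real telemetry schema
    mac_addresses: list
    registry_keys: set
    files: set

def normalize_mac(mac: str) -> str:
    """Accept '00-0c-29-..' or '000c29..' forms; return upper-case colon form."""
    digits = "".join(c for c in mac if c.isalnum()).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit_profile(profile: GuestProfile) -> list:
    """Return (sub-technique, artifact, hypervisor) triples a sample could use."""
    findings = []
    for mac in map(normalize_mac, profile.mac_addresses):
        if mac[:8] in HYPERVISOR_OUIS:
            findings.append(("Mac addresses", mac, HYPERVISOR_OUIS[mac[:8]]))
    # Windows registry paths and file paths are case-insensitive.
    if VBOX_REGISTRY_KEY.lower() in {k.lower() for k in profile.registry_keys}:
        findings.append(("Registry Keys", VBOX_REGISTRY_KEY, "VirtualBox"))
    present = {f.lower() for f in profile.files}
    for drv in sorted(VBOX_DRIVERS):
        if drv.lower() in present:
            findings.append(("Artifacts presence", drv, "VirtualBox"))
    return findings

# Constructed sample profile that exercises every check; not real telemetry.
# The second NIC uses an OUI that is not on the slide's list, so it is not flagged.
SAMPLE = GuestProfile(["00-0c-29-aa-bb-cc", "08-00-27-11-22-33"],
                      {VBOX_REGISTRY_KEY}, {r"C:\Windows\System32\Drivers\VBoxGuest.sys"})
```

Run `audit_profile(SAMPLE)` to get the three findings for the constructed guest; an empty list means none of the slide's fingerprints are exposed, which says nothing about artifacts outside that list.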
Page 11
SYSTEM BACKGROUND
GravityRAT: System instrumentation (WMI Queries)
Reference: https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html
Page 12
SYSTEM BACKGROUND
GravityRAT: System instrumentation (Mac addresses)
Reference: https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html
Page 13
SYSTEM BACKGROUND
GravityRAT: System instrumentation (Registry Keys)
Reference: https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html
Page 14
TIME-BASED DETECTION
Time bomb
Scheduled download
System events
Extended sleep
System uptime
Page 15
TIME-BASED DETECTION
Upatre: System uptime
Reference: https://unit42.paloaltonetworks.com/ticked-off-upatre-malwares-simple-anti-analysis-trick-to-defeat-sandboxes/
Page 16
USER-BASED DETECTION
Software and applications
User interaction
User properties and configurations
Page 17
USER-BASED DETECTION
User interaction
Page 18
USER-BASED DETECTION
FIN7: User interaction
Page 19
NETWORK-BASED DETECTION
Open Ports
Connectivity Availability
Network Check
Page 20
NETWORK-BASED DETECTION
PowerShell Empire: Network Check
Page 21
Results – APT Tracking (according to vendor’s group attribution)
Suspected China: 30%
Unknown: 28%
Suspected Russia: 12%
Suspected N. Korea: 7.5%
Page 22
Results – APT Tracking (according to vendor’s group attribution)
[Chart: evasion categories observed (Time-based Detection, System Background, Network-based Detection) for the groups APT 1, TA505, APT 28 and Lazarus]
Page 23
RESULTS & INSIGHT
• Improvement on APT Insight
• APT Overlapping
• Evasion Techniques knowledge
• MITRE Framework Updated (2019): T1497 – Virtualization/Sandbox Evasion
Page 24
Closing remarks
• Evasion techniques are constantly evolving.
• Use different profiles for your sandbox and avoid generic ones.
• Keep all your systems up to date so that malware cannot exploit known vulnerabilities.
Page 25
QUESTIONS