Windows Time-Based Evasion via Ping Delay
This analytic detects potentially malicious processes initiating a ping delay using an invalid IP address, a tactic used by malware like NJRAT to evade detection by delaying actions.
This detection focuses on identifying a specific time-based evasion technique employed by malware, including NJRAT. The technique involves initiating a ping command to an invalid IP address ("ping 0 -n"), which introduces a delay. This delay can be used to evade detection by security tools or to postpone malicious actions, such as self-deletion, until a later time. This behavior is typically observed on Windows endpoints and leverages the native ping.exe utility. The detection logic analyzes endpoint telemetry for command-line executions matching this pattern. Identifying and responding to this activity is crucial, as it indicates a potential attempt to evade security controls and maintain a persistent presence within the compromised environment. The timeframe for this technique has been observed since NJRAT's emergence and continues to be relevant as an evasion tactic.
Attack Chain
- The attacker gains initial access to the system (e.g., via phishing or exploit).
- Malware (e.g., NJRAT) is deployed on the compromised endpoint.
- The malware executes
ping.exewith the argumentping 0 -n <seconds>. - The
pingcommand attempts to resolve the invalid IP address, causing a delay. - During the delay, the malware may perform other malicious activities, such as collecting system information or establishing persistence.
- After the delay, the malware continues its primary objective, which may include data exfiltration, remote control, or self-deletion.
- The self-deletion is delayed through ping, so that security tools won't notice the malicious program present on the host.
Impact
A successful attack using time-based evasion can allow malware to remain undetected for a longer period. This can lead to increased data exfiltration, prolonged remote access, and greater damage to the compromised system. Time-based evasion is a common technique among malware, potentially affecting a broad range of organizations. The impact includes increased dwell time for attackers, which gives them more opportunities to compromise sensitive data and systems. If successful, this evasion can lead to the deployment of ransomware or other destructive payloads.
Recommendation
- Deploy the Sigma rule
Detect Windows Time Based Evasion via Ping Delayto identify processes executing theping 0 -ncommand. - Investigate any identified instances of
ping.exewith the0 -nargument to determine if it is associated with malicious activity. - Enable Sysmon process creation logging (Event ID 1) to capture the necessary command-line information for the detection.
- Ensure that endpoint detection and response (EDR) agents are configured to collect and forward process execution data.
- Review
https://malpedia.caad.fkie.fraunhofer.de/details/win.njratfor more information about NJRAT and its tactics.
Detection coverage 2
Detect Windows Time Based Evasion via Ping Delay
highDetects processes using ping to create delays, an evasion tactic used by malware like NJRAT.
Detect Parent Process Executing Ping Delay
mediumDetects parent processes that initiate ping delays, commonly used for evasion by malware such as NJRAT
Detection queries are available on the platform. Get full rules →