{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/njrat/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["NJRAT"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["time-based-evasion","njrat","windows"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection focuses on identifying a specific time-based evasion technique employed by malware, including NJRAT. The technique involves initiating a ping command to an invalid IP address (\u0026quot;ping 0 -n\u0026quot;), which introduces a delay. This delay can be used to evade detection by security tools or to postpone malicious actions, such as self-deletion, until a later time. This behavior is typically observed on Windows endpoints and leverages the native \u003ccode\u003eping.exe\u003c/code\u003e utility. The detection logic analyzes endpoint telemetry for command-line executions matching this pattern. Identifying and responding to this activity is crucial, as it indicates a potential attempt to evade security controls and maintain a persistent presence within the compromised environment. The timeframe for this technique has been observed since NJRAT's emergence and continues to be relevant as an evasion tactic.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (e.g., via phishing or exploit).\u003c/li\u003e\n\u003cli\u003eMalware (e.g., NJRAT) is deployed on the compromised endpoint.\u003c/li\u003e\n\u003cli\u003eThe malware executes \u003ccode\u003eping.exe\u003c/code\u003e with the argument \u003ccode\u003eping 0 -n \u0026lt;seconds\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eping\u003c/code\u003e command attempts to resolve the invalid IP address, causing a delay.\u003c/li\u003e\n\u003cli\u003eDuring the delay, the malware may perform other malicious activities, such as collecting system information or establishing persistence.\u003c/li\u003e\n\u003cli\u003eAfter the delay, the malware continues its primary objective, which may include data exfiltration, remote control, or self-deletion.\u003c/li\u003e\n\u003cli\u003eThe self-deletion is delayed through ping, so that security tools won't notice the malicious program present on the host.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using time-based evasion can allow malware to remain undetected for a longer period. This can lead to increased data exfiltration, prolonged remote access, and greater damage to the compromised system. Time-based evasion is a common technique among malware, potentially affecting a broad range of organizations. The impact includes increased dwell time for attackers, which gives them more opportunities to compromise sensitive data and systems. If successful, this evasion can lead to the deployment of ransomware or other destructive payloads.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Windows Time Based Evasion via Ping Delay\u003c/code\u003e to identify processes executing the \u003ccode\u003eping 0 -n\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eInvestigate any identified instances of \u003ccode\u003eping.exe\u003c/code\u003e with the \u003ccode\u003e0 -n\u003c/code\u003e argument to determine if it is associated with malicious activity.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture the necessary command-line information for the detection.\u003c/li\u003e\n\u003cli\u003eEnsure that endpoint detection and response (EDR) agents are configured to collect and forward process execution data.\u003c/li\u003e\n\u003cli\u003eReview \u003ccode\u003ehttps://malpedia.caad.fkie.fraunhofer.de/details/win.njrat\u003c/code\u003e for more information about NJRAT and its tactics.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-time-based-evasion/","summary":"This analytic detects potentially malicious processes initiating a ping delay using an invalid IP address, a tactic used by malware like NJRAT to evade detection by delaying actions.","title":"Windows Time-Based Evasion via Ping Delay","url":"https://feed.craftedsignal.io/briefs/2024-01-time-based-evasion/"}],"language":"en","title":"CraftedSignal Threat Feed - Njrat","version":"https://jsonfeed.org/version/1.1"}