{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/time-based-evasion/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["time-based-evasion","malware","persistence","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis brief focuses on the detection of \u003ccode\u003echoice.exe\u003c/code\u003e being used within batch files as a time-delay tactic, a technique notably employed by the SnakeKeylogger malware. The analysis leverages data from Endpoint Detection and Response (EDR) agents, scrutinizing process names and command-line executions. This behavior is significant because it suggests the implementation of time-based evasion techniques designed to circumvent detection mechanisms. Successful evasion could enable attackers to execute malicious code covertly, remove incriminating files, and establish persistent access on compromised systems. The use of \u003ccode\u003echoice.exe\u003c/code\u003e for such purposes warrants immediate investigation by security operations center (SOC) analysts due to the potential for significant system compromise and data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access via an unknown vector.\u003c/li\u003e\n\u003cli\u003eA batch script is executed on the target system.\u003c/li\u003e\n\u003cli\u003eThe batch script uses \u003ccode\u003echoice.exe\u003c/code\u003e with the \u003ccode\u003e/T\u003c/code\u003e and \u003ccode\u003e/N\u003c/code\u003e parameters to introduce a time delay. The \u003ccode\u003e/T\u003c/code\u003e parameter specifies a timeout period, and the \u003ccode\u003e/N\u003c/code\u003e parameter suppresses the display of choices.\u003c/li\u003e\n\u003cli\u003eThis delay allows the malware to evade time-sensitive detection mechanisms.\u003c/li\u003e\n\u003cli\u003eAfter the delay, the script executes further commands, potentially downloading and executing a payload.\u003c/li\u003e\n\u003cli\u003eThe payload executes, installing a keylogger such as SnakeKeylogger or 0bj3ctivity Stealer.\u003c/li\u003e\n\u003cli\u003eThe keylogger captures sensitive information such as keystrokes and clipboard data.\u003c/li\u003e\n\u003cli\u003eThe stolen data is exfiltrated to a remote server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised systems can lead to data theft, intellectual property loss, and financial fraud. SnakeKeylogger and similar malware have been used to steal credentials and sensitive information from various targets. Successful exploitation could result in significant financial losses, reputational damage, and legal liabilities. The number of victims and the extent of the damage depend on the attacker\u0026rsquo;s objectives and the compromised systems\u0026rsquo; value.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Choice.exe Time Delay\u003c/code\u003e to your SIEM to detect the use of \u003ccode\u003echoice.exe\u003c/code\u003e with time-delay parameters (log source: \u003ccode\u003eprocess_creation\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture the necessary process execution data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003echoice.exe\u003c/code\u003e being used with the \u003ccode\u003e/T\u003c/code\u003e and \u003ccode\u003e/N\u003c/code\u003e parameters to determine if it is part of a malicious script.\u003c/li\u003e\n\u003cli\u003eBlock the execution of unsigned or untrusted batch scripts to prevent the initial execution of the malicious code.\u003c/li\u003e\n\u003cli\u003eMonitor endpoint activity for suspicious processes and network connections originating from systems where \u003ccode\u003echoice.exe\u003c/code\u003e has been detected.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-time-based-evasion-choice/","summary":"Detection of choice.exe used in batch files for time-based evasion, a technique observed in SnakeKeylogger malware, indicating potential stealthy code execution and persistence.","title":"Windows Time-Based Evasion via Choice Exec","url":"https://feed.craftedsignal.io/briefs/2024-01-time-based-evasion-choice/"}],"language":"en","title":"CraftedSignal Threat Feed — Time-Based-Evasion","version":"https://jsonfeed.org/version/1.1"}