Evasive tools getting more popular with attackers
Penetration testing frameworks designed for lawful "red team" operations have gained traction recently, with a growing number of commercial providers offering increasingly sophisticated capabilities to evade detection.
These frameworks provide an easy way to create and deploy code designed to circumvent and evade the typical security controls found in organizations. Precisely because of that, malicious actors have long since integrated these legitimate tools into their arsenal, leveraging specific features such as endpoint detection evasion capabilities.
Using an established red team tool makes it easier for attackers to deploy malicious code and therefore lowers costs and simplifies operations. In the last few years, threat actors from cybercriminals to advanced persistent threat actors have increasingly turned to red teaming tools to achieve their goals.
Historically, the most abused tool has been Cobalt Strike, followed by Brute Ratel. Recently, a new framework called Nighthawk has appeared on the market, claiming to be the "most advanced and evasive command-and-control framework available". Precisely because of that, it could see rapid adoption by threat actors wanting to diversify their methods and add a relatively unknown framework to their arsenal.
Of course, Nighthawk appears to have many technical and procedural controls in its sales and distribution process (as stated in their release following an analysis by Proofpoint), aimed at preventing bad actors from getting hold of the latest software versions. Notably, Nighthawk's makers claim to use "a number of unpublished EDR bypass techniques", which they feel should not be publicized as they could come to the attention of bad actors. The Proofpoint blog article detailing Nighthawk's inner workings has since been taken down.
However, the popularity of these tools among threat actors makes it easier to develop countermeasures and advance research. In fact, it's better to have the innovative evasion techniques used by Nighthawk and the like openly documented or at least available for security vendors to analyze and deploy protection.
As tools gain in popularity, detecting them in the wild becomes easier: take the recent approach by Google of making various Cobalt Strike payloads detectable via open-sourced YARA rules, in order to help the community flag and identify Cobalt Strike’s components and their respective versions.
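To make concrete what a rule set like the one Google published actually does, here is an added example (not from the article and not Google's or any vendor's rules): a minimal YARA-style matcher in plain Python. It shows the two ingredients such a rule is built from, a set of named strings (text, or hex with `??` byte and single-nibble wildcards) and a condition over how many of them must be present, and how one rule can single out a specific version by keying on a version-specific string. Every rule name, pattern and sample blob below is a constructed placeholder, not a real Cobalt Strike indicator.

```python
# Added example: a tiny YARA-style matcher to illustrate how signature rules
# of the kind Google open-sourced for Cobalt Strike work. All patterns and
# sample data are constructed placeholders, not real indicators.
import re
from dataclasses import dataclass
from typing import Dict, List


def hex_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string such as "DE AD ?? BE EF 4?" into a bytes regex.
    "??" matches any byte; "4?" fixes the high nibble, "?4" fixes the low nibble."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        elif tok[1] == "?":                      # high nibble fixed, e.g. "4?" -> 0x40..0x4F
            lo = int(tok[0], 16) << 4
            parts.append(b"[" + re.escape(bytes([lo])) + b"-"
                         + re.escape(bytes([lo | 0x0F])) + b"]")
        elif tok[0] == "?":                      # low nibble fixed, e.g. "?4" -> 0x04,0x14,...
            n = int(tok[1], 16)
            parts.append(b"[" + b"".join(re.escape(bytes([(h << 4) | n]))
                                         for h in range(16)) + b"]")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def text(s: str) -> re.Pattern:
    """A plain YARA text string, matched literally."""
    return re.compile(re.escape(s.encode()))


@dataclass
class Rule:
    name: str
    strings: Dict[str, re.Pattern]   # "$id" -> compiled pattern, as in a YARA strings: section
    condition: str                   # "all of them", "any of them", or "N of them"


def find_strings(rule: Rule, data: bytes) -> Dict[str, List[int]]:
    """Offsets of every rule string found in data (what YARA reports as @$id)."""
    return {sid: [m.start() for m in pat.finditer(data)]
            for sid, pat in rule.strings.items()}


def evaluate(rule: Rule, hits: Dict[str, List[int]]) -> bool:
    """Apply the rule's condition to the per-string hit lists."""
    matched = sum(1 for offs in hits.values() if offs)
    head = rule.condition.split()[0]
    if head == "all":
        return matched == len(rule.strings)
    if head == "any":
        return matched >= 1
    return matched >= int(head)           # "N of them"


def scan(data: bytes, rules: List[Rule]) -> List[str]:
    """Names of all rules that fire on data, in rule order."""
    return [r.name for r in rules if evaluate(r, find_strings(r, data))]


# Constructed placeholder rules (hypothetical names and byte patterns).
RULES = [
    # A "component" rule: a magic sequence with a wildcard byte plus a marker string.
    Rule("PLACEHOLDER_beacon_like_stager",
         {"$magic": hex_to_regex("DE AD ?? BE EF"),
          "$marker": text("placeholder-beacon-marker")},
         "all of them"),
    # A "version" rule: two candidate build stamps plus a nibble-wildcard pattern;
    # any two of the three suffice, which is how version-specific rules stay robust.
    Rule("PLACEHOLDER_build_stamp",
         {"$b4": text("placeholder build 4."),
          "$b3": text("placeholder build 3."),
          "$cfg": hex_to_regex("?4 2E 37")},   # a byte with low nibble 4, then ".7"
         "2 of them"),
]

# Constructed sample blobs standing in for files pulled off a host.
BENIGN = b"MZ\x90\x00" + b"This program cannot be run in DOS mode" + b"\x00" * 16
SUSPECT = (b"MZ\x90\x00" + b"\x00" * 12 + b"\xde\xad\x13\xbe\xef"
           + b"placeholder-beacon-marker\x00placeholder build 4.7\x00")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, "->", scan(blob, RULES) or "no match")
```

The `find_strings` offsets are worth surfacing in a real deployment: the offset at which a version string or configuration block sits is often more useful to an incident responder than the bare rule name, because it tells them where in the artifact to look next.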