User Activity Based Checks

Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of check for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.

Adversaries may search for user activity on the host based on variables such as the speed/frequency of mouse movements and clicks, browser history, cache, bookmarks, or number of files in common directories such as home or the desktop. Other methods may rely on specific user interaction with the system before the malicious code is activated, such as waiting for a document to close before activating a macro or waiting for a user to double click on an embedded image to activate.

Example

In this example will be using all with user permission, of course we can grab more activity like logs, and registry info but these will require more elevated permissions from here we will just make sure the User has files in their Documents Folder, something above 10 files so we know that is a legitimate active user and not a recently created, in a virtual environment only used for Debuggers.

Above you see the code used in PowerShell to found the count of how many files are in the Documents Directory. If the count is above 8 then it will print out OK but if not then a simple NOPE will run instead.

We see above that we have 8 Files in the Documents Directory just to verify this, so now by executing our script it should just print NOPE.

Exactly as intended, this is another good method to evade systems as we verify if this is an actual working and active user for an environment that has working files or is at least active in a working environment folder which Documents, Downloads, Pictures are very common for employees.