I ran across Manuel Arrieta's Hunting Fileless Malware in the Windows Registry article recently, and found it to be an interesting read.
Let me start by saying that the term “fileless malware”, for me, is like fingernails dragged down a chalkboard. Part of this is due to the DarkWatchman write-up, where the authors stated that some parts of the malware were “…written to the Registry to avoid writing to disk.” That kind of distinction has always just rubbed me the wrong way. However, regardless of what we call it, I do “get” the concept behind the turn of phrase, and why folks tend to feel that this sort of thing is more difficult to detect than malware that actually writes a file to disk. I’m not sure why they feel that way…maybe it’s because the code that downloads the malware and injects it directly into memory (in some cases) can reside anywhere on the system, and within any Registry value. However, the key is that this somehow needs to remain persistent, which limits the number of locations for the code that initiates the download, accesses the shellcode, or performs whichever initiating function.
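That last point, that the initiating code has to live in one of a limited set of persistence locations, is what makes this hunt tractable. The script below is an added example and is not code from this post or from Manuel Arrieta's article. It triages a handful of constructed Run/RunOnce values (sample data, not captured from a live host) and flags those that launch a Windows-native binary, carry an encoded PowerShell command, read their real payload back out of the Registry at run time, or hold payload-sized data. The LOLBin list, the 512-character threshold, the Base64 pattern and the sample key names are my assumptions about what merits an analyst's attention, not indicators taken from the article.

```python
"""Triage of Windows autostart Registry values for Registry-resident payload loaders.

Added example. Every value below is constructed sample data, not captured from a real
host; the indicator lists and thresholds are the example author's assumptions.
"""
import base64
import re
from dataclasses import dataclass, field

# Autostart keys routinely reviewed during triage: the persistence points a loader must use.
AUTOSTART_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
)

# Windows-native binaries that will execute content handed to them on the command line
# or pulled from a Registry value (assumed list; extend it for your environment).
LOLBINS = frozenset({"powershell", "pwsh", "mshta", "wscript", "cscript",
                     "rundll32", "regsvr32", "cmd"})

# Fragments meaning the launch command fetches its real payload from the Registry at run time.
REGISTRY_READBACK = re.compile(
    r"get-itemproperty(?:value)?|\breg(?:\.exe)?\s+query\b|\[microsoft\.win32\.registry\]",
    re.IGNORECASE,
)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # 40+ Base64 chars (assumed threshold)
LONG_VALUE_THRESHOLD = 512  # chars; genuine launch commands are rarely this long (assumed)
FIRST_TOKEN = re.compile(r'^\s*(?:"([^"]*)"|(\S+))')  # quoted path or bare first token


@dataclass
class Finding:
    key: str
    name: str
    reasons: list = field(default_factory=list)


def launched_program(data):
    """Basename, without .exe, of the program an autostart command line launches."""
    m = FIRST_TOKEN.match(data)
    if not m:
        return ""
    prog = (m.group(1) or m.group(2) or "").lower()
    prog = prog.replace("/", "\\").rsplit("\\", 1)[-1]
    return prog[:-4] if prog.endswith(".exe") else prog


def decode_encoded_command(command):
    """Decode the argument of PowerShell's -EncodedCommand switch (powershell.exe also
    accepts any unambiguous prefix such as -e or -enc). Returns the UTF-16LE plaintext,
    or None when the switch is absent or the argument does not decode."""
    tokens = command.split()
    for i, tok in enumerate(tokens[:-1]):
        switch = tok[1:].lower()
        if tok[:1] in ("-", "/") and switch and "encodedcommand".startswith(switch):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def triage_value(key, name, data):
    """Return a Finding listing why this autostart value deserves analyst attention;
    an empty reasons list means none of the heuristics fired."""
    finding = Finding(key, name)
    if launched_program(data) in LOLBINS:
        finding.reasons.append(f"LOLBin launched from autostart: {launched_program(data)}")
    decoded = decode_encoded_command(data)
    if decoded is not None:
        finding.reasons.append(f"encoded PowerShell command, decodes to: {decoded!r}")
    if REGISTRY_READBACK.search(data + "\n" + (decoded or "")):
        finding.reasons.append("command reads its payload back from the Registry at run time")
    if len(data) > LONG_VALUE_THRESHOLD:
        finding.reasons.append(f"value data is {len(data)} chars, payload-sized for a launcher")
    if decoded is None and B64_BLOB.search(data):
        finding.reasons.append("Base64-looking blob in value data")
    return finding


# Constructed sample values: one benign, one benign-looking, one loader, one stored payload.
SAMPLE_VALUES = [
    (AUTOSTART_KEYS[2], "VendorUpdater", r'"C:\Program Files\Vendor\Updater.exe" /background'),
    # Fires the LOLBin heuristic alone: expected analyst noise until other context is added.
    (AUTOSTART_KEYS[0], "LegacyTray", r"rundll32.exe C:\Windows\System32\constructed_tray.dll,Start"),
    # Hidden PowerShell whose encoded command pulls stage two out of another Registry value.
    (AUTOSTART_KEYS[2], "Helper", "powershell.exe -w hidden -enc " + base64.b64encode(
        "IEX (Get-ItemProperty HKCU:\\Software\\Demo).Stage".encode("utf-16-le")).decode()),
    # A Run value that holds nothing but a large Base64 blob: data parked beside its loader.
    (AUTOSTART_KEYS[2], "Cache", base64.b64encode(bytes(range(256)) * 2).decode()),
]


def run_triage(values=SAMPLE_VALUES):
    """Triage every (key, name, data) tuple and keep only values with at least one reason."""
    return [f for f in (triage_value(k, n, d) for k, n, d in values) if f.reasons]


if __name__ == "__main__":
    for f in run_triage():
        print(f"{f.key}\\{f.name}")
        for r in f.reasons:
            print(f"    - {r}")
```

Fed the enumerated contents of those keys from a live system or an offline hive, the same function gives the analyst a short list to look at first. Note that the rundll32 entry is flagged on the LOLBin heuristic alone; a single indicator of that kind is a prompt to check the key's LastWrite time and the referenced DLL, not a verdict, which is part of why these detections involve more than what shows on the surface.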
In his article, Manuel discusses the use of LOLBins to write information to the Registry, and how this can be used for detection. He references several LOLBins, and something that we have to keep in mind is that there’s often more to these detections than just what we see on the surface. For exa
[…]