The document discusses hunting for fileless malware using SysInternals tools and digital forensics techniques. It defines fileless malware as malicious code that infects a computer's dynamic memory rather than files. It then provides examples of hunting fileless malware by checking the boot chain for anomalous processes, gathering detailed information on suspicious processes, and analyzing RAM dumps to obtain indicators of compromise and behavioral details that can be confirmed with file system artifacts.
5. Fileless Malware
● Fileless malware is a new type of malicious code that infects a host computer’s dynamic memory (RAM) rather than the file system.
● As usual, fileless malware is combined with abuse of built-in system tools such as PowerShell, WMI, the Windows SDK, etc.
13. Boot Chain. Anomaly Detection
● System
Anomalies in the process’s behavior:
● System normally doesn’t have a parent (it originates in kernel mode), so a visible parent process is anomalous
● PID of System isn’t equal to 4
● there are several copies of System
14. Boot Chain. Anomaly Detection
● SMSS
Anomalies in the process’s behavior:
● parent process isn’t System
● process directory isn’t %systemroot%\system32
● procexp64.exe/procexp.exe shows a parent process for winlogon, wininit or csrss (the per-session smss.exe instance that starts them exits immediately, so normally no parent is shown)
15. Boot Chain. Anomaly Detection
● CSRSS
Anomalies in the process’s behavior:
● process is running as a non-SYSTEM user
● process directory isn’t %systemroot%\system32
Normal process behavior:
● one separate instance for each session
● first instance for System: Session 0
● second instance for the user: Session 1
16. Boot Chain. Anomaly Detection
● Wininit
Anomalies in the process’s behavior:
● process is running as a non-SYSTEM user
● process directory isn’t %systemroot%\system32
● SMSS isn’t the parent of wininit
Normal process behavior:
● process is running as NT AUTHORITY\SYSTEM
● process directory is %systemroot%\system32
● creates WinSta0 and 2 desktops (Winlogon and Default) for Session 0
● creates services.exe, lsass.exe, lsm.exe
● SMSS is the parent process
● creates %windir%\temp
● process is started in Session 0
17. Boot Chain. Anomaly Detection
● Winlogon
Anomalies in the process’s behavior:
● the Shell and Userinit values (Winlogon registry key) differ from those shown in the image above
● process directory isn’t %systemroot%\system32
● procexp64.exe/procexp.exe shows a parent process for winlogon
● process isn’t running as NT AUTHORITY\SYSTEM
18. Boot Chain. Anomaly Detection
● Explorer
Anomalies in the process’s behavior:
● process has TCP/IP connections
● process directory isn’t the Windows directory
19. Boot Chain. Anomaly Detection
● Services
Anomalies in the process’s behavior:
● process is running as a non-SYSTEM user
● process directory isn’t %systemroot%\system32
● parent process isn’t wininit.exe
20. Boot Chain. Anomaly Detection
● Svchost
Anomalies in the process’s behavior:
● process is running as a user other than SYSTEM, LOCAL SERVICE or NETWORK SERVICE
● process directory isn’t %systemroot%\system32
● parent process isn’t services.exe
● process command line doesn’t carry the -k [name] service-group switch
21. Boot Chain. Anomaly Detection
● LSASS
Anomalies in process behavior:
● process is running as a non-SYSTEM user
● process directory isn’t %systemroot%\system32
● parent process isn’t wininit.exe
● processes with similar but slightly different names: lasss, lssaa, lsas
Normal process behavior:
● process is running as NT AUTHORITY\SYSTEM
● path is %systemroot%\system32\lsass.exe
● parent process is wininit.exe
● only one process named lsass.exe
● lsass.exe has no child processes
● lsass.exe is started in Session 0
22. Boot Chain. Anomaly Detection
● LSM
Normal process behavior:
● process is running as NT AUTHORITY\SYSTEM
● directory is %systemroot%\system32
● parent process is wininit.exe
● lsm is the local session manager (manages terminal sessions on the local host)
● lsm.exe has no child processes
● lsm.exe is started in Session 0
Anomalies in process behavior:
● process is running as a non-SYSTEM user
● process directory isn’t %systemroot%\system32
● parent process isn’t wininit.exe
● lsm has a child process
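The boot-chain rules from the slides above, collected into one check that runs over a process snapshot (what you would export from Process Explorer, tasklist or a RAM-dump process list). This is an added example, not code from the deck or from SysInternals; the record layout, the field names and the constructed sample snapshot are assumptions, and it goes slightly beyond the slides by applying every listed rule in a single pass.

```python
import re
from collections import Counter

SYS32, SYSTEM = r"c:\windows\system32", r"nt authority\system"
SERVICE_USERS = {SYSTEM, r"nt authority\local service", r"nt authority\network service"}
CORE = ("smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "services.exe", "lsass.exe", "lsm.exe")
EXPECTED_PARENT = {"smss.exe": "system", "services.exe": "wininit.exe", "lsass.exe": "wininit.exe", "lsm.exe": "wininit.exe", "svchost.exe": "services.exe"}
# csrss/wininit/winlogon are spawned by a per-session smss.exe that exits at once, so normally no live parent is visible; one that isn't smss.exe is suspicious
SESSION_CHILDREN = ("csrss.exe", "wininit.exe", "winlogon.exe")

def boot_chain_anomalies(procs):
    """Return (pid, name, reason) tuples for records breaking the slides' rules. Record layout (assumed): pid, ppid, name, path, user, cmdline, conns."""
    by_pid = {p["pid"]: p for p in procs}
    count = Counter(p["name"].lower() for p in procs)
    children = Counter(p["ppid"] for p in procs)
    findings = []
    for p in procs:
        name, user, path = p["name"].lower(), p["user"].lower(), p["path"].lower()
        parent = by_pid.get(p["ppid"])
        pname = parent["name"].lower() if parent else None
        flag = lambda why: findings.append((p["pid"], name, why))
        if name == "system":
            if p["pid"] != 4: flag("PID is not 4")
            if parent: flag("has a parent process")
            if count["system"] > 1: flag("several copies of System")
        elif name in CORE or name == "svchost.exe":
            if not path.startswith(SYS32 + "\\"): flag("not started from %systemroot%\\system32")
            if user not in (SERVICE_USERS if name == "svchost.exe" else {SYSTEM}): flag(f"running as {p['user']}")
            exp = EXPECTED_PARENT.get(name)
            if exp and pname != exp: flag(f"parent is {pname!r}, expected {exp}")
            if name in SESSION_CHILDREN and parent and pname != "smss.exe": flag(f"visible parent {pname!r}")
            if name in ("lsass.exe", "lsm.exe") and children[p["pid"]]: flag("has a child process")
            if name == "lsass.exe" and count["lsass.exe"] > 1: flag("more than one lsass.exe")
            if name == "svchost.exe" and not re.search(r"\s-k\s+\S+", p["cmdline"], re.I): flag("no -k [group] switch")
        elif name == "explorer.exe":
            if p["conns"]: flag(f"{p['conns']} TCP/IP connection(s)")
            if path != r"c:\windows\explorer.exe": flag("not started from the Windows directory")
        elif re.fullmatch(r"l[as]{2,4}\.exe", name):  # lasss, lssaa, lsas and similar lookalikes
            flag("name mimics lsass.exe")
    return findings

def rec(pid, ppid, name, path=None, user=SYSTEM, cmdline="", conns=0):  # builds one constructed snapshot record
    return dict(pid=pid, ppid=ppid, name=name, path=SYS32 + "\\" + name if path is None else path, user=user, cmdline=cmdline, conns=conns)

# Constructed snapshot (not real data): a clean chain (ppid 392 = an exited session smss.exe) plus three planted anomalies
SAMPLE = [rec(4, 0, "System", path=""), rec(300, 4, "smss.exe"), rec(400, 392, "csrss.exe"), rec(420, 392, "wininit.exe"),
          rec(500, 420, "services.exe"), rec(520, 420, "lsass.exe"),
          rec(700, 500, "svchost.exe", user=r"NT AUTHORITY\LOCAL SERVICE", cmdline="svchost.exe -k netsvcs"),
          rec(3100, 3050, "explorer.exe", path=r"C:\Windows\explorer.exe", user=r"CORP\alice", conns=2),
          rec(4242, 3100, "svchost.exe", path=r"C:\Users\alice\AppData\Local\Temp\svchost.exe", user=r"CORP\alice", cmdline="svchost.exe"),
          rec(5000, 3100, "lsas.exe", path=r"C:\Users\alice\AppData\Local\Temp\lsas.exe", user=r"CORP\alice")]
```

Calling boot_chain_anomalies(SAMPLE) flags only the explorer.exe with network connections, the svchost.exe started from a user temp directory without -k, and the lsas.exe lookalike; the clean chain produces no findings.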
24. Threat Hunting. SysInternals
1.
● obtain the Boot Chain
[ using tools such as SysInternals or Digital Forensics RAM dump analysis techniques ]
● check the Boot Chain for anomalies in process behavior
● get suspicious processes
2.
● gather more detailed information about suspicious processes
○ start directory
○ command line
○ parent process
○ user name it was started from
○ network activities
○ procexp/procexp64
○ listdlls/listdlls64
○ pipelist/pipelist64
○ strings/strings64
○ netstat -anb / TCPView
25. Threat Hunting. SysInternals
3.
● check the gathered suspicious markers for malicious activity
[ you can use public sandboxes that provide detailed dynamic analysis, for example: reverse.it ]
● obtain Indicators of Compromise and malware behavioral details