
BSidesSF 2026 - Anatomy and Defense of LOTL Fileless Intrusions (Amol Sarwate)

BSidesSF · 44:27 · 16 views · Published 2026-05
About this talk
Anatomy and Defense of LOTL Fileless Intrusions
Amol Sarwate

Living-off-the-land and fileless malware evade detection by abusing trusted tools and memory-resident execution. This talk dissects real-world campaigns, attacker techniques, and practical defenses covering hardening, detection, and incident response to reduce risk.
https://bsidessf2026.sched.com/event/3cbf4424c986527a0946de49d524a9b9

Transcript [en]

Today I have the privilege of introducing Amol Sarwate, who is the head of Cohesity Red Labs. He's also their director of security research. He's going to be talking today about the anatomy and defense against living-off-the-land fileless intrusions. Please welcome Amol.

>> Thank you. All good. All right. So yeah, in the next 45 minutes or so, what we'll do is talk about living-off-the-land fileless intrusions. My name is Amol, as you know, and we at Red Labs, what we do day in and day out is we detonate real malware to study its techniques, tactics and various other nuances. So let's get started.

In the next, as I said, 45 minutes or so, what we'll do is we'll go through some exploitation methods. We'll look at some real-world examples, and actually I have made a short list of four real-world malware samples, and we'll go in detail on their techniques, tactics and how they work. The reason for that is, based on these four different samples, which target four different industry verticals, we'll try to find commonalities. We'll try to see if we can build an anatomy of a fileless living-off-the-land malware. Now, most of my talk uses the acronym LOTL, living off the land, but it's also called LOLBin. So basically both of them are the same. And at the end, we'll go over some strategies on how to essentially not get infected, or what people in IT can do to safeguard their organizations.

So let's get started. I'm not going to go over the entire 30 years of malware memory lane, or the history of how it has been evolving, but some of the recent things that we have seen are ransomware as a service, where writing ransomware had been made really trivial in the last 10 to 15 years by exploit kits, but with this, in the last 5 years or so, deploying the infrastructure needed to do a ransomware attack has also been sort of commercialized with ransomware as a service. So that is what we had seen in the last 5 years or so, and a little bit before that we also saw a lot of supply-chain type of attacks, and that brings us to what we have today, in the red, which is the fileless and living-off-the-land attacks. These attacks have also got some help from very realistic AI-looking deception strategies, and we can look at those as well.

So let's get started and do some quick definitions so that we are on the same page on what is fileless and what is living off the land. The reason that is in the red sector is because 84% of incidents in 2025, according to Bitdefender, when they studied hundreds of thousands of events and hundreds of thousands of breaches, they found 84% of incidents had living-off-the-land binaries associated with them. So what exactly is fileless and what exactly is living off the land? I think the definitions are pretty simple. Fileless is anything that operates entirely in RAM. It leaves no executable artifacts behind. And living off the land is essentially something that abuses trusted system tools. It tries to blend into normal user or admin activity. And both of these are not really that new, the pure techniques. For example, living off the land: this term itself was coined maybe eight years ago at a similar conference like this, at DerbyCon in Kentucky. And there were some comparisons made on how humans used to live off the land by just farming or trying to do fishing across rivers, essentially trying to live off the resources they had and not carry a lot of things with them. That analogy done at DerbyCon 8 to 10 years ago sort of stuck, and now I think everyone is aware of what living-off-the-land binaries are. So anyway, with 84% of incidents in 2025, this is something that definitely cannot be ignored.

So let's look at what is the initial attack vector for fileless malware. Again, a study from Microsoft for last year revealed that 47% of initial access was by ClickFix type of vulnerabilities, or ClickFix type of attacks I mean, and what happened last year was that this ClickFix type of attack got really, really targeted. So what is ClickFix? I think a lot of you already know this. ClickFix is something where a victim browses or for some reason clicks on a malicious link, or clicks on a social post, or even just looks at or opens an advertisement, and they get a pop-up saying that, hey, something is wrong, you need to fix it, follow these instructions. The human follows those instructions and installs malware on his or her machine. Now again, as you can see, there is nothing novel in it. These types of attacks have been happening for a long time now, but again, attackers don't really care if it's a novel idea or if it is exploiting something really fancy in technology. They just care about whatever works. And as pointed to by that link, it's pretty small, but when you get the presentation you can look up the research done at Microsoft: 47% of initial access was by ClickFix last year. That trumps even phishing, which was on top for the last 10 years or so.

So these are some of the examples of your ClickFix attacks. On the top left you see a Chrome-looking screen, a box. What essentially it says is that, hey, you go to a website, it says your Chrome is outdated, do this, this and this to fix it. The second example is from Facebook. You see in the background the real Facebook, which is actually not real but it looks very real. And then on the front there are instructions saying that, hey, you need to update. And these screenshots are, again, from... this got so popular last year that HHS.gov had a brilliant white paper on how the ClickFix vulnerabilities work, and I actually really advise you to go and look at that white paper. It's very interesting. Some other examples are reCAPTCHA as well as the PDF viewers. But I think by far one of my favorite examples is here. So a lot of people are using Office 365, which is essentially editing, sharing and collaborating with Word and Excel documents in your browser. And what happens here is the victim opens a Word document, or what they think is a link to a Word document. You see the Word document open in the background, which is actually fake, and you just get a pop-up saying that, hey, you need to follow these instructions to fix something. The user follows these instructions and gets affected.

So ClickFix was, as we saw, the number one attack vector last year, above phishing. I wouldn't go into phishing because I think that's pretty common. But the third one, again in one of those research studies, was malvertisements. And unlike ClickFix, which relies on social engineering, which relies on the user to perform some action, a drive-by download or malvertisement requires essentially no user interaction. The scenario is like this. You go to a website, or attackers essentially register to put their ads on legitimate websites. When you click on an ad, or when a victim accidentally clicks on an ad (on my phone, when I look at some web pages, the ads are so strategically kept that it's very difficult not to accidentally hit an ad), so when you hit an ad, it has a JavaScript which fingerprints your browser and looks at vulnerabilities in your browser. Now the browser vendors have been pretty good these days in auto-patching vulnerabilities in the browser. But the plugins that are installed in the browser, those are, I think, the culprit here, because these plugins users could download from any website. They may be from either reputed companies or some developer who wrote the plug-in 10 years ago and has never applied a patch or done any other work on it. So what happens is essentially they fingerprint the browser, fingerprint the plug-in and deploy a shellcode that would work on your browser or your plug-in.

So these were the top two initial vectors, the ClickFix type of vulnerabilities and malvertisements. As I said before, let's look at four different examples of real-world malware and see how they did the fileless living-off-the-land attacks, and then try to find commonalities between them. So these are the four ones that we'll look at today: Astaroth, Storm 249, Cookbox and HeadCrab. Each is unique in its own sense and also affects a different type of user. So let's get started: four examples, and then we'll find commonalities.

So Astaroth. Astaroth is a highly ranked general in the underworld in demonology, and his powers are that he is not very strong in physical strength, but I think he's very strong intellectually and he can make things disappear. And I love how they sort of name their malware and what the malware does, because the malware does something very similar, as in it is very intelligent, as we will go through in just a second, and it can make things disappear. So Astaroth uses only legitimate Windows tools. What happens is a victim gets a .lnk file, and when you click the .lnk file (.lnk is the Windows link file), it points to cmd.exe, which runs WMIC, which is the Windows WMI command line, a valid utility, a utility that is present on all Windows computers, and that essentially then runs a JavaScript. It calls bitsadmin, which is another legitimate Windows utility. Bitsadmin is used, not in the malware context but generally speaking, to do background batch downloads. And then what it does is it gets a Base64-encoded payload which is put in the NTFS alternate data streams. Now what is this? So NTFS alternate data streams are essentially: you can put any data in a file without changing the file size, or without... that data is essentially invisible to Explorer. So just like Astaroth. This sort of a feature was introduced back in the day to have compatibility with some Mac-based systems, but it's still there. So what the malware does is it uses valid utilities. It uses WMIC, downloads a Base64-encoded payload, puts it in desktop.ini as an NTFS ADS. By the way, it could use any other file, but this particular instance used desktop.ini. And then it uses certutil, which is a legitimate utility to manage certificates, but it also has some command-line parameters which can decode Base64. So it uses certutil.exe to decode its malicious code and then does something which is called process hollowing. Now, process hollowing is a technique where you essentially hollow out, or you essentially remove the contents of a legitimate process and put your contents in that process. And it also uses regsvr32, which is again a legitimate utility, to load the decoded DLLs. So it first loads the decoded DLLs using regsvr32 and then hollows a process. regsvr32, for those who have worked, like, maybe 20 years ago in writing COM and DCOM components on Windows, know this very well: it's a Windows utility that is used to register your DLL once you write your own DLL. So it's again a very legitimate utility, but it also loads the DLL that you pass it as a command-line argument. So anyway, that was Astaroth, very intelligently doing things with the NTFS ADS as well as process hollowing as well as making itself invisible. So that's our first example.

Let's go to the second one. This is Storm 249. This uses ClickFix as the social engineering, as its initial vector, and uses DLL side-loading, which we'll sort of briefly touch on very quickly. So it tricks the user with bad or malicious domain names. Just before this there was, I think, a DNS presentation, and DNS domains are still pretty difficult for a normal user. Maybe not you as a system administrator, or maybe not you as someone in the security community, but for people who are not working in security day in and day out, it's really difficult for them to quickly identify a malicious domain. So Storm 249 makes use of legitimate-looking malicious domains. It uses curl (I think everyone knows curl) to download its PowerShell code into memory, and then, although it is fileless, it does download a legitimate executable. Now why does it do that, and what is this legitimate executable? So it downloads a legitimate executable of any program. In this case it's from a vendor, so I wouldn't like to go there. But this legitimate executable has a DLL side-loading issue. The reason it downloads a legitimate executable is because all AVs, all EDRs, everyone, they say that, hey, this is an agent that I know about, that is signed. It's trusted. So they completely let it pass. And what happens is that this particular executable, it's an older executable, is vulnerable to a DLL side-loading issue. Now everybody knows that in Windows, when an executable loads a helper DLL, Windows goes through a sequence, like a little algorithm, of where to find this DLL. So it will first look in its current directory. If not, it goes to the registry, it looks at this path, that path, and then there is a valid algorithm in Windows, when an executable loads a DLL, to see where this DLL exists. But some older legitimate binaries, like here, do not specify the exact path; they just load it without the path. And what Storm 249 does is it puts its malicious DLL in the current directory so that the legitimate process loads the malicious DLL. Everyone with me still? It is a little confusing, and the reason it does that is because the executable is trusted. It is signed. All AVs, EDRs, they trust this because it's a legitimate agent. It does not stop that particular agent from running and doing its thing. So that is Storm 249, using what is called DLL side-loading and ClickFix, which we just saw.

All right. So we are down to two. We have two more to go. Cookbox. Cookbox avoids the file system entirely by hiding its logic in the Windows registry. So what it does is it saves its code into multiple Windows registry key and value pairs and also writes itself in the Run key. So when it executes, what it does is it reads all the Base64-encoded code from various different Windows registry locations. It uses Get-ItemProperty and a couple of other legitimate Windows executables to decode the Base64, to append all of this code together, and finally uses the PowerShell Invoke-Expression, which treats a string as code, to execute it. Again, a pretty sort of crafty way of doing things. By storing it in different registry locations, it avoids detection. You don't have big blobs in one registry key. And yeah, it hides entirely in the Windows registry.

All right, so we are down to three. We have our last malware, which is HeadCrab. Now the first three malware target users. This malware targets servers. So it targets Redis database servers, and Redis is an in-memory database. And the way it targets it, it just does internet scanning to see where these Redis servers are exposed to the internet. As of the last three or four years, there were more than a thousand Redis servers that were exposed to the internet and had default credentials. So essentially, you just enumerate a certain port and a certain protocol for the machines on the internet. You get their IPs, you check that, hey, does it have a default username and password? So after doing that, what it does is it runs the SLAVEOF command. So what Redis does with SLAVEOF is essentially, if you log in using the administrative credentials, you can ask the server to be exactly as you are. So when you run that SLAVEOF command, it will copy all the shared objects that you have into its own memory. So it does that. It also copies, I think, seven or eight different Redis extensions into the victim server, so that if a system administrator tries to log in or tries to see what's happening, they cannot do that. And then it essentially just does crypto mining on these internet-accessible servers. So that was our fourth example.

So thank you. Thank you for staying awake between these four examples. Now let's see if we can extract some commonalities between this malware and sort of try to find out what's the anatomy of a fileless, living-off-the-land-binary malware. So first is, of course, fileless initial access. So what we saw was the fileless initial access is either by the LNK shortcuts, it is either by PowerShell execution, or it's by web-based exploits. So these slides will be available, so you can read through each of them offline as well. So the first thing for a fileless, living-off-the-land malware is the initial access, which is by this. Second is in-memory execution. So how does it execute without having a footprint on the machine? We saw things like DLL side-loading. There is another technique which is mentioned there, which is reflective DLL injection. We saw DLL hollowing, and all these techniques... it used to be sort of difficult, but now with the internet and with AI and with everything, it is pretty easy to write code like this, actually. In fact, in the left box here, these are exactly the Windows calls that you use to stop a current process, to inject code, to copy your code into that process, and then restart the process with your code. So it's pretty much common knowledge now.

So you have your initial access, you have in-memory execution, and then basically what the malware does is it does not bring down any binaries of its own, because they can be hashed. Any AV or EDR system can easily catch binaries that are being downloaded. So it uses the binaries that are already there, the living-off-the-land binaries, which are legitimate binaries signed by either Microsoft or any legitimate vendor. These are the top binaries that are sort of my favorite, but I think you can make your own judgment. So PowerShell.exe: legitimate use is for automation and for configuration management, but it's also used for executing malicious scripts. certutil.exe: legitimate use is to manage digital certificates, but with certain command-line parameters it can be used to decode Base64-encoded payloads and things like that. bitsadmin: the legitimate use is, it's the background file transfer job service, but it can also be used to download malicious code. And then there are many other services here; possibly I'll not go through all of them. regsvr32, again: the legitimate use of that service is to register your COM and DCOM components, your DLL components, in the system, but of course it can also be used to load malicious DLLs on your system. We have WMIC, which is the WMI command line, that can also be used for doing bad things. And last but not least is the good old 40-year-old curl utility, which can be used to download code.

So the anatomy looks like fileless access, in-memory execution, use of living-off-the-land binaries, and the last thing is persistence. So how does fileless malware persist after, you know, a reboot or something like that? So a pretty common technique these days is using the one in the box on the right, which is the WMI repository. So what one can do is they can use WMI. Everyone knows what WMI is, right? It's the Windows management interface. And in WMI you can create hooks saying that if this event occurs, execute this function, and that event could be a reboot or that event could be a restart. So effectively, instead of writing anything on the disk, malware uses the WMI repository to register events saying that if there is a reboot or a restart or something like that, I want to persist. And the way it does that is it creates its own WMI code, creates a handler, registers it to WMI and says that at every restart, do this. Of course, on the left side, the leftmost box is the age-old technique of putting your malware in the Run registry key so that it runs every time your machine reboots. So really interesting new and old ways, a combination of new and old ways, for doing all of this: for doing persistence, for doing in-memory execution, as well as initial access. So this was more or less the anatomy of how it works.

Let's talk about defense. So what can we do? And before going into the technical mumbo jumbo of things, I think what I want to say is the biggest defense is to build human resilience, and that has been there for the last so many years and will be here, I think, for many more years to come as well. What that means is to really educate your users on knowing what the lure looks like: "fix it" type of things, or a lure or a bait to download certain things or execute certain things. So training users to identify this goes a long way. Training users to identify malicious domain names also goes a long way. Some domain names are something where you can easily replace an O with a zero and it looks very similar at first look, or you put a dash in between and say microsoft-support-something.com, and yeah, it has the word Microsoft in it, it has the word support in it, and it looks pretty legitimate. So training users on how to identify malicious domains; training users never to run any commands that any website asks them to run. What has been shown is that 82% of attacks have their initial vector as something related to a human interaction, and 70% of those attacks could have been avoided by proper training. Now these are pretty impressive numbers. Last but not least is browser and system hygiene. So as I said, the browser vendors are doing a pretty good job of auto-updating the browsers. Hopefully you are also doing the same thing in your organization, as in auto-updating the browser, but also updating the plugins that users download, and these plugins have unrestricted access to what data goes into the browser. So really making sure that in your organization you scan for the browser plugins and check for vulnerabilities, and have users trained to report things as soon as they think something is malicious. So I think I spent a lot of time on building human resilience because, although it may not sound very sexy, it is pretty important.

Let's go to some technical things that we can do. Windows ASR. So, Windows ASR rules are not enabled by default. And these are four of my favorite rules, or not really favorite, but four of the rules that could have blocked Astaroth or Storm 249 that we saw before. So, essentially, blocking persistence through WMI. There are very few legitimate programs that would want to register a WMI handler every time a machine boots, or at least you know of all the programs or applications deployed in your environment. So if you get an event saying that some program is trying to copy itself or save itself in the WMI event subscription, then you need to really be alerted of that. Block execution of obfuscated code: this could have stopped Cookbox and other malware. So take a look at Windows ASR rules. There are like a dozen or two dozen ASR rules, and as always, don't run them in blocking mode initially. That's a sure-shot way to lose your job. First run them in a mode where you can just see what are the rules being triggered, alerts being triggered, and based on your environment, then slowly start blocking on things. Memory protection: I think DEP, data execution prevention, I think that's on by default in most Windows subsystems, but make sure that is on. Make sure that when malware does things like process hollowing, when they copy their code in the data part, Windows itself makes the data part not executable so the code cannot execute. Or ASLR, address space layout randomization, which makes it very difficult for malware to guess memory addresses. PowerShell lockdown: in most of these malware, living-off-the-land malware as well as fileless malware, PowerShell plays a huge part, and one does not need to completely stop using PowerShell or not let your users use PowerShell. But PowerShell can be used in a constrained language mode. And when you enable these constraints, what happens is that PowerShell is used with only a small subset of functionality, the most commonly used, allowed. So in PowerShell, creation of COM objects is generally blocked, various different command lines are blocked, and script execution and things like that are blocked. So using the PowerShell lockdown mode allows the user or any other legitimate programs that are in your org to run, but it does not allow functionality that is abused by malware most of the time to be used.

So the whole premise here is malware is using binaries that are already there and are already trusted. So what if we just reduce the footprint? We just remove the binaries that are not needed, or restrict them, or audit them. So at the end of this slide there is... well, let's just go there. So focus on commonly attacked binaries: certutil, bitsadmin, things like that. A lot of times it's not possible to completely block them, but you can at least block them from connecting to the internet and reaching the C2 servers. So a lot of these binaries could be okay if they are just talking inside of your org, but having them reach outside to malicious IPs and malicious domains, that is something that can easily be blocked. Auditing: I think there are a lot of audit events that can be used to see what PowerShell commands are running, even if they are running in obfuscated mode. Certain audit logs will log the commands after deobfuscating. So that is something that can be done. And this is a project that I was talking about. It's the open-source project on GitHub. It has a list of all the living-off-the-land binaries that have been seen, and it has various different detection rules, Sigma rules, YARA rules, to detect those. So make use of this project, contribute to this project if you can, but definitely make use of this open-source GitHub project to study the living-off-the-land binaries. Advanced logging is definitely needed. As I said, you could log PowerShell commands even if they are Base64-encoded. You could see them in clear text by logging the correct logs. You can log WMI activity, like we mentioned, looking for persistence mechanisms, as well as Task Scheduler logging. Last but not least, this is the behavioral monitoring side. This is essentially what your EDR does. I won't go through this entire slide, but a good EDR is also an effective mechanism. It does process behavior analysis, script execution monitoring, memory analysis, a lot of things. So I think this slide is something that you can go home and take a look at and see if your EDR, or what you use in your organization, has check boxes at least for most of them.

So to conclude, I think the key takeaways here are: fileless and living-off-the-land attacks are now the dominant threats. You saw 47% living-off-the-land attacks, or 87% for fileless intrusions. Really, really huge. Initial access increasingly is becoming exploiting human trust. Legitimate tools are the new threats. So the tools that you have on your machine, those are the new threats. But what we can do is, or what we did was, we looked at different malware, looked at the similarities, looked at their fileless initial access, in-memory execution, and sort of built a picture of what the anatomy of a fileless malware looks like. And then we also looked at some behavioral-based detection as well as defenses. So this is a lot of content, but I would really like to connect with you now or after this presentation to sort of brainstorm and see what you think. So thank you, and I would like to open up for questions. Thank you very much.

>> As a reminder, if you'd like to ask questions, please do so via Slido. That is at bsidessf.org/qna. We have a couple of questions already, so I'll go ahead and ask the first one. How would you write a Suricata rule for something like Tactical RMM, which is free and open-source software and can be self-hosted by an attacker? It uses HTTPS and port 443 for command and control.

>> Mhm. That's a really great question. So this is essentially software that uses TLS, 443, and, sorry, what was the other thing?

>> The fact that it's free and open-source software, it can be hosted by the attacker.

>> It could be hosted by the attacker. So if this is something that is on an attacker machine, I think your best bet is, if you have feeds from various vendors (VirusTotal or ReversingLabs or things like that give you these feeds), there is a continuous stream of bad IP addresses where the attacker would host it, or bad domains where the attacker could host it. You could sort of monitor those feeds, and these feeds change almost every minute or so. So it really depends on how quickly one can update those feeds. And I'm sure there can be, if we brainstorm, many solutions, but one of the solutions could be, if something is hosted by the attacker, use these feeds to find the malicious IPs and host names where it is hosted and then write a detection based on that.

>> Okay. Thank you.

>> And again, I'm sure there would be much more elegant solutions if, you know, we sat down and chatted; we can come up with something better as well.

>> All right, I have another question. Many of these tactics abuse features of these living-off-the-land binaries that might be removed. Have any of these attacks been defeated by just destroying that pathway altogether?

>> Not that I know of. What happens is when a program is done and released... well, actually, Sysinternals tools, I think they used to ship with Windows a few years ago, and I think now you have to download them, so they're not being shipped by default. So that is, I think, a step in the right direction. The arguments to some of the existing tools: generally, vendors are a little... and there are good reasons for them being reluctant to remove a lot of these arguments, because these arguments could be used by a legitimate program as well. So for example, regsvr32. Its legitimate use is to register a binary, a DLL, a COM or DCOM or some DLL, by loading it and reading where it is located on the disk and registering it in the OS so that next time a program calls that DLL, the OS knows exactly where that DLL is. So it is a little... I would say it is very difficult, because one could break functionality if you remove some of these arguments to the legitimate tools.

>> Okay. Thank you. Slido is empty. Do I have any questions from the audience here? Yes, sir.

>> I love the presentation. Where will the slides be?

>> Where will the slides be? I'm given a question. I don't know. BSides has a portal where they put the slides. It's a standard portal. So I would say just look for it, and all the presentations, I think, are there.

>> I will say I do not know what the delay will be between the end of the conference and actually putting the slides online. Anybody else? Question down here. Yes.

>> The question was, once you find one of these intrusions, how do you get rid of it from the computer?

>> That's a good question. It's always very difficult, once you find an intrusion, to 100% make sure that nothing else is infected, that it's not gone into the Windows registry, or it's not hooked up into WMI so that when you reboot it, it won't come back, and things like that. So my sort of preference is... usually most organizations have backups that they do on a periodic basis. So generally what I would do is I would try to go back to the backups and see when a particular intrusion happened and just restore it from, you know, one backup before that backup. You can always, of course, if you don't have backups, run antivirus and cleaning tools and things like that, but my preferred way, and I'm sure if you talk with other people everyone would have other, better ways also, but my preferred way is to try to find when the intrusion happened, go one backup behind that, and just restore it from the clean backup. That's just my preference.

>> All right, we have time for one more question. Yes, back there.

>> The question was, we've mentioned that some of these attacks try and install crypto miners. What else might they be trying to accomplish?

>> So the crypto miner was the last one, which did the Redis attacks. The first three, I think, and I think it is in the slides, I think one of the malware tried to install ransomware. The other malware was essentially, it used to steal files and put them on the internet and try to collect a ransom that way. So I'm sorry, I'm drawing a blank here, but if you go back to the slides, there is material on what the malware essentially accomplished after a successful attack.

>> All right, thank you very much, Amol. Please give him a round of applause. Thank you.
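Editor's added example, not part of the talk or the speaker's material: a read-only PowerShell triage script for the three persistence and staging locations the talk's anatomy names, the WMI repository (permanent event subscriptions), the Run/RunOnce registry keys, and NTFS alternate data streams. The "suspicious" regex, the function names and the choice of the user profile as the ADS scan root are the editor's assumptions, not indicators from the talk; the only binding a stock Windows host is expected to carry is the `SCM Event Log Filter` / `SCM Event Log Consumer` pair.

```powershell
# Added example, not from the talk. Read-only triage of the fileless persistence
# locations the talk describes. Run from an elevated Windows PowerShell 5.1 prompt.

function Get-WmiEventSubscription {
    # Permanent WMI subscriptions live in root\subscription: an __EventFilter (a WQL
    # trigger, e.g. a boot or logon event) is bound to an __EventConsumer (the action).
    # Only CommandLineEventConsumer and ActiveScriptEventConsumer execute code; the
    # stock 'SCM Event Log' pair (NTEventLogEventConsumer) is expected on every host.
    $ns        = 'root\subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

    foreach ($b in $bindings) {
        # Filter and Consumer are object references carrying only key properties;
        # look the full instances up by Name to get the query and the action.
        $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }   | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name } | Select-Object -First 1
        [pscustomobject]@{
            Filter        = $f.Name
            Query         = $f.Query
            ConsumerClass = $c.CimClass.CimClassName
            Consumer      = $c.Name
            # Command line or script that runs when the filter fires (null for logging consumers).
            Action        = $(if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText })
        }
    }
}

function Get-RunKeyEntry {
    # The Run/RunOnce keys are the age-old persistence the talk mentions; Cookbox also
    # keeps its code in the registry and launches it through Invoke-Expression.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    # Assumed heuristic (editor's): encoded or Invoke-Expression PowerShell, or one of
    # the LOLBins from the talk used as a launcher.
    $pattern = '(-e(nc|ncodedcommand)?\s|\biex\b|invoke-expression|frombase64string|' +
               'mshta|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin|wmic|\bcurl\b)'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $item = Get-Item -Path $k
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            [pscustomobject]@{
                Key        = $k
                Name       = $name
                Command    = $cmd
                Suspicious = [bool]($cmd -match $pattern)   # -match is case-insensitive
            }
        }
    }
}

function Get-NonDefaultAds {
    param([string]$Root = $env:USERPROFILE)   # assumed scan root; widen for a full-disk sweep
    # Every file has the unnamed ':$DATA' stream, and browsers add Zone.Identifier
    # (mark-of-the-web) to downloads. Anything else is unusual: Astaroth staged its
    # Base64 payload as a stream on desktop.ini, which Explorer never shows.
    Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' }
        } |
        Select-Object FileName, Stream, Length
}

'== WMI permanent event subscriptions (expected: SCM Event Log Filter/Consumer only) =='
Get-WmiEventSubscription | Format-List
'== Run / RunOnce entries (Suspicious = matches the assumed LOLBin/encoded pattern) =='
Get-RunKeyEntry | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
'== Non-default NTFS alternate data streams under the user profile =='
Get-NonDefaultAds | Format-Table -AutoSize
```

Anything in the first section whose consumer class is `CommandLineEventConsumer` or `ActiveScriptEventConsumer`, or whose query watches `__InstanceModificationEvent` on `Win32_PerfFormattedData_PerfOS_System` (uptime) or `Win32_LogonSession`, deserves a look, since that is how a fileless implant re-launches itself after the reboot the talk describes. The ADS sweep is slow on large profiles; narrow `-Root` to Downloads and the Desktop for a first pass.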
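Editor's added example, not part of the talk: the hardening the speaker outlines, expressed as a PowerShell script. It puts the two ASR rules named in the talk into audit mode (not block mode, as the speaker advises), enables the PowerShell logging that records de-obfuscated script text and the WMI-Activity log that records new event subscriptions, and reports the resulting state. The rule GUIDs are taken from Microsoft's ASR rules reference; the function names and the action-code table are the editor's. It assumes an elevated prompt on a Windows host running Microsoft Defender Antivirus.

```powershell
# Added example, not from the talk. Audit-mode ASR rollout plus the logging the
# speaker recommends. Run elevated on Windows 10/11 or Server with Defender AV.

# Rule GUIDs from Microsoft's ASR rules reference (editor-supplied; verify in your tenant).
$AsrRules = [ordered]@{
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
}
# Numeric action codes as returned by Get-MpPreference.
$AsrActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'AuditMode'; 6 = 'Warn' }

function Set-AsrAuditMode {
    foreach ($id in $AsrRules.Keys) {
        # AuditMode only logs (Defender Operational log, Event ID 1122); switching the
        # action to Enabled blocks and logs Event ID 1121. Review the audit events first.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
    }
}

function Get-AsrRuleState {
    $pref    = Get-MpPreference
    # Ids and Actions are parallel arrays; normalize case before matching.
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($id in $AsrRules.Keys) {
        $i = [array]::IndexOf($ids, $id)
        [pscustomobject]@{
            Rule   = $AsrRules[$id]
            Id     = $id
            Action = $(if ($i -ge 0) { $AsrActionName[[int]$actions[$i]] } else { 'NotConfigured' })
        }
    }
}

function Enable-PowerShellLogging {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    # Script block logging writes the de-obfuscated script text to
    # Microsoft-Windows-PowerShell/Operational as Event ID 4104, even when the
    # launcher passed it as -EncodedCommand (the "clear text" the talk refers to).
    New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Type DWord -Value 1
    # Module logging (Event ID 4103) for all modules records pipeline execution,
    # including Invoke-Expression and FromBase64String calls.
    New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Type DWord -Value 1
    Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*'
}

function Enable-WmiActivityLogging {
    # New permanent event consumers and bindings are logged as Event ID 5861 in
    # Microsoft-Windows-WMI-Activity/Operational once the channel is enabled.
    wevtutil.exe set-log 'Microsoft-Windows-WMI-Activity/Operational' /e:true
}

function Get-PowerShellLanguageMode {
    # ConstrainedLanguage removes Add-Type, COM/.NET object creation and most of the
    # surface fileless loaders rely on. It is enforced by a WDAC or AppLocker policy;
    # this only reports the mode of the current session.
    $ExecutionContext.SessionState.LanguageMode
}

Set-AsrAuditMode
Enable-PowerShellLogging
Enable-WmiActivityLogging
Get-AsrRuleState | Format-Table -AutoSize
"PowerShell language mode in this session: $(Get-PowerShellLanguageMode)"
```

After a few weeks, query the Defender Operational log for Event ID 1122 grouped by rule and process; legitimate management agents that register WMI subscriptions or run obfuscated-looking scripts show up there and can be excluded before the actions are changed from AuditMode to Enabled.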
