T1027.011 Fileless Storage
Adversaries may store data in “fileless” formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage include the Windows Registry, event logs, or WMI repository.21
Similar to fileless in-memory behaviors such as Reflective Code Loading and Process Injection, fileless data storage may remain undetected by anti-virus and other endpoint security tools that can only access specific file formats from disk storage.
Adversaries may use fileless storage to conceal various types of stored data, including payloads/shellcode (potentially being used as part of Persistence) and collected data not yet exfiltrated from the victim (e.g., Local Data Staging). Adversaries also often encrypt, encode, splice, or otherwise obfuscate this fileless data when stored.
Some forms of fileless storage activity may indirectly create artifacts in the file system, but in central and otherwise difficult to inspect formats such as the WMI (e.g., %SystemRoot%\System32\Wbem\Repository
) or Registry (e.g., %SystemRoot%\System32\Config
) physical files.2
Item | Value |
---|---|
ID | T1027.011 |
Sub-techniques | T1027.001, T1027.002, T1027.003, T1027.004, T1027.005, T1027.006, T1027.007, T1027.008, T1027.009, T1027.010, T1027.011 |
Tactics | TA0005 |
Platforms | Windows |
Version | 1.0 |
Created | 23 March 2023 |
Last Modified | 04 May 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
G0050 | APT32 | APT32‘s backdoor has stored its configuration in a registry key.38 |
S0631 | Chaes | Some versions of Chaes stored its instructions (otherwise in a instructions.ini file) in the Registry.18 |
S0023 | CHOPSTICK | CHOPSTICK may store RC4 encrypted configuration information in the Windows Registry.3 |
S0126 | ComRAT | ComRAT has stored encrypted orchestrator code and payloads in the Registry.87 |
S0673 | DarkWatchman | DarkWatchman can store configuration strings, keylogger, and output of components in the Registry.37 |
S0343 | Exaramel for Windows | Exaramel for Windows stores the backdoor’s configuration in the Registry in XML format.27 |
S0666 | Gelsemium | Gelsemium can store its components in the Registry.9 |
S0531 | Grandoreiro | Grandoreiro can store its configuration in the Registry at HKCU\Software\ under frequently changing names including %USERNAME% and ToolTech-RM .24 |
S0256 | Mosquito | Mosquito stores configuration values under the Registry key HKCU\Software\Microsoft[dllname] .26 |
S0198 | NETWIRE | NETWIRE can store its configuration information in the Registry under HKCU:\Software\Netwire .25 |
C0012 | Operation CuckooBees | During Operation CuckooBees, the threat actors stroed payloads in Windows CLFS (Common Log File System) transactional logs.41 |
S0517 | Pillowmint | Pillowmint has stored a compressed payload in the Registry key HKLM\SOFTWARE\Microsoft\DRM .6 |
S0501 | PipeMon | PipeMon has stored its encrypted payload in the Registry under HKLM\SOFTWARE\Microsoft\Print\Components\ .34 |
S0518 | PolyglotDuke | PolyglotDuke can store encrypted JSON configuration files in the Registry.28 |
S0650 | QakBot | QakBot can store its configuration information in a randomly named subkey under HKCU\Software\Microsoft .3231 |
S0269 | QUADAGENT | QUADAGENT stores a session identifier unique to the compromised system as well as a pre-shared key used for encrypting and decrypting C2 communications within a Registry key (such as HKCU\Office365DCOMCheck ) in the HKCU hive.36 |
S0662 | RCSession | RCSession can store its obfuscated configuration file in the Registry under HKLM\SOFTWARE\Plus or HKCU\SOFTWARE\Plus .3029 |
S0511 | RegDuke | RegDuke can store its encryption key in the Registry.28 |
S0496 | REvil | REvil can save encryption parameters and system information in the Registry.1114131210 |
S0596 | ShadowPad | ShadowPad maintains a configuration block and virtual file system in the Registry.54 |
S0589 | Sibot | Sibot has installed a second-stage script in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot registry key.35 |
S0663 | SysUpdate | SysUpdate can store its encoded configuration file within Software\Classes\scConfig in either HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER .33 |
S0665 | ThreatNeedle | ThreatNeedle can save its configuration data as a RC4-encrypted Registry key under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameCon .23 |
S0668 | TinyTurla | TinyTurla can save its configuration parameters in the Registry.19 |
G0010 | Turla | Turla has used the Registry to store encrypted and encoded payloads.3940 |
S0263 | TYPEFRAME | TYPEFRAME can install and store encrypted configuration data under the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\laxhost.dll and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PrintConfigs .20 |
S0476 | Valak | Valak has the ability to store information regarding the C2 server and downloads in the Registry key HKCU\Software\ApplicationContainer\Appsw64 .171516 |
S0180 | Volgmer | Volgmer stores an encoded configuration file in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security .2122 |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1047 | Audit | Consider periodic review of common fileless storage locations (such as the Registry or WMI repository) to potentially identify abnormal and malicious data. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0024 | Windows Registry | Windows Registry Key Creation |
DS0005 | WMI | WMI Creation |
References
-
Legezo, D. (2022, May 4). A new secret stash for “fileless” malware. Retrieved March 23, 2023. ↩
-
Microsoft. (2023, February 6). Fileless threats. Retrieved March 23, 2023. ↩↩
-
FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. ↩
-
Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022. ↩
-
Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021. ↩
-
Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020. ↩
-
CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020. ↩
-
Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020. ↩
-
Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021. ↩
-
Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020. ↩
-
Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020. ↩
-
Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020. ↩
-
McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020. ↩
-
Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020. ↩
-
Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020. ↩
-
Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020. ↩
-
Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020. ↩
-
Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021. ↩
-
Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021. ↩
-
US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018. ↩
-
US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017. ↩
-
Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018. ↩
-
Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021. ↩
-
ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020. ↩
-
Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021. ↩
-
ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018. ↩
-
Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018. ↩
-
Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020. ↩↩
-
Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021. ↩
-
Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. ↩
-
Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021. ↩
-
Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021. ↩
-
Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020. ↩
-
Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. ↩
-
Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018. ↩
-
Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022. ↩
-
Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019. ↩
-
Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019. ↩
-
Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019. ↩
-
Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022. ↩