July 25, 2024
Fileless malware—malware running from memory or scripts (e.g., PowerShell, WScript, and Python) instead of executables—has become a popular attack vector for threat actors. In our 2024 Annual Threat Report, we discovered that 86.2% of detections associated with critical incidents in ReliaQuest customer environments from 2023 involved fileless malware. We observed the malware loader “SocGholish” particularly frequently in 2023. This loader is executed through a JavaScript payload that is typically delivered through drive-by downloads, where users are tricked into downloading fake updates. Many fileless malware threats also use living-off-the-land (LotL) techniques, which leverage trusted operating system utilities and binaries to run malicious code in the background, leaving little trace of an attack.
Fileless malware presents many problems for security teams, making it an attractive choice for threat actors:
Similarly, many sophisticated threat actors prefer to “live off the land” to reduce the risk of detection. In 2023, roughly a quarter of all critical incidents we observed in customer environments involved the use of LotL techniques. LotL is a popular attack vector for multiple reasons:
The growing prevalence of these attacks presents a significant challenge to organizations. These threats are stealthy and can remain undetected for long periods. Therefore, these techniques have been popular with sophisticated adversaries, such as nation-state–linked threat actors and advanced persistent threat (APT) groups. Typically, the more sophisticated a threat actor is, the more likely they are to attempt to live off the land and use fileless malware. For example, the China-based threat group “Volt Typhoon” reportedly leveraged LotL and hands-on-keyboard techniques to target US critical infrastructure organizations.
LotL binaries (LOLBins) are legitimate, trusted tools that ship with Windows and carry Microsoft's signature. Threat actors often leverage these legitimate tools to perform malicious activities, such as executing malware, while evading detection. In 2023, the most commonly abused LOLBins we observed were rundll32, msiexec, and mshta, all popular Windows utilities. These three LOLBins were involved in 92% of the we reported in 2023.
Figure 1: Percentage of the most-detected LOLBins in 2023 by ReliaQuest
These utilities are designed for legitimate purposes—rundll32 to run Dynamic Link Library (DLL) files, msiexec to execute Windows Installer packages, and mshta to execute Microsoft HTML Applications (HTAs)—making them ideal candidates for attackers to use for malicious script execution. For example, the malware loader Raspberry Robin used legitimate Windows utilities to launch rundll32 to execute malicious commands, which in turn started other Windows utilities such as odbcconf.exe, allowing the threat actor to keep living off the land.
Below is a list of LOLBins we commonly observed in 2023, including their legitimate uses, how they are exploited, and mitigations for each.
In 2023, ReliaQuest addressed an incident where the SocGholish malware, delivered by a drive-by download from a compromised site, successfully executed on a host. The malware, delivered as “update.js,” is classified as fileless because it operates entirely in memory, using commands from a JavaScript file, unlike typical Windows executables that write to disk and can be detected by antivirus software. Upon execution, SocGholish checked whether the host was domain joined; if so, it continued its execution; otherwise, it attempted to download a remote access tool.
This incident highlights SocGholish’s ability to evade standard detection methods. SocGholish is also capable of deploying additional malware, such as ransomware, which makes it a high threat.
Upon execution, the SocGholish file utilized default Windows utilities (LOLBins) to conduct several enumeration commands and then saved the output to a temporary file. This enumeration was then exfiltrated to the threat actor’s command-and-control (C2) server to provide details of the environment, including Active Directory information, account privileges, and security products. Below is a streamlined summary of the steps and commands used by the threat actor in this attack:
1. User and System Identification:
2. Domain and Trust Analysis:
3. Credential and Group Membership Enumeration:
4. Service and Process Mapping:
5. Host, Hardware, and Software Inventory:
6. Security Software Detection:
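As an added example (not code from the original post or from ReliaQuest's detection rules), the kind of behavioral check a SOC can run over process-creation telemetry to surface the chain described above: a script host such as wscript.exe launching one of the three LOLBins the report names, or a script-driven process lineage running several distinct enumeration utilities within a short window. The indicator sets, event format and sample events are assumptions constructed for this example, not the commands used in the incident.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed indicator sets for this example, not the commands from the incident:
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}
LOLBINS = {"rundll32.exe", "msiexec.exe", "mshta.exe"}  # the three the report names
ENUM_TOOLS = {"whoami.exe", "nltest.exe", "net.exe", "systeminfo.exe",
              "tasklist.exe", "sc.exe", "wmic.exe"}

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()   # basename of a Windows image path

def detect(events, window=timedelta(minutes=5), min_tools=3):
    """Process-creation records (host, ts, pid, ppid, image) -> alerts. Each
    descendant of a script host maps back to that root (wscript -> cmd -> whoami)."""
    root_of, fired, alerts = {}, set(), []
    seen = defaultdict(list)                  # root -> [(ts, tool)] in window
    for host, ts, pid, ppid, image in sorted(events, key=lambda e: e[1]):
        name, ts = image_name(image), datetime.fromisoformat(ts)
        root = root_of.get((host, ppid))
        if name in SCRIPT_HOSTS:              # new root, or a nested script host
            root_of[(host, pid)] = root or (host, pid)
            continue
        if root is None:
            continue                          # not script-driven: ignore
        root_of[(host, pid)] = root
        if name in LOLBINS:
            alerts.append(("lolbin_from_script_host", host, root[1], name))
        if name in ENUM_TOOLS:
            recent = [(t, n) for t, n in seen[root] if ts - t <= window] + [(ts, name)]
            seen[root] = recent
            distinct = tuple(sorted({n for _, n in recent}))
            if len(distinct) >= min_tools and root not in fired:
                fired.add(root)               # one alert per script-host lineage
                alerts.append(("enumeration_burst", host, root[1], distinct))
    return alerts

# Constructed sample: wscript runs cmd, which enumerates; wscript also launches
# rundll32. The Explorer-launched msiexec on the last line is benign noise.
SYS = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [
    ("WS01", "2023-06-01T10:00:00", 100, 1,   SYS + "wscript.exe"),
    ("WS01", "2023-06-01T10:00:01", 101, 100, SYS + "cmd.exe"),
    ("WS01", "2023-06-01T10:00:02", 102, 101, SYS + "whoami.exe"),
    ("WS01", "2023-06-01T10:00:03", 103, 101, SYS + "nltest.exe"),
    ("WS01", "2023-06-01T10:00:04", 104, 101, SYS + "net.exe"),
    ("WS01", "2023-06-01T10:00:05", 105, 100, SYS + "rundll32.exe"),
    ("WS01", "2023-06-01T10:00:06", 200, 1,   SYS + "msiexec.exe"),
]
```

Running `detect(SAMPLE_EVENTS)` yields one enumeration-burst alert for the wscript lineage and one LOLBin alert for rundll32, while the Explorer-launched msiexec produces nothing, which is the fidelity point the report makes about tuning rules to legitimate usage.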
Because SocGholish is commonly used for initial access, once successful execution was confirmed ReliaQuest instructed the customer to isolate the host to prevent hands-on-keyboard exploitation. The host was restored from a known-good backup, and the impacted user's credentials were changed.
In addition to the steps above, organizations can take the steps below to protect themselves from similar attacks:
PowerShell
WScript
Visual Basic Script
We predict, with high confidence, that the use of fileless malware and LotL techniques will continue to be highly prevalent throughout 2024. These techniques are particularly popular with sophisticated threat actors—including nation-state–aligned threat groups—who focus on conducting stealthy operations, such as espionage. The difficulty of detecting these attacks means they pose a high threat to organizations. Organizations should prioritize the integration of behavioral analytics into their security infrastructure, which goes beyond signature-based detection and identifies unusual patterns of activity that could indicate fileless or LotL attacks. Implementing strict application allowlisting policies can also serve as a critical defense, ensuring that only approved software can execute.
To identify the use of fileless malware and LotL activity, ReliaQuest offers detection rules to its customers. Implementing these rules allows customers to identify tool abuse and unauthorized software that violates policy. The rules can be calibrated to each organization's environment to attain a higher level of fidelity and reduce false positives. In addition, we provide containment and response plays for each detection rule; once enabled, these automated plays can be executed by customers to mitigate threats. However, not all response plays are suitable for every customer, as their applicability depends on the specific technologies integrated with the platform.
Building on the detection rules cited above, we offer the following general recommendations and best practices to establish a secure foundation against the LotL and fileless malware threats mentioned in this report.