Where Does Malware Go On Your Computer?
By John Hammond
Summary
## Key takeaways

- **Malware Hides in Legit Locations**: Built-in Windows binaries run from fixed install paths (cmd.exe from C:\Windows\System32); copying cmd.exe to the desktop and launching it from there creates exactly the kind of path anomaly defenders hunt for. [00:55], [01:20]
- **Avoid Obvious Malware Spots**: Don't stage a backdoor in the Music, Pictures or Users\Public directories; those are the folders an EDR like Aurora is watching. [02:18], [02:39]
- **Desktop Execution Evades Location Rules**: Running a renamed Mimikatz (kiwi simulator.exe) from the desktop raises no suspicious-location alert; only the IOC rule fires, and only while the filename still matches. [06:00], [06:42]
- **Public Folder Triggers EDR Alert**: Placing Mimikatz in C:\Users\Public fires Aurora's "execution from suspicious folder" rule because of the uncommon location, not because of the filename. [06:50], [07:11]
- **C:\Windows\Tasks is Flagged**: Dropping binaries into C:\Windows\Tasks fires the suspicious-execution-path rule; it is a common CTF habit but poor OPSEC on a real engagement. [08:36], [09:07]
- **AppData/Temp Often Unmonitored**: Malware is most commonly dropped in AppData\Local\Temp or AppData\Roaming, yet these per-user paths are absent from the default Sigma rule for suspicious execution paths that ships with Aurora Lite. [09:49], [11:32]
Topics Covered
- Malware Hides in Legitimate System Paths
- Suspicious Folders Trigger EDR Alerts
- Sigma Rules Miss Common Malware Paths
- User Temp Evades Location Detection
Full Transcript
Where does malware go on a computer? Where does malware get put, like where does it live or sit in the file system? And I know it sounds weird to say that, but if you are a penetration tester or red teamer or an ethical hacker, genuinely, if you're trying to put an implant or a backdoor, malware or beacon on the computer, where do you put it? Where does it go? Here's the thing: I am inside of a Windows 11 virtual machine and I have Windows Defender, the built-in antivirus, disabled and turned off. It's ruined, it's nuked, it is out of the operating system. But I do have an EDR, or an endpoint detection and response program, set up and staged for me to play with, like Aurora, Aurora Lite, and we've showcased that in another video if you're interested.

But if I were to go and open up Process Hacker to go explore and see what programs, software and applications are running on my computer, I can see, oh, explorer.exe, like your Windows desktop, right? If I take a look at the properties here, I can see that that is running out of its file system location and placement, C:\Windows\System32. Now that is the normal, natural place for natural built-in Windows core components, right? Like if I were to simply make a copy and paste, oh, the cmd.exe program to my desktop, I could close out the one that is actively running and we could go open up this one, and of course Process Hacker will tell us, look, that's actually running now out of your desktop or some other file system location and placement on the computer.

Now this is where we could get into some of the anomalies, right, some of the weird stuff. Like explorer.exe should only run out of System32; cmd.exe, your Notepad or Calculator or whatever, any program should probably not run in any location outside of where it's naturally found. But if we as an ethical hacker, red teamer or penetration tester had a completely alien file, malware or implants and backdoor, where should we put it then? Now obviously, in the security game of cat and mouse between blue teamers, cyber defenders, and red teamers, ethical hackers, malware developers and just genuine threat actors and cyber criminals, right, there is a lot of information out there on where does malware go, where could it be put on the file system for its own execution, and then what should defenders actually be monitoring, looking for and hunting for: things running out of a strange location. This does drive the point home, though: you probably don't want to put, oh, a backdoor malware implant in some location where it just doesn't make any sense. It's stupid, like you shouldn't put it in your Music folder or your Pictures directory, right? You could put it in the public users directory, but that's probably going to be monitored. If anything, that EDR solution, Aurora, or antivirus should catch on to stuff being staged out of those folders.

And I thought, hey, we could put this to the test. We could try it out, we could see it in action, put together a little playground with a freely accessible and easily available EDR like Aurora, and I thought it'd be cool to see: will it get detected? Where could we put different legitimate malware samples like Mimikatz and see what it might do? And by the way, everything that I'm scrolling through here, what I'm showcasing, is actually an excerpt from MalDev Academy, super cool thing, and we'll dive into it more. But before we do, please let me tell you about the sponsor of today's video and an awesome event that they have coming up: SOC Analyst Appreciation Day.

Security Operations Center analysts are too often overworked and underappreciated. They're doing the most impactful cyber security work, but they're never in the limelight. So to help celebrate those SOC analyst rockstars, Devo is hosting the fourth annual SOC Analyst Appreciation Day. It's all to pay some long-due kudos to our world's SOC analysts and to encourage organizations to improve their job satisfaction and mental well-being. The online event is completely free and open to anyone and everyone, live on October 16th. It is packed full with career-focused sessions: preventing burnout, secrets to success, day-in-the-life details for analysts and researchers, and so much more. I'll even be speaking on the rapid response efforts during the ConnectWise ScreenConnect exploitation. I'd love to see you there. If you are a Security Operations Center analyst, or you're fascinated by the work and you want to become one, you should absolutely tune in to SOC Analyst Appreciation Day. It's completely free and it's a day dedicated to celebrating you and your great efforts. Sign up for SOC Analyst Appreciation Day on October 16th with my link below in the video description, jh.liveo. Huge thanks to Devo for sponsoring this video.

So there are different detection rules, especially written in Sigma, which Aurora is built and based off of, right, and that might actually trigger and find, hey, some suspicious execution from malware running out of uncommon directories or different locations, and those are some of the examples we could see in PerfLogs or that Users\Public directory, etc., etc. But let's do the demo here. So I'm going to get back into my Windows 11 virtual machine, I'll fire up the command prompt, and I'm actually going to move into the desktop where I have Aurora already staged and ready here for me. I could just simply run my Aurora agent, I'll use 64-bit and I'll add the --dashboard option so we can explore the alerts and actually get notifications when things fire or trigger. Let me spin it up, we'll go ahead and hit yes, and Aurora will start cruising.

Okay, now that Aurora is up and running, I actually want to get back to my desktop and I'll paste in real malware, right? Hey, here's our mimikatz.exe. Now you'll already see some alerts coming through from Aurora. That was just a simple indicator of compromise, right? mimikatz.exe, probably not something you should have on your computer. Now if I double-click on this to run it, again Defender is off so AV won't fire here, but Aurora and our EDR will kick in, sees another indicator of compromise match for that file name. Oh, and here's one, Sigma hacktool Mimikatz execution. Now that's a bit interesting, right? Uh, nothing suspicious running it from my desktop, no alerts that, hey, suspicious program execution location, but it just being Mimikatz is obviously a little bit sus. Hey, indicator of compromise still firing off. Let me see if I can just simply rename this. Can I, uh, show more options and, yeah, let's rename this to kiwi simulator. Clearly not Mimikatz, but the greatest game, AAA title, kiwi simulator. Double-clicking on this, no alerts. The indicator of compromise, because it has a different file name now and just a query pattern matching of the rule, did not fire, and Mimikatz isn't going to go fire as well, but running from my desktop is just fine.

Let me try to copy this. I'll cut it and I'll go move to another directory where I could go put this. Here I'm in the Users directory and I could go navigate to that Users\Public, and let me just paste in our kiwi simulator.exe. Double-clicking on this, Mimikatz is now running, but we get, hey, execution from suspicious folder. Nothing specific to the Mimikatz file name, but at least a location was triggering this. If I actually go open up the Aurora dashboard, hey, localhost:17494, that will bring us to all of the rules and alerts that had fired here. This one's interesting: suspicious contents in the user's public folder, stuff running where it normally shouldn't. But the rule I'm more interested in is how it detects a suspicious execution from an uncommon folder, the one specifically dedicated to execution from a suspicious location, where the malware got put is a little bit sketchy and worth our investigation.

Now if I drill down into this rule we could actually go take a look at how this is put together. It has the rule path and we could go see what is the logic to detect this. That's one of the coolest parts, I think, of, hey, using the Sigma-based EDR. But if I go into the signatures, go into the Sigma rules, public, windows, and we want just a, uh, process creation, right, going to look for that suspicious execution from a non-standard location. All right, here it is, susp_execution_path.yml, so we could open this up in a text editor and let's scroll through this. This is the Sigma rule, the detection logic trying to find whether malware executed from an uncommon and not regular location. This is the same sort of stuff that we got to see in that MalDev Academy writeup, and now we can figure out the logic. It's checking if the image, the executable, the location path contains any of these different locations, like running from the Recycle Bin, little bit sketch, different log locations, of course those different users, and just strange stuff in Windows. Hey, there's my favorite one, C:\Windows\Tasks. Oh man, that's a bummer. I always put stuff in C:\Windows\Tasks, that's where I normally put some sketchy stuff. Putting kiwi simulator in there of course will fire.

Oh, and by the way, MalDev Academy actually touches on this in their conclusion section. They mention simply dropping a binary into any writable directory like the public folder or C:\Windows\Tasks is usually done in CTFs (okay, I'm guilty there) and other unrealistic environments, which unfortunately teach folks bad OPSEC techniques for stealth evasion, you know, doing the right stuff with professional red team, ethical hacking, pentesting malware. So I would get caught dropping into C:\Windows\Tasks, but we could dig into more of the logic, at least in this example for the Sigma rule: where could we hide under the radar? The MalDev Academy module even showcases this little chart with some of the statistics and percentage of how often malware gets dropped into some different locations. AppData and the temporary directory are the most common stuff, right, and it's interesting to me because they discuss that in the commonly abused directories, but digging into the Sigma logic I don't see that noted for, hey, every user's local AppData or AppData Roaming or their own temporary location.

Like if I were to go ahead and go put our cheesy kiwi simulator, I'll copy that location and then go to my own temporary directory. Note that that's in my user location, C:\Users\John H\AppData\Local\Temp. Go ahead and paste our kiwi simulator right into AppData Roaming, and it's getting the indicator of compromise on this one now, but, um, it doesn't whine about execution from that folder. Now at the very least we can make changes to this rule, like we can manipulate this YARA and Sigma detection if we wanted to just add in another spot to look for, like our Users but using a wildcard perhaps to get into AppData Roaming or AppData Temp. Let me go use the path from Temp, that's AppData\Local\. Here I can have that as a location, but I don't see this working, and I don't know, this could be me, I could be naive and ignorant, but I'm curious, for some of the smarter Sigma folks, uh, is this wildcard going to work as it should inside of an Image contains? I genuinely don't know and I'm willing to look like an idiot here.

Because if I were to stop and start Aurora, let me get back to the command line and I'll close out Aurora running and then I'll just start it one more time here, restart, so it will reload all those rules. We could have just entered like reload in the command line, but hey, I'm trusting this thing anyway. Now Aurora is back in action, up and running. Would I be able to go try to fire out of the temporary directory my kiwi simulator.exe? Let me close out some of these, uh, other windows and notifications so it's not, uh, more annoying and a little bit overwhelming, as it already is. So I think we're clear. So the question is: will this rule, trying to look for the temp environment variable locations or anything specific to the current user, will that track the execution from a suspicious or uncommon location with my Mimikatz kiwi simulator.exe? It still doesn't fire, and that again, maybe I'm getting that syntax wrong or I don't know Sigma well enough, I'm okay to be the idiot here, but I did think that was peculiar in that those two commonly abused locations were not included in the Sigma rule. Now of course all those other locations are good things to track, good things to know of, and should definitely be something that your EDR or your antivirus would flag on, but I was a little bit surprised and just caught off guard when, hey, the rule set that came with Aurora Lite and the EDR did not have a lot of the detection for suspicious execution out of, like, the AppData variable or the temporary directory for a specific user. That was just peculiar to me. If anything, good education and things to know as to where malware might get put and where malware goes on a computer file system.
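The rule examined in the video decides on the process Image path alone: it fires when the path contains one of a fixed list of folder fragments, and the open question at the end is whether a wildcard value for the per-user AppData paths would work. The Python below is an added example, not code from the video, from MalDev Academy, or from Aurora/Nextron. It implements Sigma's documented string-matching semantics (case-insensitive comparison, `*` and `?` wildcards, `contains` as an unanchored substring test) and runs constructed process-creation events for the locations tried in the video through an approximation of the rule's fragment list. The fragment list, the `JohnH` user name and the `kiwi simulator.exe` paths are assumptions made for the example; whether Aurora's own engine evaluates wildcards the same way is not something this code can settle.

```python
"""Sigma-style Image|contains matching over constructed process-creation events.

Added example (not from the video, MalDev Academy, or Aurora). It models the
Sigma string-matching semantics a susp_execution_path style rule relies on and
shows which of the locations tried in the video a default fragment list flags,
and which per-user AppData paths it misses.
"""
import re
from typing import Dict, List


def sigma_value_to_regex(value: str, modifier: str = "contains") -> "re.Pattern[str]":
    """Compile one Sigma string value into a case-insensitive regex.

    Sigma semantics modelled here: matching is case-insensitive, '*' matches any
    run of characters (path separators included), '?' matches exactly one
    character, and the 'contains' modifier is an unanchored substring test
    (equivalent to wrapping the value in '*...*'). Sigma's backslash-escape
    rules are deliberately not modelled: every backslash is literal, which is
    what a Windows path fragment needs.
    """
    parts = []
    for ch in value:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    body = "".join(parts)
    if modifier == "contains":
        pattern = body                  # re.search() keeps this unanchored
    elif modifier == "startswith":
        pattern = "^" + body
    elif modifier == "endswith":
        pattern = body + "$"
    else:                               # no modifier: exact, whole-value match
        pattern = "^" + body + "$"
    return re.compile(pattern, re.IGNORECASE)


# Approximation of the folder fragments the rule in the video was seen to check
# (Recycle Bin, PerfLogs, Users\Public, Windows\Tasks). The real rule is longer;
# this subset is an assumption made for the example.
DEFAULT_FRAGMENTS: List[str] = [
    "\\$Recycle.bin\\",
    "\\PerfLogs\\",
    "\\Users\\Public\\",
    "\\Windows\\Tasks\\",
]

# Per-user locations the video found the default rule does not cover. Both the
# wildcard form and the plain form are valid Sigma values; under 'contains' the
# plain form already matches any user, so the wildcard is not actually needed.
PER_USER_FRAGMENTS: List[str] = [
    "\\Users\\*\\AppData\\Local\\Temp\\",
    "\\AppData\\Roaming\\",
]

# Constructed process-creation events mirroring the locations tried in the
# video. 'JohnH' is an assumed user name, not one taken from the page.
EVENTS: List[Dict[str, str]] = [
    {"Image": "C:\\Windows\\explorer.exe"},
    {"Image": "C:\\Users\\JohnH\\Desktop\\kiwi simulator.exe"},
    {"Image": "C:\\Users\\Public\\kiwi simulator.exe"},
    {"Image": "C:\\Windows\\Tasks\\kiwi simulator.exe"},
    {"Image": "C:\\Users\\JohnH\\AppData\\Local\\Temp\\kiwi simulator.exe"},
    {"Image": "C:\\Users\\JohnH\\AppData\\Roaming\\kiwi simulator.exe"},
]


def flagged_images(events: List[Dict[str, str]], fragments: List[str]) -> List[str]:
    """Return the Image paths that match at least one 'Image|contains' value.

    Equivalent to a Sigma detection of the form
        selection:
            Image|contains: [<fragments>]
        condition: selection
    """
    compiled = [sigma_value_to_regex(f, "contains") for f in fragments]
    return [e["Image"] for e in events if any(p.search(e["Image"]) for p in compiled)]


def main() -> None:
    for label, frags in (("default rule", DEFAULT_FRAGMENTS),
                         ("default + per-user", DEFAULT_FRAGMENTS + PER_USER_FRAGMENTS)):
        hits = set(flagged_images(EVENTS, frags))
        print(f"== {label} ==")
        for e in EVENTS:
            print(f"  {'ALERT' if e['Image'] in hits else '  ok '}  {e['Image']}")


if __name__ == "__main__":
    main()
```

Under Sigma semantics the wildcard value `\Users\*\AppData\Local\Temp\` and the shorter `\AppData\Local\Temp\` flag the same event, because `contains` already ignores whatever precedes the fragment; the user name never needs a wildcard. The desktop and C:\Windows\explorer.exe events are never flagged by either list, which is the gap the video is pointing at: a path-only rule is silent on anything run from a location it was not told about, so rules like this belong alongside hash, filename and behavioural detections rather than in place of them.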