Introduction

In this lab, we investigate a sophisticated fileless malware attack that compromised a corporate network. Unlike traditional malware, fileless malware operates entirely in memory, leveraging legitimate system processes and trusted Windows binaries to execute malicious code while evading detection by conventional security tools. The stealthy nature of this attack presents a unique challenge, as it leaves minimal forensic evidence on the disk, making it difficult to trace and analyze using standard investigative techniques.

The primary artifact provided for this investigation is the NTUSER.DAT registry hive extracted from the affected machine. This hive contains user-specific registry data, which often holds critical information about persistence mechanisms and system modifications made by the malware. By analyzing this file, we aim to uncover how the malware achieved persistence, executed its payload, and concealed its operations within the system.

Throughout this walkthrough, we will employ a variety of forensic tools, including Registry Explorer for examining registry keys, CyberChef for decoding and deobfuscation, dnSpy for reverse-engineering .NET binaries, and scripting techniques to decrypt hidden payloads. By methodically dissecting each stage of the malware's execution, we will trace its path from initial compromise to payload deployment, ultimately identifying the malware family responsible for the attack. This lab will not only demonstrate how to uncover fileless malware but also provide valuable insights into the tactics, techniques, and procedures (TTPs) used by attackers to bypass traditional defenses.
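Before opening the hive in Registry Explorer, it helps to know what an investigator is actually looking for in the HKCU autorun keys and how an encoded PowerShell launcher is unwrapped. The script below is an added illustration, not part of the lab or its tooling: it triages a handful of constructed Run/RunOnce values, decodes the base64/UTF-16LE form that `-EncodedCommand` uses (the same two steps one would chain in CyberChef), and flags the hallmarks of a fileless launcher: a trusted Windows binary as the program, a hidden window, and a stub that pulls its real payload out of another registry value and executes it in memory. The LOLBin list, the indicator names and the sample values are assumptions made for the example.

```python
from __future__ import annotations

import base64
import ntpath
import re
from dataclasses import dataclass, field
from typing import Iterable, Optional

# Trusted Windows binaries that fileless malware commonly names as the launcher
# in an autorun value. Assumption: a representative list, not an exhaustive one.
LOLBINS = {
    "powershell.exe", "pwsh.exe", "mshta.exe", "rundll32.exe",
    "regsvr32.exe", "wscript.exe", "cscript.exe", "cmd.exe",
}

# HKCU autorun keys that live inside NTUSER.DAT and are checked first.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUNONCE_KEY = r"Software\Microsoft\Windows\CurrentVersion\RunOnce"

# powershell.exe accepts abbreviations of -EncodedCommand; match the common ones.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
IN_MEMORY_EXEC = re.compile(r"\b(?:iex|invoke-expression|downloadstring)\b", re.I)
REGISTRY_READ = re.compile(r"get-itemproperty.*hkcu:|\bhkcu:\\", re.I)


@dataclass
class Finding:
    key: str
    value_name: str
    binary: str
    indicators: list[str] = field(default_factory=list)
    decoded: Optional[str] = None


def launcher_binary(command: str) -> str:
    """Lower-cased file name of the program an autorun value starts."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        path = command[1:end] if end > 0 else command[1:]
    else:
        path = command.split(None, 1)[0] if command else ""
    base = ntpath.basename(path).lower()
    return base + ".exe" if base and not ntpath.splitext(base)[1] else base


def decode_encoded_command(blob: str) -> Optional[str]:
    """-EncodedCommand is base64 over UTF-16LE text (CyberChef: From Base64,
    then decode text as UTF-16LE). Returns None if the blob is not that."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_value(key: str, name: str, data: str) -> Optional[Finding]:
    """Score one autorun value; None means nothing suspicious was seen."""
    f = Finding(key, name, launcher_binary(data))
    if f.binary in LOLBINS:
        f.indicators.append(f"lolbin:{f.binary}")
    if HIDDEN_WINDOW.search(data):
        f.indicators.append("hidden-window")
    m = ENC_FLAG.search(data)
    if m:
        f.indicators.append("encoded-command")
        f.decoded = decode_encoded_command(m.group(1))
    # Inspect the decoded script as well as the raw command line.
    text = data + (" " + f.decoded if f.decoded else "")
    if IN_MEMORY_EXEC.search(text):
        f.indicators.append("in-memory-execution")
    if REGISTRY_READ.search(text):
        f.indicators.append("registry-stored-payload")
    return f if f.indicators else None


def triage_autoruns(values: Iterable[tuple[str, str, str]]) -> list[Finding]:
    """Run triage_value over (key, value name, data) triples, keeping hits."""
    return [f for f in (triage_value(*v) for v in values) if f]


# Constructed sample values, modelled on what Registry Explorer shows under
# HKCU\...\Run; they are not data from the lab's hive. The stub reads its
# payload from another registry value and executes it in memory.
STUB_COMMAND = "$p=(Get-ItemProperty 'HKCU:\\Software\\Contoso\\Cfg').Blob; IEX $p"
ENCODED = base64.b64encode(STUB_COMMAND.encode("utf-16-le")).decode("ascii")
SAMPLE_VALUES = [
    (RUN_KEY, "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (RUN_KEY, "Updater", "powershell.exe -nop -w hidden -enc " + ENCODED),
    (RUNONCE_KEY, "cleanup", r"mshta.exe C:\Users\alice\AppData\Roaming\update.hta"),
]

if __name__ == "__main__":
    for hit in triage_autoruns(SAMPLE_VALUES):
        print(f"{hit.key}\\{hit.value_name}: {hit.binary} -> {', '.join(hit.indicators)}")
        if hit.decoded:
            print("   decoded:", hit.decoded)
```

The benign OneDrive entry produces no finding, while the encoded PowerShell launcher is flagged on every heuristic and its decoded stub points at the registry value holding the next stage, which is exactly the key an analyst would open next in the hive.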
