{
	"id": "85241a08-6c2f-4f80-9cf3-d46a4349185e",
	"created_at": "2026-04-06T00:14:44.236072Z",
	"updated_at": "2026-04-10T03:20:35.81222Z",
	"deleted_at": null,
	"sha1_hash": "4103a87e38b4cbbf5486a813110c254409db816f",
	"title": "Dismantling a fileless campaign: Microsoft Defender ATP's Antivirus exposes Astaroth attack | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 633004,
	"plain_text": "Dismantling a fileless campaign: Microsoft Defender ATP's\r\nAntivirus exposes Astaroth attack | Microsoft Security Blog\r\nBy Microsoft Defender Security Research Team\r\nPublished: 2019-07-08 · Archived: 2026-04-05 15:13:50 UTC\r\nThe prevailing perception about fileless threats, among the security industry’s biggest areas of concern today, is\r\nthat security solutions are helpless against these supposedly invincible threats. Because fileless attacks run the\r\npayload directly in memory or leverage legitimate system tools to run malicious code without having to drop\r\nexecutable files on the disk, they present challenges to traditional file-based solutions.\r\nBut let’s set the record straight: being fileless doesn’t mean being invisible; it certainly doesn’t mean being\r\nundetectable. There’s no such thing as the perfect cybercrime: even fileless malware leaves a long trail of evidence\r\nthat advanced detection technologies in Microsoft Defender Advanced Threat Protection (Microsoft Defender\r\nATP) can detect and stop.\r\nTo help disambiguate the term fileless, we developed a comprehensive definition for fileless malware as a reference\r\nfor understanding the wide range of fileless threats. We have also discussed at length the advanced capabilities in\r\nMicrosoft Defender ATP that counter fileless techniques.\r\nI recently unearthed a widespread fileless campaign called Astaroth that completely “lived off the land”: it only\r\nran system tools throughout a complex attack chain. 
The attack involved multiple steps that use various fileless\r\ntechniques and proved a great real-world benchmark for Microsoft Defender ATP’s capabilities against fileless\r\nthreats.\r\nIn this blog, I will share my analysis of a fileless attack chain that demonstrates:\r\nAttackers would go to great lengths to avoid detection\r\nAdvanced technologies in Microsoft Defender ATP’s Antivirus expose and defeat fileless attacks\r\nExposing a fileless info-stealing campaign with Microsoft Defender ATP’s\r\nAntivirus\r\nI was doing a routine review of Windows Defender Antivirus telemetry when I noticed an anomaly from a detection\r\nalgorithm designed to catch a specific fileless technique. Telemetry showed a sharp increase in the use of the\r\nWindows Management Instrumentation Command-line (WMIC) tool to run a script (a technique that MITRE\r\nrefers to as XSL Script Processing), indicating a fileless attack.\r\nhttps://www.microsoft.com/security/blog/2019/07/08/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack/\r\nPage 1 of 11\n\nFigure 1. Windows Defender Antivirus telemetry shows a sudden increase in suspicious activity\r\nAfter some hunting, I discovered the campaign that aimed to run the Astaroth backdoor directly in memory.\r\nAstaroth is a notorious info-stealing malware known for stealing sensitive information like credentials, keystrokes,\r\nand other data, which it exfiltrates and sends to a remote attacker. The attacker can then use stolen data to try\r\nmoving laterally across networks, carry out financial theft, or sell victim information in the cybercriminal\r\nunderground.\r\nWhile the behavior may slightly vary in some instances, the attack generally followed these steps: A malicious\r\nlink in a spear-phishing email leads to an LNK file. When double-clicked, the LNK file causes the execution of\r\nthe WMIC tool with the “/Format” parameter, which allows the download and execution of JavaScript code. 
The\r\nJavaScript code in turn downloads payloads by abusing the Bitsadmin tool.\r\nAll the payloads are Base64-encoded and decoded using the Certutil tool. Two of them result in plain DLL files\r\n(the others remain encrypted). The Regsvr32 tool is then used to load one of the decoded DLLs, which in turn\r\ndecrypts and loads other files until the final payload, Astaroth, is injected into the Userinit process.\r\nFigure 2. Astaroth “living-off-the-land” attack chain showing multiple legitimate tools abused\r\nIt’s interesting to note that at no point during the attack chain is any file run that’s not a system tool. This\r\ntechnique is called living off the land: using legitimate tools that are already present on the target system to\r\nmasquerade as regular activity.\r\nThe attack chain above shows only the Initial Access and Execution stages. In these stages, the attackers used\r\nfileless techniques to attempt to silently install the malware on target devices. Astaroth is a notorious information\r\nstealer with many other post-breach capabilities that are not discussed in this blog. Preventing the attack in these\r\nstages is critical.\r\nDespite its use of “invisible” techniques, the attack chain runs under the scrutiny of Microsoft Defender ATP.\r\nMultiple advanced technologies at the core of Windows Defender Antivirus expose these techniques to spot and\r\nstop a wide range of attacks.\r\nThese protection technologies stop threats at first sight, use the power of the cloud, and leverage Microsoft’s\r\nindustry-leading optics to deliver effective protection. 
This defense-in-depth is observed in the way these\r\ntechnologies uncovered and blocked the attack at multiple points in Astaroth’s complex attack chain.\r\nFigure 3. Microsoft Defender ATP’s Antivirus solutions for fileless techniques used by Astaroth\r\nFor traditional, file-centric antivirus solutions, the only window of opportunity to detect this attack may be when\r\nthe two DLLs are decoded after being downloaded—after all, every executable used in the attack is non-malicious. If this were the case, this attack would pose a serious problem: since the DLLs use code obfuscation\r\nand are likely to change very rapidly between campaigns, focusing on these DLLs would be a vicious trap.\r\nHowever, as mentioned, Microsoft Defender ATP’s Antivirus catches fileless techniques. Let’s break down the\r\nattack steps, enumerate the techniques used with MITRE technique IDs as a reference, and map the relevant\r\nMicrosoft Defender ATP protection.\r\nStep 1: Arrival\r\nThe victim receives an email with a malicious URL:\r\nThe URL uses misleading names like certidao.htm (Portuguese for “certificate”), abrir_documento.htm (“open\r\ndocument”), pedido.htm (“order”), etc.\r\nWhen clicked, the malicious link redirects the victim to the ZIP archive certidao.htm.zip, which contains a\r\nsimilarly misleadingly named LNK file certidao.htm.lnk. 
When clicked, the LNK file runs an obfuscated BAT\r\ncommand-line.\r\nMITRE techniques observed:\r\nT1192 – Spearphishing Link\r\nT1023 – Shortcut Modification\r\nMicrosoft Defender ATP’s Antivirus protection:\r\nCommand-line scanning: Trojan:Win32/BadEcho.A\r\nHeuristics engine: Trojan:Win32/Linkommer.A\r\nWindows Defender SmartScreen\r\nStep 2: WMIC abuse, part 1\r\nThe BAT command runs the system tool WMIC.exe:\r\nThe use of the parameter /format causes WMIC to download the file v.txt, which is an XSL file hosted on a\r\nlegitimate-looking domain. The XSL file hosts an obfuscated JavaScript that is automatically run by WMIC. This\r\nJavaScript code simply runs WMIC again.\r\nMITRE techniques observed:\r\nT1047 – Windows Management Instrumentation\r\nT1220 – XSL Script Processing\r\nT1064 – Scripting\r\nT1027 – Obfuscated Files Or Information\r\nMicrosoft Defender ATP’s Antivirus protection:\r\nBehavior monitoring engine: Behavior:Win32/WmiFormatXslScripting\r\nAMSI integration engine: Trojan:JS/CovertXslDownload.\r\nStep 3: WMIC abuse, part 2\r\nWMIC is run in a fashion similar to the previous step:\r\nWMIC downloads vv.txt, another XSL file containing obfuscated JavaScript code, which uses the Bitsadmin,\r\nCertutil, and Regsvr32 tools for the next steps.\r\nMITRE techniques observed:\r\nT1047 – Windows Management Instrumentation\r\nT1220 – XSL Script Processing\r\nT1064 – Scripting\r\nT1027 – Obfuscated Files Or Information\r\nMicrosoft Defender ATP’s Antivirus protection:\r\nBehavior monitoring engine: Behavior:Win32/WmiFormatXslScripting\r\nBehavior monitoring engine: Behavior:Win32/WmicLoadDll.A\r\nAMSI integration 
engine: Trojan:JS/CovertBitsDownload.C\r\nStep 4: Bitsadmin abuse\r\nMultiple instances of Bitsadmin are run to download additional payloads:\r\nThe payloads are Base64-encoded and have file names like: falxconxrenwb.~, falxconxrenw64.~,\r\nfalxconxrenwxa.~, falxconxrenwxb.~, falxconxrenw98.~, falxconxrenwgx.gif, falxfonxrenwg.gif.\r\nMITRE techniques observed:\r\nT1197 – BITS Jobs\r\nT1105 – Remote File Copy\r\nMicrosoft Defender ATP’s Antivirus protection:\r\nBehavior monitoring engine: Behavior:Win32/WmicBits.A\r\nStep 5: Certutil abuse\r\nThe Certutil system tool is used to decode the downloaded payloads:\r\nOnly a couple of files are decoded to a DLL; most are still encrypted/obfuscated.\r\nMITRE technique observed:\r\nT1140 – Deobfuscate/Decode Files Or Information\r\nMicrosoft Defender ATP’s Antivirus protection:\r\nBehavior monitoring engine: Behavior:Win32/WmiCertutil.A\r\nStep 6: Regsvr32 abuse\r\nOne of the decoded payload files (a DLL) is run within the context of the Regsvr32 system tool:\r\nThe file falxconxrenw64.~ is a proxy: it loads and runs a second DLL, falxconxrenw98.~, and passes it to a third\r\nDLL that is obtained by reading files falxconxrenwxa.~ and falxconxrenwxb.~. The DLL falxconxrenw98.~ then\r\nreflectively loads the third DLL.\r\nMITRE techniques observed:\r\nT1117 – Regsvr32\r\nT1129 – Execution Through Module Load\r\nT1140 – Deobfuscate/Decode Files Or Information\r\nMicrosoft Defender ATP’s Antivirus protection:\r\nBehavior monitoring engine: Behavior:Win32/UserinitInject.B\r\nAttack surface reduction: An attack surface reduction rule detects the loading of a DLL that does not\r\nmeet the age and prevalence criteria (i.e., a new unknown DLL)\r\nStep 7: Userinit abuse\r\nThe newly loaded DLL reads and decrypts the file falxconxrenwgx.gif into a DLL. 
It runs the system tool\r\nuserinit.exe into which it injects the decrypted DLL. The file falxconxrenwgx.gif is again a proxy that reads,\r\ndecrypts, and reflectively loads the DLL falxconxrenwg.gif. This last DLL is the malicious info stealer known as\r\nAstaroth.\r\nMITRE techniques observed:\r\nT1117 – Regsvr32\r\nT1129 – Execution Through Module Load\r\nT1140 – Deobfuscate/Decode Files Or Information\r\nMicrosoft Defender ATP’s Antivirus protection:\r\nBehavior monitoring engine: Behavior:Win32/Astaroth.A\r\nAttack surface reduction: An attack surface reduction rule detects the loading of a DLL that does not\r\nmeet the age and prevalence criteria (i.e., a new unknown DLL)\r\nComprehensive protection against fileless attacks with Microsoft Threat Protection\r\nThe strength of Microsoft Defender ATP’s Antivirus engines in exposing fileless techniques adds to the capabilities\r\nof the unified endpoint protection platform. Activities related to fileless techniques are reported in Microsoft\r\nDefender Security Center as alerts, so security operations teams can further investigate and respond to attacks\r\nusing endpoint detection and response, advanced hunting, and other capabilities in Microsoft Defender ATP.\r\nFigure 4. Details of Windows Defender Antivirus detections of fileless techniques and malware reported in\r\nMicrosoft Defender Security Center; details also indicate whether the threat is remediated, as was the case with the\r\nAstaroth attack\r\nThe rest of Microsoft Defender ATP’s capabilities beyond Antivirus enable security operations teams to detect and\r\nremediate fileless threats and other attacks. 
Notably, Microsoft Defender ATP endpoint detection and response\r\n(EDR) has strong and durable detections for fileless and living-off-the-land techniques across the entire attack\r\nchain.\r\nFigure 5. Alerts in Microsoft Defender Security Center showing detection of fileless techniques by antivirus and\r\nEDR capabilities\r\nWe also published a threat analytics report on living-off-the-land binaries to help security operations assess\r\norganizational security posture and resilience against these threats. New Microsoft Defender ATP services like\r\nthreat and vulnerability management and Microsoft Threat Experts (managed threat hunting) further assist\r\norganizations in defending against fileless threats.\r\nThrough signal-sharing and orchestration of threat remediation across Microsoft’s security technologies, these\r\nprotections are further amplified in Microsoft Threat Protection, Microsoft’s comprehensive security solution for\r\nthe modern workplace. For this Astaroth campaign, Office 365 Advanced Threat Protection (Office 365 ATP)\r\ndetects the emails with malicious links that start the infection chain.\r\nMicrosoft Threat Protection secures identities, endpoints, email and data, apps, and infrastructure.\r\nConclusion: Fileless threats are not invisible\r\nTo come back to one of my original points in this blog post, being fileless doesn’t mean being invisible; it\r\ncertainly doesn’t mean being undetectable.\r\nAn analogy: Pretend you are transported to the world of H.G. Wells’ The Invisible Man and can render yourself\r\ninvisible. You think, great, you can walk straight into a bank and steal money. 
However, you soon realize that\r\nthings are not as simple as they sound. When you walk out in the open and it’s cold, your breath’s condensation\r\ngives away your position; depending on the type of the ground, you can leave visible footmarks; if it’s raining,\r\nwater splashing on you creates a visible outline. If you manage to get inside the bank, you still make noise that\r\nsecurity guards can hear. Motion detection sensors can detect your presence, and infrared cameras can still see your\r\nbody heat. Even if you can open a safe or a vault, these storage devices may trigger an alert, or someone may\r\nsimply notice the safe opening. Not to mention that if you somehow manage to grab the money and put it in a\r\nbag, people are likely to notice a bag that’s walking itself out of the bank.\r\nBeing invisible may help you for some things, but you should not be under the illusion that you are invincible. The\r\nsame applies to fileless malware: abusing fileless techniques does not put malware beyond the reach or visibility\r\nof security software. On the contrary, some of the fileless techniques may be so unusual and anomalous that they\r\ndraw immediate attention to the malware, in the same way that a bag of money moving by itself would.\r\nUsing invisible techniques and being actually invisible are two different things. Using advanced technologies,\r\nMicrosoft Defender ATP exposes fileless threats like Astaroth before these attacks can cause more damage.\r\nAndrea Lelli\r\nMicrosoft Defender ATP Research\r\nTalk to us\r\nQuestions, concerns, or insights on this story? 
Join discussions at the Microsoft Defender ATP community.\r\nFollow us on Twitter @MsftSecIntel.\r\nSource: https://www.microsoft.com/security/blog/2019/07/08/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2019/07/08/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack/"
	],
	"report_names": [
		"dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack"
	],
	"threat_actors": [],
	"ts_created_at": 1775434484,
	"ts_updated_at": 1775791235,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4103a87e38b4cbbf5486a813110c254409db816f.pdf",
		"text": "https://archive.orkl.eu/4103a87e38b4cbbf5486a813110c254409db816f.txt",
		"img": "https://archive.orkl.eu/4103a87e38b4cbbf5486a813110c254409db816f.jpg"
	}
}