TIPS & TRICKS | MALWARE

AppData for Security Operations

A brief guide on a common home for malware

Aaron Hoffmann
ReversingLabs Integrations


When malware infects a Windows machine, its first stop is usually the AppData folder. This post will provide a brief history and explanation of this folder, how it’s used by malware, and a few tips for Security Operations teams to detect and handle malware that utilizes the AppData folder.

What is AppData?

In Windows, the AppData folder is a system folder that holds important data for applications. This data includes user settings, configurations, and user-specific information that apps need to run properly. The AppData folder is normally hidden and can be found in the user’s profile folder (C:\Users\<Username>\AppData).

Folder structure

There are three main subfolders within AppData:

  • LocalLow: The LocalLow directory has a low integrity level, meaning it is meant to store less-trusted data. Apps running at low integrity can only write to this directory.
  • Local: This directory is meant for files that can’t leave the user profile or are too large to sync across the domain. Files that point to a specific location on a specific machine are stored here.
  • Roaming: The Roaming folder is synced across the domain on domain-joined devices. You’ll find things like bookmarks and app settings here.

A screenshot of the advanced security settings for the AppData\LocalLow folder
Note the “Low Mandatory Level” value for the Integrity Level

History of AppData

Windows 95/98/Me/2000/XP

During the early versions of Windows, application data was stored in the “Application Data” folder within each user profile (Reference). However, there was inconsistency among applications during this time, as they would often save user-specific data in different locations.

Windows Vista onward

The current structure of AppData was introduced when Microsoft released Windows Vista. They implemented a more consistent system for managing user-specific data by creating the AppData folder. This allowed user-specific data to be stored in a predictable place, which is especially useful in enterprise environments where users may log into multiple computers within a network domain. Along with this, Microsoft also introduced the %APPDATA% environment variable (Reference).

How malware uses AppData

Storing malicious payloads

Due to its relaxed permissions, malware will often use the AppData folder to store its payloads. Files can be written here as the current user, and when executed, the programs will not trigger a User Account Control (UAC) prompt. The example below shows two folders and two malicious executable files written to the AppData\Roaming folder by AveMaria malware:

A screenshot showing an example of malicious files stored in AppData
Looks innocent, right?

Fileless malware may also store temporary or log files in the AppData folder.

Evading detection

Malware can easily blend in among AppData’s numerous legitimate files and folders. This folder is also hidden from users by default, so the chance of accidental discovery is low. Malware authors will also name their files similarly to legitimate ones, making detection more difficult.

User profiling and data harvesting

Since the AppData folder often contains sensitive user information, malware will scrape data from this folder. For example, web browsers like Google Chrome store user profiles in AppData (C:\Users\<username>\AppData\Local\Google\Chrome\User Data). The screenshot below shows the static analysis results of ReversingLabs’ A1000 platform against a malware sample that attempts to steal credentials from Google Chrome:

A screenshot showing analysis results from ReversingLabs’ A1000
An example of file analysis results showing a sample accessing Google Chrome user data

Detection tips for SecOps teams

Understanding what’s normal behavior for your environment is key to identifying a malware infection. This can be a daunting task, so here are a few detection use cases from actual malware samples that can help identify things to look for.

Suspicious scheduled task

Check for malware persistence mechanisms whenever a new scheduled task is created.

KQL:
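The following is an added example, not the post’s original query. It assumes a Sentinel workspace that ingests both the Microsoft 365 Defender connector (DeviceProcessEvents) and the Windows Security Events connector (SecurityEvent); the one-day lookback is an arbitrary choice. It unions two sources so that tasks registered through the Task Scheduler API, not only through schtasks.exe, are caught:

```kql
// Added example (not the post's query). Assumed tables: DeviceProcessEvents
// (Microsoft 365 Defender connector) and SecurityEvent (Windows Security Events).
let lookback = 1d;
// Source A: a task created with the schtasks.exe command-line tool whose
// /tr (task run) argument points somewhere under a user's AppData folder.
let viaSchtasks = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName =~ "schtasks.exe"
    | where ProcessCommandLine contains "/create" and ProcessCommandLine has "AppData"
    // Pull out the program the task will run (text after the /tr switch)
    | extend TaskAction = extract(@'(?i)/tr\s+"?([^"]+)', 1, ProcessCommandLine)
    | project Timestamp, DeviceName, Account = AccountName, TaskAction,
              Evidence = ProcessCommandLine, Creator = InitiatingProcessFileName;
// Source B: Security event 4698 ("A scheduled task was created"). Its TaskContent
// field carries the task XML, so this also sees tasks registered via the API.
let viaEventLog = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4698
    | where TaskContent has "AppData"
    | extend TaskAction = extract(@'(?i)<Command>(.*?)</Command>', 1, TaskContent)
    | project Timestamp = TimeGenerated, DeviceName = Computer, Account, TaskAction,
              Evidence = TaskContent, Creator = "";
union viaSchtasks, viaEventLog
| order by Timestamp desc
```

Triage on TaskAction first: a task whose action is an executable or script under AppData\Roaming or AppData\Local\Temp, created by a process that itself runs from AppData, is the pattern the post describes. Expect some noise from legitimate per-user installers (browser and chat-client updaters commonly register tasks under AppData\Local), so allow-list those by publisher or hash rather than by path.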

Suspicious .NET CLR logs written to AppData

Malware written in .NET may sometimes write a log file to the Common Language Runtime (CLR) Usage Logs folder found in AppData (C:\Users\<user>\AppData\Local\Microsoft\CLR_<version>_(arch)\UsageLogs).

KQL:
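An added example, not the post’s own query, assuming the DeviceFileEvents table from the Microsoft 365 Defender connector. The CLR names each usage log after the process that loaded the runtime (for example, a log named after the executable), so the query recovers that process name and keeps only writers that run from user-writable locations:

```kql
// Added example (not the post's query). Assumed table: DeviceFileEvents
// (Microsoft 365 Defender connector). Seven-day lookback is arbitrary.
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType in ("FileCreated", "FileModified")
// Cheap term prefilter before the regex
| where FolderPath has_all ("AppData", "UsageLogs")
// CLR_<version>_(arch) folder, e.g. CLR_v4.0_32, under AppData\Local\Microsoft
| where FolderPath matches regex @'(?i)\\AppData\\Local\\Microsoft\\CLR_v[\d.]+(_\d+)?\\UsageLogs'
// The usage log is named after the process that loaded the CLR ("<name>.exe.log")
| extend LoggedProcess = replace_regex(FileName, @'\.log$', "")
// Programs installed under Program Files or Windows produce these logs too;
// keep only writers that run from user-writable locations
| where InitiatingProcessFolderPath has "AppData"
     or InitiatingProcessFolderPath has "Temp"
     or InitiatingProcessFolderPath has "Downloads"
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Writes = count()
    by DeviceName, InitiatingProcessAccountName, LoggedProcess,
       InitiatingProcessFolderPath, InitiatingProcessCommandLine, InitiatingProcessSHA256
| order by FirstSeen desc
```

Summarizing by InitiatingProcessSHA256 makes the hash available for enrichment in a playbook, and FirstSeen tells you whether the .NET program is new to the device or has been running for weeks.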

Security tool bypass for programs in AppData

After malware downloads modules into AppData, it may attempt to add exceptions to security tools such as the Windows Firewall or Microsoft Defender.

KQL:
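An added example, not the post’s query, assuming DeviceProcessEvents and DeviceRegistryEvents from the Microsoft 365 Defender connector. It covers the two ways the post mentions: firewall rules added with netsh and Defender exclusions added with PowerShell, plus exclusion paths written straight to the Defender registry key, all filtered to entries that reference AppData:

```kql
// Added example (not the post's query). Assumed tables: DeviceProcessEvents and
// DeviceRegistryEvents (Microsoft 365 Defender connector). Lookback is arbitrary.
let lookback = 1d;
// Command-line evidence: netsh firewall rule changes or Defender PowerShell cmdlets
let viaCommandLine = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where ProcessCommandLine has "AppData"
    | extend Technique = case(
        FileName =~ "netsh.exe" and ProcessCommandLine has "advfirewall"
            and ProcessCommandLine has_any ("add", "set"), "Windows Firewall rule",
        ProcessCommandLine contains "Add-MpPreference"
            and ProcessCommandLine has_any ("ExclusionPath", "ExclusionProcess", "ExclusionExtension"),
            "Defender exclusion (PowerShell)",
        ProcessCommandLine contains "Set-MpPreference", "Defender setting change (PowerShell)",
        "")
    | where isnotempty(Technique)
    | project Timestamp, DeviceName, Account = AccountName, Technique,
              Evidence = ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessFolderPath;
// Registry evidence: an exclusion written directly under the Defender Exclusions key,
// where each excluded path is stored as a value name
let viaRegistry = DeviceRegistryEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "RegistryValueSet"
    | where RegistryKey has "Defender" and RegistryKey has "Exclusions"
    | where RegistryValueName has "AppData"
    | project Timestamp, DeviceName, Account = InitiatingProcessAccountName,
              Technique = "Defender exclusion (registry)",
              Evidence = strcat(RegistryKey, @"\", RegistryValueName),
              InitiatingProcessFileName, InitiatingProcessFolderPath;
union viaCommandLine, viaRegistry
| order by Timestamp desc
```

The InitiatingProcessFolderPath column is the quickest triage signal: an exclusion or firewall rule for AppData requested by a process that itself lives in AppData is far more suspicious than the same change made by an endpoint-management agent, which you can allow-list explicitly.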

Check out my previous blog post on SOAR playbook ideas that can help identify malware:

Conclusion

This post went over what the AppData folder in Microsoft Windows is, the history of the folder, how malware typically abuses this folder, and some behavioral detection methods to identify malware.

Want a better way to check if files in AppData are malicious? Check out our File Enrichment offering for Microsoft Sentinel.


Information security professional specialized in developing content for SIEM/SOAR platforms. SOAR Architect @ ReversingLabs