FileLess Malware Infections
Malware tricks for Pentesters
Ramon Pinuaga
Bsides Lisbon 2017
Index
1) Presentation
2) Real world examples
3) Process
  • Infection
  • Persistence
4) Conclusions
PRESENTATION
Who are you?
• Pentester for many, many years.
• Current position: Cybersecurity Audit Manager at PROSEGUR Spain.
• I prefer the offensive side of security.
What is FileLess Malware?
• Malicious code that doesn't need to create or drop regular files on the system.
• A move away from the traditional monolithic malware or pentesting framework.
• For persistence we usually need to leave at least something on the system, but it can be hidden and made very small.
FileLess or MalwareLess?
• There are two main ways to achieve an infection without files:
  • Not using malware (or code) at all, e.g. planting a configuration-only backdoor on a system. That way we don't control the system all the time, but we can get back into it later.
  • Using code that never touches disk. This is FileLess in its purest form. For persistence we always need a way to keep at least the first stage of the code on the system.
Why FileLess in pentesting?
• Evading antivirus detection: no file, no scan, no VirusTotal upload.
• Leaving a smaller forensic trail: fewer artifacts.
• Difficult environments (where uploading things is hard).
• Helps in bypassing application whitelisting (SRP, AppLocker, etc.).
Pentest vs APT
• Long-term persistence.
• Kernel-level access.
• High-level hiding.
• Quickness and simplicity: only userland, no rootkits, no NSA-like implants.
DEMO: RDP + Sethc
• Enable remote desktop
• Hijack sethc.exe
• Change RDP port
• Open the Windows firewall
How to keep code without files?
• Keeping everything in memory (problem: no persistence).
• Storing the code in non-file or non-regular storage (the classics):
  • Outside the filesystem: UEFI, HDD firmware, hidden disk areas, $EA, etc. (We are not going that far, remember: userland only.)
  • Network / external systems.
  • Alternate Data Streams (ADS).
  • Registry.
Novel non-regular storage
• WMI (subscriptions).
• Windows event logs (.evt).
• Inside documents (.doc, .xls, .pdf).
• File/directory names (0-day).
• Environment variables (more 0-day).
DEMO: Code in filenames
• Stage 1: Run key
• Stage 2: Environment
• Stage 3: Dir names
How to execute code without files?
• Remote injection in memory -> remote call or exploit.
• Loading of remote binaries (EXEs, DLLs) -> via SMB, WebDAV, etc.
• Scripting languages -> loaded remotely or from the command line:
  • PowerShell (powershell.exe).
  • JavaScript/VBScript (cscript.exe, wscript.exe, mshta.exe, rundll32.exe, regsvr32.exe).
  • .NET assemblies (InstallUtil.exe, IEExec.exe, RegAsm.exe).
Our FileLess pentest framework
• Tools already installed on the system (no new files).
• Tools that accept external input (via the command line or via the network).
• Bonus: tools signed by Microsoft.
REAL WORLD EXAMPLES
Real world examples
• Worms (memory only):
  • Slammer.
• Poweliks.
• WMIGhost.
• Empire.
• Duqu 2.0 (Kaspersky).
Slammer (2003)
• Worm that infected thousands of computers and impacted general Internet traffic in some areas.
• The worm exploited a buffer overflow vulnerability in the Microsoft SQL Server Resolution Service (1434/UDP).
• Only 376 bytes, so it fitted into a single UDP packet.
Poweliks (2014)
• Infection via Word macro (not FileLess).
• Persistence via an autostart registry key (HKLM\Software\Microsoft\Windows\CurrentVersion\Run).
• Minimal first stage: uses a clever rundll32 trick to run JavaScript code.
• Next stages are also stored in the registry (encoded) and run PowerShell code.
• The PowerShell stage injects a DLL into another process's memory without touching disk.
Poweliks – Rundll32 trick
WMIghost (2014)
• Infection via Word macro.
• Dropper and UAC bypass binaries touch disk (not fully FileLess).
• It then registers the permanent and necessary WMI classes: event definition, event filter and event consumer.
• It uses JavaScript for the payload code in the event consumer's ActiveScript.
Empire (2015)
• PowerShell-based RAT.
• It tries to be as FileLess as possible.
• Works mostly from memory only.
• Various options for persistent storage: registry, ADS, event log and, of course, WMI subscriptions.
Duqu 2.0 (2015)
• Unknown infection vector.
• Only a few selected hosts were used for on-disk persistence.
• These hosts injected the malware remotely into other systems' memory.
• For this task the malware gained domain administrator privileges and then deployed MSI packages (via a new service or a scheduled task).
Common FileLess behavior
• First stage: minimal. Usually a small VBS or JS script (not PowerShell directly).
• Second stage: the main script, based on PowerShell. More complex and powerful logic that injects a binary into another process.
• Third stage: binary. Usually a PE DLL payload, more similar to traditional malware, but it never touches disk.
PROCESS
Operation Process
• An ideal FileLess pentest operation should cover the following phases:
  1. FileLess infection.
  2. Installation of FileLess backdoors.
  3. Gaining FileLess persistence.
FileLess Infection
• Infection without sending any files.
• Not common. Even known FileLess APT operations use some kind of file in this stage.
• Preferably, we need to deliver the exploit before it reaches the application layer:
  • Inside a stream.
  • At the lower network layers (e.g. SMB or SSL exploits).
  • Open network services (e.g. EternalBlue).
FileLess Backdoors
• Configuration-only backdoors (no code).
• Some popular ones:
  • Create user + remote exec (PsExec/sc, WMI, SchTasks, WinRM, PSRemoting).
  • Binary image hijack + Remote Desktop.
  • Silver/Golden tickets.
  • Proxy + decreased security settings.
FileLess persistence
• First stage: registry autostart entries.
  • Run entries.
  • Scheduled tasks.
  • Image hijacks.
  • WMI.
  • Services (not very elegant).
• Usually too noisy for a human analyst, but harder to detect with automated tools because no files are used.
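As an added defender's example (my own code, not from the talk), the following Python classifier takes autostart records of the kinds listed on this slide and on the "How to execute code without files?" slide (Run values, image hijacks, WMI consumers, scheduled tasks) and flags the ones that hand code to a signed script host without a regular script file, hijack an accessibility binary through an IFEO Debugger, or park the real code in an environment variable that the tiny Run value only references. Every entry name, command line and environment value is a constructed sample, and the regexes and the 200-character threshold are assumptions of mine rather than anything from the slides.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class AutostartEntry:
    """One autostart record as a collection script would report it."""
    source: str   # Run key path, "IFEO", "WMI:CommandLineEventConsumer", "SchTask", ...
    name: str     # value name, hijacked image name, consumer name or task path
    command: str  # command line (or script body) that gets executed


@dataclass
class Finding:
    entry: AutostartEntry
    reasons: List[str] = field(default_factory=list)


# Each pattern describes a pre-installed, Microsoft-signed binary being handed
# code that does not live in a regular file (the hosts named on the slides).
SCRIPT_HOST_SIGNATURES = [
    (re.compile(r"\brundll32(\.exe)?\b.*\b(javascript|vbscript):", re.I),
     "rundll32 given a script: URL instead of a DLL (Poweliks-style stage 1)"),
    (re.compile(r"\bmshta(\.exe)?\b.*\b(javascript|vbscript|https?):", re.I),
     "mshta running inline or remote script with no .hta file"),
    (re.compile(r"\bregsvr32(\.exe)?\b.*/i:https?://", re.I),
     "regsvr32 loading a scriptlet from a URL"),
    (re.compile(r"\bpowershell(\.exe)?\b.*(\s-e(c|nc|ncodedcommand)?\b"
                r"|downloadstring|\biex\b|invoke-expression)", re.I),
     "PowerShell fed an encoded or downloaded command"),
    (re.compile(r"\b[wc]script(\.exe)?\b.*//e:", re.I),
     "wscript/cscript forced to an engine instead of given a script file"),
    (re.compile(r"\b(installutil|ieexec|regasm)(\.exe)?\b", re.I),
     ".NET framework utility used as an assembly loader"),
]
# Accessibility helpers reachable from the logon screen: an IFEO Debugger on
# any of them is the sethc.exe image hijack from the demo, never a real debugger.
ACCESSIBILITY_IMAGES = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                        "magnify.exe", "displayswitch.exe", "atbroker.exe"}
ENV_REF = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")
ENV_CODE_LENGTH = 200  # assumption: no benign variable a Run value needs is this long


def script_host_hits(text: str) -> List[str]:
    """Explanations of every script-host signature that matches text."""
    return [why for pattern, why in SCRIPT_HOST_SIGNATURES if pattern.search(text)]


def analyse_entry(entry: AutostartEntry, env: Dict[str, str]) -> Finding:
    """Score one entry; env is the environment the command would expand in."""
    finding = Finding(entry)
    finding.reasons.extend(script_host_hits(entry.command))
    if entry.source.upper().startswith("IFEO") and entry.name.lower() in ACCESSIBILITY_IMAGES:
        finding.reasons.append(f"IFEO Debugger set on accessibility binary {entry.name}")
    # Environment-variable staging: the Run value stays tiny and the real code
    # sits in a variable, so expand every %VAR% and inspect what comes out.
    env_upper = {k.upper(): v for k, v in env.items()}
    for var in ENV_REF.findall(entry.command):
        value = env_upper.get(var.upper(), "")
        if script_host_hits(value) or len(value) > ENV_CODE_LENGTH:
            finding.reasons.append(f"%{var}% expands to {len(value)} chars of script-like content")
    return finding


def hunt(entries: Iterable[AutostartEntry], env: Dict[str, str]) -> List[Finding]:
    """Keep only the entries that raised at least one reason."""
    return [f for f in (analyse_entry(e, env) for e in entries) if f.reasons]


# Constructed sample data, not collected from any real host.
RUN_HKCU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_HKLM = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_ENV = {
    "windir": r"C:\Windows",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
    "UPDCFG": "powershell -nop -w hidden -e " + "Q" * 240,  # constructed stage 2
}
SAMPLE_ENTRIES = [
    AutostartEntry(RUN_HKCU, "OneDrive",
                   r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    AutostartEntry(RUN_HKCU, "a", 'rundll32.exe javascript:"<stage 1 elided>"'),
    AutostartEntry(RUN_HKLM, "cfg", "cmd.exe /c %UPDCFG%"),
    AutostartEntry("IFEO", "sethc.exe", r"C:\Windows\System32\cmd.exe"),
    AutostartEntry("IFEO", "notepad.exe", r"C:\Tools\windbg.exe"),
    AutostartEntry("WMI:CommandLineEventConsumer", "Updater",
                   "powershell.exe -NoP -W Hidden -EncodedCommand <elided>"),
    AutostartEntry("SchTask", r"\Microsoft\Windows\Defrag\ScheduledDefrag",
                   r"%windir%\system32\defrag.exe -c -h -o -$"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_ENTRIES, SAMPLE_ENV):
        print(f"[{finding.entry.source}] {finding.entry.name}: " + "; ".join(finding.reasons))
```

On a real host the same function can be fed the output of an autoruns-style collector; the point is that none of the flagged entries reference a file an antivirus scanner could hash.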
CONCLUSIONS
Conclusions
• Full pentest operations are possible without using any files (or almost).
• We need some "resident" artifacts on the system, but these can be very small and easily hidden.
Thanks
• Questions? Comments?
• https://twitter.com/rpinuaga
Previous research
• A lot of ideas taken from:
  • Casey Smith: https://twitter.com/subtee
  • Didier Stevens: https://twitter.com/DidierStevens
  • Alex Abramov: https://twitter.com/codereversing
  • Rob Fuller: https://twitter.com/mubix
  • Cneelis: https://twitter.com/Cneelis
  • Matt Nelson: https://twitter.com/enigma0x3
  • Matt Graeber: https://twitter.com/mattifestation
  • James Forshaw: https://twitter.com/tiraniddo
www.prosegur.com
DEMO: Proxy + Authenticode
• Convince the user to execute a .REG file
• Configure Proxy
• Disable Authenticode validation
• Wait for EXE download
