Living off the land and fileless attack techniques (PDF)

Discussion in 'other security issues & news' started by WildByDesign, Jul 12, 2017.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,021
    Location:
    Toronto, Canada
    Internet Security Threat Report
    Living off the land and fileless attack techniques

    Analyst: Candid Wueest
    Contributor: Himanshu Anand


    Link: https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf

Guys/Gals, this one is a real gem. Definitely a long read, though, but worthwhile for those with an interest in this subject. :thumb:
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,528
    Location:
    U.S.A.
Definitely an up-to-date article, since they provided tech details on the recent Ukraine #NotPetya attack.

Of note is how PowerShell can run from a WMI Consumer Event cmd script. Although I haven't tested it, I believe this will also bypass most HIPS and anti-exec detection of cmd script execution, since WMI uses its own script engine.
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,365
    Location:
    U.S.A. (South)
WoooHoo! A good read and, as itman makes note of, up to date and recent.

    Still waiting though on itman to find that magic wand to share on WMI malicious event prevention. Not just to monitor and log but a WMI Consumer Event prevention technique vaguely hinted at in another post but sourced from a distant language and land.

That clever attachment technique to fire up a malicious PowerShell command via a WMI Consumer Event script IMO is something which should not be overlooked, as evidenced by recent incursions into that section.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,528
    Location:
    U.S.A.
First, WMI hacking requires admin privileges. However, since privilege escalation by malware is becoming trivial these days, we'll move on.

    You want to prevent WMI abuse to create malicious Consumer Event cmd and wscripts, etc... Anything else is "post execution" mitigation and marginally effective.

You want to monitor, via HIPS or anti-exec, the execution of WMIC.exe and WbemTest.exe in the Windows\System32\wbem and SysWow64\wbem directories. Although remote execution of WMI is difficult, it can be done as noted here: https://www.loadtestingtool.com/blog/general/connecting-to-wmi-on-remote-system/. So, you need to create a firewall rule to monitor/block any inbound and outbound activity from svchost.exe - Winmgmt service.

    -EDIT- Will also add this comment that applies to WMI and other functions.

If you use the Pro+ versions of Windows, make "dog on sure" you have remote desktop fully locked down. What many folks don't realize is that in the Home versions, RDP has limited functionality, primarily for remote assistance, etc. On the Windows enterprise versions, RDP is fully functional and is increasingly being used by hackers. So much so that many AV vendors are recommending that all AV GUI settings be password protected to avoid having the AV disabled via an RDP connection.
     
    Last edited: Jul 13, 2017
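A way to audit the WMI persistence the posts above describe (a consumer event that launches a command or script), as an added example that is not from the thread or from the Symantec paper: it lists every permanent filter-to-consumer binding in root/subscription and flags consumer classes that execute code. It assumes Windows PowerShell 3 or later (the CIM cmdlets) and an elevated prompt so all subscriptions are visible.

```powershell
# Added example (not code from this thread or from the Symantec paper it discusses).
# Enumerates permanent WMI event subscriptions and flags consumers that run a command
# line or a script, the mechanism behind "PowerShell from a WMI consumer event".
# Read-only. Run elevated; requires PowerShell 3+ for the CIM cmdlets.

$ns = 'root/subscription'
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer   # all subclasses
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

# Binding references surface either as CimInstance objects or as path strings such
# as 'CommandLineEventConsumer.Name="foo"'; pull the Name out either way.
function Get-RefName($ref) {
    if ($ref -is [string]) { return ([regex]::Match($ref, 'Name="([^"]*)"')).Groups[1].Value }
    return $ref.Name
}

# Consumer classes that execute arbitrary code when their filter fires.
$risky = 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'

$report = foreach ($b in $bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    $f = $filters   | Where-Object Name -eq $fName
    $c = $consumers | Where-Object Name -eq $cName
    $class = $c.CimClass.CimClassName
    # The payload lives in different properties depending on the consumer class.
    $payload = switch ($class) {
        'CommandLineEventConsumer'  { "$($c.ExecutablePath) $($c.CommandLineTemplate)" }
        'ActiveScriptEventConsumer' { "$($c.ScriptingEngine): " + ($c.ScriptText, $c.ScriptFileName -join '') }
        default                     { '' }
    }
    [pscustomobject]@{
        Filter     = $fName
        Query      = $f.Query        # WQL trigger, e.g. a timer or process-start event
        Consumer   = $cName
        Class      = $class
        Payload    = $payload.Trim()
        Suspicious = ($risky -contains $class)
    }
}

$report | Format-List
"Permanent subscriptions: $(@($report).Count); code-executing consumers: $(@($report | Where-Object Suspicious).Count)"
```

A binding you did not create that points at a CommandLineEventConsumer or ActiveScriptEventConsumer is the artefact to investigate; removing the three objects (filter, consumer, binding) with Remove-CimInstance deletes the subscription.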
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,528
    Location:
    U.S.A.
In regards to the use of PsExec in the recent NotPetya attack and other recent attacks, make sure you have a HIPS or anti-exec rule to block C:\*\psexec.exe execution. In the NotPetya attack, the malware actually installed PsExec, if not previously installed, in any directory it could find. Since it is a valid Microsoft-signed .exe, it would pass any signature checking. The preferred place malware would install it, as long as it has privileges to do so (not a problem with the NotPetya attack), would be the Windows\System32 directory to avoid whitelisting detection.
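A check for the PsExec artefacts discussed above, as an added example that is not from the thread: it finds every psexec*.exe on the system drive with its Authenticode signer and hash (a valid Microsoft signature only tells you the file is genuine, not that it belongs there), and checks for PSEXESVC, the service and binary PsExec leaves on a machine it was run against. It assumes a standard C: system drive and an elevated prompt.

```powershell
# Added example (not code from this thread). Read-only audit for PsExec on a host.

# 1. Every psexec*.exe on the system drive, with signer and SHA-256. A valid
#    Microsoft signature does not make a copy legitimate; its location and whether
#    you put it there do. Anything outside your own tools folder is suspect.
$copies = Get-ChildItem -Path 'C:\' -Filter 'psexec*.exe' -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path     = $_.FullName
            Modified = $_.LastWriteTime
            Signer   = $sig.SignerCertificate.Subject
            Status   = $sig.Status          # Valid / NotSigned / HashMismatch ...
            Sha256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
if ($copies) { $copies | Format-Table -AutoSize } else { 'No psexec*.exe found on C:' }

# 2. Target-side artefacts: PsExec copies PSEXESVC.exe into the Windows directory
#    (via the ADMIN$ share) and registers it as the PSEXESVC service on the host
#    it is run against. Either one means this machine was a PsExec target.
$svc = Get-Service -Name 'PSEXESVC' -ErrorAction SilentlyContinue
$bin = Join-Path $env:SystemRoot 'PSEXESVC.exe'
if ($svc -or (Test-Path $bin)) {
    Write-Warning "PSEXESVC present (service: $([bool]$svc), binary: $(Test-Path $bin)); this host was a PsExec target."
} else {
    'No PSEXESVC service or binary present.'
}
```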
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,088
    Location:
    Saudi Arabia/ Pakistan
Can you just block their execution? Any problems?
     
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    6,768
    That would only prevent malware from spreading to other computers in network and wouldn't prevent infection of system.
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,528
    Location:
    U.S.A.
    I have same HIPS rules and no problems so far. Will report back if any encountered in Aug. Win 10 cumulative monthly update.

    WMIC is the WMI command line option. WbemTest is really only used for manual WMI diagnostics. Also, I make HIPS rules like this "ask" ones so something necessary isn't blocked.
     
    Last edited: Jul 14, 2017
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,528
    Location:
    U.S.A.
PsExec has most of the capability of PowerShell. It has no business existing on most home users' PCs. In corp. environments, it would only be needed, if used, on servers.
     
  10. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    6,768
    I agree. Just tried to point out that blocking it won't block infection.
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,528
    Location:
    U.S.A.
    Technically, yes. In reality, no.

PsExec was used for privilege escalation and credential modification that allowed for worm-like propagation of the ransomware throughout the network. Of note is that in the NotPetya attack, PsExec and WMIC were both deployed first, and only if those failed was exploitation by EternalBlue and EternalRansom then deployed.
     
  12. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    6,768
    Yes as I pointed out in my first reply. Blocking it will protect computers on same network but not the system itself.
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,528
    Location:
    U.S.A.
Although not used in the Ukraine M.E. Doc incident, I guess I should include this "abuse" of WMI.

WMIPrvSE.exe has been targeted in the past by the likes of Kovter, as noted below. Running with System privileges, it is the ideal target to perform memory-based reflective .dll injection via process hollowing against.

    https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,528
    Location:
    U.S.A.
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,197
    Location:
    The Netherlands
    Thanks, will do some reading. But it seems like none of these "file-less malware" can be installed without running a system process. So monitoring these "vulnerable system processes" should be enough to stay safe.
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,528
    Location:
    U.S.A.
    The question is "which ones to monitor?" Each day, malware is using a new Win utility or like process to do its "dirty work."

    This really in my opinion is a Microsoft issue. For starters, many of these utilities have been deprecated and should be removed from Win OS versions; especially the Home versions. For the others, their privileges could be modified to only run with System privileges which would require special startup methods to run them.
     