Living off the land and fileless attack techniques (PDF)

Discussion in 'other security issues & news' started by WildByDesign, Jul 12, 2017.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,219
    Location:
    Toronto, Canada
    Internet Security Threat Report
    Living off the land and fileless attack techniques

    Analyst: Candid Wueest
    Contributor: Himanshu Anand


    Link: https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf

    Guys/Gals, this one is a real gem. Definitely a long read though but worthwhile for those with an interest in this subject.. :thumb:
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,658
    Location:
    U.S.A.
    Definitely an up to date article since they provided tech details on the recent Ukraine #NotPetya attack.

    Of note is how PowerShell can run from a WMI Consumer Event cmd script. Although I haven't tested, I believe this will also bypass most HIPS and anti-exec detection of cmd script execution since WMI uses its own script engine.
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,545
    Location:
    U.S.A. (South)
    WoooHoo! A good read and, as itman makes note of, up to date and recent.

    Still waiting though on itman to find that magic wand to share on WMI malicious event prevention. Not just to monitor and log but a WMI Consumer Event prevention technique vaguely hinted at in another post but sourced from a distant language and land.

    That clever attachment technique to fire up a malicious PowerShell command via WMI Consumer Event script IMO is something which should not be overlooked, as evidenced by recent incursions into that section.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,658
    Location:
    U.S.A.
    First, WMI hacking requires admin privileges. However, since privilege escalation by malware is becoming trivial these days, we'll move on.

    You want to prevent WMI abuse to create malicious Consumer Event cmd and wscripts, etc... Anything else is "post execution" mitigation and marginally effective.

    You want to monitor via HIPS or anti-exec, the execution of WMIC.exe and WbemTest.exe in Windows\System32 and SysWow64\wbem directory. Although remote execution of WMI is difficult, it can be done as noted here: https://www.loadtestingtool.com/blog/general/connecting-to-wmi-on-remote-system/ . So, you need to create a firewall rule to monitor/block any inbound and outbound activity from svchost.exe - Winmgmt service.

    -EDIT- Will also add this comment that applies to WMI and other functions.

    If you use the Pro+ versions of Windows, make "dog on sure" you have remote desktop fully locked down. What many folks don't realize is that in the Home versions, RDP has limited functionality; primarily for remote assistance, etc.. On the Windows enterprise versions, RDP is fully functional and is increasingly being used by hackers. So much so, many AV vendors are recommending that all AV GUI settings be password protected to avoid having the AV disabled via RDP connection.
     
    Last edited: Jul 13, 2017
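    The "WMI Consumer Event" persistence discussed above lives as three objects in the root\subscription namespace: an __EventFilter (the WQL trigger), an __EventConsumer (what runs, e.g. a CommandLineEventConsumer or ActiveScriptEventConsumer) and a __FilterToConsumerBinding that ties them together. Below is an added example (not code from the thread or from the Symantec paper) that inventories those bindings on the local host and flags consumers whose payload launches a script host; the keyword list is an assumption chosen for illustration. Run it in an elevated Windows PowerShell session.

```powershell
# Added example: list permanent WMI event subscriptions and flag the ones that
# launch powershell/cmd/wscript etc. Uses Get-WmiObject so that the reference
# strings in __FilterToConsumerBinding can be parsed with a simple regex.
$ns = 'root\subscription'
# Assumed keyword list; extend it to match your own environment.
$suspicious = 'powershell', 'cmd.exe', 'wscript', 'cscript', 'mshta', 'regsvr32', 'rundll32'

$filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
# Querying the abstract base class returns every concrete consumer type
# (CommandLineEventConsumer, ActiveScriptEventConsumer, NTEventLogEventConsumer, ...)
$consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer
$bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding

function Get-RefName([string]$ref) {
    # Binding references look like: __EventFilter.Name="SCM Event Log Filter"
    if ($ref -match 'Name="(.+?)"') { return $Matches[1] }
    return $ref
}

foreach ($b in $bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    $f = $filters   | Where-Object { $_.Name -eq $fName }
    $c = $consumers | Where-Object { $_.Name -eq $cName }

    # Extract the "payload" text regardless of consumer type
    $payload = switch ($c.__CLASS) {
        'CommandLineEventConsumer'  { "$($c.ExecutablePath) $($c.CommandLineTemplate)" }
        'ActiveScriptEventConsumer' { if ($c.ScriptFileName) { $c.ScriptFileName } else { $c.ScriptText } }
        default                     { '' }
    }
    $hit = $suspicious | Where-Object { $payload -match [regex]::Escape($_) } | Select-Object -First 1

    [pscustomobject]@{
        Filter   = $fName
        Query    = $f.Query
        Consumer = $cName
        Type     = $c.__CLASS
        Payload  = $payload
        Flagged  = [bool]$hit
    }
}
```

On a stock Windows install the only binding you should see is the built-in "SCM Event Log Filter" to "SCM Event Log Consumer" (an NTEventLogEventConsumer), which is not flagged. Anything that fires a command line or script on a timer or logon event deserves a look at its Query and Payload. To remove a malicious subscription, delete all three pieces (binding, consumer, filter) with Remove-WmiObject, otherwise the remaining objects can be re-bound.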
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,658
    Location:
    U.S.A.
    In regards to the use of PsExec in the recent NotPetya attack and other recent attacks, make sure you have a HIPS or anti-exec rule to block C:\*\psexec.exe execution. In the NotPetya attack, the malware actually installed PsExec if not previously installed, in any directory it could find. Since it is a valid Microsoft-signed .exe, it would pass any signature checking. The preferred place malware would install it, as long as it has privileges to do so (not a problem w/NotPetya attack), would be the Windows\System32 directory to avoid whitelisting detection.
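    A complement to the path-based block rule above is checking whether PsExec has already been dropped or used on a host. The following is an added example (not code from the thread) that looks for copies of the binary on disk and reports their Authenticode signer, checks for the PSEXESVC service that PsExec installs on a target when it runs a remote command, and pulls the System log "service installed" events (Event ID 7045) that name it. The drive list is an assumption; adjust it to the volumes you want scanned.

```powershell
# Added example: hunt for PsExec artefacts on the local host.
function Find-PsExecArtifacts {
    param([string[]]$Roots = @('C:\'))   # assumed default; pass other volumes as needed

    # 1. Copies of the binary anywhere under the given roots
    $copies = foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -Force `
            -Include 'psexec.exe', 'psexec64.exe', 'psexesvc.exe' `
            -ErrorAction SilentlyContinue
    }
    foreach ($file in $copies) {
        # A genuine copy is Microsoft-signed, which is exactly why a signature
        # check alone does not help; location and usage matter more.
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        [pscustomobject]@{
            Kind   = 'File'
            Where  = $file.FullName
            Detail = "$($sig.Status) / $($sig.SignerCertificate.Subject)"
        }
    }

    # 2. The service PsExec registers on a target machine while a command runs
    $svc = Get-Service -Name 'PSEXESVC' -ErrorAction SilentlyContinue
    if ($svc) {
        [pscustomobject]@{ Kind = 'Service'; Where = $svc.Name; Detail = $svc.Status }
    }

    # 3. Service-install events left behind even after the service is removed
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'PSEXESVC' } |
        ForEach-Object {
            [pscustomobject]@{
                Kind   = 'Event7045'
                Where  = $_.TimeCreated
                Detail = ($_.Message -split "`n")[0]
            }
        }
}

Find-PsExecArtifacts | Format-Table -AutoSize
```

A hit under item 2 or 3 on a machine where nobody runs PsExec by hand is the signal Minimalist's and itman's exchange below is about: the host was used as a hop for lateral movement, whether or not it was itself encrypted.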
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,102
    Location:
    Saudi Arabia/ Pakistan
    Can you just block their execution? Any problems?
     
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    7,751
    Location:
    EU - Slovenia
    That would only prevent malware from spreading to other computers in network and wouldn't prevent infection of system.
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,658
    Location:
    U.S.A.
    I have the same HIPS rules and no problems so far. Will report back if any encountered in Aug. Win 10 cumulative monthly update.

    WMIC is the WMI command line option. WbemTest is really only used for manual WMI diagnostics. Also, I make HIPS rules like this "ask" ones so something necessary isn't blocked.
     
    Last edited: Jul 14, 2017
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,658
    Location:
    U.S.A.
    PsExec has most of the capability of Powershell. It has no business existing on most home users PCs. In corp. environments, it would only be needed, if used, on servers.
     
  10. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    7,751
    Location:
    EU - Slovenia
    I agree. Just tried to point out that blocking it won't block infection.
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,658
    Location:
    U.S.A.
    Technically, yes. In reality, no.

    PsExec was used for privilege escalation and credential modification that allowed for worm-like propagation of the ransomware throughout the network. Of note is in the NotPetya attack, PsExec and WMIC were both deployed first and only if those failed was exploit by EternalBlue and EternalRomance then deployed.
     
  12. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    7,751
    Location:
    EU - Slovenia
    Yes as I pointed out in my first reply. Blocking it will protect computers on same network but not the system itself.
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,658
    Location:
    U.S.A.
    Although not used in the Ukraine M.E. Doc incident, guess I should include this "abuse" of WMI.

    WMIPrvSE.exe has been targeted in the past by the likes of Kovter as noted below. Running with System privileges, it is the ideal target to perform memory-based reflective .dll via process hollowing against.

    https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,658
    Location:
    U.S.A.
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,947
    Location:
    The Netherlands
    Thanks, will do some reading. But it seems like none of these "file-less malware" can be installed without running a system process. So monitoring these "vulnerable system processes" should be enough to stay safe.
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,658
    Location:
    U.S.A.
    The question is "which ones to monitor?" Each day, malware is using a new Win utility or like process to do its "dirty work."

    This really in my opinion is a Microsoft issue. For starters, many of these utilities have been deprecated and should be removed from Win OS versions; especially the Home versions. For the others, their privileges could be modified to only run with System privileges which would require special startup methods to run them.
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,102
    Location:
    Saudi Arabia/ Pakistan
    That is practically impossible. You can't deal with hundreds of pop up alerts if you monitor them and you will never know if the pop up alert is about a legit activity or a malicious one.
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,438
    And that is assuming you are the user. If you have another user on your system, it is beyond impossible. It would be pointless.
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,947
    Location:
    The Netherlands
    Are you guys familiar with EXE Radar? It will allow you to make a list of system tools often used in attacks, and normally you will almost never see any alert, unless apps are triggering rundll32, regsvr32 or cmd.exe.

    Whether you allow them is a matter of trust, and you have to know if it makes sense for a certain app to trigger them. When in doubt, block it. And if other system tools are being run, then it's likely you're dealing with malware.

    http://www.novirusthanks.org/products/exe-radar-pro/
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,658
    Location:
    U.S.A.
    You can likewise do the same in any HIPS.

    However, none of those are the OS system "utility" processes that are currently being or could be abused by malware. For example, think along the line of any existing command line initiated process existing in System32 directory for starters.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,947
    Location:
    The Netherlands
    I really don't have a clue what you mean. I suggest you check out EXE Radar, you can make a list of the most abused system processes, and it will alert you every time some process is trying to launch it. It would have even tackled the WannaCry ransomware being launched via an infected lsass.exe process. Same goes for VoodooShield.
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,658
    Location:
    U.S.A.
    You can do the same with any HIPS or anti-exec. However, you first have to know all the utility processes that exist in the Windows subdirectories.
     
    Last edited: Jul 25, 2017
  23. JimboW

    JimboW Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    244
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,658
    Location:
    U.S.A.
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,947
    Location:
    The Netherlands
    With most HIPS, it isn't this easy to configure. And as you have seen there already are lists of system processes often being abused. Like I said, most legitimate apps won't trigger any alerts, you might sometimes see them running rundll32, regsvr32 and cmd.exe, and it's up to you to decide if the behavior is normal or not. For example, if I install some browser and it tries to run powershell.exe, you already know something fishy is going on.
     