Living off the land and fileless attack techniques (PDF)

Almost all these lists are the result of known malware use of the processes noted. What about all the processes that can be abused by malware by haven't yet been used maliciously?

 

There are only so many processes that can be abused, and if a new one pops up, you add it to the list. I've just checked it, there are 462 apps in the C:\Windows\System32 folder, and only some are useful to malware.

 

The reality is, it is more effective to run UAC at max. level since most of the abuses cannot bypass this than to be constantly maintaining third party block lists. Additionally, there is always the potential for blocking a legit use of the utility using third party block and their corresponding exception lists.

 

UAC won't help, if you already gave the process admin rights, it can do what it wants, and UAC is annoying as hell. But let's not start that discussion again.

 

You can use exploit kits to load fileless attacks (reflective dll injection) without the need of using the interpreter itself, (example, running powershell agents without needing powershell.exe).

You can even load the meterpreter as a reflective DLL directly into the memory and without using hosts processes.

so normally anti-exe, which usually don't have any memory protection, won't react at all, so they are effectively bypassed because nothing is on the disk.

 

What software do you know that offer memory protection? You mentioned Appguard. But what about HMP.A, MBAE and well-known antiviruses?

 

@Azure Phoenix Appguard offer some process memory protection (against read/copy/modification of a process by another), HMPA and MBAE offer various robust protection, to be simple any soft with some memory protection feature may protect you in some extent.

Basically classic anti-exe we are used to use won't protect you unless they implement some memory protection, and at the moment none does that, why? simply because it is not their role

Even Win10 and AMSI offer decent protection, from what i heard powershell-based attacks have around 5 more years to live until MS AMSI caught most of them.

 

Best example of this does not need an exploit. A .Net program can directly execute Powershell assemblies. Whereas setting Powershell to managed mode will mitigate this, such is not the case for code directly imbedded in a C/assembler language based program. Additionally, Powershell can be run from WMI consumer and cmd events. Since WMI uses its own script engine that is not monitored by conventional security software, it will run unimpeded.

It is important to realize that the AMSI in Win 10 must first be employed by the security software. Only a handful presently use it. Next, AMSI only monitors the following direct three script executions; PowerShell, wscript, and jscript. AMSI's primary purpose is to suspend execution of packed and obfuscated scripts until they are unpacked and unobfuscated at which time interfacing AV realtime scan engines can examine them for malicious code.

 

Exact, it what i was saying, by exploit kits, i meant some plateform/framework available on a certain Linux distro. i didn't wanted to go to deep in details or give the tools names.
but you and me know which ones we talk about

yes i know, unfortunately for common users.

 

Yes correct, but I wasn't talking about exploits, that is a different story. But often when malware is active in memory, there comes a point they will try to run a system process, and then you can catch them.

 

by exploit kits i talk system exploitation kits , no a kit using exploits...

Nope. if it was the case i won't even mention it. They can even embark they own interpreter/meterpreter which will be loaded all in memory; no need to touch the disk, no .exe created.

 

Yes, I know what you mean. Malware can run from inside memory and don't always need to launch system tools. So it's best to block exploit at stage 1, and if that fails, you should isolate the exploited process. So this means, the browser should be blocked from performing code injection and from having access too important data. According to peter2150, it's possible to bypass Sandboxie via Powershell, but I really don't see how this is possible.

 

Yep, memory protection of anti-exploits (and of some other softs) is the only way, because those fileless attacks don't create a process, they inject into an active one, some people don't even knows about that and strictly believe that you must execute a Windows process to infect anything.
In general, if something can't protect the memory, it can be bypassed.
It is why anti-exploits are a must have and why MS implement EMET by default on next build of Win10.

yep.

maybe by using meterpreters by specific methods i guess.
I know Sbie has some IPC blocking feature, but the list is empty by default.

 

In regards to recent fileless malware attacks, many are now using a two stage attack whereby one of the registry auto run keys are being modified in initial infection. Then at boot time the main malware infection is delivered from the code stored in that modified key.

Below are two references on malware execution via registry key.

This article covers the normal registry auto run keys used: http://resources.infosecinstitute.com/common-malware-persistence-mechanisms/ .

This article repeats the same key references but adds some additional ways that malware uses for persistence: https://andreafortuna.org/malware-persistence-techniques-812b02725f9a. As far as the COM reference give not a lot of detail is given. But a very recent example of use via registry run key is shown here: https://www.wilderssecurity.com/thr...rom-infection-to-payload.395860/#post-2696277

 

On the other hand, when we look at protecting consumers, the number one app that is attacked by exploits are browsers. And browsers like Chrome, Edge and soon Firefox, are already becoming very hard to exploit. I would be more worried about malware (executed by user) that is using system processes, in the document they call this dual-use tools. I don't think we will be seeing true "in-memory" malware like ransomware, targeting consumers anytime soon, see link. So it remains important to simply block system tools from being launched.

http://blog.secdo.com/multiple-groups-exploiting-eternalblue-weeks-before-wannacry

 

ah finally, your link show EB-DP "Dropper" and the "Patient Zero" i was kept mentioning and many ignored:

so basically any anti-exe/SRP and a properly set firewall would block EB in the first place. attacks doesn't appears magically in a network or system. you must have an entry point.

Also, the whole article just acknowledge my demonstration explaining about EB-DP i made in the past .
If EB manage to be executed, it is game over (point 2) because it can create DP (which seems to be point 3), so EB-DP is all about lsass.exe being injected (as i said millions times) not about the execution of Rundll32.exe (which is one of the following stages of the attack) or other tools...

EB-DP is multi-stage attack , starting with a dropper loading EB -DP or via a connection via publicly opened SMB port (445) > then EB spread, the network is exploited by via SMB vulnerability, > then EB as a kernel exploit (running at SYSTEM) inject code into lsass.exe > which lead to DP creation > which create a Reverse TCP connection (via rundll32.exe) > which allow the implementation of other tools by the attacker via the said reverse connection.

 

Yes correct, but that WannaCry stuff is old news. The reason why I posted the article, is because it's about malware that is truly in-memory, all malicious actions are done from inside a system process. Depending on the goal of in-memory malware, it may or may not need to use other system tools, that need to be spawned. If this is the case, the whole attack isn't completely file-less anymore, and AE can block it. I don't expect to see these kind of attacks on home users.

 

Exact; some of those "in-memory attacks" may embark those tools and don't even needs to touch the disk or even make a reverse connection. Tools are just present to give the attackers more options once the system is compromised.

Indeed, unless the attacker target a specific person
Those kind of staged attacks needs some skills to prepare them.

 

https://www.infosecurity-magazine.com/news/fileless-malware-on-the-rise/

 

I believe no one here on Wilders will dispute this fact.

 

Symantec reveals state-sponsored group that doesn’t care for malware

https://www.cyberscoop.com/malware-less-cyber-espionage-hacking-group-symantec-research/

 

Banks in West Africa Hit with Off-The-Shelf Malware, Free Tools
January 17, 2019
https://www.bleepingcomputer.com/ne...ca-hit-with-off-the-shelf-malware-free-tools/

Symantec blog: Attackers using commodity malware and living off the land tools against financial targets