The Fileless Attack SURVIVAL GUIDE

Protect Your Company from Attacks Antivirus Can’t Block

THE FILELESS ATTACK SURVIVAL GUIDE 1 Table of Contents

3 Executive Summary
5 Introduction
8 Types of fileless attack techniques
10 How attackers use them to…
11     Gain initial access
13     Escalate privileges
15     Execute payloads
17     Gain persistence
19     Achieve lateral movement
21 Practical tips for preventing and mitigating fileless attacks
22 Fileless Attack Checklist

Executive Summary

Attacks are constantly evolving. One of the most damaging trends we’ve seen of late is the increasingly widespread adoption of fileless attack techniques. These techniques are designed to silently infect target systems without ever downloading malicious programs or leaving behind any obvious trace, primarily by using a victim company’s trusted software and system tools against it.

To clarify what actually constitutes a fileless attack and explain how it can work, here are three things every business leader should know:

1. Fileless attacks exploit a fundamental gap in traditional endpoint security. Traditionally, attacks involving malware have revolved around attackers gaining access to a victim’s computer (typically by either exploiting a software vulnerability or tricking the victim into downloading something he or she shouldn’t), and then installing an executable file (the “payload”) that does the damage.

The problem with this approach from an attacker’s perspective is that antivirus solutions are built to scan and block any suspicious files that land on the computer. By not installing malicious files, however, attackers can simply bypass these solutions. All they need to do is hijack otherwise legitimate system tools and processes to do their dirty work for them.

2. There are a variety of fileless techniques becoming more widespread. Exploiting vulnerable applications and injecting code into normal system processes are both popular fileless techniques for gaining initial access and execution on target systems without getting noticed.

Once the initial compromise is complete, attackers can continue avoiding detection by abusing powerful built-in administration tools like PowerShell and Windows Management Instrumentation (WMI). Because these tools have legitimate use cases, they allow attackers to hide in plain sight while they escalate privileges, move laterally throughout the network, and achieve persistence by making changes to the registry.

3. Fileless attacks can be stopped (just not by AV). While fileless techniques can be extremely difficult to detect, there are things you can do to protect your business and reduce your risk. With no files to scan, however, detecting and blocking fileless attacks ultimately comes down to your organization’s ability to take proactive preventative measures and identify malicious activity and behaviors on the endpoint in real-time — ideally before any damage is done. Find out how Barkly can help you do just that.


Key Takeaways

• “Fileless” has become a handy shorthand to describe a variety of attack techniques ranging from malicious code injection to abusing legitimate, built-in system tools.

• These techniques help attackers avoid dropping malicious executable files on disk, which means they can’t be detected by file-scanning AV solutions.

• New attack tools and frameworks have made it easier for common criminals to use fileless attack techniques. As a result, they’re gaining widespread adoption.

• 42 percent of organizations experienced one or more fileless attacks that successfully compromised their data or IT infrastructure in 2017. (Ponemon Institute)

• 77 percent of successful compromises in 2017 involved fileless techniques. (Ponemon Institute)

• Fileless attack techniques can be used to gain initial access to a system and/or to accomplish a wide variety of post-exploitation activities.

• By utilizing exploits and code injection techniques attackers can filelessly load and execute malicious code directly in memory.

• Attackers can gain persistence on compromised machines by storing malicious scripts in the registry.

• By abusing powerful legitimate system administration tools like PowerShell and Windows Management Instrumentation (WMI), attackers can carry out malicious activities without raising red flags.

See the checklist in the appendix for a complete list of practical steps every company should take to mitigate these threats.

Introduction

Yes, we get it. The term “fileless” is confusing. It sounds like yet another new marketing buzzword, but what it actually refers to are evasive attack techniques that, in many cases, have been around for quite a while.

Why all the fuss about “fileless” techniques now?

For one thing, they’re more prevalent. As new attack tools and frameworks make these techniques easier to use they’re getting more popular and widespread.

Another reason is they’re working.

The Ponemon Institute recently found that 77 percent of successful compromises involved fileless techniques, and that attacks incorporating fileless techniques were 10x more likely to succeed than traditional file-based attacks.

That success highlights obvious gaps in the traditional endpoint security approach of scanning files to identify malware (hence the marketing interest from new vendors).

Buzzwordiness aside, the wider adoption of fileless attack techniques is a real problem. We all need to be aware of it, and we need to be taking steps to address it. That’s what this guide is all about.

54% of companies experienced one or more successful attacks that compromised data and/or IT infrastructure.

77% of those attacks utilized exploits or fileless techniques.


First, let’s clear things up.

Confusing terms you won’t see in this guide (except for right here):

• Fileless malware: This may currently be the most widely used term, but it’s also responsible for the majority of the confusion on this topic. Doesn’t malware refer to executable programs and files? How can it be fileless? If it is “fileless” is it really malware? What is “malware,” anyway? Rather than get lost in such deep, existential questions let’s just agree it’s a bad term and move on.

• Non-malware: We’ve never found it very useful to name something based on what it isn’t. It’s like an app that labels anything that isn’t a hotdog “Not hotdog” — it’s not especially helpful or descriptive.

THE TERM “FILELESS” IS BEST USED TO DESCRIBE:

Attack techniques that provide alternatives to dropping malicious executable files on disk.

While we’re at it, a few other things fileless attacks aren’t:

• Fileless attacks aren’t new: Using the term “fileless” to describe attacks that don’t leave executable files behind on the victim’s hard drive is all the rage now, but that doesn’t mean the concept is new. In fact, attacks that store malicious code solely in memory date back to the prolific Code Red and SQL Slammer worms of the early 2000s. For a good history of fileless attacks and usage of the term, see this post from Lenny Zeltser.

• Fileless attacks aren’t rare: According to the Ponemon Institute’s 2017 State of Endpoint Security Risk report, 42 percent of organizations experienced one or more fileless attacks that successfully compromised their data or IT infrastructure in 2017.


• Fileless attacks aren’t always exclusively fileless at every stage: Super shocking statement alert: Attacks can involve files and fileless techniques — they’re not mutually exclusive (gasp!). For example, many attacks may begin in a traditional way we’ve all become accustomed to (say, a user opens a file attached to a spam email), but once initial compromise is established, they can shift to using fileless ways of gathering information and spreading. Vice versa, attackers can also gain initial compromise filelessly (by exploiting a vulnerability, for example), and then use that access to deploy malicious executable files. The point is attackers can leverage both files and fileless techniques at different stages during an attack. For that reason, rather than get into semantic disputes over which attacks are truly fileless and which aren’t, let’s acknowledge that often what the term “fileless” is actually referring to are the techniques attackers use to avoid dropping malicious executable files on disk.

Types of Fileless Attack Techniques

In-memory: By utilizing exploits and code injection techniques attackers can load and execute malicious code directly in memory.

Script-based: Scripts can be used as droppers in early attack stages and for a wide variety of post-exploitation activities.

Living off the land: By abusing powerful legitimate system administration tools like PowerShell, Windows Management Instrumentation, PsExec, etc. that are built into Windows, attackers can carry out malicious activities without raising red flags. For more on “Living off the land” techniques, see Symantec’s ISTR report on the topic.

Registry-resident: Attackers can gain persistence on compromised machines by storing malicious scripts in the registry. Kovter and the QakBot banking trojan are two notorious examples of malware that sets up shop via autorun registry entries to help it survive system reboots and make itself frustratingly difficult to remove.

A good hacker avoids the use of malware and code exploits whenever possible. There’s no sense in using malicious code when simpler and quieter means are available.

— LESLEY CARHART, TISIPHONE.NET


Why attackers love fileless techniques

• They evade detection: By operating in memory or residing in the registry, attacks can avoid being detected by many of today’s security solutions.

• They leave little trace for forensics: With few artifacts to examine, attacks are harder to attribute and reverse engineer.

• They use your own tools against you: Abusing legitimate administration tools and utilities allows attackers to bypass whitelisting and hide in plain sight.

• They’re easier to execute than ever: Thanks in part to pentesting frameworks like Metasploit, Empire, Cobalt Strike, PowerSploit, etc. many fileless attack techniques are pre-packaged and available to anyone, regardless of their motives or technical expertise. In particular, Meterpreter, a component of Metasploit specializing in in-memory attacks, has been tied to a wave of fileless attacks carried out against banks and financial institutions in 2017.

• They work: An estimated 77 percent of successful compromises in 2017 involved fileless techniques (Ponemon Institute’s 2017 State of Endpoint Security Risk).

Signature-based detection solutions commonly factor into businesses’ defensive strategies. The same cannot be said of tools that scan computer memory for malware. Attackers know this, which is why many bad actors now resort to memory space, privileged-level APIs, and the Windows registry to conceal their digital threats.

— DAVID BISSON, TRIPWIRE


How attackers use fileless techniques

To understand how attackers are using fileless techniques, let’s look at how attacks are structured.

At a high level, attacks can be broken down into two primary stages: the initial compromise that gives attackers access to the system, and the post-exploitation activities they conduct once they have access.

Attackers have different goals during each of these stages, and there are wide varieties of fileless techniques they can utilize to accomplish them (with the list of options growing all the time). Let’s cover some prominent examples.

Stage 1 of an Attack: Initial Compromise

Goal: Gain a foothold on the target system

Example fileless methods of achieving that goal:

ATTACK METHOD

Remote code execution exploits

Exploiting vulnerabilities in software or operating systems can allow attackers to gain access and control over a machine. Prominent examples of attacks exploiting remote code execution (RCE) vulnerabilities include the WannaCry and NotPetya outbreaks (which utilized the EternalBlue exploit), and the Equifax breach, in which attackers were able to exploit a vulnerability in the company’s unpatched version of Apache Struts and use it to execute malicious commands.

ATTACK METHOD

Brute force attacks

While we tend to think of attackers gaining access to computers primarily via malicious emails or exploit kits, a large number of attacks start off much more simply — attackers just guess their way past weak passwords. In fact, brute force attacks have become the compromise of choice for a growing number of ransomware groups (SamSam, CrySiS, BTCWare, etc.), who specifically target organizations with Remote Desktop Protocol (RDP) exposed to the Internet.

RDP is a protocol developed by Microsoft as a remote management tool. It is commonly exposed in internal networks for use in administration and support, but when it’s exposed to the wider Internet it can be a beacon for attackers. Port scanning tools like Nmap and masscan make it incredibly easy for attackers to home in on devices with vulnerable RDP connections, and launching attacks that way allows them to bypass a wide variety of security solutions.

RDP isn’t the only potential target for brute force attacks, of course. Other remote access tools like Teamviewer are also frequently targeted (though many have mitigations such as account lockouts or progressive delays built in).


ATTACK METHOD

Script-based attacks

Strictly speaking, the use of scripts (PowerShell scripts, VBScript, JavaScript, etc.) and macros (code embedded into Microsoft Office documents written in VBA) to gain initial compromise isn’t a completely fileless technique. Scripts often come embedded inside archive files (.zip, .rar, .7z, etc.) or otherwise benign files like Microsoft Office documents or PDFs. There are also the script files themselves, but these can be easily obfuscated and are difficult to detect.

Once executed, scripts and macros can serve as downloaders and payload launchers, or they can trigger a wide variety of fileless post-exploitation activity.

In any of the cases described above, once the initial compromise is successful attacks can move forward in either a traditional file-based or a fileless direction.

Example flow:

Phishing email with Word doc attachment.

Macro in Word doc activates PowerShell.

File-based path: PowerShell downloads an executable file to disk and runs it.

Fileless path: PowerShell runs malicious code directly in memory.

Stage 2 of an Attack: Post Exploitation

Once a machine has been compromised, an attacker’s attention can shift to accomplishing a wide variety of post-exploitation goals, from launching malicious payloads to moving laterally throughout the network.

Here are several examples, along with fileless techniques attackers use to achieve each.

Goal: Privilege escalation

Unless an attacker has the good fortune of landing on a machine with administrator privileges, initially the amount of access and functionality they have is going to be limited. This often makes privilege escalation one of the first orders of business during an attack.

Example fileless methods of achieving that goal:

ATTACK METHOD

Bypassing User Account Control (UAC)

Depending on settings, Windows User Account Control can allow or deny a program the ability to elevate its privileges by prompting users for confirmation. To get around this, attackers can hijack legitimate Microsoft programs and tasks that are designed to auto-elevate — meaning they can be launched by unprivileged users but they run with elevated privileges. In doing so, attackers can execute PowerShell scripts and commands they otherwise couldn’t, and launch high-privilege programs without triggering UAC prompts. Security researcher Matt Nelson has documented several of these workarounds, including using SilentCleanup, eventvwr.exe, and sdclt.exe.

There are many other methods of bypassing UAC, but they generally require dropping a file to disk (ex: dropping a DLL to perform a DLL hijack).

TOOLS ABUSED

• Windows Task Scheduler

• Microsoft-signed binaries that auto-elevate (ex: eventvwr.exe, sdclt.exe)

MITIGATION

Use the highest UAC enforcement level whenever possible, including setting UAC level to “Always notify” (yes, this can be annoying), remove users from the local administration group, and enable Admin Approval Mode to enforce UAC for the built-in Administrator.


ATTACK METHOD

Dumping credentials

There are several places where Windows stores credentials (LSASS process memory, the Security Accounts Manager (SAM) database, and Credential Manager, to name a few), and they can even include credentials of domain users and admins who have logged into the machine. Attackers and penetration testers have naturally developed tools and tactics to take advantage of this. We’ll cover specific examples in more detail in the Propagation section.

REAL-WORLD EXAMPLE:

Fareit

Just a few months after Matt Nelson’s post on the eventvwr.exe UAC bypass was published, researchers spotted attackers using it to distribute the information-stealing malware Fareit.

Fareit adds an entry to the registry that establishes that the malware (in this case, “sick.exe”) will execute any time a .msc (Microsoft Saved Console) file is opened.

Then it launches Microsoft’s Event Viewer (eventvwr.exe), which queries HKCU\Software\Classes\mscfile\shell\open\command in order to start mmc.exe (Microsoft Management Console) and open eventvwr.msc, which now executes Fareit instead, retaining high privileges. Because eventvwr.exe doesn’t require UAC permission to run with high privilege, any child process it executes (in this case, Fareit) will run with high privilege without triggering UAC prompts, too.

Note: While this attack abused eventvwr.exe to launch an executable file, to keep the attack fileless it would be just as easy to substitute “sick.exe” for any malicious PowerShell script or command attackers want.
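The following PowerShell is an added example and is not part of the guide or of Barkly’s products. It audits the UAC policy values behind the mitigation above (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop and FilterAdministratorToken, which is the value behind “Admin Approval Mode for the built-in Administrator”) and checks for the per-user mscfile handler that the Fareit case plants. The registry paths and value names are the documented Windows locations; the pass/fail thresholds and the output layout are this script’s own choices.

```powershell
# Added example, not part of the guide: audit UAC policy values and check for the
# HKCU mscfile file-association hijack used in the Fareit case. Registry paths and
# value names are the documented Windows locations; thresholds are this script's.

$UacPolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$MscfileHijack = 'HKCU:\Software\Classes\mscfile\shell\open\command'

function Get-UacPosture {
    $p = Get-ItemProperty -Path $UacPolicyKey
    [pscustomobject]@{
        EnableLua                  = $p.EnableLUA                   # 1 = UAC on
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin  # 2 = "Always notify"
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop       # 1 = prompt on the secure desktop
        FilterAdministratorToken   = $p.FilterAdministratorToken    # 1 = Admin Approval Mode for built-in Administrator
    }
}

function Test-UacPosture {
    param([pscustomobject]$Posture = (Get-UacPosture))
    $findings = @()
    if ($Posture.EnableLua -ne 1) {
        $findings += 'UAC is disabled (EnableLUA is not 1)'
    }
    if ($Posture.ConsentPromptBehaviorAdmin -ne 2 -or $Posture.PromptOnSecureDesktop -ne 1) {
        $findings += 'UAC is below "Always notify" (ConsentPromptBehaviorAdmin should be 2, PromptOnSecureDesktop 1)'
    }
    if ($Posture.FilterAdministratorToken -ne 1) {
        $findings += 'Admin Approval Mode is off for the built-in Administrator (FilterAdministratorToken should be 1)'
    }
    $findings
}

# The legitimate mscfile handler lives under HKLM (HKEY_CLASSES_ROOT). A per-user
# copy under HKCU is what eventvwr.exe resolves first, so its mere presence is a
# strong indicator regardless of the command it points at.
function Test-MscfileHijack {
    if (Test-Path $MscfileHijack) {
        [pscustomobject]@{
            Key     = $MscfileHijack
            Command = (Get-ItemProperty -Path $MscfileHijack).'(default)'
        }
    }
}

Test-UacPosture | ForEach-Object { Write-Warning $_ }
Test-MscfileHijack | Format-List
```

Run it from an elevated prompt so the HKLM policy key is readable; an empty result from Test-MscfileHijack is the expected state on a clean profile.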


Goal: Launch attack payload(s)

To avoid writing malicious files and scripts to disk (subjecting them to AV scanning and possible detection), attackers have several ways of loading and executing them directly from memory, instead. These techniques primarily rely on injecting malicious code into a legitimate process (often with the help of PowerShell and/or Windows API functions), thereby hijacking its memory space and privileges to execute.

The techniques below are two of the most common fileless methods of process injection. You can find a larger list (including methods that require writing a DLL to disk) on the Endgame blog here.

Example fileless methods of achieving that goal:

ATTACK METHOD

Reflective DLL Injection

One of the most common ways attackers insert malicious code into a legitimate process is through DLL injection. Dynamic Link Library (DLL) files contain instructions that multiple programs can call on as needed during runtime. By writing a path to a malicious DLL in a host process, attackers can trigger that process to execute it. As researchers at ReaQta discovered, there is even a legitimate, trusted Microsoft program called Mavinject.exe attackers can use to conduct malicious DLL injection without raising red flags.

With reflective DLL injection, attackers are able to copy an entire DLL into process memory, which avoids having that DLL reside on disk (making it easily detectable) and being registered with the process it’s being injected into. Reflective DLL injection has become a popular technique heavily incorporated into attacks as well as penetration testing tools such as Metasploit, Cobalt Strike, Empire, PowerSploit, etc. which make deploying it easy.

TOOLS ABUSED

• PowerShell

• Metasploit’s Meterpreter

• Cobalt Strike’s Beacon

• Empire

• PowerSploit, etc.

MITIGATION

Monitoring processes and API calls can result in a lot of noise to filter, but tools like Process Explorer, which provides a variety of info on active processes, including DLLs and memory-mapped files they’ve loaded, and Get-InjectedThreads, which scans active threads on the system for suspicious start addresses, can help. There are also specific calls in the PowerShell operational log that can provide strong indication of an attack.


ATTACK METHOD

Process hollowing

Another well-established evasive execution technique is process hollowing, which involves creating a suspended process, swapping out the original executable code from that process with a malicious payload, and resuming the process so the payload is executed. Sorebrect ransomware uses this technique to hijack svchost.exe, using the legitimate process as cover to run the malware’s encryption routine.

Researchers at enSilo presented a new, stealthier take on process hollowing at Black Hat Europe 2017. Dubbed “process doppelgänging,” it abuses the Windows NTFS Transaction feature and an outdated but still supported version of Windows process loader to hide malicious code in the memory of otherwise legitimate processes.

TOOLS ABUSED

• PowerShell

MITIGATION

One way of spotting traditional process hollowing activity is to monitor for processes being spawned with the CREATE_SUSPENDED flag.

REAL-WORLD EXAMPLE:

DoublePulsar

DoublePulsar is the backdoor implanted by the Eternal family of exploits (EternalBlue, EternalRomance, etc.) for remote payload execution. Shellcode in the kernel injects additional shellcode into the lsass.exe process, which can then load and run payloads via reflective DLL injection. For more details, see Countercept’s DoublePulsar analysis.

Diagram: EternalBlue (CVE-2017-145) exploits SMB vulnerability, loads shellcode in kernel memory. → Kernel shellcode injects shellcode into lsass.exe via Asynchronous Procedure Call (APC). → Reflective DLL injection loads and runs payload.


Goal: Persistence

Landing on a machine is one thing. Sticking around past a reboot and/or removal attempts is another. To avoid detection, attackers can create fileless load points that take advantage of several built-in Windows features and functionality.

Example fileless methods of achieving that goal:

ATTACK METHOD

Storing malicious scripts in the registry

The most common way of achieving fileless persistence is by planting malicious scripts in the Windows registry. Poweliks and later Kovter are two examples of malware that has evolved to become completely “registry resident,” with code spread across multiple registry keys and designed to be extracted and run on the fly whenever the machine restarts or shortcut or batch files are triggered.

TOOLS ABUSED

• PowerShell

MITIGATION

The good news is because registry contents are stored on disk they can be monitored. Microsoft’s Sysinternals Autoruns program can help with inspecting registry keys and even has VirusTotal integration to help identify malicious entries.

ATTACK METHOD

Abusing Windows Management Instrumentation

Windows Management Instrumentation (WMI) provides system administrators with a wide range of powerful capabilities, including locally or remotely executing scripts via the command line tool wmic.exe or PowerShell. Those capabilities also make WMI an extremely useful tool for attackers, who can abuse it to trigger scripts to execute based on various events such as startup, a specific time of day, etc.

For more information on how attackers abuse WMI, see this paper by researcher Matt Graeber.

TOOLS ABUSED

• PowerShell

• WMI

MITIGATION

One way to combat malicious WMI abuse is to… use WMI. As Graeber explains, WMI event subscriptions can be created that log and respond to suspicious WMI activities (examples here and here).
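As an added example (not from the guide and not Graeber’s own code), the PowerShell below does both halves of that mitigation: it lists the permanent event subscriptions already present in the root/subscription namespace (the __EventFilter, __EventConsumer and __FilterToConsumerBinding triples a persistence mechanism needs) and registers a temporary subscription that warns whenever a new consumer or binding is created. The class and namespace names are WMI’s own; the script-host keyword list used to mark a consumer as suspicious is this script’s heuristic.

```powershell
# Added example, not part of the guide or Graeber's paper: enumerate permanent WMI
# event subscriptions and watch for new ones. Namespace and class names are WMI's
# own; the "Suspicious" heuristic is this script's.

function Get-WmiPersistence {
    $ns = 'root/subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue

    foreach ($b in $bindings) {
        # Filter/Consumer are object paths such as  __EventFilter.Name="..."
        $filterName   = $b.Filter   -replace '^.*Name="([^"]*)".*$', '$1'
        $consumerName = $b.Consumer -replace '^.*Name="([^"]*)".*$', '$1'
        $f = $filters   | Where-Object Name -eq $filterName
        $c = $consumers | Where-Object Name -eq $consumerName

        # CommandLineEventConsumer and ActiveScriptEventConsumer are the two that run
        # attacker-supplied code; the other consumer types only log or send events.
        $type = $c.CimClass.CimClassName
        $payload = if ($type -eq 'CommandLineEventConsumer') { $c.CommandLineTemplate }
                   elseif ($type -eq 'ActiveScriptEventConsumer') { $c.ScriptText }
                   else { $null }

        [pscustomobject]@{
            Filter       = $filterName
            Query        = $f.Query                 # the WQL trigger, e.g. a startup or timer event
            ConsumerType = $type
            Consumer     = $consumerName
            Payload      = $payload
            Suspicious   = [bool]($payload -match 'powershell|mshta|wscript|cscript|cmd\.exe|regsvr32')
        }
    }
}

# Session-scoped subscription: fires when a consumer or binding is created. A
# permanent version of this watcher would itself be a __FilterToConsumerBinding.
function Start-WmiPersistenceWatch {
    $query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE " +
             "TargetInstance ISA '__EventConsumer' OR TargetInstance ISA '__FilterToConsumerBinding'"
    Register-CimIndicationEvent -Namespace 'root/subscription' -Query $query `
        -SourceIdentifier 'WmiPersistenceWatch' -Action {
            $t = $Event.SourceEventArgs.NewEvent.TargetInstance
            Write-Warning ("New WMI subscription object created: {0}" -f $t.CimClass.CimClassName)
            $t | Format-List | Out-String | Write-Warning
        }
}

Get-WmiPersistence | Format-List
Start-WmiPersistenceWatch
```

Baseline the output on a known-good machine first: management agents legitimately register subscriptions (the built-in SCM Event Log filter, for example), so the value is in diffing against that baseline rather than in treating every entry as hostile. Unregister-Event -SourceIdentifier WmiPersistenceWatch removes the watcher.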


ATTACK METHOD

Scheduled tasks and group policy objects (GPOs)

Another basic way of establishing persistence is by creating scheduled tasks and using them to trigger scripts and commands. The QakBot trojan is a good example. Not only does it create a registry entry to automatically launch itself each time the infected computer starts up, it also creates two recurring, scheduled tasks to ensure it’s still running and hasn’t been removed. The first periodically attempts to launch QakBot, while the second launches a downloader to reinfect the machine should the payload be removed.

TOOLS ABUSED

• PowerShell

• Task Scheduler

MITIGATION

Monitor for scheduled task creation (event ID 4698). This PowerShell script from Netwrix creates instant alerts.
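The script below is an added example, not the Netwrix script the guide links to and not part of the guide itself. It reads recent 4698 events from the Security log, unpacks the task definition XML the event carries (TaskContent) to recover the command and arguments the task runs, and flags the script-host patterns QakBot-style persistence relies on. The event ID, field names and task XML namespace are Windows’ own; the keyword list is this script’s heuristic, and the event only exists if auditing of “Other Object Access Events” is enabled.

```powershell
# Added example, not part of the guide: triage scheduled task creation events
# (Security log, ID 4698). Event fields and the task XML namespace are Windows'
# own; the indicator list is this script's. Auditing must be on for 4698 to exist:
#   auditpol /set /subcategory:"Other Object Access Events" /success:enable

function Get-NewScheduledTasks {
    param([int]$Hours = 24)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4698
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if (-not $data['TaskContent']) { continue }

        # TaskContent is the task's own XML; Exec/Command and Exec/Arguments are what runs.
        $task = [xml]$data['TaskContent']
        $nsm  = New-Object System.Xml.XmlNamespaceManager($task.NameTable)
        $nsm.AddNamespace('t', 'http://schemas.microsoft.com/windows/2004/02/mit/task')
        $command   = $task.SelectSingleNode('//t:Exec/t:Command', $nsm).InnerText
        $arguments = $task.SelectSingleNode('//t:Exec/t:Arguments', $nsm).InnerText

        [pscustomobject]@{
            Time       = $e.TimeCreated
            Creator    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            TaskName   = $data['TaskName']
            Command    = $command
            Arguments  = $arguments
            # Script hosts, encoded PowerShell and hidden windows are the usual fileless launchers
            Suspicious = [bool]("$command $arguments" -match 'powershell|mshta|wscript|cscript|regsvr32|-enc|-e |hidden|bypass')
        }
    }
}

Get-NewScheduledTasks -Hours 168 | Where-Object Suspicious | Format-List
```

Pair the output with the persistence check for the same host: QakBot’s pattern is a run key plus two recurring tasks, so a new task whose command matches a run-key entry is a stronger signal than either alone.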

REAL-WORLD EXAMPLE:

Kovter

Kovter is click-fraud malware well-known for its fileless persistence. Its latest method involves creating registry keys that run the payload command any time a file with a custom file extension (ex: .cnc9974d) is opened.

Kovter uses .lnk and .bat files pointing to files with the custom extension in order to launch itself at each system startup.

Diagram:

1. Kovter creates benign files with that custom extension.

2. Kovter creates a registry key that executes a malicious command every time a file with the custom extension is opened.

3. A registry run key is set to execute a batch script file (.bat) that opens the custom extension file, and a shortcut file (.lnk) pointing to the custom extension file is dropped in the startup folder.

4. The command uses mshta to execute JavaScript.

5. The JavaScript activates PowerShell, which launches Kovter via reflective DLL injection.
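The PowerShell below is an added example and is not part of the guide; Autoruns, which the guide recommends, covers the same ground interactively. It serves both the registry-persistence section above and the Kovter case: it enumerates the standard Run/RunOnce load points and flags entries that invoke a script host or a .bat/.lnk launcher, then walks the per-user file-type registrations under HKCU\Software\Classes looking for an extension whose open verb runs mshta, PowerShell or another script host, which is the registry-resident half of Kovter’s chain. The key paths are the standard Windows autorun locations; the keyword heuristics are this script’s own.

```powershell
# Added example, not part of the guide: audit autorun keys and per-user file-type
# handlers for script-host launchers (the Kovter pattern). Key paths are the
# standard Windows locations; the heuristics are this script's.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$ScriptHosts = 'mshta|powershell|pwsh|wscript|cscript|cmd\.exe|regsvr32|rundll32'

function Get-AutorunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # skip the provider's PSPath/PSParentPath/... noise
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $p.Value
                ScriptHost = [bool]($p.Value -match $ScriptHosts)
                # A .bat/.cmd/.lnk run entry is how Kovter bootstraps its custom-extension handler
                Launcher   = [bool]($p.Value -match '\.(bat|cmd|lnk)\b')
            }
        }
    }
}

# Extension key (".cnc9974d") -> ProgID (its default value) -> shell\open\command.
# A per-user registration whose command is a script host is the Kovter signature.
function Get-SuspiciousUserFileHandlers {
    $classes = 'HKCU:\Software\Classes'
    if (-not (Test-Path $classes)) { return }
    Get-ChildItem -Path $classes -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like '.*' } |
        ForEach-Object {
            $progId = (Get-ItemProperty -Path $_.PSPath).'(default)'
            if (-not $progId) { return }
            $cmdKey = Join-Path $classes "$progId\shell\open\command"
            if (Test-Path $cmdKey) {
                $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
                if ($cmd -match $ScriptHosts) {
                    [pscustomobject]@{ Extension = $_.PSChildName; ProgId = $progId; Command = $cmd }
                }
            }
        }
}

Get-AutorunEntries | Where-Object { $_.ScriptHost -or $_.Launcher } | Format-Table -AutoSize
Get-SuspiciousUserFileHandlers | Format-List
```

Legitimate software does register per-user handlers, so review the Command column rather than alerting on presence alone; an invented extension paired with an mshta or PowerShell command is the combination worth escalating.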


Goal: Propagation

Land and expand by achieving lateral movement.

Example fileless methods of achieving that goal:

ATTACK METHOD

Dumping credentials

Harvesting credentials stored on a compromised machine can be extremely useful for lateral movement, especially when password reuse is so high and there’s also a chance they can include credentials of domain users and admins who have logged into that machine. By using Mimikatz, an incredibly popular and versatile penetration testing tool, attackers can scrape cleartext passwords and NTLM hashes from the memory of lsass.exe (the process responsible for Windows authentication), or extract saved credentials from Windows Credential Manager (even domain credentials). Thanks to this PowerShell script, Mimikatz can be run entirely in memory.

Mimikatz isn’t the only option available to attackers. Metasploit’s Meterpreter payload can be used to pull account info from the NTDS.dit file (the database for Active Directory), including not only the current NT and LM hashes, but the saved history going back to 20 previous passwords.

Windows Credential Editor is another option. This legitimate administrative tool can be abused by attackers to grab NTLM credentials and Kerberos Tickets as well as dump cleartext passwords stored by Windows authentication packages.

Additional techniques can be found here.

TOOLS ABUSED

• Mimikatz

• Metasploit’s Meterpreter

• Windows Credential Editor (WCE)

• pwdump, etc.

MITIGATION

Techniques for credential dumping are constantly evolving, but (when possible) a few basic steps like disabling credential caching, disabling PowerShell or setting it to Constrained Language mode when full functionality isn’t needed, and following the usual best practices around least privilege and avoiding credential overlap across systems can go a long way towards making credential dumping more difficult.
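As an added example (not from the guide), the PowerShell below checks the host-side settings that decide how much an in-memory credential dump yields. The cached-logon count and the PowerShell language mode are the guide’s own mitigations; the WDigest check goes beyond the text and is included because that single value controls whether cleartext passwords are held in lsass.exe memory at all, which is what the Mimikatz case above scrapes. The registry locations are the documented Windows ones; the thresholds are this script’s.

```powershell
# Added example, not part of the guide: audit settings that limit what credential
# dumping can recover. Registry locations are Windows' documented ones; the
# thresholds are this script's choices.

function Get-CredentialExposure {
    $winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wdigest  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -ErrorAction SilentlyContinue

    # CachedLogonsCount is a REG_SZ; the default of 10 keeps ten domain users'
    # cached verifiers on disk, where they are exposed to offline cracking.
    $cached = [int]$winlogon.CachedLogonsCount

    # UseLogonCredential = 1 keeps cleartext passwords in LSASS (Mimikatz's
    # wdigest output); 0 or absent on Windows 8.1/2012 R2 and later means they are not kept.
    $wdigestCleartext = ($wdigest.UseLogonCredential -eq 1)

    # Language mode of *this* session. ConstrainedLanguage blocks Add-Type, arbitrary
    # .NET method calls and the other primitives in-memory tooling depends on.
    $langMode = "$($ExecutionContext.SessionState.LanguageMode)"

    [pscustomobject]@{
        CachedLogonsCount  = $cached
        WDigestCleartext   = $wdigestCleartext
        PowerShellLanguage = $langMode
    }
}

function Test-CredentialExposure {
    param([pscustomobject]$State = (Get-CredentialExposure))
    $findings = @()
    if ($State.CachedLogonsCount -gt 1) {
        $findings += "CachedLogonsCount is $($State.CachedLogonsCount); 0 or 1 is enough for machines that do not need offline domain logon"
    }
    if ($State.WDigestCleartext) {
        $findings += 'WDigest UseLogonCredential is 1: cleartext passwords are kept in lsass.exe memory'
    }
    if ($State.PowerShellLanguage -ne 'ConstrainedLanguage') {
        $findings += "PowerShell runs in $($State.PowerShellLanguage) mode; consider Constrained Language Mode where full functionality is not needed"
    }
    $findings
}

Test-CredentialExposure | ForEach-Object { Write-Warning $_ }
```

The language-mode check reports on the session running the script; enforcing Constrained Language Mode fleet-wide is done through an application control policy (AppLocker or Windows Defender Application Control), not by editing a value on each host.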


ATTACK METHOD

Lateral movement via admin tools designed for remote access and execution

One of the most notable aspects of the NotPetya outbreak (in addition to its use of the leaked EternalBlue exploit) was its abuse of the legitimate command-line tools PsExec and wmic.exe to execute copies of itself on remote machines. This helped the malware spread internally throughout infected networks.

While the technique wasn’t new, seeing it applied successfully to such a large-scale, high-profile attack caused other malware authors to take notice. The tactic has since been utilized by a variety of ransomware (ex: Sorebrect, HC7) and trojans (Emotet, QakBot, TrickBot, etc.).

TOOLS ABUSED

• PsExec

• wmic.exe

• RDP

• PowerShell

• Metasploit

MITIGATION

Since both PsExec and wmic.exe require administrative credentials to fully leverage, credential dumping mitigation efforts apply here, as well. In addition, network segmentation best practices and requiring two-factor authentication (2FA) can help provide barriers for lateral movement.

REAL-WORLD EXAMPLE

NotPetya

NotPetya utilized a modified version of LSADump (Mimikatz) to extract user credentials stored in the memory of the lsass.exe process. These can include credentials of domain users or admins who log into the machine.

It then used those credentials in an attempt to establish connections and remote execution on other machines in the network using PsExec and wmic.exe.

Diagram: LSADump dumps password hashes cached in lsass.exe memory. → Credentials used with remote execution admin tools PsExec and wmic.exe to spread infection to remote machines.

This approach has since been mimicked by several malware families...

Practical Tips for Mitigating Your Risk of Fileless Attacks

The good news is, in addition to the mitigation tips provided throughout this guide, there are several general, high-level things you can do to reduce your organization’s susceptibility to fileless attack techniques.

1. Block activity, not just file signatures. With no files to scan, detecting and blocking these attacks comes down to being able to identify malicious behaviors — ideally before damage is done. If you have the staff and resources to handle it, enabling and monitoring extended PowerShell logging can help you identify suspicious scripts. Alternatively, solutions like Barkly can help you proactively block malicious scripts automatically.

2. Beware macros. Warn users to be extremely wary of Microsoft Office documents that prompt them to enable macros (or “enable content”), and utilize endpoint protection that blocks malicious macros before they can execute. Speaking of Microsoft Office, make sure you’ve taken measures to block DDE attacks, too.

3. Disable system admin tools you don’t use. The liability they present simply isn’t worth it. First and foremost on the list is PowerShell. If disabling PowerShell isn’t a realistic option, consider using Constrained Language Mode to limit PowerShell to basic functionality, which makes many fileless attack techniques unusable.

4. Always be patching. And when you can’t patch, isolate.

5. Practice the principle of least privilege. Ensure that user access and privileges are limited to the bare minimum they absolutely need. Microsoft’s Just Enough Administration technology can help.
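The PowerShell below is an added example and is not part of the guide. It covers tip 1 here and the reflective DLL injection mitigation earlier (“specific calls in the PowerShell operational log that can provide strong indication of an attack”): it enables script block and module logging through the policy registry keys that the corresponding Group Policy settings write, then reads the resulting 4104 script block events and flags blocks that contain the memory-allocation and thread-creation API names a reflective loader or in-memory Mimikatz needs. The registry paths, log name and event ID are Microsoft’s; the indicator list is this script’s own and will need tuning against legitimate administration scripts.

```powershell
# Added example, not part of the guide: enable PowerShell script block/module
# logging via the policy keys Group Policy writes, then triage 4104 events for
# process-injection primitives. Paths and event IDs are Microsoft's; the
# indicator list is this script's.

function Enable-PowerShellLogging {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
    New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String   # all modules
}

# Names a script block must contain to allocate memory in a process and start code
# there, plus the loader entry points of the public in-memory tooling.
$InjectionIndicators = @(
    'VirtualAlloc', 'VirtualAllocEx', 'WriteProcessMemory', 'CreateRemoteThread',
    'NtCreateThreadEx', 'QueueUserAPC', 'GetDelegateForFunctionPointer',
    'Reflection.Assembly', 'FromBase64String',
    'Invoke-ReflectivePEInjection', 'Invoke-Mimikatz'
)

function Get-SuspiciousScriptBlocks {
    param([int]$Hours = 24)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # 4104 property order: [0] MessageNumber [1] MessageTotal [2] ScriptBlockText [3] ScriptBlockId [4] Path
        $text = [string]$e.Properties[2].Value
        $hits = $InjectionIndicators | Where-Object { $text -like "*$_*" }
        if ($hits) {
            [pscustomobject]@{
                Time          = $e.TimeCreated
                ScriptBlockId = $e.Properties[3].Value
                Path          = $e.Properties[4].Value   # empty for inline/interactive blocks, itself a signal
                Indicators    = ($hits -join ', ')
                Preview       = $text.Substring(0, [Math]::Min(160, $text.Length))
            }
        }
    }
}

Enable-PowerShellLogging
Get-SuspiciousScriptBlocks -Hours 168 | Format-List
```

Large script blocks are split across several 4104 events that share one ScriptBlockId; group on that field when reconstructing a block. Script block logging records the de-obfuscated code PowerShell actually compiles, which is why it catches encoded and string-built loaders that a command-line capture alone would miss.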

We’ve collected more detailed suggestions in the following checklist.

Barkly Best Practices: The Fileless Attack Checklist

Is Your Company Protected From Fileless Attack Techniques?

Preventing Initial Compromise

The best defense against fileless attacks is to prevent attackers from gaining initial access to a machine in the first place.

VULNERABLE SOFTWARE

□ Patch What You Can: When vulnerabilities are disclosed, it’s only a matter of time before attackers begin exploiting them. Having a system in place to assess, test, and roll out patches is a vital first defense against attacks.

□ Isolate What You Can’t: Patching is vital, but not easy. Isolate systems you can’t patch quickly by restricting network access.

EXPOSED PORTS & SERVICES
□ Secure Remote Desktop (RDP): Open ports with RDP exposed to the Internet are beacons for attackers. Restrict access to RDP listening ports by placing them behind a firewall and using an RDP Gateway. Enabling network-level authentication and changing the default listening port (TCP 3389) are also recommended.
□ Secure Server Message Block (SMB): Disable SMBv1 and use firewalls to restrict SMB network activity. WannaCry and other attacks leveraging the EternalBlue exploit have shown just how vulnerable organizations become when they expose SMB.

EMAIL
□ Block Common Malicious File Attachments: In addition to the obvious (.EXE, .BAT), consider blocking script files (.JS, .VBS, etc.), archive files (.ZIP, .SFX, .7z), and even Office files (.DOC, .DOCX, etc.) and PDFs.
□ Conduct User Awareness Training: Many attacks still initially require users to click something they shouldn’t. Train and inform your end users about attacks that rely on deception and social engineering.

BROWSERS
□ Utilize Ad-Blockers: Even legitimate websites can serve as infection points thanks to malvertising.

MICROSOFT OFFICE
□ Enforce Stricter Macro Controls: Block macros in Office files downloaded from the Internet. Macros are abused to download malware and launch malicious scripts.
□ Disable “Update Automatic Links At Open” in Microsoft Word: This will prevent abuse of the DDE feature (now disabled by default) and similar threats.
□ Disable OLE Packages: Considering the long history of attackers abusing Microsoft’s object linking and embedding (OLE) feature, it’s best disabled when possible.

ALL OF THE ABOVE
□ Use Barkly’s Endpoint Protection Platform: Barkly prevents more attacks from successfully launching from any of these vectors. Learn more at barkly.com.

Mitigating post-exploitation fileless techniques

Once attackers have access to a machine, they can evade detection by using fileless techniques and legitimate system administration tools to do their dirty work.

WHEN POWERSHELL ISN’T NECESSARY
□ Disable It: PowerShell is a powerful scripting framework that can provide attackers with a wide variety of dangerous functionality.

WHEN POWERSHELL IS NECESSARY
□ Update to Latest Version of PowerShell: It provides additional logging and updates to security features that can otherwise be bypassed on older versions (specifically version 2).
□ Block Unsigned PowerShell Scripts: While attackers can bypass this and other execution policy controls, attempts to do so can make attacks more visible.
□ Consider Using PowerShell Constrained Language Mode: It limits PowerShell to basic functionality, which will make many fileless attack techniques unusable.
□ Enable and Monitor Extended PowerShell Logging: Just be prepared for this to generate a lot of events. Tools like PowerShell Method Auditor can help process them.
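The PowerShell items above can be applied from PowerShell itself. The following is an added example written for this guide, not code from Barkly or from Microsoft: it sets the Group Policy registry values for script block, module and transcription logging, removes the PowerShell 2.0 engine, restricts execution to signed scripts, reports the session's language mode, and then triages the script block log (event 4104) for the kinds of strings that encoded or download-and-run scripts leave behind. The registry paths are the documented policy locations; the transcript directory and the pattern list are assumptions chosen for the example. Run it in an elevated Windows PowerShell 5.1 session on a test machine before rolling anything out.

```powershell
# Added example, not code from the Barkly guide. Elevated Windows PowerShell 5.1.
# Registry paths are the documented Group Policy equivalents; the transcript
# directory and the detection patterns are assumptions for this example.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    param([string]$Key, [string]$Name, $Value, [string]$Type)
    # Create the policy key if needed and overwrite the value.
    New-Item -Path $Key -Force | Out-Null
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Enable-ExtendedPowerShellLogging {
    # "Enable and Monitor Extended PowerShell Logging": script block logging
    # (event 4104), module logging (event 4103) and transcription.
    Set-PolicyValue "$PolicyRoot\ScriptBlockLogging" EnableScriptBlockLogging 1 DWord
    Set-PolicyValue "$PolicyRoot\ModuleLogging" EnableModuleLogging 1 DWord
    Set-PolicyValue "$PolicyRoot\ModuleLogging\ModuleNames" '*' '*' String      # every module
    Set-PolicyValue "$PolicyRoot\Transcription" EnableTranscripting 1 DWord
    Set-PolicyValue "$PolicyRoot\Transcription" EnableInvocationHeader 1 DWord
    Set-PolicyValue "$PolicyRoot\Transcription" OutputDirectory 'C:\PSTranscripts' String  # assumed path
}

function Disable-PowerShellV2Engine {
    # "Update to Latest Version": the 2.0 engine predates these logs and can be
    # requested with -Version 2, so remove the optional feature.
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart
}

function Set-SignedScriptsOnly {
    # "Block Unsigned PowerShell Scripts": bypass attempts still show up in the logs.
    Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
}

function Get-LanguageModeStatus {
    # "Consider Using Constrained Language Mode": __PSLockdownPolicy=4 is the
    # system-wide switch, but an AppLocker/WDAC script policy is what enforces it.
    [pscustomobject]@{
        SessionLanguageMode = $ExecutionContext.SessionState.LanguageMode
        LockdownPolicyValue = [Environment]::GetEnvironmentVariable('__PSLockdownPolicy', 'Machine')
    }
}

function Get-SuspiciousScriptBlocks {
    param([int]$MaxEvents = 2000)
    # Event 4104: Properties[2] carries the logged script block text.
    # Coarse heuristics; tune the list to what is normal in your environment.
    $patterns = 'FromBase64String', 'DownloadString', 'DownloadFile', 'Invoke-Expression',
                '\bIEX\b', 'EncodedCommand', 'Net\.WebClient'
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = [string]$_.Properties[2].Value
            $hits = $patterns | Where-Object { $text -match $_ }
            if ($hits) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Matched = ($hits -join ', ')
                    Snippet = $text.Substring(0, [Math]::Min(120, $text.Length))
                }
            }
        }
}

Enable-ExtendedPowerShellLogging
Set-SignedScriptsOnly
Get-LanguageModeStatus
Get-SuspiciousScriptBlocks | Format-Table -AutoSize -Wrap
```

Expect the 4104 query to be noisy at first (the checklist warns about volume); the script block text of legitimate management tooling often matches one pattern, so treat a hit as a starting point for review rather than an alert on its own.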

SECURE & UTILIZE WINDOWS MANAGEMENT INSTRUMENTATION (WMI)
□ Create Defensive Permanent WMI Event Subscriptions: Its wide range of powerful admin capabilities makes WMI a popular target of abuse, but they also make it a great tool for logging and responding to malicious activity. See examples here and here.
□ If There’s No Need for Remote WMI: Consider setting up a fixed port for WMI and blocking it.

APPLY APPLICATION CONTROLS
□ Limit the Execution of Executables, DLLs, and Scripts with AppLocker: How restrictive you can be with whitelisting will depend on your organization’s needs.
□ Take Additional Steps to Harden AppLocker: As with any security measure, there are ways of bypassing AppLocker. Learn how to create rules to mitigate that risk.
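An AppLocker policy is easiest to start from the software already installed. This added example (not code from Barkly, and not Microsoft's own documentation sample) builds publisher and hash allow rules for executables, DLLs and scripts under Program Files and the Windows directory, tests a user-profile script and a system binary against the result before anything is enforced, and makes sure the Application Identity service that AppLocker depends on is running. The directories, the throwaway test script and the XML output path are assumptions; run it elevated on an edition that supports AppLocker.

```powershell
# Added example, not code from the Barkly guide. Elevated session, AppLocker-capable edition.
# Directories, the test script and the output path are assumptions for this example.

function New-BaselineAppLockerPolicy {
    param([string[]]$TrustedDirs = @($env:ProgramFiles, $env:SystemRoot))
    # Publisher rules where files are signed, hash rules for the rest;
    # -Optimize merges rules that share a publisher to keep the policy readable.
    $info = foreach ($dir in $TrustedDirs) {
        Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll, Script
    }
    New-AppLockerPolicy -FileInformation $info -RuleType Publisher, Hash -User Everyone -Optimize
}

function Test-PathsAgainstPolicy {
    param([Parameter(Mandatory)]$Policy, [string[]]$Paths)
    # PolicyDecision is Allowed, Denied, AllowedByDefaultRule or DeniedByDefaultRule.
    # A script dropped into a user profile should come back Denied under an allow-list.
    Test-AppLockerPolicy -PolicyObject $Policy -Path $Paths -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

function Enable-ApplicationIdentityService {
    # Rules are only evaluated while AppIDSvc runs. It is a protected service on
    # recent Windows builds, so sc.exe is used to change the start type.
    sc.exe config appidsvc start= auto | Out-Null
    Start-Service -Name AppIDSvc
}

$policy = New-BaselineAppLockerPolicy
$policy.ToXml() | Out-File -FilePath 'C:\AppLockerBaseline.xml' -Encoding UTF8   # assumed path; review before deploying

# Constructed test input: a harmless script in the user's temp directory.
$testScript = Join-Path $env:TEMP 'applocker-demo.ps1'
Set-Content -Path $testScript -Value '"hello from a user-writable location"'

Test-PathsAgainstPolicy -Policy $policy -Paths $testScript, "$env:SystemRoot\System32\notepad.exe"
Enable-ApplicationIdentityService
# Deploy in AuditOnly mode first, review the AppLocker event logs, then switch to
# Enforce and apply with: Set-AppLockerPolicy -PolicyObject $policy -Merge
```

The test step is the point of the exercise: the system binary should match a publisher rule while the temp-directory script is denied, which is the behaviour that breaks the "drop a script and run it" stage of a fileless chain. Hash rules for unsigned files go stale with every update, so expect to regenerate or audit this baseline after patch cycles.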

APPLY LEAST PRIVILEGES & ACCESS CONTROLS
□ Exercise Least Privilege: As best practice, users should be given the bare minimum of access and privileges necessary, limiting the damage they can do if compromised. Microsoft’s Just Enough Administration can help.
□ When Possible, Use Highest UAC Enforcement Level: That includes setting UAC to “always notify,” which will trigger prompts whenever a program attempts to make changes to Windows settings or the machine (yes, this can be annoying).
□ Enable Admin Approval Mode: It enforces UAC for the built-in Administrator, which can help thwart privilege escalation and lateral movement attempts.
□ Remove Users from the Local Administrators Group: This can also help prevent privilege escalation attempts.
□ Disable Credential Caching: Don’t allow storage of credentials for network authentication. Anytime credentials are stored it presents attackers with an opportunity to grab them.

APPLY LEAST PRIVILEGES & ACCESS CONTROLS (CONTINUED)
□ Avoid Credential Overlap Across Systems: This can help prevent lateral movement opportunities if valid credentials are obtained.
□ Avoid Staying Logged In On Remote Systems: Otherwise you open yourself up to attackers hijacking your admin access and privileges.
□ Disable Anonymous Login for Read and Write Access to Network File Shares (NFS): Open shares provide a pivot point or a means to further spread an attack to other users on the network.
□ Disable Anonymous Login for Read and Write Access to File Transfer Protocol (FTP): For the same reasons stated above for NFS.
□ Use Strong Passwords: Should go without saying, but obviously still a major common problem.
□ Utilize 2FA When Possible: Requiring two-factor authentication can help keep attackers out even if they’ve successfully stolen passwords.
□ Apply Account Lockout Policies and/or Progressive Delays for Logins: This can help thwart brute force attempts.
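Several of the access-control items in this section map to specific local policy values, so they can be audited in one pass. The following is an added example written for this guide, not Barkly's code: it reads the documented registry locations behind UAC "always notify", Admin Approval Mode for the built-in Administrator, cached domain logons and stored network credentials, reports each against the setting the checklist asks for, and lists who is in the local Administrators group. The registry paths and value names are the real policy locations; the expected values are this example's reading of the checklist, and the check for anonymous shares, 2FA and lockout policy is out of scope here.

```powershell
# Added example, not code from the Barkly guide. Read-only audit; run elevated so
# every key is readable. Expected values encode the checklist items above.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-LeastPrivilegeBaseline {
    $uac      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # CachedLogonsCount is a REG_SZ that defaults to 10 when absent.
    $cached = Get-RegValue $winlogon CachedLogonsCount
    if ($null -eq $cached) { $cached = 10 } else { $cached = [int]$cached }

    $checks = @(
        @{ Item = 'UAC enabled (EnableLUA)';                                  Actual = Get-RegValue $uac EnableLUA;                  Expected = 1 }
        @{ Item = 'UAC "always notify" (ConsentPromptBehaviorAdmin)';         Actual = Get-RegValue $uac ConsentPromptBehaviorAdmin; Expected = 2 }
        @{ Item = 'UAC prompts on secure desktop (PromptOnSecureDesktop)';    Actual = Get-RegValue $uac PromptOnSecureDesktop;      Expected = 1 }
        @{ Item = 'Admin Approval Mode for built-in Administrator';           Actual = Get-RegValue $uac FilterAdministratorToken;   Expected = 1 }
        @{ Item = 'Cached domain logons (CachedLogonsCount)';                 Actual = $cached;                                      Expected = 0 }
        @{ Item = 'No stored credentials for network auth (DisableDomainCreds)'; Actual = Get-RegValue $lsa DisableDomainCreds;      Expected = 1 }
    )
    foreach ($c in $checks) {
        [pscustomobject]@{
            Item      = $c.Item
            Expected  = $c.Expected
            Actual    = if ($null -eq $c.Actual) { '(not set)' } else { $c.Actual }
            Compliant = ($c.Actual -eq $c.Expected)   # $null never equals the expected value
        }
    }
}

function Get-LocalAdminMembers {
    # "Remove Users from the Local Administrators Group": every entry here is a
    # candidate for removal unless it is a managed admin account or group.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

Test-LeastPrivilegeBaseline | Format-Table -AutoSize
Get-LocalAdminMembers      | Format-Table -AutoSize
```

Treat a non-compliant row as a prompt to change the setting through Group Policy or Local Security Policy rather than by editing the registry directly, so the value survives the next policy refresh; the script deliberately only reads.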

MONITOR FOR...
□ Changes In The Registry: Hiding scripts in the registry is one of the most common ways attackers gain persistence. Using WMI subscription events and/or tools like Sysinternals Autoruns can help.
□ Suspicious WMI Activity: Again, creating defensive WMI subscription events (examples here and here) can help.
□ Scheduled Task Creation: Scheduled tasks can be used to achieve persistence and escalate privileges. Track creation with PowerShell scripts.
□ Suspicious Processes and API Calls: Monitoring for specific calls in the PowerShell operational log can provide strong indication of attacks. Using tools like Sysinternals Process Explorer and Get-InjectedThreads can also help.
□ Processes Being Spawned with the CREATE_SUSPENDED flag: This is a good indication of process hollowing.
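The "defensive permanent WMI event subscriptions" recommended in the WMI section and the registry, WMI and scheduled-task items in this monitoring list can all be covered with the same building blocks. The following is an added example written for this guide, not code from Barkly or the linked examples: it creates two permanent subscriptions that write a Warning to the Application log when the machine-wide Run key changes or a scripting host starts, lists every filter-to-consumer binding on the host (attacker WMI persistence is built from exactly these three classes, so anything you did not create deserves a look), and pulls recent scheduled-task registrations from the Task Scheduler operational log. The "Defender_" names and the choice of event source 'WSH' (a pre-registered source) are assumptions; the classes, namespaces and WQL syntax are standard. Run it elevated, and use the removal helper to clean up after testing.

```powershell
# Added example, not code from the Barkly guide. Elevated session required.
# "Defender_" names and the 'WSH' event source are assumptions for this example.

$NS = 'root\subscription'

function New-DefensiveSubscription {
    param([string]$Name, [string]$EventNamespace, [string]$Query, [string]$Template)
    # __EventFilter (what to watch) -> NTEventLogEventConsumer (what to do) -> binding (glue)
    $filter = Set-WmiInstance -Namespace $NS -Class __EventFilter -Arguments @{
        Name = $Name; EventNamespace = $EventNamespace; QueryLanguage = 'WQL'; Query = $Query
    }
    $consumer = Set-WmiInstance -Namespace $NS -Class NTEventLogEventConsumer -Arguments @{
        Name = $Name; SourceName = 'WSH'; EventID = 8; EventType = 2; Category = 0   # EventType 2 = Warning
        NumberOfInsertionStrings = 1; InsertionStringTemplates = @($Template)
    }
    Set-WmiInstance -Namespace $NS -Class __FilterToConsumerBinding -Arguments @{
        Filter = $filter; Consumer = $consumer
    } | Out-Null
}

function Register-DefensiveSubscriptions {
    # Registry persistence: the registry event provider lives in root\default and
    # watches HKLM/HKU only (not HKCU); WQL string literals need doubled backslashes.
    New-DefensiveSubscription -Name 'Defender_RunKeyChange' -EventNamespace 'root\default' `
        -Query "SELECT * FROM RegistryKeyChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' AND KeyPath='SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'" `
        -Template 'Registry key changed: %Hive%\%KeyPath%'
    # Scripting hosts starting, polled every 5 seconds through __InstanceCreationEvent.
    New-DefensiveSubscription -Name 'Defender_ScriptHostStart' -EventNamespace 'root\cimv2' `
        -Query "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Process' AND (TargetInstance.Name='powershell.exe' OR TargetInstance.Name='wscript.exe' OR TargetInstance.Name='cscript.exe' OR TargetInstance.Name='mshta.exe')" `
        -Template 'Script host started: %TargetInstance.Name% %TargetInstance.CommandLine% (parent PID %TargetInstance.ParentProcessId%)'
}

function Get-PermanentWmiSubscriptions {
    # "Suspicious WMI Activity": enumerate every binding with its filter query.
    $filters = @{}
    Get-WmiObject -Namespace $NS -Class __EventFilter | ForEach-Object { $filters[$_.Name] = $_.Query }
    Get-WmiObject -Namespace $NS -Class __FilterToConsumerBinding | ForEach-Object {
        $filterName = ($_.Filter -split '"')[1]     # Filter is a reference such as __EventFilter.Name="X"
        [pscustomobject]@{ Filter = $filterName; Query = $filters[$filterName]; Consumer = $_.Consumer }
    }
}

function Remove-DefensiveSubscriptions {
    # Bindings first, then filters and consumers, matching on the assumed name prefix.
    foreach ($class in '__FilterToConsumerBinding', '__EventFilter', 'NTEventLogEventConsumer') {
        Get-WmiObject -Namespace $NS -Class $class |
            Where-Object { "$($_.Name)$($_.Filter)" -like '*Defender_*' } |
            Remove-WmiObject
    }
}

function Get-RecentTaskRegistrations {
    param([int]$Hours = 24)
    # "Scheduled Task Creation": TaskScheduler/Operational event 106 (the log must be
    # enabled); Security event 4698 is the alternative when object-access auditing is on.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106
                                     StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated,
                      @{ n = 'Task';         e = { $_.Properties[0].Value } },
                      @{ n = 'RegisteredBy'; e = { $_.Properties[1].Value } }
}

Register-DefensiveSubscriptions
Get-PermanentWmiSubscriptions | Format-Table -AutoSize -Wrap
Get-RecentTaskRegistrations   | Format-Table -AutoSize
```

The subscriptions survive reboots because they live in the WMI repository rather than in a running process, which is the same property that makes them attractive for persistence; that is why the enumeration function matters as much as the two subscriptions, and why the output of Get-PermanentWmiSubscriptions belongs in a baseline you can diff against.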

Don’t just check the boxes. The Barkly Endpoint Protection Platform™ blocks fileless attacks, exploits, and file-based malware by analyzing behaviors and attributes in the set-up phase of an attack - before damage is done.

Find out more at barkly.com.

About Barkly®

The Barkly Endpoint Protection Platform™ is advancing endpoint security by combining the strongest, smartest protection with the simplest management. Barkly is independently certified for antivirus replacement, HIPAA, PCI DSS & NIST by Coalfire and AV-TEST. Barkly is formed by an elite team of security and SaaS experts from IBM, Cisco and Intel, and is backed by investors NEA and Sigma Prime. Learn more by visiting us at barkly.com or follow us on Twitter @BarklyProtects.