Many of the conveniences brought via modern tools, operating systems, and applications also bring means for an adversary to execute actions while under the guise of a valid service. This is seen distinctly in the increased use of Fileless Malware.
Fileless Malware can be broadly defined as the execution of malicious instructions in memory, with no requirement for those instructions to be backed by a file on disk. One way to understand this is through the following example, a single command that:
- utilizes the legitimate Windows utility rundll32.exe,
- loads the DLL mshtml.dll and calls the "RunHTMLApplication" entrypoint,
- ultimately creates a popup containing the word foo.
A Blue Team defender can use Process Monitor to witness all of the above by simply filtering for rundll32.
But what makes the previous command an example of fileless execution?
If the attacker's goal is to get an endpoint to present a popup with the word "foo" in it, then in the traditional malware model the attacker would have to create an executable and trick the user into downloading and running it. Note that there is now a specific file left behind as an artifact, one that can be quarantined and dissected by endpoint protection software.
Alternatively, in the Fileless Malware model, the attacker will not mint a single binary to be placed and run on an endpoint. Instead they simply need to use any means available to get instructions executed. For example, an attacker could make a specifically crafted website that uses weaknesses in a browser to download malicious instructions into the browser’s executable memory and run the instructions, thereby firing commands on an endpoint without a single file artifact being downloaded to disk.
Fileless Malware commonly uses the Windows tools PowerShell and WMI to execute commands or to download and run arbitrary code. The issue is that both of these utilities are frequently used, provide systems administrators and network defenders extremely powerful capabilities and automation, and likely cannot be shut down without sufficient care and consideration. The same is true for features in widely deployed applications, such as macros in Microsoft Office applications.
SCYTHE supports emulation of Fileless Malware. SCYTHE provides multiple types of clients; one type is designed specifically to be copied into executable memory and run, i.e. fileless. Red Teams can, for example, use their own orchestration to load these SCYTHE clients.
For convenience, we include:
- reflective loading instructions for this type of client, and
- direct download links that save the client into memory, mark the memory executable, and start the client on the host.
So what can Defenders do?
The following are a few actions a defender can take to help mitigate some Fileless Malware threats:
1. Patch applications and operating systems
One of the key components of a Fileless attack is the ability for an attacker to leverage known vulnerabilities in already-installed applications, allowing them to execute commands as that application's user. Patching software and operating systems helps close these doors to attackers.
2. Disable commonly attacked conveniences
Disabling macros or other runtime execution frameworks can help reduce the attack surface of your endpoints. If we recall the not-so-far-away days of browser connections to Flash, Java, or ActiveX, it is easy to remember how vulnerable these "convenience" programs were. Generally, the issue stems from powerful applications being able to run programs from unknown sources on the internet. Although browsers and other web runtimes are a common vector, attackers also depend on the exploitation of widely deployed applications which are used to open files from the internet, namely MS Office and PDF readers. When these tools have the ability to run powerful tools via automation, adversaries can leverage the simple spoofing of an email to have their code run on a remote endpoint.
3. Monitor for behavior, not just known signatures
Standard endpoint protection software products focus on known files, hashes, and signatures found by the threat intelligence community. Although this protection is valuable, it leaves out a critical component of testing for defenses and defenders: whether defenders actually notice malicious behaviors that have no known signature. Defenders should be able to test the efficacy of their systems by leveraging tools which give them the ability to mint adversarial campaigns using the same techniques used by actual adversaries.
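The behavioral monitoring this section argues for can be illustrated with a small rule set run over process-creation telemetry. The following is an added example, not code from the original post or from SCYTHE: it flags the execution patterns the article describes (rundll32 loading mshtml.dll to call RunHTMLApplication, PowerShell or WMI launching code, an Office application spawning a script host) without relying on any file hash. The log format is a constructed, simplified key="value" rendering of process-creation event fields (Image, CommandLine, ParentImage); the field names, the indicator lists and the sample lines are assumptions for illustration, and the payload portions of the sample command lines are deliberately replaced with placeholders.

```python
"""Behavior-based detection over process-creation events.

Added example (not from the original post or SCYTHE). The log lines,
field names and indicator lists below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Event:
    image: str      # full path of the created process
    cmdline: str    # its command line
    parent: str     # full path of the parent process


def parse_event(line: str) -> Event:
    """Parse one constructed log line of the form Key="value" Key="value"."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return Event(
        image=fields.get("Image", ""),
        cmdline=fields.get("CommandLine", ""),
        parent=fields.get("ParentImage", ""),
    )


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles either separator)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Assumed lists: Office hosts whose children deserve scrutiny, and the
# script/LOLBin hosts that macros and stagers typically hand off to.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe"}
# PowerShell switches/cmdlets that in-memory stagers lean on; two or more
# together are treated as a hit so that ordinary admin scripts don't fire.
PS_INDICATORS = ("-enc", "-encodedcommand", "-nop", "-w hidden",
                 "-windowstyle hidden", "downloadstring", "invoke-expression", "iex ")


def detect(event: Event) -> List[str]:
    """Return the names of every behavioral rule the event matches."""
    findings = []
    img = basename(event.image)
    cmd = event.cmdline.lower()
    parent = basename(event.parent)

    # Rule 1: rundll32 loading mshtml and calling RunHTMLApplication, the
    # in-memory HTA execution path the article uses as its example.
    if img == "rundll32.exe" and "mshtml" in cmd and "runhtmlapplication" in cmd:
        findings.append("rundll32 mshtml RunHTMLApplication (in-memory HTA execution)")

    # Rule 2: PowerShell started with several in-memory execution indicators.
    if img in {"powershell.exe", "pwsh.exe"}:
        hits = [tok for tok in PS_INDICATORS if tok in cmd]
        if len(hits) >= 2:
            findings.append(f"powershell with {len(hits)} suspicious switches")

    # Rule 3: WMI used to spawn a process, either via wmic on the command
    # line or as the WMI provider host parenting a script host.
    if img == "wmic.exe" and all(w in cmd for w in ("process", "call", "create")):
        findings.append("wmic process call create (WMI-driven process launch)")
    if parent == "wmiprvse.exe" and img in SCRIPT_HOSTS:
        findings.append(f"{img} spawned by WMI provider host")

    # Rule 4: an Office application spawning a script host (macro execution).
    if parent in OFFICE_APPS and img in SCRIPT_HOSTS:
        findings.append(f"{parent} spawned {img} (possible macro-driven execution)")
    return findings


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Run every rule over every line; returns (process name, finding) pairs."""
    results = []
    for line in lines:
        ev = parse_event(line)
        results.extend((basename(ev.image), f) for f in detect(ev))
    return results


# Constructed sample telemetry (not real logs); payloads replaced by placeholders.
SAMPLE_LOG = [
    'Image="C:\\Windows\\System32\\rundll32.exe" CommandLine="rundll32.exe mshtml,RunHTMLApplication <payload omitted>" ParentImage="C:\\Windows\\explorer.exe"',
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" CommandLine="powershell.exe -nop -w hidden -enc <base64 omitted>" ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"',
    'Image="C:\\Windows\\System32\\wbem\\WMIC.exe" CommandLine="wmic process call create calc.exe" ParentImage="C:\\Windows\\System32\\cmd.exe"',
    # Benign: rundll32 opening a Control Panel applet.
    'Image="C:\\Windows\\System32\\rundll32.exe" CommandLine="rundll32.exe shell32.dll,Control_RunDLL" ParentImage="C:\\Windows\\explorer.exe"',
    # Benign: an administrator running a scheduled backup script.
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" CommandLine="powershell.exe -File C:\\scripts\\backup.ps1" ParentImage="C:\\Windows\\System32\\cmd.exe"',
]

if __name__ == "__main__":
    for proc, finding in scan(SAMPLE_LOG):
        print(f"{proc}: {finding}")
```

The two benign lines show why the rules key on combinations (binary plus loaded DLL plus entrypoint, parent plus child, several switches together) rather than on the presence of rundll32 or PowerShell alone; the legitimate uses the article warns you cannot simply switch off would otherwise drown the alert queue.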
Netgear R7000 SOHO Device Exploitation
After a long day of hard research, it's fun to relax, kick back, and do something easy. While modern software development processes have vastly improved the quality of commercial software as compared to 10-15 years ago, consumer network devices have largely been left behind. Thus, when it's time for some quick fun and a nice confidence boost, I like to analyze Small Office/Home Office (SOHO) devices. This blog describes one such session of auditing the Netgear R7000 router, analyzing the resulting vulnerability, and the exploit development process that followed. The write-up and code for the vulnerability described in this blog post can be found in our NotQuite0DayFriday repository.
Initial Analysis
The first step when analyzing a SOHO device is to obtain the firmware. Thankfully, Netgear's support website hosts all of the firmwares for the R7000. The Netgear R7000 version 220.127.116.11 firmware used in this blog post can be downloaded from this website. …
I. Introduction
"Nobody Can Hack an AS/400." "Never in my 40 years in the business has anyone hacked an AS/400!" "AS/400's don't have hacking problems like Windows computers." "AS/400's are bullet-proof. They don't have zero-days like other computers."
If you know anyone who works with an IBM i (formerly known as "AS/400", also branded as "eServer iSeries"), you may have heard some of these statements, typically spoken with the emphasis of someone who wants it to be true; someone willing to speak loudly enough to overcome their sense of dread: that they may be wrong. … and you may be surprised at just who is using IBM i in 2020. We (Security Researchers Matthew Carpenter and Roni Michaels) decided to dig into these beasts of old to answer a few questions: Is the IBM i "old" and inherently vulnerable? Or is it a hardened ecosystem whose design and age shield it from hackers? Are its notable uptime percentages an indicator of a safe environment? If …
The GRIMM Intern program began three years ago. Interns work on billable client and research projects. Additionally, past Interns worked on the development of GRIMM’s “Howdy Neighbor”, a portable Capture the Flag competition built entirely around hacking Home Automation devices. Howdy Neighbor is one of GRIMM’s go-to, hands-on demonstrations at conferences across the country. Several of the interns involved have since been hired by GRIMM and its spin-off software company, SCYTHE.
Intern life at GRIMM
Program Summary
Developing the next generation of cybersecurity talent is a priority at GRIMM. Our interns receive interactive mentorship on thought-provoking work, designed to ready them for careers in cybersecurity. Our internship program seeks passionate students, from high school to Ph.D. level, to work on the front lines of innovation, gaining meaningful real-world experience.
Interns will benefit from: Mentorship (guidance, helping them learn, but also expecting them…