Updated fileless-threats.md formatting

Eric Avena 2018-09-13 22:56:59 +00:00
parent fbab595f8f
commit 668d45b89b


@ -11,9 +11,9 @@ author: eavena
ms.date: 09/12/2018
---
Fileless threats
#Fileless threats
The term "fileless" would suggest that it refers to a threat that does not come in a file, such as a backdoor that lives only in the memory of a machine. However, theres no generally accepted definition. The terms is used broadly; its also used to describe malware families that do rely on files in order to operate. In the Sharpshooter example, while the payload itself is fileless, the entry point relies on a script that needs to be dropped on the targets machine and executed. This, too, is considered a fileless attack.
The term "fileless" would suggest that it refers to a threat that does not come in a file, such as a backdoor that lives only in the memory of a machine. However, theres no generally accepted definition. The terms is used broadly; its also used to describe malware families that do rely on files in order to operate. In the Sharpshooter example, while the payload itself is fileless, the entry point relies on a script that needs to be dropped on the targets machine and executed. This, too, is considered a fileless attack.
To shed light on this loaded term, we can break down fileless threats into different categories. This categorization maps to Windows Defender ATP protections.
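Review bot: the new heading `#Fileless threats` has no space after the `#`, so CommonMark will render it as a literal paragraph beginning with `#` instead of an H1; change it to `# Fileless threats`. Since the paragraph directly beneath it is touched in this hunk, the grammar slip "The terms is used broadly" could be corrected to "The term is used broadly" in the same commit. The front matter visible in the hunk header (`author: eavena`, `ms.date:`) suggests the page title may already come from metadata, so it is worth confirming that a body-level H1 does not duplicate the rendered title.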
@ -29,16 +29,17 @@ This helps us divide and categorize the various kinds of fileless threats. Clear
From this categorization, we can glean three big types of fileless threats based on how much fingerprint they may leave on infected machines.
Type I: No file activity performed
##Type I: No file activity performed
A completely fileless malware can be considered one that never requires writing a file on the disk. How would such malware infect a machine in the first place? An example scenario could be a target machine receiving malicious network packets that exploit the EternalBlue vulnerability, leading to the installation of the DoublePulsar backdoor, which ends up residing only in the kernel memory. In this case, there is no file or any data written on a file.
Another scenario could involve compromised devices, where malicious code could be hiding in device firmware (such as a BIOS), a USB peripheral (like the BadUSB attack), or even in the firmware of a network card. All these examples do not require a file on the disk in order to run and can theoretically live only in memory, surviving even reboots, disk reformats, and OS reinstalls.
Infections of this type can be extra difficult to detect and remediate. Antivirus products usually dont have the capability to access firmware for inspection; even if they did, it would be extremely challenging to detect and remediate threats at this level. Because this type of fileless malware requires high levels of sophistication and often depend on particular hardware or software configuration, its not an attack vector that can be exploited easily and reliably. For this reason, while extremely dangerous, threats of this type tend to be very uncommon and not practical for most attacks.
Infections of this type can be extra difficult to detect and remediate. Antivirus products usually dont have the capability to access firmware for inspection; even if they did, it would be extremely challenging to detect and remediate threats at this level. Because this type of fileless malware requires high levels of sophistication and often depend on particular hardware or software configuration, its not an attack vector that can be exploited easily and reliably. For this reason, while extremely dangerous, threats of this type tend to be very uncommon and not practical for most attacks.
Type II: Indirect file activity
There are other ways that malware can achieve fileless presence on a machine without requiring significant engineering effort. Fileless malware of this type dont directly write files on the file system, but they can end up using files indirectly. This is the case for Poshspy backdoor. Attackers installed a malicious PowerShell command within the WMI repository and configured a WMI filter to run such command periodically.
Its possible to carry out such installation via command line without requiring the presence of the backdoor to be on a file in the first place. The malware can thus be installed and theoretically run without ever touching the file system. However, the WMI repository is stored on a physical file that is a central storage area managed by the CIM Object Manager and usually contains legitimate data. Therefore, while the infection chain does technically use a physical file, for practical purposes its considered a fileless attack given that the WMI repository is a multi-purpose data container that cannot be simply detected and removed.
There are other ways that malware can achieve fileless presence on a machine without requiring significant engineering effort. Fileless malware of this type dont directly write files on the file system, but they can end up using files indirectly. This is the case for Poshspy backdoor. Attackers installed a malicious PowerShell command within the WMI repository and configured a WMI filter to run such command periodically.
Its possible to carry out such installation via command line without requiring the presence of the backdoor to be on a file in the first place. The malware can thus be installed and theoretically run without ever touching the file system. However, the WMI repository is stored on a physical file that is a central storage area managed by the CIM Object Manager and usually contains legitimate data. Therefore, while the infection chain does technically use a physical file, for practical purposes its considered a fileless attack given that the WMI repository is a multi-purpose data container that cannot be simply detected and removed.
Type III: Files required to operate
Some malware can have some sort of fileless persistence but not without using files in order to operate. An example for this scenario is Kovter, which creates a shell open verb handler in the registry for a random file extension. This action means that opening a file with such extension will lead to the execution of a script through the legitimate tool mshta.exe.
Figure 10. Kovters registry key
Figure 10. Kovters registry key
When the open verb is invoked, the associated command from the registry is launched, which results in the execution of a small script. This script reads data from a further registry key and executes it, in turn leading to the loading of the final payload. However, to trigger the open verb in the first place, Kovter has to drop a file with the same extension targeted by the verb (in the example above, the extension is .bbf5590fd). It also has to set an auto-run key configured to open such file when the machine starts.
Despite the use of files, and despite the fact that the registry too is stored in physical files, Kovter is considered a fileless threat because the file system is of no practical use: the files with random extension contain junk data that is not usable in verifying the presence of the threat, and the files that store the registry are containers that cannot be detected and deleted if malicious content is present.
Categorizing fileless threats by infection host
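Review bot: `##Type I: No file activity performed` has the same missing space after `##` and will not render as a heading; use `## Type I: No file activity performed`. In the same hunk, `Type II: Indirect file activity`, `Type III: Files required to operate` and `Categorizing fileless threats by infection host` were left as bare lines, so only the first of the three types becomes a heading and the section structure will be uneven; convert them the same way (`## Type II: Indirect file activity`, `## Type III: Files required to operate`) in this formatting pass. Minor grammar while the line is being edited: "requires high levels of sophistication and often depend on" should read "depends", since the subject is "this type of fileless malware".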
@ -48,13 +49,13 @@ File-based (Type III: executable, Flash, Java, documents): An initial file may e
Network-based (Type I): A network communication that takes advantage of a vulnerability in the target machine can achieve code execution in the context of an application or the kernel. An example is WannaCry, which exploits a previously fixed vulnerability in the SMB protocol to deliver a backdoor within the kernel memory.
Hardware
Device-based (Type I: network card, hard disk): Devices like hard disks and network cards require chipsets and dedicated software to function. A software residing and running in the chipset of a device is called a firmware. Although a complex task, the firmware can be infected by malware, as the Equation espionage group has been caught doing.
CPU-based (Type I): Modern CPUs are extremely complex and may include subsystems running firmware for management purposes. Such firmware may be vulnerable to hijacking and allow the execution of malicious code that would hence operate from within the CPU. In December 2017, two researchers reported a vulnerability that can allow attackers to execute code inside the Management Engine (ME) present in any modern CPU from Intel. Meanwhile, the attacker group PLATINUM has been observed to have the capability to use Intel's Active Management Technology (AMT) to perform invisible network communications bypassing the installed operating system. ME and AMT are essentially autonomous micro-computers that live inside the CPU and that operate at a very low level. Because these technologies purpose is to provide remote manageability, they have direct access to hardware, are independent of the operating system, and can run even if the computer is turned off. Besides being vulnerable at the firmware level, CPUs could be manufactured with backdoors inserted directly in the hardware circuitry. This attack has been researched and proved possible in the past. Just recently it has been reported that certain models of x86 processors contain a secondary embedded RISC-like CPU core that can effectively provide a backdoor through which regular applications can gain privileged execution.
CPU-based (Type I): Modern CPUs are extremely complex and may include subsystems running firmware for management purposes. Such firmware may be vulnerable to hijacking and allow the execution of malicious code that would hence operate from within the CPU. In December 2017, two researchers reported a vulnerability that can allow attackers to execute code inside the Management Engine (ME) present in any modern CPU from Intel. Meanwhile, the attacker group PLATINUM has been observed to have the capability to use Intel's Active Management Technology (AMT) to perform invisible network communications bypassing the installed operating system. ME and AMT are essentially autonomous micro-computers that live inside the CPU and that operate at a very low level. Because these technologies purpose is to provide remote manageability, they have direct access to hardware, are independent of the operating system, and can run even if the computer is turned off. Besides being vulnerable at the firmware level, CPUs could be manufactured with backdoors inserted directly in the hardware circuitry. This attack has been researched and proved possible in the past. Just recently it has been reported that certain models of x86 processors contain a secondary embedded RISC-like CPU core that can effectively provide a backdoor through which regular applications can gain privileged execution.
USB-based (Type I): USB devices of all kinds can be reprogrammed with a malicious firmware capable of interacting with the operating system in nefarious ways. This is the case of the BadUSB technique, demonstrated few years ago, which allows a reprogrammed USB stick to act as a keyboard that sends commands to machines via keystrokes, or as a network card that can redirect traffic at will.
BIOS-based (Type I): A BIOS is a firmware running inside a chipset. It executes when a machine is powered on, initializes the hardware, and then transfers control to the boot sector. Its a very important component that operates at a very low level and executes before the boot sector. Its possible to reprogram the BIOS firmware with malicious code, as has happened in the past with the Mebromi rootkit.
BIOS-based (Type I): A BIOS is a firmware running inside a chipset. It executes when a machine is powered on, initializes the hardware, and then transfers control to the boot sector. Its a very important component that operates at a very low level and executes before the boot sector. Its possible to reprogram the BIOS firmware with malicious code, as has happened in the past with the Mebromi rootkit.
Hypervisor-based (Type I): Modern CPUs provide hardware hypervisor support, allowing the operating system to create robust virtual machines. A virtual machine runs in a confined, simulated environment, and is in theory unaware of the emulation. A malware taking over a machine may implement a small hypervisor in order to hide itself outside of the realm of the running operating system. Malware of this kind has been theorized in the past, and eventually real hypervisor rootkits have been observed, although very few are known to date.
Execution and injection
File-based (Type III: executables, DLLs, LNK files, scheduled tasks): This is the standard execution vector. A simple executable can be launched as a first-stage malware to run an additional payload in memory or inject it into other legitimate running processes.
Macro-based (Type III: Office documents): The VBA language is a flexible and powerful tool designed to automate editing tasks and add dynamic functionality to documents. As such, it can be abused by attackers to carry out malicious operations like decoding, running, or injecting an executable payload, or even implementing an entire ransomware, like in the case of qkG. Macros are executed within the context of an Office process (e.g., Winword.exe), and theyre implemented in a scripting language, so there is no binary executable that an antivirus can inspect. While Office apps require explicit consent from the user to execute macros from a document, attackers use social engineering techniques to trick users into allowing macros to execute.
Script-based (Type II: file, service, registry, WMI repo, shell): The JavaScript, VBScript, and PowerShell scripting languages are available by default on Windows platforms. Scripts have the same advantages as macros: theyre textual files (not binary executables) and they run within the context of the interpreter (e.g., wscript.exe, powershell.exe, etc.), which is a clean and legitimate component. Scripts are very versatile; they can be run from a file (e.g., by double-clicking them) or, in some cases, executed directly on the command line of an interpreter. Being able to run on the command line can allow malware to encode malicious command-line scripts as auto-start services inside autorun registry keys as WMI event subscriptions from the WMI repo. Furthermore, an attacker who has gained access to an infected machine may input the script on the command prompt.
Disk-based (Type II: Boot Record): The Boot Record is the first sector of a disk or volume and contains executable code required to start the boot process of the operating system. Threats like Petya are capable of infecting the Boot Record by overwriting it with malicious code, so that when the machine is booted the malware immediately gains control (and in the case of Petya, with disastrous consequences). The Boot Record resides outside the file system, but its accessible by the operating system, and modern antivirus products have the capability to scan and restore it.
Macro-based (Type III: Office documents): The VBA language is a flexible and powerful tool designed to automate editing tasks and add dynamic functionality to documents. As such, it can be abused by attackers to carry out malicious operations like decoding, running, or injecting an executable payload, or even implementing an entire ransomware, like in the case of qkG. Macros are executed within the context of an Office process (e.g., Winword.exe), and theyre implemented in a scripting language, so there is no binary executable that an antivirus can inspect. While Office apps require explicit consent from the user to execute macros from a document, attackers use social engineering techniques to trick users into allowing macros to execute.
Script-based (Type II: file, service, registry, WMI repo, shell): The JavaScript, VBScript, and PowerShell scripting languages are available by default on Windows platforms. Scripts have the same advantages as macros: theyre textual files (not binary executables) and they run within the context of the interpreter (e.g., wscript.exe, powershell.exe, etc.), which is a clean and legitimate component. Scripts are very versatile; they can be run from a file (e.g., by double-clicking them) or, in some cases, executed directly on the command line of an interpreter. Being able to run on the command line can allow malware to encode malicious command-line scripts as auto-start services inside autorun registry keys as WMI event subscriptions from the WMI repo. Furthermore, an attacker who has gained access to an infected machine may input the script on the command prompt.
Disk-based (Type II: Boot Record): The Boot Record is the first sector of a disk or volume and contains executable code required to start the boot process of the operating system. Threats like Petya are capable of infecting the Boot Record by overwriting it with malicious code, so that when the machine is booted the malware immediately gains control (and in the case of Petya, with disastrous consequences). The Boot Record resides outside the file system, but its accessible by the operating system, and modern antivirus products have the capability to scan and restore it.
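Review bot: `Hardware` and `Execution and injection` are left as bare lines although they are the group labels under "Categorizing fileless threats by infection host"; a formatting commit that introduces `##` headings should give these sub-groups a level of their own (`### Hardware`, `### Execution and injection`) so the list items that follow are nested under them. Two wording issues on lines this hunk already rewrites: the Script-based sentence runs its alternatives together ("encode malicious command-line scripts as auto-start services inside autorun registry keys as WMI event subscriptions from the WMI repo") and needs separators, e.g. "as auto-start services, inside autorun registry keys, or as WMI event subscriptions in the WMI repo"; and "demonstrated few years ago" in the USB-based item should be "demonstrated a few years ago".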