• Pentester for many, many years.
• Current position: Cybersecurity
Audit Manager at PROSEGUR
• I prefer the offensive side of
Who are you?
• Malicious code that doesn't need to create or drop
regular files on the system.
• Move away from the traditional monolithic malware
or pentesting framework.
• For persistence we usually need to leave at least
something on the system but we can hide it and make
it very small.
What is FileLess Malware?
• We have 2 main ways to achieve an infection without
• Not using malware (or code) at all. E.G. planting a
configuration only backdoor on a system. That way we
don’t control the system all the time but we can access it
• Using code that never touches disk. In his clear form. For
persistence we always need a way to keep at least the first
stage of the code on the system.
FileLess or MalwareLess?
• Evading Antivirus detection: No file, No scan, No
• Leaving a smaller forensic trail: Less artifacts.
• Difficult environments (hard to upload things).
• Helps in bypassing Application Whitelisting (SRP,
Why FileLess in pentesting?
• Long-term persistence.
• Kernel-level access.
• High level hiding.
• Quickness and simplicity: Only userland, No rootkits,
No NSA like implants.
Pentest vs APT
DEMO: RDP + Sethc
• Enable remote desktop
• Hijack sethc.exe
• Change RDP port
• Open windows firewall
• Keeping all in memory. (Problem: no persistence)
• Storing the code in non-file or non-regular storage
• Outside the filesystem: UEFI, HDD Firmware, Hidden disk
areas, $EA, etc. (We are not going that far, remember; only
• Network / External systems.
• Alternate Data Streams (ADS).
How to keep code without files?
DEMO: Code in filenames
• Stage 1: Run key
• Stage 2: Environment
• Stage 3: Dir names
• Remote injection in memory -> Remote call or exploit.
• Load of remote binaries (EXEs, DLLs) -> Via SMB,
• Scripting languages -> Loaded remotely or from the
• PowerShell (Powershell.exe)
• .Net assemblies (InstallUtil.exe, IEExec.exe, RegAsm.exe).
How to execute code without files?
• Tools already installed on the system (no new files).
• Tools that allow receiving external input (via
command line or via the network).
• Bonus: Tools signed by Microsoft.
Our FileLess pentest framework
• Worm that infected thousands of computers and
impacted general Internet traffic in some areas.
• The worm exploited a buffer overflow vulnerability in
Microsoft SQL Server resolution service (1434/UDP).
• Only 376 bytes and fitted into a single UDP packet.
• Infection via Word macro (No FileLess).
• Persistence via Autostart registry key
• Minimal first stage: Uses clever rundll32 trick to run
• Next stages also stored in the registry (encoded). Runs
• PowerShell injects a DLL in another process memory,
without touching disk.
• Infection via Word macro.
• Dropper and UAC bypass binaries touch disk (not fully
• Then it register the permanent and necessary WMI
classes: event definition, event filter and event
consumer active script.
• PowerShell based RAT.
• It tries to be as FileLess as possible.
• Mostly working from memory only.
• Various options for persistent storage: Registry, ADS,
Eventlog and of course WMI subscriptions.
• Unknown infection vector.
• Only a few selected hosts were used for on-disk
• These hosts injected the malware remotely into other
• For this task the malware gained domain
administrator privileges and then it deployed MSI
packages (via a new service or a scheduled task).
Duqu 2.0 (2015)
• First stage: Minimal. Usually a small vbs or js (not
• Second Stage: Main script based on PowerShell. More
complex and powerful logic that injects a binary into
• Third stage: Binary. Usually a PE DLL payload. More
similar to traditional malware, but never touches disk.
Common FileLess behavior
• An ideal FileLess pentest operation should cover the following
1. FileLess Infection.
2. Installation of FileLess Backdoors.
3. Gain FileLess Persistence.
• Infection without sending any files.
• Not common. Even known FileLess APT operations
use some kind of files in this stage.
• Preferably, we need to deliver the exploit before the
• Inside a stream.
• At the lower network layers (e.g. SMB or SSL exploits).
• Open network services (e.g. Eternalblue).
• Configuration only backdoors (no code).
• Some popular:
• Create user + Remote exec (Psexec/Sc, WMI, SchTasks,
• Binary Image Hijack + Remote Desktop.
• Silver/Golden tickets.
• Proxy + Decrease security.
• First stage: Registry Autostart entries.
• Run entries.
• Scheduled tasks.
• Image hijacks.
• Services (not very elegant).
• Usually too noisy! For a human analyst but harder to
detect with automated tools because we are not
using any files.
• A lot of ideas taken from:
• Casey Smith: https://twitter.com/subtee
• Didier Stevens: https://twitter.com/DidierStevens
• Alex Abramov: https://twitter.com/codereversing
• Rob Fuller: https://twitter.com/mubix
• Cneelis: https://twitter.com/Cneelis
• Matt Nelson: https://twitter.com/enigma0x3
• Matt Graeber: https://twitter.com/mattifestation
• James Foreshaw - https://twitter.com/tiraniddo