Fileless malware infections are possible without dropping files by storing malicious code in non-file locations or executing it remotely from memory. A fileless pentest operation should aim to infect systems without files, install fileless backdoors, and achieve fileless persistence using small artifacts hidden in the registry, alternate data streams, environment variables or other unconventional locations. Real world examples of fileless malware include worms that spread entirely in memory as well as advanced persistent threats that used techniques like Windows Management Instrumentation events and process hollowing to avoid writing to disk.

1. FileLess Malware
Infections
Malware tricks for Pentesters
Ramon Pinuaga
Bsides Lisbon 2017

2. 2
1) Presentation
2) Real world examples
3) Process
• Infection
• Persistence
4) Conclusions
Index

3. PRESENTATION

4. 4
• Pentester for many, many years.
• Current position: Cybersecurity
Audit Manager at PROSEGUR
Spain.
• I prefer the offensive side of
security.
Who are you?

5. 5
• Malicious code that doesn't need to create or drop
regular files on the system.
• Move away from the traditional monolithic malware
or pentesting framework.
• For persistence we usually need to leave at least
something on the system but we can hide it and make
it very small.
What is FileLess Malware?

7. 7
• We have 2 main ways to achieve an infection without
files:
• Not using malware (or code) at all. E.G. planting a
configuration only backdoor on a system. That way we
don’t control the system all the time but we can access it
later.
• Using code that never touches disk. In his clear form. For
persistence we always need a way to keep at least the first
stage of the code on the system.
FileLess or MalwareLess?

8. 8
• Evading Antivirus detection: No file, No scan, No
VirusTotal upload. 
• Leaving a smaller forensic trail: Less artifacts.
• Difficult environments (hard to upload things).
• Helps in bypassing Application Whitelisting (SRP,
Applocker, etc.)
Why FileLess in pentesting?

10. 10
• Long-term persistence.
• Kernel-level access.
• High level hiding.
• Quickness and simplicity: Only userland, No rootkits,
No NSA like implants.
Pentest vs APT

11. DEMO: RDP + Sethc
• Enable remote desktop
• Hijack sethc.exe
• Change RDP port
• Open windows firewall

13. 13
• Keeping all in memory. (Problem: no persistence)
• Storing the code in non-file or non-regular storage
(classics):
• Outside the filesystem: UEFI, HDD Firmware, Hidden disk
areas, $EA, etc. (We are not going that far, remember; only
userland)
• Network / External systems.
• Alternate Data Streams (ADS).
• Registry.
How to keep code without files?

14. 14
• WMI (subscriptions).
• Windows events (.evt).
• Inside Documents (.doc, .xls, .pdf).
• File/Directory names (0-day).
• Environment variables (more 0-day).
Novel non-regular storage

15. DEMO: Code in filenames
• Stage 1: Run key
• Stage 2: Environment
• Stage 3: Dir names

17. 17
• Remote injection in memory -> Remote call or exploit.
• Load of remote binaries (EXEs, DLLs) -> Via SMB,
WebDAV, etc.
• Scripting languages -> Loaded remotely or from the
command line.
• PowerShell (Powershell.exe)
• Javascript/Vbscript (Cscript.exe, Wscript.exe, Mshta.exe,
Rundll32.exe, Regsvr32.exe).
• .Net assemblies (InstallUtil.exe, IEExec.exe, RegAsm.exe).
How to execute code without files?

18. 18
• Tools already installed on the system (no new files).
• Tools that allow receiving external input (via
command line or via the network).
• Bonus: Tools signed by Microsoft.
Our FileLess pentest framework

19. REAL WORLD EXAMPLES

20. 20
• Worms (memory only):
• Slammer.
• Poweliks.
• WMIGhost.
• Empire.
• Duqu 2.0 (Kaspersky).
Real world examples

21. 21
• Worm that infected thousands of computers and
impacted general Internet traffic in some areas.
• The worm exploited a buffer overflow vulnerability in
Microsoft SQL Server resolution service (1434/UDP).
• Only 376 bytes and fitted into a single UDP packet.
Slammer (2003)

22. 22
• Infection via Word macro (No FileLess).
• Persistence via Autostart registry key
(HKLMSoftwareMicrosoftWindowsCurrentVersion
Run).
• Minimal first stage: Uses clever rundll32 trick to run
Javascript code.
• Next stages also stored in the registry (encoded). Runs
PowerShell code.
• PowerShell injects a DLL in another process memory,
without touching disk.
Poweliks (2014)

23. 23
Poweliks – Rundll32 trick

24. 24
• Infection via Word macro.
• Dropper and UAC bypass binaries touch disk (not fully
FileLess).
• Then it register the permanent and necessary WMI
classes: event definition, event filter and event
consumer.
• It uses Javascript for payload code in the event
consumer active script.
WMIghost (2014)

25. 25
• PowerShell based RAT.
• It tries to be as FileLess as possible.
• Mostly working from memory only.
• Various options for persistent storage: Registry, ADS,
Eventlog and of course WMI subscriptions.
Empire (2015)

26. 26
• Unknown infection vector.
• Only a few selected hosts were used for on-disk
persistence.
• These hosts injected the malware remotely into other
systems memory.
• For this task the malware gained domain
administrator privileges and then it deployed MSI
packages (via a new service or a scheduled task).
Duqu 2.0 (2015)

28. 28
• First stage: Minimal. Usually a small vbs or js (not
directly PowerShell).
• Second Stage: Main script based on PowerShell. More
complex and powerful logic that injects a binary into
another process.
• Third stage: Binary. Usually a PE DLL payload. More
similar to traditional malware, but never touches disk.
Common FileLess behavior

29. PROCESS

30. 30
• An ideal FileLess pentest operation should cover the following
phases:
1. FileLess Infection.
2. Installation of FileLess Backdoors.
3. Gain FileLess Persistence.
Operation Process

31. 31
• Infection without sending any files.
• Not common. Even known FileLess APT operations
use some kind of files in this stage.
• Preferably, we need to deliver the exploit before the
application layer.
• Inside a stream.
• At the lower network layers (e.g. SMB or SSL exploits).
• Open network services (e.g. Eternalblue).
FileLess Infection

32. 32
• Configuration only backdoors (no code).
• Some popular:
• Create user + Remote exec (Psexec/Sc, WMI, SchTasks,
WinRM, PSRemoting).
• Binary Image Hijack + Remote Desktop.
• Silver/Golden tickets.
• Proxy + Decrease security.
FileLess Backdoors

34. 34
• First stage: Registry Autostart entries.
• Run entries.
• Scheduled tasks.
• Image hijacks.
• WMI.
• Services (not very elegant).
• Usually too noisy! For a human analyst but harder to
detect with automated tools because we are not
using any files.
FileLess persistence

35. CONCLUSIONS

36. 36
• Full pentest operations are possible without using any
files (or almost).
• We need some “resident” artifacts on the system, but
these can be very small and can be easily hidden.
Conclusions

37. 37
• Questions? Comments?
• https://twitter.com/rpinuaga
Thanks

38. 38
• A lot of ideas taken from:
• Casey Smith: https://twitter.com/subtee
• Didier Stevens: https://twitter.com/DidierStevens
• Alex Abramov: https://twitter.com/codereversing
• Rob Fuller: https://twitter.com/mubix
• Cneelis: https://twitter.com/Cneelis
• Matt Nelson: https://twitter.com/enigma0x3
• Matt Graeber: https://twitter.com/mattifestation
• James Foreshaw - https://twitter.com/tiraniddo
Previous research

39. www.prosegur.com

40. DEMO: Proxy + Authenticode
• Convince the user to execute a .REG file
• Configure Proxy
• Disable Authenticode validation
• Wait for EXE download