Fileless malware infections are possible without dropping files by storing malicious code in non-file locations or executing it remotely from memory. A fileless pentest operation should aim to infect systems without files, install fileless backdoors, and achieve fileless persistence using small artifacts hidden in the registry, alternate data streams, environment variables or other unconventional locations. Real world examples of fileless malware include worms that spread entirely in memory as well as advanced persistent threats that used techniques like Windows Management Instrumentation events and process hollowing to avoid writing to disk.
Threat actors are increasing their use of fileless malware for one simple reason: most organizations aren't prepared to detect it. Education is the first step in determining what threat these new attacks pose and what you can do to detect and stop fileless malware attacks. Learn more at: https://www.bluvector.io
Fileless malware is a type of malicious software that uses legitimate programs to infect a computer. It does not rely on files and leaves no footprint, ...
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them (CrowdStrike)
How adversaries use fileless attacks to evade your security and what you can do about it
Standard security solutions have continued to improve in their ability to detect and block malware and cyberattacks. This has forced cybercriminals to employ stealthier methods of evading legacy security to achieve success, including launching fileless attacks, where no executable file is written to disk. Download this presentation provided by CrowdStrike security experts to learn why so many of today’s adversaries are abandoning yesterday’s malware and relying on an evolving array of fileless exploits.
You’ll learn how fileless attacks are conceived and executed and why they are successfully evading the standard security measures employed by most organizations. You’ll also receive guidance on the best practices for defending your organization against these stealthy, damaging attacks.
The following presentation includes:
- How a fileless attack is executed: see how an end-to-end attack unfolds
- Why fileless attacks are having so much success evading legacy security solutions
- How you can protect your organization from being victimized by a fileless attack, including the security technologies and policies that are most effective
In this presentation I have explained the difference between a regular malware attack and a fileless attack. I have also added ways to capture it using EventTracker.
A keylogger can be either a software or hardware device designed to monitor a user's activity by recording keystrokes.
https://how-to-remove.org/malware/keylogger/
Threat hunting - Every day is hunting season (Ben Boyd)
Breakout Presentation by Ben Boyd during the 2018 Nebraska Cybersecurity Conference.
Introduction to Threat Hunting and helpful steps for building a Threat Hunting Program of any size, from small to massive.
A follow on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
There is increased discussion around threats that adopt so-called “living off the land” tactics. Attackers are increasingly making use of tools already installed on targeted computers or are running simple scripts and shellcode directly in memory. Creating fewer new files on the hard disk, or being completely fileless, means less chance of being detected by traditional security tools and therefore minimizes the risk of an attack being blocked. Using simple and clean dual-use tools allows the attacker to hide in plain sight among legitimate system administration work.
Further reading:
Attackers are increasingly living off the land (https://www.symantec.com/connect/blogs/attackers-are-increasingly-living-land)
Living off the land and fileless attack techniques (https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf)
Ethical hacking: Its methodologies and tools (chrizjohn896)
This presentation gives you knowledge about ethical hacking and its methodologies. It also explains the types of hackers and the tools used, with an example of hashcat, which is used to crack hashes such as MD5, SHA1, SHA256, etc.
Windows privilege escalation by Dhruv Shah (OWASP Delhi)
Different scenarios leading to privilege escalation: design issues, implementation flaws, untimely system updates, permission issues, etc.
We ain't talking about overflows here, just logic and techniques.
Pirating AVs to bypass exploit mitigation (Priyanka Aash)
"Put a low-level security researcher in front of hooking mechanisms and you get industry-wide vulnerability notifications, affecting security tools such as Anti-Virus, Anti-Exploitations and DLP, as well as non-security applications such as gaming and productivity tools. In this talk we reveal six(!) different security issues that we uncovered in various hooking engines. The vulnerabilities we found enable a threat actor to bypass the security measures of the underlying operating system. As we uncovered the vulnerabilities one-by-one we found them to impact commercial engines, such as Microsoft's Detours, open source engines such as EasyHook and proprietary engines such as those belonging to TrendMicro, Symantec, Kaspersky and about twenty others.
In this talk we'll survey the different vulnerabilities, and deep dive into a couple of those. In particular, we'll take a close look at a vulnerability appearing in the most popular commercial hooking engine of a large vendor. This vulnerability affects the most widespread productivity applications and forced the vendor to not only fix their engine, but also that their customers fix their applications prior to releasing the patch to the public. Finally, we'll demonstrate how security tools can be used as an intrusion channel for threat actors, ironically defeating security measures."
(Source: Black Hat USA 2016, Las Vegas)
Captain Hook: Pirating AVs to Bypass Exploit Mitigations (enSilo)
In this talk we reveal six(!) different security issues that we uncovered in various hooking engines. The vulnerabilities we found enable a threat actor to bypass the security measures of the underlying operating system. As we uncovered the vulnerabilities one-by-one we found them to impact commercial engines, such as Microsoft’s Detours, open source engines such as EasyHook and proprietary engines such as those belonging to TrendMicro, Symantec, Kaspersky and about twenty others.
Hacking Highly Secured Enterprise Environments by Zoltan Balazs (Shakacon)
In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario, where the hacker/penetration-tester has deployed a malware on a user's workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.) On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user's workstation.
I developed (and will publish) two tools that help the community in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help to circumvent the hardware firewall after one can execute code on the server with admin privileges (using a signed kernel driver). My tools have been tested against Windows server 2012 and Windows 8, and they work with RDP or other remote desktops (e.g. Citrix). The number of problems one can solve with them are endless, e.g., communicating with bind-shell on webserver behind restricted DMZ. Beware, live demo and fun included!
Threats, Vulnerabilities & Security measures in Linux (Amitesh Bharti)
This presentation was made for my college presentation explaining "Threats, Vulnerabilities & Security measures in Linux" and also suggests how you could enhance your Linux OS security.
A college lecture at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
Who are you?
• Pentester for many, many years.
• Current position: Cybersecurity Audit Manager at PROSEGUR Spain.
• I prefer the offensive side of security.

What is FileLess Malware?
• Malicious code that doesn't need to create or drop regular files on the system.
• A move away from the traditional monolithic malware or pentesting framework.
• For persistence we usually need to leave at least something on the system, but we can hide it and make it very small.
FileLess or MalwareLess?
• We have two main ways to achieve an infection without files:
  • Not using malware (or code) at all, e.g. planting a configuration-only backdoor on a system. That way we don't control the system all the time, but we can access it later.
  • Using code that never touches disk in its clear form. For persistence we always need a way to keep at least the first stage of the code on the system.
Why FileLess in pentesting?
• Evading antivirus detection: no file, no scan, no VirusTotal upload.
• Leaving a smaller forensic trail: fewer artifacts.
• Difficult environments (hard to upload things).
• Helps in bypassing application whitelisting (SRP, AppLocker, etc.).
Pentest vs APT
• Long-term persistence.
• Kernel-level access.
• High-level hiding.
• Quickness and simplicity: only userland, no rootkits, no NSA-like implants.
DEMO: RDP + Sethc
• Enable Remote Desktop.
• Hijack sethc.exe.
• Change the RDP port.
• Open the Windows firewall.
How to keep code without files?
• Keeping everything in memory (problem: no persistence).
• Storing the code in non-file or non-regular storage (the classics):
  • Outside the filesystem: UEFI, HDD firmware, hidden disk areas, $EA, etc. (We are not going that far, remember: only userland.)
  • Network / external systems.
  • Alternate Data Streams (ADS).
  • Registry.
DEMO: Code in filenames
• Stage 1: Run key
• Stage 2: Environment
• Stage 3: Dir names
How to execute code without files?
• Remote injection in memory -> remote call or exploit.
• Loading remote binaries (EXEs, DLLs) -> via SMB, WebDAV, etc.
• Scripting languages -> loaded remotely or from the command line:
  • PowerShell (powershell.exe)
  • JavaScript/VBScript (cscript.exe, wscript.exe, mshta.exe, rundll32.exe, regsvr32.exe)
  • .NET assemblies (InstallUtil.exe, IEExec.exe, RegAsm.exe)
Our FileLess pentest framework
• Tools already installed on the system (no new files).
• Tools that allow receiving external input (via the command line or via the network).
• Bonus: tools signed by Microsoft.
Slammer (2003)
• Worm that infected thousands of computers and impacted general Internet traffic in some areas.
• The worm exploited a buffer overflow vulnerability in the Microsoft SQL Server Resolution Service (1434/UDP).
• Only 376 bytes, and it fitted into a single UDP packet.
Poweliks (2014)
• Infection via Word macro (not FileLess).
• Persistence via an autostart registry key (HKLM\Software\Microsoft\Windows\CurrentVersion\Run).
• Minimal first stage: uses a clever rundll32 trick to run JavaScript code.
• Next stages are also stored in the registry (encoded) and run PowerShell code.
• PowerShell injects a DLL into another process's memory without touching disk.
WMIghost (2014)
• Infection via Word macro.
• Dropper and UAC bypass binaries touch disk (not fully FileLess).
• Then it registers the permanent and necessary WMI classes: event definition, event filter and event consumer.
• It uses JavaScript for the payload code in the event consumer's active script.
Empire (2015)
• PowerShell-based RAT.
• It tries to be as FileLess as possible.
• Mostly working from memory only.
• Various options for persistent storage: registry, ADS, event log and of course WMI subscriptions.
Duqu 2.0 (2015)
• Unknown infection vector.
• Only a few selected hosts were used for on-disk persistence.
• These hosts injected the malware remotely into other systems' memory.
• For this task the malware gained domain administrator privileges and then deployed MSI packages (via a new service or a scheduled task).
Common FileLess behavior
• First stage: minimal. Usually a small VBS or JS script (not directly PowerShell).
• Second stage: the main script, based on PowerShell. More complex and powerful logic that injects a binary into another process.
• Third stage: binary. Usually a PE DLL payload. More similar to traditional malware, but it never touches disk.
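An added example, not code from the talk, covering the execution primitives listed on the "How to execute code without files?" slide and the three-stage chain just described: it decodes PowerShell -EncodedCommand, spots the script hosts running inline or remote script or reading a script from an ADS, and rebuilds the parent chain so the js -> PowerShell staging shows up as one story. Event fields, pids, paths and every sample command line are constructed assumptions.

```python
"""Triage process-creation events for the fileless execution primitives the
slides list, and report each hit with its parent chain. All sample data is
constructed for this example; nothing here comes from a real incident."""
import base64
import re

# Constructed stage-2 script; its base64 UTF-16LE form is what an analyst
# actually sees on the command line.
STAGE2_SCRIPT = "Write-Host 'constructed stage-2 placeholder'"
STAGE2_B64 = base64.b64encode(STAGE2_SCRIPT.encode("utf-16le")).decode()

# (pid, ppid, image path, command line): the fields a Sysmon event 1 or a
# Windows 4688 event with command-line auditing would give you. Constructed.
EVENTS = [
    (700, 500, r"C:\Windows\explorer.exe", "explorer.exe"),
    (4100, 700, r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     '"WINWORD.EXE" /n invoice.docm'),
    (4212, 4100, r"C:\Windows\System32\wscript.exe",
     r"wscript.exe //B //E:jscript C:\Users\bob\AppData\Local\Temp\readme.txt:stage1.js"),
    (4300, 4212, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     f"powershell.exe -NoP -W Hidden -Enc {STAGE2_B64}"),
    (4420, 700, r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\notes.txt"),
    (4500, 700, r"C:\Windows\System32\rundll32.exe",
     'rundll32.exe javascript:"CONSTRUCTED-PLACEHOLDER"'),
]

# -EncodedCommand and the abbreviations PowerShell accepts for it.
ENC_ARG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
ADS_PATH = re.compile(r"[A-Za-z]:\\[^\s:]+:[^\s:\\]+")   # drive:\path\file:stream
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}  # assumed list
DOTNET_LOADERS = {"installutil.exe", "ieexec.exe", "regasm.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(b64):
    """PowerShell -EncodedCommand is base64 over UTF-16LE; None if malformed."""
    try:
        return base64.b64decode(b64).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(image, cmdline):
    """Return [(tag, evidence)] for one event; an empty list means no hit."""
    exe = basename(image)
    tags = []
    if exe in ("powershell.exe", "pwsh.exe"):
        match = ENC_ARG.search(cmdline)
        if match:
            tags.append(("powershell-encoded", decode_encoded_command(match.group(1))))
    if exe == "rundll32.exe" and re.search(r"\bjavascript:", cmdline, re.I):
        tags.append(("rundll32-inline-script", cmdline))
    if exe == "mshta.exe" and re.search(r"(https?:|javascript:|vbscript:)", cmdline, re.I):
        tags.append(("mshta-remote-or-inline", cmdline))
    if exe == "regsvr32.exe" and re.search(r"/i:https?:", cmdline, re.I):
        tags.append(("regsvr32-remote-scriptlet", cmdline))
    if exe in ("wscript.exe", "cscript.exe"):
        ads = ADS_PATH.search(cmdline)       # script stored in an alternate data stream
        if ads:
            tags.append(("script-from-ads", ads.group(0)))
    if exe in DOTNET_LOADERS:
        tags.append(("dotnet-loader", exe))
    return tags


def analyze(events):
    """Map pid -> (parent chain, tags) for every event that classify() flags."""
    by_pid = {e[0]: e for e in events}
    results = {}
    for pid, ppid, image, cmdline in events:
        tags = classify(image, cmdline)
        if not tags:
            continue
        chain, cur = [basename(image)], ppid
        while cur in by_pid:                 # stop once the parent is outside our window
            chain.insert(0, basename(by_pid[cur][2]))
            cur = by_pid[cur][1]
        if any(p in OFFICE_APPS for p in chain[:-1]):   # macro-style infection start
            tags.append(("office-spawned-chain", " > ".join(chain)))
        results[pid] = (" > ".join(chain), tags)
    return results


if __name__ == "__main__":
    for pid, (chain, tags) in analyze(EVENTS).items():
        print(pid, chain)
        for tag, evidence in tags:
            print("    ", tag, "->", evidence)
```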
Operation Process
• An ideal FileLess pentest operation should cover the following phases:
  1. FileLess infection.
  2. Installation of FileLess backdoors.
  3. Gaining FileLess persistence.
FileLess Infection
• Infection without sending any files.
• Not common. Even known FileLess APT operations use some kind of file in this stage.
• Preferably, we need to deliver the exploit below the application layer:
  • Inside a stream.
  • At the lower network layers (e.g. SMB or SSL exploits).
  • Open network services (e.g. EternalBlue).
FileLess Backdoors
• Configuration-only backdoors (no code).
• Some popular ones:
  • Create user + remote exec (PsExec/sc, WMI, schtasks, WinRM, PSRemoting).
  • Binary image hijack + Remote Desktop.
  • Silver/Golden tickets.
  • Proxy + decreased security.
FileLess persistence
• First stage: registry autostart entries.
  • Run entries.
  • Scheduled tasks.
  • Image hijacks.
  • WMI.
  • Services (not very elegant).
• Usually too noisy for a human analyst, but harder to detect with automated tools because we are not using any files.
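As an added example (not from the deck), here is how a defender would hunt for the registry-resident artifacts this slide, the "Code in filenames" demo and the Poweliks/RDP + Sethc slides describe: a small .reg-export parser that flags Run-key values launching a script host, encoded blobs parked in autorun keys, and Image File Execution Options Debugger entries on accessibility binaries. The export text is constructed, and the list of accessibility binaries beyond sethc.exe and the 64-character blob threshold are assumptions of this example.

```python
"""Walk a Windows .reg export and flag fileless-persistence artifacts:
script-host autoruns, encoded blobs in autorun keys (the Poweliks pattern)
and IFEO debuggers on accessibility binaries (the sethc.exe hijack).
The sample export is constructed; nothing here comes from a real host."""
import re
from collections import defaultdict

# Constructed sample export (not captured from a real system). Values follow
# .reg escaping: backslashes doubled, embedded quotes written as \".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"WinUpdate"="rundll32.exe javascript:\"CONSTRUCTED-PLACEHOLDER\""
"Stage2"="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=="

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\vsjitdebugger.exe"
'''

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: data}}. Quoted strings are unescaped;
    hex(...) blobs keep their raw text, with continuation lines (trailing
    backslash) joined so one value stays one entry."""
    keys = defaultdict(dict)
    current, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if line.endswith("\\"):            # hex data continues on the next line
            pending = line[:-1]
            continue
        match = VALUE_RE.match(line)
        if match is None or current is None:
            continue
        name = "(Default)" if match.group(1) is None else match.group(1)
        data = match.group(2)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        keys[current][name] = data
    return dict(keys)


RUN_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")
IFEO = "\\Image File Execution Options\\"
# sethc.exe is the one in the slides; the others are its usual logon-screen
# companions (assumed list for this example).
ACCESSIBILITY = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                 "magnify.exe", "displayswitch.exe", "atbroker.exe"}
SCRIPT_HOST = re.compile(r"\b(mshta|wscript|cscript|powershell|pwsh|regsvr32|"
                         r"installutil|ieexec|regasm)(\.exe)?\b", re.I)
INLINE_JS = re.compile(r"\brundll32(\.exe)?\s+javascript:", re.I)
BASE64ISH = re.compile(r"^[A-Za-z0-9+/=]{64,}$")      # threshold is an assumption


def find_fileless_persistence(keys):
    """Return (kind, location, evidence) tuples for the artifacts above."""
    findings = []
    for key, values in keys.items():
        for name, data in values.items():
            where = f"{key} -> {name}"
            if key.endswith(RUN_KEYS):
                if INLINE_JS.search(data) or SCRIPT_HOST.search(data):
                    findings.append(("script-host autorun", where, data[:60]))
                elif BASE64ISH.match(data):
                    findings.append(("encoded blob in autorun key", where,
                                     f"{len(data)} chars"))
            if IFEO in key and name.lower() == "debugger":
                target = key.rsplit("\\", 1)[-1].lower()
                if target in ACCESSIBILITY:
                    findings.append(("accessibility image hijack", where, data))
    return findings


if __name__ == "__main__":
    for kind, where, evidence in find_fileless_persistence(parse_reg(SAMPLE_REG)):
        print(f"[{kind}] {where}: {evidence}")
```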
Conclusions
• Full pentest operations are possible without using any files (or almost).
• We need some "resident" artifacts on the system, but these can be very small and easily hidden.
Previous research
• A lot of ideas taken from:
  • Casey Smith: https://twitter.com/subtee
  • Didier Stevens: https://twitter.com/DidierStevens
  • Alex Abramov: https://twitter.com/codereversing
  • Rob Fuller: https://twitter.com/mubix
  • Cneelis: https://twitter.com/Cneelis
  • Matt Nelson: https://twitter.com/enigma0x3
  • Matt Graeber: https://twitter.com/mattifestation
  • James Forshaw: https://twitter.com/tiraniddo