Exploits: Detection is not enough

One of the most interesting and challenging parts of our 360° Protection Testing is the exploits/fileless test.

Exploits are pieces of code that interact with an existing piece of software to trigger unintended behaviour, which in turn lets malicious software run on the computer. A large share of infections begin with a specific vulnerability or flaw in a piece of software.

In our tests, we use actual binary exploits for memory corruption vulnerabilities, alongside small scriptlets. These give an attacker a more reliable connect-back shell to the victim workstations and are often a hacker’s method of choice for getting a foothold in an enterprise’s IT infrastructure.

Payloads

When a fileless payload is started, a connect-back shell is instantiated to the attacker’s remote administration endpoints, which makes taking screenshots, logging keystrokes and mapping the network around the victim’s workstation easy.

Furthermore, once the initial infection is successful, the usual next step for in-the-wild operators is to aim for persistence straight away. A new Windows service here, a tiny start-up script for a technical user there. The potential for backdooring a Windows domain is endless; see this blog for more details.

These bits of script are small and inconspicuous by nature. They are written in JavaScript, PowerShell or any of the countless other scripting options available on Windows and, like most scripts, they can be obfuscated to the extreme.

Tooling

As for actual tooling, many of our test cases are based on open source apps with some custom PowerShell stagers and obfuscators thrown in for good measure. Empire-PS used to be the warrior of the past, alongside Covenant and Pupy. Check out this link for a catalogue of the current market offerings. The actual test cases can be found in our 360° reports.

Detection

When performing a fileless test case, detection is especially tricky. Many AVs detect the downloaded script itself. However, this can often be evaded with a bit of encoding (no actual name-calling here to protect the innocent!).

When the script is executed, a process is loaded into memory and starts communicating with the remote server endpoint. Antivirus software has a lot of surface to monitor here: direct and indirect PowerShell calls to sensitive APIs, and so on.

To their credit, many of our test participants do their job surprisingly well. In many cases, even if the download stage has succeeded and the PowerShell invocation has taken place, in-memory detection mechanisms kick in and terminate the unfolding RAT (Remote Access Trojan) implant before a full connection can be established.

The screen flow is perfectly straightforward: the user is informed in a small pop-up that a process did something dangerous, so it has been killed and its origin file on the disk has been quarantined.

So far so good.

In most of these cases, our server listeners receive no connection at all, or, even if they do, actual remote access cannot be established. The victim slowly times out after the initial connect-back stage.

However, in many cases, even when the threat is detected, the actual implant is not killed and keeps communicating happily with the server endpoints. When we take a remote screenshot, it is clearly visible that the alarm has indeed gone off; nevertheless, the connection is left intact.

This phenomenon is prevalent with frameworks where we immediately migrate away from powershell.exe to another process, or undertake some process injection trickery to evade termination. In our 360° methodology, should the AV issue an alert while the connection remains usable, the test case is marked as “Detected”.
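To make the difference between an alert and an actual block concrete, here is an added Python example (not code from the original post or from our test harness) that rates a fileless test case from an AV alert log plus a post-alert snapshot of processes and outbound sockets. A session is attributed to the test case by walking parent links back to the stager PID, so a connection held by a process the stager spawned before dying still counts; the PIDs, listener address and every verdict label other than “Detected” are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Proc:
    pid: int
    ppid: int
    image: str

@dataclass
class Conn:
    pid: int       # owning process
    remote: str    # "host:port" the socket is connected to
    state: str     # e.g. "ESTABLISHED", "SYN_SENT"

LISTENER = "203.0.113.10:443"   # constructed address of the lab's connect-back listener

def descends_from(pid: int, root: int, procs: dict[int, Proc]) -> bool:
    """True if pid is root or a transitive child of it; works even if root is already dead."""
    seen = set()
    while pid not in seen:
        if pid == root:
            return True
        if pid not in procs:
            return False
        seen.add(pid)
        pid = procs[pid].ppid
    return False

def verdict(stager_pid: int, alerts: list[dict], procs: list[Proc], conns: list[Conn]) -> str:
    """Rate one test case from the AV alert log and a post-alert process/socket snapshot."""
    by_pid = {p.pid: p for p in procs}
    alerted = any(descends_from(a["pid"], stager_pid, by_pid) for a in alerts)
    live = [c for c in conns if c.remote == LISTENER and c.state == "ESTABLISHED"
            and descends_from(c.pid, stager_pid, by_pid)]
    if live:
        return "Detected" if alerted else "Missed"   # an alert without a kill is not a block
    return "Blocked" if alerted else "No connection"

def run_sample() -> dict[str, str]:
    """Two constructed snapshots for the same stager (PID 4120, launched from explorer.exe)."""
    alerts = [{"pid": 4120, "rule": "suspicious PowerShell download cradle"}]
    # A: the stager was terminated; no process descending from it holds a socket.
    procs_a = [Proc(3000, 1, "explorer.exe")]
    conns_a = [Conn(3000, "198.51.100.7:443", "ESTABLISHED")]   # unrelated traffic
    # B: the stager is gone too, but the implant moved into a child it spawned (PID 5008).
    procs_b = [Proc(3000, 1, "explorer.exe"), Proc(5008, 4120, "child.exe")]
    conns_b = conns_a + [Conn(5008, LISTENER, "ESTABLISHED")]
    return {"killed": verdict(4120, alerts, procs_a, conns_a),
            "migrated": verdict(4120, alerts, procs_b, conns_b)}
```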

Conclusion

In conclusion, providing protection against malicious fileless attacks, i.e. where the attack toolchain does not contain a binary file, is a tricky endeavour. Besides detecting threats as quickly as possible, e.g. during the download stage, a decent AV needs to make sure that, after detection, it kills the actual threat and does not leave any trace of malicious processes in memory.

To find out which AV software brands work best against exploits, check out our quarterly 360° Protection Test reports.