Recorded June 2020
TOPIC: Fileless Malware, we think NOT
OUR GUESTS WILL BE:
Tyler Hudak - Practice Lead, Incident Response - TrustedSec
Martin Brough - Cybersecurity Expert for Acronis
Website - infosec512.com
SANS DFIR Summit - Running Processes, the Red Team and Bad Actors are using them
Article in eForensics Magazine on ARTHIR covered in Episode 011
Visit the website and register to get the free edition
BSides Cleveland - Tyler’s Forensic Analysis
Friday June 19th - Tactical Windows Forensics
Will be held and/or released at another event soon
Preparing for an Incident - NCC Group webinar. Free to all
NCC Group has a position, remote, Incident Response engineer, with AWS, GCP, Azure experience. You get to work with ME.
Cylance blocks LOG-MD-Premium Running Process check
Ticket opened, users must exclude LOG-MD from being checked
Windows malware opens RDP ports on PCs for future remote access
Exploit code for wormable flaw on unpatched Windows devices published online
(SMBGhost) - Processing of a malformed compressed message - Eternal Darkness/SMBGhost affects version 3.11 of the protocol, which as ThreatPost points out, is the same version that was targeted by the WannaCry ransomware a couple of years ago
The US Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends using a firewall to block SMB ports from the internet and to apply patches to critical- and high-severity vulnerabilities as soon as possible
ENABLE THE WINDOWS FIREWALL !!!! Block SMB to workstations, and you will get better logging too ;-)
Microsoft warns of vulnerabilities in SMBv3 (Eternal Darkness)
Microsoft warns of vulnerabilities in SMBv3
Netwalker Fileless Ransomware Injected via Reflective Loading
80% of hacking-related breaches leverage compromised credentials
THE IR Crew
Guest 1 - Tyler
KAPE, or rawcopy, or other tools to capture MFT before processing
Guest 2 - Martin
MALWARE OF THE MONTH:
Dridex fileless malware:
Key Detection points
Well… in memory only “fileless”
Rundll32 calling malicious DLL
Parent Child relationship
Rundll32.exe calling SysWow64\Rundll32.exe
Scan email attachments
Block Macro execution
Block uncategorized websites
Application Whitelist Users directory
Lock down PowerShell
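The Dridex detection points above (rundll32.exe spawning SysWow64\rundll32.exe, rundll32 loading a DLL out of the Users directory, and the macro-delivery angle behind "Block Macro execution") can be turned into a simple hunt over process-creation records. The script below is an added example written for these notes, not tooling from the show or its guests. It assumes a Sysmon Event ID 1 style export flattened to "key=value|key=value" lines (field names Image, ParentImage, CommandLine); the log lines are constructed, and the Office parent list and the user-directory DLL pattern are assumptions chosen to match the points above.

```python
"""Hunt for the rundll32 parent/child pattern from the Dridex detection notes.

Added example; the sample records below are constructed, not real telemetry.
Record layout is an assumption: one process-creation event per line with
Sysmon-style fields separated by '|' (CommandLine is assumed not to contain '|').
"""
import re
from typing import Dict, List, Tuple

# Constructed sample export (assumption: Sysmon Event ID 1 fields).
SAMPLE_LOG = r"""Image=C:\Windows\System32\svchost.exe|ParentImage=C:\Windows\System32\services.exe|CommandLine=svchost.exe -k netsvcs
Image=C:\Windows\System32\rundll32.exe|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|CommandLine=rundll32.exe C:\Users\alice\AppData\Local\Temp\update.dll,Start
Image=C:\Windows\SysWOW64\rundll32.exe|ParentImage=C:\Windows\System32\rundll32.exe|CommandLine=rundll32.exe C:\Users\alice\AppData\Local\Temp\update.dll,Start
Image=C:\Windows\System32\rundll32.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=rundll32.exe shell32.dll,Control_RunDLL
"""

# Assumed list of macro-capable Office hosts that should not normally spawn rundll32.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# A DLL path sitting under a user profile (C:\Users\...) on the rundll32 command line.
USER_DLL_RE = re.compile(r"[a-z]:\\users\\[^ ,]+\.dll", re.IGNORECASE)


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split the flattened export into one dict per process-creation event."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(part.split("=", 1) for part in line.split("|"))
        records.append(fields)
    return records


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles both Image fields)."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(record: Dict[str, str]) -> List[str]:
    """Return the reasons a single rundll32 event looks suspicious (empty if none)."""
    reasons: List[str] = []
    image = basename(record.get("Image", ""))
    parent = basename(record.get("ParentImage", ""))
    cmd = record.get("CommandLine", "")
    if image != "rundll32.exe":
        return reasons
    # Detection point: Rundll32.exe calling SysWow64\Rundll32.exe (rundll32 parent of rundll32).
    if parent == "rundll32.exe":
        reasons.append("rundll32 spawned by rundll32 (System32 -> SysWOW64 hop)")
    # Detection point: rundll32 loading a DLL from the Users directory.
    if USER_DLL_RE.search(cmd):
        reasons.append("rundll32 loading a DLL from a user-writable directory")
    # Macro delivery: an Office host is the parent of rundll32.
    if parent in OFFICE_PARENTS:
        reasons.append(f"rundll32 spawned by Office application {parent}")
    return reasons


def find_suspicious(text: str) -> List[Tuple[int, str, List[str]]]:
    """Run evaluate() over every record; return (record index, Image, reasons) for hits."""
    hits = []
    for idx, rec in enumerate(parse_records(text)):
        reasons = evaluate(rec)
        if reasons:
            hits.append((idx, rec.get("Image", ""), reasons))
    return hits


if __name__ == "__main__":
    for idx, image, reasons in find_suspicious(SAMPLE_LOG):
        print(f"record {idx}: {image}")
        for r in reasons:
            print(f"    - {r}")
```

Records 1 and 2 of the constructed log are flagged (Office parent plus a user-profile DLL, then the rundll32-to-rundll32 hop); the explorer.exe-launched control-panel call in record 3 is benign rundll32 use and stays quiet, which is the point of keying on the parent/child relationship rather than on rundll32.exe alone.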
TOPIC OF THE DAY:
Fileless Malware, we don’t think so
What is “Fileless Malware”?
Cybereason - Unlike file-based attacks, fileless malware does not leverage traditional executable files. Fileless attacks abuse tools built-in to the operating system to carry out attacks. Essentially, Windows is turned against itself.
Without an executable, there is no signature for antivirus software to detect. This is part of what makes fileless attacks so dangerous - they are able to easily evade antivirus products.
McAfee - Fileless malware is a type of malicious software that uses legitimate programs to infect a computer. It does not rely on files and leaves no footprint, making it challenging to detect and remove.
CarbonBlack - Fileless malware refers to a cyberattack technique that uses existing software, allowed applications, and authorized protocols to carry out malicious activities.
WikiPedia - Fileless malware is a variant of computer related malicious software that exists exclusively as a computer memory-based artifact i.e. in RAM.
It does not write any part of its activity to the computer's hard drive meaning that it's very resistant to existing Anti-computer forensic strategies that incorporate file-based whitelisting, signature detection, hardware verification, pattern-analysis, time-stamping, etc., and leaves very little by way of evidence that could be used by digital forensic investigators to identify illegitimate activity.
As malware of this type is designed to work in-memory, its longevity on the system exists only until the system is rebooted.
So what do WE think Fileless Malware is?
The IR crew
A better way to define Fileless Malware and WHY
.NETware compile on the fly (compileware)
How does this change our evaluation of malware?
How does this change our IR or Threat Hunting process?
How does this change how we detect and alert on malware?
Cybereason - FILELESS MALWARE 101: UNDERSTANDING NON-MALWARE ATTACKS
McAfee - What Is Fileless Malware?