Original slides
https://www.slideshare.net/OlgaPasko/hunting-fileless-malware-149129867
Workshop by Olha Pasko at NoNameCon 2019.
https://nonamecon.org
Fileless malware and system tools as bypass techniques in cyber-attack. Hunting with SysInternals tools and Digital Forensics techniques.
1. Fileless malware and system tools as bypass technique: an explanation of “bypass technique” and “fileless malware”. Creating custom fileless malware by abusing Powershell.
2. Threat hunting with Sysinternals tools: an explanation of system processes, threads, jobs, resources. Anomaly detection of system processes with Sysinternals tools. Fileless malware detection.
3. Threat hunting with Digital Forensics techniques: an explanation of “digital forensics”. Acquisition and analysis of RAM memory dump with Digital Forensics tools.
4. Summary, or “what can a participant obtain from this workshop”: knowledge of the top bypass techniques, hard skills for detecting and hunting malicious code, and an understanding of the differences between hunting with SysInternals and with Digital Forensics tools.
5. Fileless Malware
● Fileless malware is a new type of malicious code which infects a host computer’s dynamic memory (RAM).
● Typically, fileless malware is combined with abuse of system tools such as PowerShell, WMI, the Windows SDK, etc.
13. Boot Chain. Anomaly Detection
● System
Anomalies in process’s behavior:
● System doesn’t have a parent (the origin process runs in kernel mode)
● PID for System isn’t equal to 4
● there are several copies of System
14. Boot Chain. Anomaly Detection
● SMSS
Anomalies in process’s behavior:
● parent process isn’t System
● process directory isn’t %system%\system32
● procexp64.exe/procexp.exe shows a parent process for winlogon, wininit or csrss
15. Boot Chain. Anomaly Detection
● CSRSS
Anomalies in process’s behavior:
● process is running as a non-SYSTEM user
● process directory isn’t %system%\system32
Normal process’s behavior:
● one separate instance for each session
● first instance for System: Session0
● second instance for user: Session1
16. Boot Chain. Anomaly Detection
● Wininit
Anomalies in process’s behavior:
● process is running as a non-SYSTEM user
● process directory isn’t %system%\system32
● SMSS isn’t the parent of wininit
Normal process’s behavior:
● process is running as NT AUTHORITY\SYSTEM
● process directory is %system%\system32
● creates Winsta0 and 2 desktops (Winlogon and Default) for Session0
● creates Services.exe, Lsass.exe, Lsm.exe
● SMSS is the parent process
● creates %windir%\temp
● process is started under Session0
17. Boot Chain. Anomaly Detection
● Winlogon
Anomalies in process’s behavior:
● the Shell and Userinit fields differ from those shown in the image above
● process directory isn’t %system%\system32
● procexp64.exe/procexp.exe shows a parent process for winlogon
● process isn’t running as NT AUTHORITY\SYSTEM
18. Boot Chain. Anomaly Detection
● Explorer
Anomalies in process’s behavior:
● process has TCP/IP connections
● process directory isn’t the Windows directory
19. Boot Chain. Anomaly Detection
● Services
Anomalies in process’s behavior:
● process is running as a non-SYSTEM user
● process directory isn’t %system%\system32
● parent process isn’t Wininit.exe
20. Boot Chain. Anomaly Detection
● Svchost
Anomalies in process’s behavior:
● process is running as a user other than SYSTEM, Local Service or Network Service
● process directory isn’t %system%\system32
● parent process isn’t services.exe
● process command line doesn’t use the -k [name] switch
21. Boot Chain. Anomaly Detection
● LSASS
Anomalies in process behavior:
● process is running as a non-SYSTEM user
● process directory isn’t %systemroot%\system32
● parent process isn’t wininit.exe
● processes with similar but slightly different names: lasss, lssaa, lsas
Normal process behavior:
● process is running as the NT Authority\SYSTEM user
● path is %systemroot%\system32\lsass.exe
● parent process is wininit.exe
● only one process with the name lsass.exe
● lsass.exe doesn’t have a child process
● lsass.exe is started under Session0
22. Boot Chain. Anomaly Detection
● LSM
Normal process behavior:
● process is running as the NT Authority\SYSTEM user
● directory is %systemroot%\system32
● parent process is wininit.exe
● lsm is a terminal state manager on the local host
● lsm.exe doesn’t have a child process
● lsm.exe is started under Session0
Anomalies in process behavior:
● process is running as a non-SYSTEM user
● process directory isn’t %systemroot%\system32
● parent process isn’t wininit.exe
● lsm has a child process
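The per-process checks on slides 13 to 22 can be written down as a small rule table and run over a process listing. The script below is added here and is not from the workshop; the record fields (pid, ppid, name, path, user, cmdline, conns) and the sample snapshot are constructed assumptions mirroring what Process Explorer shows, and the Session0 and Winlogon registry checks are left out.

```python
from difflib import SequenceMatcher

SYSTEM32 = r"c:\windows\system32"
SYS = "nt authority\\system"
SVC_USERS = {SYS, "nt authority\\local service", "nt authority\\network service"}
# name -> (expected parent, allowed accounts); parent None: the smss that spawned it has exited
RULES = {"smss.exe": ("system", {SYS}), "csrss.exe": (None, {SYS}),
         "wininit.exe": (None, {SYS}), "winlogon.exe": (None, {SYS}),
         "services.exe": ("wininit.exe", {SYS}), "lsass.exe": ("wininit.exe", {SYS}),
         "lsm.exe": ("wininit.exe", {SYS}), "svchost.exe": ("services.exe", SVC_USERS)}

def check_boot_chain(procs):
    """Return (pid, reason) tuples for every boot-chain rule a process breaks."""
    by_pid = {p["pid"]: p for p in procs}
    names = [p["name"].lower() for p in procs]
    hits = []
    for p in procs:
        n, pid, parent = p["name"].lower(), p["pid"], by_pid.get(p["ppid"])
        checks = [(n == "system" and (pid != 4 or names.count(n) > 1), "System PID != 4 or duplicated"),
                  (n == "lsass.exe" and names.count(n) > 1, "more than one lsass.exe"),
                  (n == "svchost.exe" and "-k " not in p["cmdline"].lower(), "svchost.exe without -k group"),
                  (n in ("lsass.exe", "lsm.exe") and any(c["ppid"] == pid for c in procs), f"{n} has a child"),
                  (n == "explorer.exe" and (p.get("conns", 0) or p["path"].lower() != r"c:\windows\explorer.exe"),
                   "explorer.exe has network activity or runs outside the Windows directory"),
                  # look-alike names (lasss, lssaa, lsas) that are not the real lsass.exe
                  (n not in RULES and SequenceMatcher(None, n, "lsass.exe").ratio() >= 0.85,
                   f"lsass.exe look-alike name {n}")]
        if n in RULES:  # account, start directory and parent expectations
            exp_parent, users = RULES[n]
            checks += [(p["user"].lower() not in users, f"{n} runs as {p['user']}"),
                       (p["path"].lower() != f"{SYSTEM32}\\{n}", f"{n} started from {p['path']}"),
                       (exp_parent is None and parent is not None, f"{n} shows a live parent"),
                       (exp_parent is not None and (parent is None or parent["name"].lower() != exp_parent),
                        f"{n} parent is not {exp_parent}")]
        hits += [(pid, why) for bad, why in checks if bad]
    return hits

def proc(pid, ppid, name, path, user=SYS, cmdline=""):  # snapshot record helper
    return {"pid": pid, "ppid": ppid, "name": name, "path": path, "user": user, "cmdline": cmdline}
# Constructed snapshot (not a real capture): a healthy chain plus two planted anomalies
SNAPSHOT = [proc(4, 0, "System", ""), proc(300, 4, "smss.exe", SYSTEM32 + r"\smss.exe"),
            proc(400, 392, "csrss.exe", SYSTEM32 + r"\csrss.exe"),  # ppid 392: smss already gone
            proc(480, 392, "wininit.exe", SYSTEM32 + r"\wininit.exe"),
            proc(600, 480, "services.exe", SYSTEM32 + r"\services.exe"),
            proc(620, 480, "lsass.exe", SYSTEM32 + r"\lsass.exe"),
            proc(700, 600, "svchost.exe", SYSTEM32 + r"\svchost.exe", cmdline="svchost.exe -k netsvcs"),
            proc(1500, 1480, "explorer.exe", r"c:\windows\explorer.exe", "corp\\alice"),
            # planted: svchost in a user profile, child of explorer, no -k group; then an lsass look-alike
            proc(1400, 1500, "svchost.exe", r"c:\users\alice\appdata\local\svchost.exe", "corp\\alice", "svchost.exe"),
            proc(1600, 1500, "lsas.exe", r"c:\users\alice\appdata\local\temp\lsas.exe", "corp\\alice", "lsas.exe")]
```

Calling check_boot_chain(SNAPSHOT) flags only the two planted records: four reasons for the fake svchost.exe and one look-alike warning for lsas.exe.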
24. Threat Hunting. SysInternals
Step 1:
● obtain the Boot Chain [with tools such as SysInternals or Digital Forensics RAM dump analysis techniques]
● check the Boot Chain for anomalies in process behavior
● get suspicious processes
Step 2:
● gather more detailed information about suspicious processes:
○ start directory
○ command line
○ parent process
○ user name the process was started from
○ network activities
○ procexp/procexp64
○ listdlls/listdlls64
○ pipelist/pipelist64
○ strings/strings64
○ netstat -anb / TCPview
25. Threat Hunting. SysInternals
Step 3:
● check the gathered suspicious markers for malicious activity [you can use public sandboxes which present detailed dynamic analysis, for example reverse.it]
● obtain Indicators of Compromise and malware behavior