Are fileless attack techniques really stealthy?
Remaining with Poweliks and Kovter as an example, there are various threat-hunting use-cases which can be used to detect such malware. A particular sample seen by Countercept exhibited the following high-level behavior:
1) The malware adds an entry under the following Windows registry path for persistence. It uses non-ASCII characters in the key’s name in an attempt to hide the key from most tools, including Regedit, which are unable to read such names.
3) The malicious DLL is injected into the dllhost.exe process.
By analyzing the individual processes, their parent/child relationships, their arguments, and their in-memory behavior, several threat-hunting use-cases can be generated.
- RunDLL process launching Powershell process
- Powershell process launching DLLHost process
- RunDLL process referencing the Registry
- Powershell with Invoke Expression arguments
- Powershell with Environment Variable arguments
- DLLHost with evidence of a reflectively loaded DLL in-memory
Any one of these use-cases, combined with further analysis techniques such as least-frequency analysis as a form of anomaly detection, can reduce process data sets to a volume that is feasible for human analysis. This is evidence that the increasingly popular fileless techniques are not actually that stealthy. In addition, because the technique relies on injecting into another process, it is more exposed to detection through memory analysis. In fact, we consider these techniques to often be easier to detect than hide-in-plain-sight approaches.
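As an added illustration (not code from the Countercept post), the following runs the use-cases listed above over a constructed sample of process-creation events and adds the least-frequency parent/child check just mentioned. It assumes telemetry with pid, ppid, image and command-line fields (the fields Sysmon Event ID 1 provides); the event values, the `hunt` and `rare_parent_child_pairs` names and the regex patterns are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed process-creation events (Sysmon Event ID 1 style fields); not real telemetry.
EVENTS = [
    {"pid": 4,  "ppid": 0,  "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 10, "ppid": 4,  "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe placeholder.dll,Run HKCU\Software\Classes\CONSTRUCTED"},
    {"pid": 11, "ppid": 10, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell.exe -w hidden -c "iex $env:constructed_var"'},
    {"pid": 12, "ppid": 11, "image": r"C:\Windows\System32\dllhost.exe", "cmd": "dllhost.exe"},
    {"pid": 20, "ppid": 4,  "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"pid": 21, "ppid": 4,  "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"pid": 22, "ppid": 4,  "image": r"C:\Windows\System32\dllhost.exe", "cmd": "dllhost.exe /Processid:{CONSTRUCTED}"},
]
def _name(image):  # lower-cased file name of an image path
    return image.rsplit("\\", 1)[-1].lower()
def _parent_child(parent, child, pname, cname):  # parent image pname spawned child image cname
    return parent is not None and _name(parent["image"]) == pname and _name(child["image"]) == cname
def _arg(event, iname, pattern):  # image iname with a command line matching pattern
    return _name(event["image"]) == iname and re.search(pattern, event["cmd"], re.I) is not None

# One predicate per hunting use-case; each takes (event, parent_event_or_None).
USE_CASES = [
    ("rundll32 launching powershell", lambda e, p: _parent_child(p, e, "rundll32.exe", "powershell.exe")),
    ("powershell launching dllhost", lambda e, p: _parent_child(p, e, "powershell.exe", "dllhost.exe")),
    ("rundll32 referencing the registry", lambda e, p: _arg(e, "rundll32.exe", r"\bHK(LM|CU|CR|U|CC)\b")),
    ("powershell with Invoke-Expression", lambda e, p: _arg(e, "powershell.exe", r"\b(iex|invoke-expression)\b")),
    ("powershell with environment-variable argument", lambda e, p: _arg(e, "powershell.exe", r"\$env:|%\w+%")),
]

def hunt(events):
    """Map pid -> list of matched use-case labels, for events that match at least one use-case."""
    by_pid = {e["pid"]: e for e in events}
    hits = {}
    for e in events:
        labels = [label for label, pred in USE_CASES if pred(e, by_pid.get(e["ppid"]))]
        if labels:
            hits[e["pid"]] = labels
    return hits

def rare_parent_child_pairs(events, max_count=1):
    """Least-frequency analysis: (parent, child) image-name pairs seen at most max_count times."""
    by_pid = {e["pid"]: e for e in events}
    counts = Counter(
        (_name(by_pid[e["ppid"]]["image"]) if e["ppid"] in by_pid else "<none>", _name(e["image"]))
        for e in events)
    return {pair for pair, n in counts.items() if n <= max_count}
```

On the sample, only the rundll32/powershell/dllhost chain (pids 10, 11, 12) trips a use-case, while the routine explorer-launched PowerShell scripts drop out of both the use-case hits and the rare-pair set.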
The data sets can be reduced even further by combining use-cases – or all of them, where suitable. The more use-cases are combined, the higher the detection accuracy for the specific infection or variant. However, the art of threat hunting arguably lies in combining use-cases gathered from continuous research and hypothesis generation, and feeding them back into your threat-hunting model. This allows detection of much more generic attack techniques rather than specific malware traits, uncovering compromises regardless of whether they have been seen before.