Chapter 5 - Malware Exploitation Flashcards
What is an Exploit Technique?
A specific method by which malware code infects a targeted host.
Now, there are many different ways this can be done. In the old days, we used to have malware that would rewrite or modify the code within an executable or a macro file on a target disk. That way, whenever that file was run, the virus was loaded, it could execute its payload, and it could go out and do bad things.
Most modern malware uses ______ techniques to avoid detection by signature based security software
fileless
***By being fileless, this means that the malware is executed directly as a script or a small piece of shellcode that creates a process in system memory without having to use the local file system.
How does an APT use modern malware to operate? (The Basic 5 Steps of an Attack)
▪ Dropper or downloader= The first step is that the malware has to get onto your computer, and it's going to do that in a fileless manner. The way they're going to do this is by running lightweight shellcode on your system. This small piece of code becomes what we call a dropper, or a stage one dropper, and it's then going to go out and download the rest of the code. That dropper is just a very small file and can run very easily from memory.
▪ Maintain access= At that point, the APT then tries to maintain access. The malware is now on the system, and it's going to install that second stage downloader. That downloader can download something like a remote access Trojan, and this will give the adversary C2 (command and control) over the victim machine.
▪ Strengthen access= After that, they're going to start strengthening their access. To do that, they're going to use the remote access tool they have from the maintaining access phase, and they're going to start looking around, identifying and infecting other systems. As they're doing this, they're trying to find systems of higher value, like servers or domain controllers. But even if they don't, they want to compromise other workstations too, and do this lateral movement so they can gain additional privileges and an additional footprint. So, if you find them on one machine, they can still survive on another machine and stay in the environment.
▪ Actions on objectives= Now, with actions on objectives, the attacker has enough permissions and has identified enough things of interest that they can start doing what they want to do, which is usually going to be copying or stealing files, encrypting files, or doing something else, whatever their motive was.
▪ Concealment= The attacker, at this point, is going to maintain their tool access, but they might just go ahead and start hiding themselves. They're going to start covering their tracks by deleting log files and things like that. They want to make sure they're eradicating any sign that they were there and that they infected your system. This way, they can stay there longer if they need to, and they can always go back in later on if they need to get something else from the machine.
What is a Dropper?
A specialized type of malware designed to install or run other types of malware embedded in a payload on an infected host. Usually, this will be a stage one dropper; it's that code you first got. Once you get that code and run it, it's then going to go out and get some other code, and it uses a downloader to do that.
**Now, a downloader is a piece of code that connects to the Internet to retrieve additional tools after the initial infection by a dropper.
What is a Downloader?
A piece of code that connects to the Internet to retrieve additional tools after the initial infection by a dropper
What is Shellcode?
Any lightweight code that's designed to run an exploit on a target. This can include any type of code format, from scripting languages all the way down to a compiled binary.
For this exam, they want you to use the more generic definition of shellcode that I just provided, which is any lightweight code designed to run an exploit on a target. It doesn't have to give you a command prompt (a shell); it just has to be something that's going to run some kind of exploit.
What is a Code Injection?
Exploit technique that runs malicious code with the identification number of a legitimate process
So, when I go to install this code, you're going to notice that every process has a unique ID number (PID) associated with it. If I have something that is allowed to run, like Explorer for Windows, and I decide to run malware and make you think I'm running it as Explorer for Windows, I can hide that malware by injecting the code into that process. That's the idea of code injection.
Now, there are a lot of other techniques we can use as far as different types of code injection.
▪ Masquerading= where your dropper replaces a genuine executable with a malicious one.
▪ DLL injection= where the dropper forces a process to load a DLL, so the malicious code in that DLL executes as part of the legitimate process.
▪ DLL sideloading= where the dropper exploits a vulnerability in a legitimate program's manifest to load a malicious DLL at runtime; essentially you sideload by making the program load this malicious DLL in place of the intended one.
▪ Process hollowing= where a dropper starts a process in a suspended state, and then rewrites the memory locations containing the process code with the malware code.
What is Living Off the Land?
o Exploit techniques that use standard system tools and packages to perform intrusions
o Detection of an adversary is more difficult when they are executing malware code within standard tools and processes
**Because when they live off the land, it's really hard for us to find them. When I talk about living off the land, this is an exploit technique that uses standard system tools and packages to perform intrusions. For instance, they might use something like PowerShell, which can be used to do all sorts of malicious activities.
So, if you fall victim to an attacker who is used to living off the land, the detection of that adversary is going to be much more difficult, because they're executing malware code within those standard tools and processes. That makes it really hard to detect, and it's going to allow them to stay on your system a lot longer.
Droppers are likely to implement _______ techniques to prevent detection & analysis
anti-forensics
***When we talk about anti-forensic techniques, this is things like encrypting their payloads, compressing their payloads, or obfuscating their payloads. Now, when they do this, it makes our job as reverse engineers a lot harder, but we still find ways to find these people. So, one of the things that a lot of pentesters and a lot of attackers are starting to do now is a concept called "living off the land".
What are Personal Firewalls? What are they also referred to as?
These are software-based applications that protect just a single computer or server from unwanted Internet traffic.
Referred to as Host-based Firewalls= These firewalls work by applying a set of rules and policies against traffic that's attempting to come into or go out of our protected computer. For example, if a computer is a web server, then it should be accepting incoming traffic on port 80 and port 443. But if it's a desktop computer, there's likely no need for these ports to be left open. Instead, the firewall should reject any inbound attempts to access these ports.
What are the firewalls for different operating systems? (Mac OSX, Windows, or Linux)
Windows= Windows Firewall
OSX= PF and IPFW firewalls
Linux= iptables (IP Tables)
Many anti-malware suites also contain ______?
personal software-based firewall (need to be updated)
What is a network-based firewall?
Security devices used to stop or mitigate unauthorized access to private networks connected to the Internet, especially intranets.