
So first of all, thank you very much. This is a great opportunity for me, and I'm very happy and very honored to be down here sharing about fileless malware. I'm going to talk about what fileless malware is, how an attack is performed using this type of technique, and of course I'm going to provide some general recommendations that hopefully will be very useful for you to protect against this type of threat.

So, as you mentioned, my name is Juan Raja. I have a bachelor's degree in computer science, I also have a master's in cyber security, thank God, and I hold several cyber security related certifications, including the Certified Advanced Security Practitioner and some cloud certifications. Feel free, of course, to add me as a contact on LinkedIn; I'll be more than glad to interact and to clarify doubts after this session if you have any additional question.

So the agenda is going to be extremely simple. I'll provide a quick introduction about what fileless malware is, and of course what malware is, then what fileless malware is, how an attack is performed, what the risk is, what the impact is; that type of information I'll share during the introduction. Then we'll focus on what living off the land is, what LOLBins are. Basically, we're going to use existing and legitimate tools against our victim; that's the idea of living off the land. So with the LOLBins we're going to use existing libraries, as I said, and we're going to use existing executable files and scripts. We will use good tools such as PowerShell, such as WMI, to cause damage. Finally, I'll provide some general recommendations about how to detect, and what to do to protect your company against fileless malware attacks.

So let's go to the basics before we go to fileless malware. As you know, what is malware? Malware stands for malicious software. There are several types of malicious software, such as a virus, where normally the traditional virus will require some sort of human interaction: someone will download something, someone will execute a file, someone will install an application, and that executable file will perform some malicious actions such as deleting files, stealing information, or even downloading other types of malware. The armored virus, the one that comes in the second picture, is a virus that has the capability of encryption and/or uses obfuscation techniques to make the reverse engineering process very hard. Then the trojan will be a toolset or application that you could download that looks legitimate, or some of them you will download because you want to avoid paying for the license, in other words piracy. So people will download this type of application; it will work the way it is supposed to work, however it also will be executing some other actions that will impact the confidentiality of the data, maybe the integrity of the data, or even more, the availability of the data. The bots will be malicious software designed to take control of your computer, and that way your computer, IoT device or mobile device will be receiving requests or commands and will be executing those commands, such as: okay, all these computers are infected, let's try to access a website, so sooner or later the resources of that web server will be consumed and that will cause a denial of service attack. The worm will be a type of malware that copies itself automatically; it will automatically scan for computers that have a specific vulnerability and will automatically copy itself, so there's no requirement of human interaction. Spyware will be tools that are designed to spy on whatever you type, for example a keylogger. Then adware will be malicious software designed to simulate clicks, and that way the attacker will receive money in an illegal way. And ransomware is a terrible type of malware designed to take control of your host, encrypt all your files, and if and only if, in theory, you pay, then in theory you will be able to continue using your files. Of course it's not a good idea to pay; it's better to be proactive, it's better to have very good backups and threat intelligence and to proactively block those types of attack vectors.

How is malware normally distributed? It is distributed using email and social engineering techniques, by sending emails that look legitimate and invite people to click on a hyperlink or to download an application; for example, USB keys that carry malware using an autorun feature, so that as soon as you connect the USB key it will execute the malicious commands. And nowadays, because everybody uses mobile devices and we use several social media tools such as Telegram or WhatsApp, which are good tools, attackers are using them to send payloads, let's say, that use techniques such as tiny URLs to encode and to send malicious hyperlinks. So as I said, there are many techniques in order to distribute the malware. One of them is to use, for example, a typosquatting attack, where they register URLs that look legitimate, very similar to the official website, so people could fall for that attack; or emails that look legitimate and contain even the logos of the company, the color coding of the company; and of course, as I said, the famous USB drop key, where you are basically using a Rubber Ducky USB key and people sooner or later will connect it to their personal device or to the company computer.

Now let's talk about fileless malware, because this is another type of malware attack. Down here, the idea is to try to use good tools, existing tools. The idea is to avoid having to install an application. Without installing any malware, we're going to use existing tools and legitimate tools to perform malicious attacks. So for example, what type of existing tools will be useful to perform a fileless malware attack? We are talking about exploiting good tools, from WMI, the Windows Management Instrumentation tool, to PowerShell, or even just a common shell, because all these tools have many useful libraries, many useful functions already, that enable you to perform reconnaissance, to obtain information about the target computer, to try to do pivoting, to obtain information about other computers, and that way you will be able to perform lateral movement and attack other equipment. And of course it will give you more information even about what applications are installed, what services are running. So again, as you might know, during a normal kill chain one of the first action items is to do a good reconnaissance; that way you will be able to discover vulnerabilities that could be exploited. So again, the idea is to perform this reconnaissance and then execute malicious commands using good tools.

So PowerShell is a good tool. It's a very useful tool that enables us to automate tasks, to configure several devices automatically, for example to interact with Active Directory, to interact with Exchange. You can obtain information about all your computers easily using PowerShell, and there are many very useful cmdlets available in PowerShell to do good things. Just as an example, down here I'm using PowerShell just to perform a very simple backup; with the Copy-Item command you can do a very simple backup. So as you can see, PowerShell is good and it's already installed on most Windows computers and servers.

Another very useful tool is known as Windows Management Instrumentation, or WMI. WMI has something interesting: WMI is a client-server approach system, where basically you can request information or you can send instructions using WQL, the WMI Query Language. Now, the way it works is similar to when you program using object-oriented programming, so for WMI every single thing on the network, and even on the devices and the components of the devices, at the end are objects. So we're talking about objects that have attributes and objects that have methods, or actions that you can execute. So for example, there will be a class for hard drive, so when you reference the class of hard drive you will be able to obtain attributes such as the size of the hard drive, the type of hard drive, and then you will be able to perform actions, or methods. So there will be multiple types of actions that you can perform against a hard drive. And as I said, because this is a client-server approach, you will be able to send commands and you will be able to request information, and the system will receive the instruction, execute the instruction and reply with the response, or with the result of the execution of the action.
Now you can combine these good tools for your good. For example, you can execute WMI commands using PowerShell; as you can see down here, there are several of them already available, several cmdlets. So if you execute Get-Command -Noun WMI, you will be able to obtain information about the existing cmdlets that enable you to run WMI with PowerShell. Now, there's another system; in this case we're talking about the Common Information Model, or CIM. You can again use CIM in PowerShell to obtain even more data about your device and perform some specific actions, as you can see down here on this screenshot. You can also perform different types of queries using different methods. So for example, look at here, I'm trying to obtain information about the logical disks that are on this computer just by running Get-WmiObject Win32_LogicalDisk. So with this command I was able to know the ID of the hard drive; I know the size, how much space is still free, and the name of the volume. You can also perform some advanced queries, similar to a SQL command: select whatever you need from the element that you want to obtain information about. And again, you will be able to obtain basically the same data with two different techniques.

Now, PowerShell is good, don't get me wrong. I'm not saying that PowerShell is something bad that you don't want to use. However, because it's so powerful, attackers are using PowerShell to execute malicious actions directly in memory. So what type of malicious actions are they trying to perform? Some reconnaissance, of course, as I mentioned: fingerprinting, obtaining as much information as possible about the operating system, about the applications that are running, obtaining information about the services that are running, trying to get information about the user, what type of privileges that user has, trying to perform privilege escalation, and many others. Of course they would love to create some sort of backdoor so they can come back whenever they want. There are several techniques for persistence, and I'll show you shortly a couple of them, such as adding some of those commands that you need maybe in the Windows registry, or maybe you can use the Task Scheduler so it will be executed whenever you want.

So as you can see down here, again we can use PowerShell for fingerprinting. In this case I'm using WMI with the Win32 classes and I'm obtaining information about this computer, the computer that I'm analyzing. So again, this is from the fingerprinting perspective. You can use another command in PowerShell such as systeminfo to obtain even more details: you can know what operating system it is running, what type of processor it is using, you can even know what hotfixes are installed. So if you know what hotfixes are installed, you can also know which hotfixes are not installed, so which vulnerabilities you could try to exploit during this process.

With WMI, there are also other ways to execute WMI commands, such as wmic. In this case I'm typing wmic os get to obtain information about the operating system. Now I know that it's running, as an example, Windows 10 Enterprise Evaluation, 64-bit version. So again, this is for fingerprinting purposes. Before we start the actual attack we can know what products are installed. So we obtained information about the operating system; now we can obtain information about products that are running on this specific computer. So we know, as an example, that it is running Microsoft Update Health Tools. We can obtain some paths where some applications are, we can obtain information about versions of products. So again, for fingerprinting purposes it is extremely useful. And if you want to know what processes are running on that computer, you can easily do it by typing wmic process list brief and obtain information about the process ID. You can of course try to kill one of these processes and play around with it.

So now the attackers know that PowerShell is extremely useful, but PowerShell, or WMI, is not the only tool that can be used to make attacks. The other way to make attacks using legitimate tools is by following the approach of living off the land, also known as LOL. So again, the idea here is the same as aikido, the martial art where you're trying to use the strength of your enemy to cause damage. So now we're using the strength of existing tools, legitimate tools for maintenance, for monitoring, for automation, for network monitoring or network management, to cause damage. What type of tools am I talking about? There are many; look at here, these are a quick sample of executables that are part of the operating system, like PsExec, like wmic, MSBuild, many others that are part of the operating system, and of course some DLLs, legitimate DLLs like the Win32 DLLs, very useful DLLs that are part of the operating system. So down here the idea is to try to use them against the victim without the need of downloading additional malware. So that's the idea down here: try to use legitimate tools to make attacks. As you can see down here in this screenshot on the right, I'm using a good tool, in this case certutil. certutil is normally used for management of certificates, so I'm using certutil to hide source code that I want to steal inside a file named vpn.crt. So that's a way that you can use existing tools to cause some damage.

So now let's try to understand a little bit more how a fileless malware attack is performed. It is performed in different phases. The first phase is using social engineering techniques to be able to have some sort of shell, a web shell, a reverse shell, from the target computer. So you can do it using phishing as an example, you can use smishing by sending text messages, you can use existing tools such as the Browser Exploitation Framework as an example, so you can try to hook the browser of the victim, and that way, once the victim accesses that website, you will be able to interact, use Metasploit or other tools to send malicious commands. But the idea again is just to have access to a shell. Once you have access to a shell, then let's try to use existing scripts, existing libraries, existing binaries to cause damage. So as I said, the first section is using social engineering techniques to take control of a shell, or to have access to a shell on the target computer. You can create a copy of an existing website, you can clone it, you can use typosquatting and maybe send an SMS or send an email with the hyperlink, you can attach a file that will execute a malicious command, and at the end it will create a reverse shell that will make the computer of the victim connect to the computer of the attacker. Okay, so that's the deal down here on the social engineering section.

Now you might think: okay, so I'm able to access this computer, I'm able to have shell access, but how can I have persistence? There are many ways. One of the most common ways is to try to hide some of those malicious commands inside entries in your Windows registry, so that way the information is going to be there, available. And of course you can use task schedulers, like cron in Linux, or schtasks.exe, to schedule recurrent tasks.

So now let's try to simulate an attack. So for example, let's say that I was able to send an SMS or I sent an email; someone clicked on that email, that email asked the person to access a website, and on the website, with the Browser Exploitation Framework, I was able to send them a payload; they executed the payload and now, boom, I have access to a shell. So once I have access to the shell is where the party will start. So in this example I'm going to simulate an attack where I'm going to try to steal information using the fileless malware approach. So how am I going to steal information? I'm going to try to look for data that is relevant: data that I could sell on the deep web, data that could cause damage to the company, data that maybe the company will be willing to pay for in order to try to recover. So I'm trying to look for information that has PII, personally identifiable information, maybe some Excel files that contain information about their customers, about new products, PDFs, backups, logs, whatever is useful for the company that could be useful for the attacker to earn money.

So just in this example, maybe down here in the Documents folder there are a couple of files, in this case a customer.txt file and a server.txt file. Imagine that this could contain maybe a list of existing customers with their email address, with their phone number, with their full name, with their position. On the servers, maybe down here this file could contain data about IP addresses, the operating system of that server, maybe the name of that server, the function or service that that web server or server is offering. So it could be useful for many purposes.

So the first step will be: okay, let's try to steal the data. So the first step will be to have a copy of the data. See, I create a zip file with the copy of those two files that I'm trying to steal, remember the customer and the server txt files, inside a zip file, in this case gold.zip. Okay, so that's it; I'm just creating a zip file with information that I want to steal. Again, as you can see down here, I'm using PowerShell commands, I'm using Compress-Archive; I'm not installing anything else to be able to perform this action item. Then once I have a copy of the data, I want to delete the original files. How do I delete the original files using legitimate tools? I'm using PowerShell, I'm using the Remove-Item command. This Remove-Item is kind of interesting, because when you execute this command it will not only delete the file, but also will delete the file from the recycle bin, so it will not be so easy to recover that file using this technique.

Now we were able to save the file, delete the original files, and now we want to encrypt the file. How can we encrypt the file without downloading a ransomware? So this is a very easy way to do it: we are going to use an existing service that is designed to encrypt files. It's part of Windows, and in this case I'm talking about the CryptSvc service. So the first thing that you have to do is to check if that service is running. How can you check it? Down here, you can make a WMI query: select everything from the Win32_Service list, and you want to know if this specific service is running. I execute this command and you can see it's running and it's active. Perfect, so let's use it. So how can we use it? We are going to use another existing command that is part of Windows; you can even test it if you want, it's already installed on most Windows versions. If you type cipher, in this case the gold.zip file that I just created is not encrypted, so that's why it has a U. So in order to make it even a little bit more complex, I could even create my own keys and my own certificate if I want. As you can see, by using the same command, cipher, and then creating my own keys, it will create a .cer file and it will create a .pfx file that will contain, as I said, the key and the certificate. Now once the file has been encrypted, I'm sorry, once the keys have been created, the goal will be to encrypt the file using the same command, cipher. We can encrypt the file by using cipher /e, which stands for encrypt, and the name of the file that we want to encrypt. So I type cipher /e gold.zip, and now if I run this cipher command again I'll be able to see that now it says E gold.zip, because now it confirms that the zip file has been encrypted. Now with these ciphers, sometimes there are some portions of the file that could be easily recovered, that are in plain text. In order to make the recovery process a lot harder if you don't have a backup, there's another command that you can run to remove any remaining sections of the file that are still in plain text; in this case you're going to execute this command. Okay, it takes a little bit, it takes a couple of minutes, but at the end it will delete all those remnants of the original file that are still in plain text.

Now I was able to encrypt the file, I was able to save the file, delete the original files, and now what I need is to find a way to have a copy of that zip file, right? So in order to try to hide the zip file I'm going to use steganography. How can I use steganography? I'm going to create a picture,
because I don't want to download anything. If I start downloading files, most likely some alert could get triggered, so in order to avoid alerts getting triggered I could use an existing tool, in this case fsutil file createnew. I'm going to specify the name of the file, in this case it's going to be a BMP file, and I specify the size that I want for the cover file. Why is this important? Because the cover file needs to be big enough so that we can include and hide inside of it whatever we want; it has to be bigger than what we want to hide. So that's why in this case I'm selecting 58, in this case 58 kilobytes; the real file is just 1K, but I want to make it big enough to not trigger too many alerts. Okay, so this is just a picture that has been created automatically, and now I'm going to use steganography to hide that zip file inside the picture. So I'm using the copy command that is already part of Windows. I'm going to use copy /b because I want to modify the cover file in binary mode and hide the gold.zip inside this picture, and it's going to create a second picture that will contain the zip file that is hidden using some sort of steganography algorithm; it could be most likely LSB, the least significant bit, but at the end in this picture is where the zip file is going to be hidden. And of course I'm going to use the same command that I used a few minutes ago, Remove-Item, to remove, or to delete in a permanent way, the zip file that I created and also to remove in a permanent way the temporary cover file that I created.

Now this is where it gets really interesting. Again, I was able to encrypt the file; now how can I obtain a copy of the file using existing tools? So I could use Windows Defender for that. It looks kind of interesting, right, that the tool that is designed to defend could be used also to attack? But this is not something like a failure of Windows Defender; it could be done using other types of tools and even other security solutions. So this is just an example; I'm not saying that Windows Defender is not a good tool, I'm just saying that this is something that could be exploited. So I'm using a legitimate tool from Windows Defender, ConfigSecurityPolicy.exe. I'm specifying which file I want to receive and where I want to send it, so that way the attacker was able to obtain the information.

Then, after the data has been obtained, the attacker needs to delete his tracks. A way to delete tracks will be by maybe going to the Event Viewer and deleting specific records from the Event Viewer, but if you don't have time and you need to delete it all in one shot, you can easily do it using PowerShell by running this command: Get-EventLog -LogName, delete everything; you see it's a recursive action. So in less than one minute, yeah, less than one, just a couple of seconds, every single record in the Event Viewer will be deleted. So as you can see, before I ran this command it had like seven, almost 8,000 events, and after I ran this command there was only one that is left, which is the one that reflects that the audit logs have been cleared. And then, well, this is just the beginning; you can continue playing around, you can leave a ransom message like this one, you can ask for money, or whatever the objective of this fileless malware attack is.

Now, how can you protect against this type of attack vector? So it is really interesting and it's not that easy; it's a multi-layer solution that you have to implement in order to detect, in order to mitigate, and in order to be able to recover also from those types of attack vectors. So the first one would be making sure that everybody has good cyber security awareness training that is continually evaluated. Why? Because, as you saw, one of the first stages is to use social engineering techniques to ask someone to click on a hyperlink, to download something. So we need to make sure that our employees know how to detect those types of attack vectors; they need to know what phishing is, what vishing is, what SMS phishing is, and many other types of attack vectors.
We need to also evaluate, to make sure that people are aware of that and our systems are secure, and of course evaluate continually by coordinating penetration testing and vulnerability scanning continually to detect those types of vulnerabilities. And if possible, when you request a penetration test, also try to suggest or to request that part of the techniques used in the penetration test include social engineering testing, to make sure that people are aware, and verify whether people fall for those types of lies. Another recommendation: definitely make sure that you have a good antivirus, that you have an EDR, a solution that would enable us to detect not only patterns but also behavior, behavioral analytics, to detect if, as an example, there are some commands that are being executed after hours, commands that are normally not executed on those computers and suddenly they are being executed. Those behavior analytics should be implemented so you get notified in a timely manner and perform specific actions. Make sure that you monitor all your different communication systems, including your email, your chat systems, and keep an eye on the social media tools that you allow your co-workers to access, because social engineering could also be performed through Facebook or through any sort of social media tool. When I'm talking about EDR, there are many EDRs that are very useful and they are now designed to detect LOLBins usage. Here we can see an example: on this EDR the PowerShell execution has been monitored and it is triggering alerts based on some possible malicious activity that is being performed. Make sure that you only allow what is really required, minimalism, like least privilege. So make sure you apply good separation of duties, that you only allow specific ports to be open, specific commands to be executed. And as I said, I'm not saying don't go down there and disable PowerShell everywhere; if you need PowerShell, use it, but just keep an eye on the usage of tools such as PowerShell. If possible, try to also monitor those accounts that have a lot of privilege, like using a privileged account management system to keep an eye on the usage of those types of tools that could, for example, create a new service or disable a service, or many other types of malicious actions. If you want to use PowerShell, it's good, but make sure that you log, that you monitor. So how can you do it? There are many ways. One of the ways is to enable the PowerShell command execution logging in the Group Policy Editor, and that way, if you integrate those logs with a SIEM, for example (there are many open source SIEMs and also commercial SIEMs), then you will be able to create your own use cases and keep an eye on the usage of LOLBins and existing automation tools.

Also, as you saw, one of the actions that are performed during this process is not only using social engineering but also trying to analyze possible vulnerabilities and exploit them. So make sure that all your devices (computers, network devices, mobile devices, IoT, video cameras, whatever you have) have the latest patches implemented, the hotfixes applied in a timely manner, that you make sure that you're using the latest version of the applications, and that you also have a good software inventory, that you have control over what applications are installed, who is using them and why they are still using them. If any of those software packages are no longer required, make sure to delete those applications from your computers. And finally, of course, there's no one single tool that will protect you 100 percent against this type of attack vector, so make sure to implement a security-in-depth approach, as many layers as you can. It will make life more miserable for the attackers, and it will be a lot harder for them to recover their investment, because at the end they have to invest time, they have to invest money to try to perform an attack, right? So if we add many layers, they're going to see: okay, this company has too many layers, they have different types of security products, they know what they do, so let's try to attack someone else, let's try to use another vector; you know what, let's stop this attack, I'm losing money. Because attackers, at the end, are a cyber criminal organization; they also need to recover their investment. So make sure that you have good network security, endpoint security, application security, that you develop applications thinking about security from day one, operating system security, that you have a data leakage prevention system to keep an eye on outgoing traffic or outgoing information, and again, make sure that humans are not the weakest link in your chain. Make sure that they have the proper training, the proper knowledge, and that you evaluate that knowledge continually. All right, that's it. I don't know if you have any questions so far.

Host: Juan, thanks very much for the talk, it was really interesting. And for anybody watching the talk, you can use the live discussion tab on the bottom right of your screen to ask any questions. While we're waiting for any questions to come through, we have a few minutes. So you actually touched on everything, I suppose, start to finish, from education and training to implementing the security controls to detection, all of that, so it was actually a very interesting talk, so thanks for that. The things, I suppose, that captured my attention were, again, putting the attention and the focus on social engineering and training the human, as has been mentioned in a few talks today and actually in our keynote speech this morning. And unfortunately companies just don't want to spend the money; it's so difficult to get out of this idea of, you know, just read the policy and say I've read it, then we're fine, because this is what an auditor might ask. And I'm sure you see it all the time as a pentester; it's often the cause of just doing the bare minimum: what can we do that's going to make us fly through the audit, and forget about everything else.

Juan Raja: I do agree with you, I totally agree with you. Unfortunately, many companies think: I have a small and medium company, an SMB, so who's going to attack me? Normally attackers will try to attack big banks or they will try to attack big companies. That's not true. They are attacking those that have the worst type of security, those that don't have the proper detection system, those that don't have the proper awareness. So they don't care; they send it in batch, and sooner or later someone is going to be the victim. At the end there are only three types of companies: those that have been hacked, those that are being attacked right now, and those that are going to be attacked very soon.

Host: Yeah, you're not wrong. You also touched on, I suppose, the basic hygiene, so do your monitoring, least privilege and all that. And now you are heavily involved in cloud, so I bet you see it a lot of the time where maybe engineering teams haven't really, I suppose, updated their skills with regards to cloud native environments, the likes of Azure, AWS. So is it common that you see companies, say, like a hybrid company, so they have some on-prem infrastructure and they have, say, infrastructure in the cloud, say AWS, where everything appears to be fine on the on-prem side of the hybrid, but then the security controls aren't implemented correctly for the likes of, say, Lambda, because the developers haven't updated their skills, so the execution role potentially makes everything blow up and everybody can do anything on any resource. Is that something that you see?

Juan Raja: I see a lot of things.
so i i do agree that there are many companies that they start using new technologies because is the boom is is what are what what's everybody's doing but maybe they're not ready for that they need to make sure that they have the proper training that they update their knowledge um remember at the end what is in the cloud the cloud is someone else's data center so you are offloading some security things to the provider but most of the security responsibility is still on the customer remember the shared responsibility matrix so companies that wants to take advantage of the cloud because cloud has many advantages believe me many advantages and cloud technology is the future for sure
uh at least in the next five years remember the technology change so fast but at least right now i can say that cloud is the future so a company needs to make sure that they take advantage of that technology in a wise manner you know in a proper manner not just doing it because everybody's doing it make sure that you do it because you're ready make sure that you do it because you have the proper training you have the proper certifications and that you understand the technology um that you know what should be on a public cloud what should be in a private cloud how you're going to be monitoring at the end and the fact that it's on the
cloud again it means that it's in someone else's data center so you have to keep an eye on your assets digital assets absolutely and there's good feedback here and on the chat people are really enjoying your talk and there's no questions that are coming true so i'll just mention um one of the attendees was just trying to make a note and just to say to everybody this um you know if you're happy to share the slides and we'll share them with the attendees so the people watch this talk and but there's somebody just taking notes obviously as you were talking and they're saying um just to make sure they covered everything from the tools they got
crowdstrike exo beam and splunk did they miss anything any other tools that you had on your slide uh well from the tools perspective uh well there are many you know to be honest i shouldn't um there are so many options available that is not fair just to mention you know brands it's more like technologies you know no matter if you're using a commercial sim or a open source a sim because both can be very powerful the important thing is that you use the proper tools and they are properly configured that you know how to use them that you know how to take advantage of them so just make sure that you that you get familiar with this type of technologies
as i said crosstrek is is great you know but their older also other type of edrs available at the market so it's a it's a there are so many options that it will not be fair just to mention just a few products yeah what whatever works for everybody every organization is different and we still have a few minutes and actually a question came through and is there much difference in capabilities between lol bins on linux machines compared to windows the the risk is exactly the same the risk is exactly the same because at the end those are operating systems that are that has many tools for maintenance for a scheduling automatic task you know as i mentioned
you can do a chrome on linux and you can schedule tasks using the task scheduler on windows so the attack surface is basically very similar of course the command will be different but at the end if you think a little bit about it there are so many servers or so many servers especially servers running linux around the world so many desktops and laptops and why not servers of course running windows so both are very good examples but remember that this could be performed in other type of operating systems you know like mobile devices they have their own operating system operating system that are also able to process requests so this this is just the peak of the eyes work of so many things
that you can do uh using a lullabies australian thank you for that sure um there's no other questions coming true there is a comment um from somebody just feedback on your talk and somebody here says that the importance of having tech specs and hardened hardened specs has come true in your talk as well and that's another area companies don't really pay enough attention and it's something that leads to to these compromises that you are showing totally totally agree with you definitely thank you for sharing that comment definitely um okay so and we have two minutes left but there is no other questions coming through so um i guess and we can give people two minutes back juan thank
you so much for joining us that was a very interesting talk you're very welcome i hope you enjoyed the rest of your day and for the people watching uh oh actually there's a last minute question one don't go all right so the question is to be in a position to run these tools the attacker needs some level of privileges on the box what is the most common method you see of getting this so so first thing and this is a very common question that people ask me when i share when i talk about this this specific topic you don't need administrator rights on the victim computer as you saw all those attacks that i simulate were performed on a computer
a when where the user is just a normal a standard user you know a user that doesn't have a admin rights as an example so that is the first the first thing that you don't need like to perform a escalation privilege to be able to to execute fileless malware the second one how normally you will be able to obtain shell access well a social engineer is the best option you know you can use beef the browser expectation firmware you can send payloads you can use metaexploit to design your own payloads of course most if you you you create your payload to create your reverse engineer reverse shell many of the current antivirals are able to detect you know those type of
payloads so the best and more effective way is to create your own payloads you know because there is no signature available at that moment so most likely they will not be detected if you create your own advanced payloads to a you know obtain the reverse in reversal ireland okay thank you for that and that actually brings us to the end of this talk thank you again han it was very interesting and lots of nice discussion going on here in the chats