September 4, 2019 | By Michael Wainshtain, Technical Team Leader
What Is Fileless Attack?
Are you wondering what a Non-Malware or Fileless attack is? It is described as an attack in which an attacker uses existing applications, software, and protocols to gain access into and control your computers. Even if you don’t download any malware files, this type of attack or a threat can be executed while leveraging already installed programs on a client machine. Usually, signed\known applications such as PowerShell or Windows Management Instrumentation (WMI) can be used to deliver the malicious payloads.
Examples of Fileless attacks
The two important scenarios below describe how Fileless attack can take place:
PowerShell goes out to the internet (www.attacker.com), downloads a piece of code and executes it in memory without writing anything to the disk, and success!
You compose a malicious DLL (cobalt, Metasploit), base64 encode it, and copy it to victim machine, short c# code to reflect the Base64 DLL in memory, load it, run it, and success!
Why is it hard to detect?
- It doesn’t affect the disk in any way.
- It was loaded during the routine process of executing the scripts (that is, wscript.exe, powershell.exe, and msbuild.exe).
- It doesn’t leave any trace on the disk, and limits forensics analysis.
What can you do?
Seeing how sneaky a Fileless attack is, here are some essentials steps you can take to mitigate this type of threats:
- You can monitor for signed binaries execution and audit process creation with full command lines.
- You should monitor network traffic.
- You must turn off unnecessary application features \ uninstall unused applications.
- You should enable AMSI (Anti-malware scan interface) on supported platforms.
- You need to deploy EDR product with Behavior monitoring capabilities.
It is imperative that you take the steps highlighted above to protect your computing systems from Fileless attacks.