Security 101: How Fileless Attacks Work and Persist in Systems
As security measures get better at identifying and blocking malware and other threats, modern adversaries are constantly crafting sophisticated techniques to evade detection. One of the most persistent evasion techniques involves fileless attacks, which do not require malicious software to break into a system. Instead of relying on executables, these threats misuse tools that are already in the system to initiate attacks.
The 2019 Trend Micro security roundup mentioned how common fileless threats have become. By tracking non-file-based indicators and through technologies like endpoint detection and response, we blocked more than 1.4 million fileless events in the past year. The trend was expected, given the stealth and persistence that fileless threats can grant an attacker. It was also evident, based on the numerous malware campaigns observed using fileless components and techniques in their attacks.
What is a fileless attack? How do attackers infiltrate systems without installing software?
The term “fileless” suggests that the threat or technique does not require a file on disk; instead, it lives in the memory of a machine. Fileless functionalities can be involved in execution, information theft, or persistence, and an attack chain does not have to be truly “fileless” from end to end: only some of its stages may use fileless techniques in some form.
Fileless threats leave no trace after execution, making them challenging to detect and remove. Fileless techniques allow attackers to access the system, thereby enabling subsequent malicious activities. By manipulating exploits, legitimate tools, macros, and scripts, attackers can compromise systems, elevate privileges, or spread laterally across the network.
Fileless attacks are effective in evading traditional security software detection, which looks for files written to a machine’s disk to scan them and assess if they are malicious. Such threats are not as visible since they can be executed in a system’s memory, reside in the registry, or abuse commonly whitelisted tools like PowerShell, Windows Management Instrumentation (WMI), and PsExec.
Many fileless threats abuse the task automation and configuration management framework PowerShell, which is a built-in feature on many Windows operating systems. The Microsoft framework accesses application programming interfaces (APIs) that execute crucial system and application functions. Attackers find it appealing because it allows them to distribute payloads and execute malicious commands filelessly.
WMI is another built-in Windows component used to carry out system tasks on endpoints, which also makes it ideal for conducting attacks. Attackers abuse WMI for code execution, lateral movement, and persistence; WMI repositories can also be used to store malicious scripts that can be invoked at regular time intervals. PowerShell and WMI are typically used in enterprise networks to automate system administration tasks. Attackers commonly take advantage of these tools because they can be used to bypass signature-based detection systems, maintain persistence, exfiltrate data, and further other malicious motives.
While fileless attacks are by no means new, they are becoming a staple in many attackers’ arsenals. View our infographic, Fileless Threats 101: How Fileless Attacks Work and Persist in Systems, to learn about the common fileless attacks in the wild, techniques to look out for, and security measures that can be adopted to prevent an adversary from breaching your security.
How can organizations defend against fileless threats?
The variety of fileless techniques allows attacks to be persistent, which in turn can affect the integrity of an organization’s business infrastructure. Despite the lack of a discrete binary or executable, fileless threats can still be thwarted by users and enterprises.
Combating fileless attacks requires a multilayered or defense-in-depth approach that does not depend on traditional, file-based countermeasures to mitigate threats. Organizations should secure systems, uninstall unused or non-critical applications, and monitor network traffic.
Employing behavior monitoring mechanisms can keep track of unusual modifications to software and applications like PowerShell and WMI. Custom sandbox and intrusion detection and prevention systems can also help deter suspicious traffic like C&C communication or data exfiltration.
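The WMI persistence described earlier (scripts stored in the WMI repository and invoked at intervals) is built from three objects: an event filter, an event consumer, and a binding between them. Behavior monitoring can correlate these three records to surface subscriptions whose consumer launches a script interpreter. The following script is an added example, not from the original article or a Trend Micro product; the log records it processes are constructed in a simplified key="value" style modelled on Sysmon WmiEvent records (IDs 19, 20 and 21), and the benign "SCM Event Log" subscription is included as a baseline that should not be flagged.

```python
"""Flag WMI permanent event subscriptions that launch script interpreters.
Added example. Records are constructed (Sysmon-style: 19 = filter,
20 = consumer, 21 = filter-to-consumer binding), not real telemetry."""
import re

SAMPLE_LOG = """\
EventID="19" Operation="Created" Name="BackupFilter" Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
EventID="20" Operation="Created" Name="BackupConsumer" Type="Command Line" Destination="powershell.exe -NoP -W Hidden -EncodedCommand CONSTRUCTED_PLACEHOLDER"
EventID="21" Operation="Created" Consumer="CommandLineEventConsumer.Name=BackupConsumer" Filter="__EventFilter.Name=BackupFilter"
EventID="19" Operation="Created" Name="SCM Event Log Filter" Query="SELECT * FROM MSFT_SCMEventLogEvent"
EventID="20" Operation="Created" Name="SCM Event Log Consumer" Type="NT Event Log" Destination="sid=S-1-5-32-544"
EventID="21" Operation="Created" Consumer="NTEventLogEventConsumer.Name=SCM Event Log Consumer" Filter="__EventFilter.Name=SCM Event Log Filter"
"""

# Consumer types that run arbitrary commands or scripts on the host.
EXEC_CONSUMER_TYPES = {"Command Line", "Active Script"}
INTERPRETER_RE = re.compile(r"\b(powershell|pwsh|wscript|cscript|mshta|cmd)(\.exe)?\b", re.I)
# Polling (WITHIN n) or timer-based filters make the subscription fire repeatedly.
RECURRING_RE = re.compile(r"\bWITHIN\b|__TimerEvent|IntervalTimerInstruction", re.I)

def parse_record(line):
    """Turn one key="value" record into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def find_script_subscriptions(log_text):
    """Correlate filters, consumers and bindings; return the suspicious bindings."""
    filters, consumers, bindings = {}, {}, []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("EventID") == "19":
            filters[rec["Name"]] = rec.get("Query", "")
        elif rec.get("EventID") == "20":
            consumers[rec["Name"]] = (rec.get("Type", ""), rec.get("Destination", ""))
        elif rec.get("EventID") == "21":
            # Binding references look like "<ConsumerClass>.Name=<name>".
            bindings.append((rec["Consumer"].split("Name=", 1)[1], rec["Filter"].split("Name=", 1)[1]))
    findings = []
    for consumer_name, filter_name in bindings:
        ctype, dest = consumers.get(consumer_name, ("", ""))
        query = filters.get(filter_name, "")
        reasons = []
        if ctype in EXEC_CONSUMER_TYPES:
            reasons.append(f"executing consumer type: {ctype}")
        if INTERPRETER_RE.search(dest):
            reasons.append("script interpreter in consumer command")
        if reasons and RECURRING_RE.search(query):
            reasons.append("recurring trigger (polling/timer query)")
        if reasons:
            findings.append({"filter": filter_name, "consumer": consumer_name,
                             "query": query, "command": dest, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_script_subscriptions(SAMPLE_LOG):
        print(f"{f['consumer']} <- {f['filter']}: {'; '.join(f['reasons'])}")
```

On a live host, the same correlation can be done against the `root\subscription` namespace itself rather than logs, but log-based correlation also catches subscriptions that were created and later removed.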
The Trend Micro™ XDR solution provides cross-layer detection and response across emails, endpoints, servers, cloud workloads, and networks by using powerful AI and expert security analytics to detect, investigate, and respond to a wide range of cybersecurity threats like fileless attacks.
The Trend Micro Apex One™ protection employs a variety of threat detection capabilities, notably behavioral analysis that protects against malicious scripts, injection, ransomware, memory and browser attacks related to fileless threats. Apex One Endpoint Sensor provides context-aware endpoint investigation and response (EDR) that monitors events and quickly examines what processes or events are triggering malicious activity.
The Trend Micro Deep Discovery™ solution has a layer for email inspection that can protect enterprises by detecting malicious attachments and URLs. Deep Discovery can detect remote scripts even if they are not downloaded to the physical endpoint.