One Article Review
| Source |  AlienVault Blog |
|---|---|
| Identifiant | 1035285 |
| Date de publication | 2019-02-21 14:00:00 (vue: 2019-02-21 16:00:44) |
| Titre | Fileless Malware Detection: A Crash Course |
| Texte |
Given you’re here, you’re likely new to this topic, so please be aware in that fileless malware, fileless malware attack, and fileless attack are different words for the same thing. With that clear, let’s jump in!
What is Fileless Malware and How Does It Work?
There are many definitions of a fileless malware attack. I like the description from the Poneman Institute:
"A fileless attack is really an attack technique - what we're talking about is a technique - that avoids downloading malicious, executable files, usually to disk, at one stage or another by using exploits, macros, scripts, or legitimate system tools instead. Once compromised, these attacks also abuse legitimate systems and admin tools and processes to gain persistence, elevate privileges, and spread laterally across the network."
What's most confusing about these attacks is that they might not be 100% file-free. Typically, different technique types are termed “fileless”, but that doesn't mean the malware or an entire attack campaign won’t include executables at some stage. For example, a traditional phishing attack could have components of a fileless attack in it. Instead of opening the file, clicking on a link and it downloading something to your hard drive, malware may just run in your computer’s memory. It’s a phishing attack, but one piece is fileless. That scenario is more common than a completely fileless malware attack where everything is running in memory. More commonly, we're going to see traditional attacks: phishing campaigns, spoofs, Man in the Middles (MiTM), where something in the attack vector includes malicious code that runs in memory.
The other point is that you might hear “fileless attacks” referred to as non-malware attacks, memory-based attacks, in-memory attacks, zero footprint attacks, and macro attacks. These are all different flavors of attack techniques. The whole premise behind the attack is that it is designed to evade protection by traditional file-based or signature-based tools. So any technique designed to try to circumvent or evade detection by those tools really falls into the fileless attack category.
Just to get a picture of some of those techniques, in the picture below on the left there are some example delivery methods we see for fileless types of attacks. As we know, phishing and social engineering remain tactics that work for attackers.
This nice diagram from Microsoft that shows a full taxonomy of fileless threats. The diagram shows the breadth of different types of techniques and different types of tools, tactics, and procedures that malicious attackers are using to launch attacks.
There has been an increase in these attacks. McAfee puts it at 432% growth year over year in Powershell malware that they've witnessed. And SentinelOne found a 94% increase in just the first half of 2018.
We're seeing these attack methods persist because they are effective. Attackers are also looking for ways to infiltrate that don't require some kind of vulnerability exploit, to evade detection.
Trusted Admin Tools Leveraged for Fileless Attacks
Living off the land is the use of trusted admin tools to conduct mali |
| Envoyé | Oui |
| Condensat | /30/598270764/alienvault > blogs com/ course crash dblitz detection: fileless malware |
| Tags | Malware |
| Stories | |
| Notes | |
| Move | 
|
L'article ne semble pas avoir été repris aprés sa publication.
L'article ne semble pas avoir été repris sur un précédent.