Fileless malware: What tools can jeopardize your system?

A new report from CrowdStrike Inc. shows a rise in the amount of malware-less attacks that leveraged native software and command-line tools within an organization. What are some of the command-line tools that pose risks, and what can enterprises do to make sure they're not abused?

Attackers are always finding new and creative ways around our defenses. A new report from CrowdStrike showed that 66% of the attacks they investigated were either fileless malware or malware free -- meaning that attackers are leveraging admin system functions in Windows-based operating systems or malware that's running directly from memory.

Using memory-based or admin functions to delay detection is called living off the land, as the attackers are using legitimate tools to accomplish their goals. This is a game-changer in malware, and it is turning the antivirus industry somewhat on its head.

Some of the most commonly exploited services on Windows machines are Windows Management Instrumentation (WMI) and PowerShell. Attackers don't need to install software on the systems they're attacking because these services use built-in Windows tools to attack their targets. This means that any solution still relying on signatures won't detect these attacks -- making next-generation tools rely on script control, which can be difficult.

PowerShell has been the weaponized Windows service of choice for attackers using malware-less attacks against adversaries for quite some time. It's also integrated into the Windows operating system, which makes it difficult to remove. If PowerShell is used during these attacks to run code remotely, access the system or attack systems laterally, it can be difficult to detect.

PowerShell has been the weaponized Windows service of choice for attackers using malware-less attacks against adversaries for quite some time.

Because this service is part of the OS, the commands and scripts are trusted by the operating system -- so the attackers fully control the system. PowerShell can also be used to launch malware attacks that are able to propagate through the network because the commands can attack other systems in the domain.

Another popular way that fileless malware is used is through WMI. With this exploit, attackers pretty much control the system, and they can make changes to remote systems, install software, make configuration changes and adjust files. It's an admin tool, a good one at that, and when used by admins, it can greatly assist with managing the enterprise. However, when WMI is used by attackers, it can greatly assist with compromising your network. There are ways to disable WMI, but that could limit many things in your network.

A few years back, we said deception in the network was a key way to identify attackers when they were in your organization because they didn't know what was real. This cloaking of systems can alert us of attackers proactively.

Attackers have taken a similar approach with fileless malware, and they now disguise their attacks as legitimate traffic using fileless, memory-driven exploits working with tools allowed by admins. Patching your systems against vulnerabilities, running behavioral technology to determine when something is out of the ordinary and limiting vulnerabilities in your network are ways to limit the risk of malware-less attacks.

We need a fully layered approach to detect these threats; prevention is always welcome, but in today's day and age, we're looking to detect and contain threats in our network, so creating a layered approach is the best method to defend against fileless malware.

Ask the expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)