Understanding Fileless (or Non-Malware) Attacks and How to Stop Them


2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

WHO NEEDS MALWARE?

UNDERSTANDING FILELESS ATTACKS AND HOW TO STOP THEM


1. What are fileless attacks?
2. How does a fileless attack work?
3. Real-world examples
4. Why traditional approaches don't work
5. The CrowdStrike approach

POLL QUESTION

HOW WOULD YOU RATE YOUR KNOWLEDGE OF FILELESS ATTACKS, 1 TO 5 (1 = NONE, 5 = EXPERT)?


WHAT IS A FILELESS ATTACK


An attack that does not require a malicious executable file to be written to disk.


THE REALITY OF FILELESS ATTACKS

§ Fileless techniques are not new
§ More prevalent than ransomware: 24% vs. 21%
§ 78% of organizations are concerned about fileless attacks
§ Only 51% of breaches include malware (source: Verizon DBIR 2017)
§ Not all attacks are 100% fileless
§ 80% of attacks use some fileless techniques (source: CrowdStrike Incident Response)

FILELESS ATTACK TECHNIQUES


FILELESS TECHNIQUES

FILELESS INTRUSION TECHNIQUES OBSERVED BY THE FALCON PLATFORM

§ Spear phishing for credentials
§ Lateral movement using ‘living off the land’ tools (WMI, Unix commands, PowerShell)
§ Registry persistence
§ Webshells
§ PowerShell-based credential dumpers

WEBSHELL ATTACKS

1. Attacker identifies an organization with a vulnerable web application
2. Remote attacker uses SQL injection or another vulnerability to drop the payload
3. The vulnerable web server is compromised and becomes a backdoor

HOW A FILELESS ATTACK TAKES PLACE

Each stage is described by its goal, the technique used and the tools involved.

1. INITIAL COMPROMISE
   Goal: Gain access
   Technique: Remote access to a system using a web browser; can be a web scripting language, e.g. China Chopper
   Tools: Webshell

2. COMMAND AND CONTROL
   Goal: Recon
   Technique: Run system commands to find out where we are
   Tools: Sysinfo, Whoami

3. PRIVILEGE ESCALATION
   Goal: Dump credentials
   Technique: Run a PowerShell script such as Mimikatz to dump credentials
   Tools: PowerShell

4. PERSISTENCE
   Goal: Maintain persistence
   Technique: Modifies the Registry to create a backdoor, e.g. On-Screen Keyboard or Sticky Keys
   Tools: Registry

5. EXFILTRATION
   Goal: Exfiltrate data
   Technique: Uses system tools to gather data and the China Chopper webshell to exfiltrate it
   Tools: VSSAdmin, Copy, NET use, Webshell


REAL WORLD EXAMPLES

§ Fileless Malware: Kovter
§ Fileless Attack: Nation State


KOVTER

§ Click-fraud

§ Fileless after initial infection

§ Hides encrypted malicious modules in the registry

§ Hides other malicious modules in PowerShell scripts

§ Uses a shortcut file (.lnk) to download PowerShell scripts; the script launches PowerShell to start shellcode
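The Kovter slide says the malware keeps encrypted modules in the registry and launches them through PowerShell, so the artifact a defender can hunt for is an autorun entry that starts a script host and a registry value holding an opaque blob rather than a file on disk. The following is an added example, not CrowdStrike's code and not a Kovter signature; the registry entries are constructed, and the three heuristics (autorun value launching a script host, autorun command that references another registry path, large base64- or hex-looking value data) are assumptions about how registry-resident payloads show up in an export:

```python
"""Hunt a registry export for registry-resident payloads (added example).

Entries are (key, value_name, data) triples as you would get from a
registry export; the sample data below is constructed for illustration.
"""
import re
import shlex

# Script hosts and LOLBins that an autorun entry should rarely start directly.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "regsvr32.exe", "rundll32.exe"}
AUTORUN_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")
REGISTRY_ROOTS = ("hkcu", "hklm", "hkey_current_user", "hkey_local_machine")
BLOB_MIN_LEN = 1024                       # threshold is an assumption
BLOB_RE = re.compile(r"^(?:[A-Za-z0-9+/]+=*|[0-9A-Fa-f]+)$")   # base64 or hex only


def is_autorun_key(key):
    return key.lower().rstrip("\\").endswith(AUTORUN_SUFFIXES)


def launcher_image(command):
    """Basename of the program an autorun command line starts ('' if empty)."""
    try:
        tokens = shlex.split(command, posix=False)   # keep Windows backslashes literal
    except ValueError:                               # unbalanced quotes in the data
        tokens = command.split()
    if not tokens:
        return ""
    name = tokens[0].strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name if name.endswith(".exe") else name + ".exe"


def is_opaque_blob(data):
    """Long value made only of base64/hex characters: likely an encoded payload."""
    return len(data) >= BLOB_MIN_LEN and BLOB_RE.match(data) is not None


def hunt(entries):
    """Return (rule, key, value_name, detail) findings over registry entries."""
    findings = []
    for key, name, data in entries:
        if is_autorun_key(key):
            image = launcher_image(data)
            if image in SCRIPT_HOSTS:
                findings.append(("autorun_launches_script_host", key, name, image))
            low = data.lower()
            if any(root + "\\" in low or root + ":" in low for root in REGISTRY_ROOTS):
                findings.append(("autorun_references_registry_path", key, name, image))
        if is_opaque_blob(data):
            findings.append(("large_opaque_blob", key, name, f"{len(data)} chars"))
    return findings


# Constructed sample: one legitimate autorun, two loader-style autoruns, one
# blob value, and one long but readable value that must not be flagged.
RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_ENTRIES = [
    (RUN, "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (RUN, "WinUpdate", "mshta.exe javascript:CONSTRUCTED_PLACEHOLDER"),
    (RUN, "svc", r"powershell.exe -nop -w hidden -c CONSTRUCTED_PLACEHOLDER HKCU:\Software\Constructed\Stage"),
    (r"HKEY_CURRENT_USER\Software\Constructed\Stage", "blob", "QUJD" * 300),
    (r"HKEY_CURRENT_USER\Software\Constructed\Notes", "text", "lorem ipsum " * 120),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_ENTRIES):
        print(finding)
```

Run against a real export, the first two rules are the triage list (what starts at logon, and whether it pulls a stage out of the registry); the blob rule is noisy on its own, so treat it as corroboration for a key that an autorun entry already points at.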


NATION STATE ATTACK

§ Weaponization: Spoofed website

§ Delivery: Spear phishing

§ PowerShell modules connect to a remote server

§ Install/run Mimikatz

§ Lateral movement through stolen credentials

MOVING LATERALLY WITHOUT MALWARE

1. Attacker sets the bait with a fake website
2. Extract credentials from the initial victim
3. Move laterally to other hosts

HOW TO PROTECT AGAINST FILELESS ATTACKS


HOW WOULD YOU RATE YOUR CURRENT LEVEL OF PROTECTION AGAINST FILELESS ATTACKS (1 = POOR – 5 = EXCELLENT)


EDUCATE

83% rate the efficacy of traditional signature-based AV as good or excellent


WHY TRADITIONAL APPROACHES DON’T WORK

§ No file to analyze
§ No artifacts left behind
§ Blind if prevention fails
§ Uses legitimate applications
§ No file to detonate
§ Hands on keyboard

FALCON ENDPOINT PROTECTION

BENEFITS

§ Protects against all types of attacks: known/unknown malware and malware-free
§ Protect against zero-day attacks
§ Endpoint Detection and Response
§ Managed Threat Hunting

CAPABILITIES

§ Machine Learning
§ IOA Behavioral Blocking
§ Block Known Bad
§ Exploit Mitigation


INDICATORS OF ATTACK

1. Web server executes a process
2. Process conducts reconnaissance
3. Process elevates privileges
4. Process injects a thread into a system process
5. Injected thread reads credentials from the system process memory
6. Dumped credentials are used to log in to the Exchange server
7. Mailboxes are exported out of Exchange
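The indicator-of-attack chain above and the five-stage "how a fileless attack takes place" walkthrough earlier make the same point: with no file to scan, detection has to come from behaviour, in particular from which process started which, and from what those processes touch. The following is an added example, not CrowdStrike's code and not the Falcon platform's detection logic. It correlates constructed process-creation and registry events on one host: the web server worker executes a shell, that lineage runs recon commands and an encoded PowerShell command, sets an Image File Execution Options Debugger on an accessibility binary (the Sticky Keys backdoor from the persistence stage), and then runs the staging tools the exfiltration stage lists. Event shapes, image names, rule names and the stage mapping are assumptions made for this example.

```python
"""Indicator-of-attack correlation over constructed endpoint telemetry.

Added example, not CrowdStrike's or Falcon's logic.  Flags the slide's chain
(web server executes process -> recon -> PowerShell credential dumping ->
registry persistence -> exfiltration with built-in tools) from process
lineage and registry events; no file on disk is needed to raise any rule.
"""
from dataclasses import dataclass
from typing import Optional

WEB_SERVER_IMAGES = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe"}
RECON_IMAGES = {"whoami.exe", "systeminfo.exe", "hostname.exe", "ipconfig.exe"}
STAGING_IMAGES = {"vssadmin.exe", "xcopy.exe", "robocopy.exe"}
ACCESSIBILITY_BINARIES = {"sethc.exe", "osk.exe", "utilman.exe"}
# A Debugger value here swaps in another program for the accessibility tool
# the logon screen launches: the "sticky keys" backdoor on the slide.
IFEO_KEY = r"hklm\software\microsoft\windows nt\currentversion\image file execution options"

# Which stage of the slide's chain each rule evidences (assumed mapping).
STAGE_OF = {
    "web_server_executes_process": "initial compromise",
    "recon_from_web_server_chain": "recon",
    "powershell_from_web_server_chain": "credential dumping",
    "encoded_powershell": "credential dumping",
    "accessibility_debugger_persistence": "persistence",
    "staging_tool_from_web_server_chain": "exfiltration",
}


@dataclass
class Event:
    kind: str                   # "process" (creation) or "registry" (value set)
    pid: int
    ppid: Optional[int] = None
    image: str = ""             # basename of the executable
    cmdline: str = ""
    key: str = ""               # registry events only
    value_name: str = ""
    data: str = ""


def build_lineage(events):
    """pid -> (image, ppid) for every process-creation event in the batch."""
    return {e.pid: (e.image.lower(), e.ppid) for e in events if e.kind == "process"}


def descends_from_web_server(pid, lineage, max_depth=8):
    """True if pid or an ancestor within max_depth is a web server worker."""
    depth = 0
    while pid in lineage and depth < max_depth:
        image, ppid = lineage[pid]
        if image in WEB_SERVER_IMAGES:
            return True
        pid, depth = ppid, depth + 1
    return False


def has_encoded_flag(cmdline):
    """PowerShell accepts any unambiguous prefix of -EncodedCommand."""
    return any(tok.lstrip("-/") in {"e", "ec", "enc", "encodedcommand"}
               for tok in cmdline.lower().split())


def analyze(events):
    """Return (rule, pid, detail) findings for one batch of events."""
    lineage = build_lineage(events)
    findings = []
    for e in events:
        if e.kind == "process":
            image = e.image.lower()
            parent_image = lineage.get(e.ppid, ("", None))[0]
            in_web_chain = descends_from_web_server(e.ppid, lineage)
            if parent_image in WEB_SERVER_IMAGES:
                findings.append(("web_server_executes_process", e.pid, image))
            if image in RECON_IMAGES and in_web_chain:
                findings.append(("recon_from_web_server_chain", e.pid, image))
            if image == "powershell.exe" and in_web_chain:
                findings.append(("powershell_from_web_server_chain", e.pid, e.cmdline))
            if image == "powershell.exe" and has_encoded_flag(e.cmdline):
                findings.append(("encoded_powershell", e.pid, e.cmdline))
            is_net_use = image == "net.exe" and "use" in e.cmdline.lower().split()
            if (image in STAGING_IMAGES or is_net_use) and in_web_chain:
                findings.append(("staging_tool_from_web_server_chain", e.pid, e.cmdline))
        elif e.kind == "registry":
            parent, _, target = e.key.lower().rpartition("\\")
            if (parent == IFEO_KEY and target in ACCESSIBILITY_BINARIES
                    and e.value_name.lower() == "debugger"):
                findings.append(("accessibility_debugger_persistence", e.pid,
                                 f"{target} Debugger={e.data}"))
    return findings


def stages_observed(findings):
    """Stages of the slide's chain that the findings cover."""
    return {STAGE_OF[rule] for rule, _, _ in findings}


# Constructed telemetry: pid 100 is the IIS worker a webshell runs inside,
# pids 200-401 are its descendants, pid 500 is an unrelated interactive command.
SAMPLE_EVENTS = [
    Event("process", 100, 4, "w3wp.exe", "w3wp.exe -ap DefaultAppPool"),
    Event("process", 200, 100, "cmd.exe", "cmd.exe /c whoami"),
    Event("process", 201, 200, "whoami.exe", "whoami"),
    Event("process", 202, 200, "systeminfo.exe", "systeminfo"),
    Event("process", 300, 200, "powershell.exe", "powershell.exe -nop -w hidden -enc QUJDRA=="),
    Event("registry", 300, key=r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                               r"\Image File Execution Options\sethc.exe",
          value_name="Debugger", data="cmd.exe"),
    Event("process", 400, 200, "vssadmin.exe", "vssadmin list shadows"),
    Event("process", 401, 200, "net.exe", r"net use Z: \\fileserver\share"),
    Event("process", 500, 7, "whoami.exe", "whoami"),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
    print("stages:", sorted(stages_observed(analyze(SAMPLE_EVENTS))))
```

The lineage walk is what makes this work without a file: a recon command or `net use` is unremarkable from an interactive session (pid 500 is deliberately not flagged) and only becomes an indicator because its ancestry runs back to the web server worker. Real telemetry also needs parent-pid reuse handling and full image paths, which this toy omits.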


KEY TAKEAWAYS

§ The threat is real
§ Traditional AV is not enough
§ Current defenses do not work
§ Need to think beyond malware and focus on stopping the breach


Questions? Please submit all questions in the Q&A chat right below the presentation slides.

CONTACT US / ADDITIONAL INFORMATION

§ Join Weekly Demos: crowdstrike.com/productdemos
§ Featured Asset: How Adversaries Use Fileless Attacks To Evade Your Security (link in Resource List)
§ Website: crowdstrike.com
§ Email: info@crowdstrike.com
§ Number: 1.888.512.8902 (US)
