This document discusses fileless attacks, which use existing software and authorized protocols to carry out malicious activities without downloading files. Fileless attacks can use things like PowerShell, WMI, browsers, and Office applications to connect to command and control servers and execute malicious scripts in memory only. Some behaviors and evidence of fileless attacks include unusual child processes starting, legitimate DLLs loading from unexpected parents, and applications like Word or Excel invoking PowerShell or making network connections. The document demonstrates detecting fileless attacks using Event IDs in Windows logs related to process creation and PowerShell pipeline execution details.
6. Definition and Difference
Fileless attack
[Diagram: Outlook → Firefox → Flash → script (</>) → C&C]
A non-malware/fileless attack is one in which an attacker uses existing software, allowed applications and authorized protocols to carry out malicious activities.
Example 1:
A user visits a website using Firefox, from a link in a phishing email.
On this page, a vulnerable version of Flash is loaded.
Flash invokes PowerShell and feeds it instructions through the command line, all operating in memory.
PowerShell connects to a stealth command and control server, where it downloads a malicious PowerShell script that finds sensitive data and sends it to the attacker.
This attack never downloads any malware.
7. Definition and Difference
Fileless attack
Example 2 (flow): Phishing email → xlsM/docM → PowerShell script → builds C# → runs csc to create np.exe → cmd → installutil.exe → installs np.exe in memory → contacts C&C
8. Possible behaviors and evidence
Weird child process starting up.
Legitimate .dll loads from an unusual parent. Eg. System.Management.Automation.dll or wbemdisp.dll: PowerShell should not be loaded by Word, Excel or JPEG.
Weird user accounts.
Other powerful Windows processes loaded by an unusual parent:
Cmd.exe
Wmic.exe
Rdp.exe
Csc.exe
Powershell.exe
Cscript.exe
Wscript.exe
Network connections, e.g. Word connecting to port 80.
Strange DNS queries.
9. Possible behaviors and evidence
iexplore.exe || chrome.exe || firefox.exe || outlook.exe calling PowerShell or WMI
word.exe || excel.exe || ppt.exe calling PowerShell or WMI, or connecting on port 80
Rule: (word.exe||excel.exe||mshta.exe||rundll32.exe||java.exe) && powershell.exe (Event ID 3221)
Rule: (ExecutionPolicy||Bypass||DownloadFile||DownloadString||Webclient) && powershell.exe (Event ID 3221)
11. How to catch it using ET
Event ID 3221: monitor weird parent-child process calls.
A new process has been created.
Process Name: powershell.exe
Image File Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Account Name: Administrator
Account Domain: WIN-5UXXX235
New Process ID: 2808
Creator Process ID: 20700
Creator Process Name: EXCEL.EXE
Creator Image File Name: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
System Name: WIN-5UJ2KEEAF5A
File Version: 6.3.9600.17396
File Description: Windows PowerShell
Product Name: Microsoft® Windows® Operating System
Product Version: 6.3.9600.17396
Process Command Line: Powershell -File "E:\Path\clear_sec_log.ps1"
File Size: 478720(Bytes)
Last Modified Time: 2014-10-29T02:16:41Z
Signed: No
Signer: N/A
Signed On: N/A
Counter Signed: No
Counter Signer: N/A
Counter Signed On: N/A
Session ID: 3
UserSid: S-1-5-21-3561416639-4205259430-1550782985-500
Token Elevation Type: TokenElevationTypeDefault(1)
LogonId: 0xa01a59
Token Integrity Level: High
Hash (MD5): c031e215b8b08c752bf362f6d4c5d3ad
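As an added example (not code from the original slides), a small Python checker that parses a record in the layout of the Event ID 3221 entry above and applies the slide 9 parent-child and command-line rules; the sample record is constructed here, and wmic.exe stands in for the slides' "WMI" child process.

```python
import re

# Constructed sample in the same "Key: Value" layout as the Event ID 3221
# record above (fields not needed by the rules are omitted).
SAMPLE_EVENT = """A new process has been created.
Process Name: powershell.exe
Creator Process Name: EXCEL.EXE
Process Command Line: Powershell -ExecutionPolicy Bypass -File "E:\\Path\\clear_sec_log.ps1"
"""

# Parents that should not be spawning script hosts (slides 8 and 9).
SUSPICIOUS_PARENTS = {"word.exe", "excel.exe", "ppt.exe", "mshta.exe", "rundll32.exe",
                      "java.exe", "iexplore.exe", "chrome.exe", "firefox.exe", "outlook.exe"}
# Child processes the rules care about; wmic.exe is assumed as the "WMI" process.
SCRIPT_HOSTS = {"powershell.exe", "wmic.exe"}
# Command-line keywords from the second slide 9 rule (matched case-insensitively).
SUSPICIOUS_ARGS = ("executionpolicy", "bypass", "downloadfile", "downloadstring", "webclient")


def parse_event(text):
    """Turn 'Key: Value' lines into a dict with lower-cased keys."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def classify(text):
    """Return the rules a record matches; an empty list means no alert."""
    ev = parse_event(text)
    child = ev.get("process name", "").lower()
    parent = ev.get("creator process name", "").lower()
    cmdline = ev.get("process command line", "").lower()
    hits = []
    # Rule 1: unusual parent -> script host (e.g. EXCEL.EXE -> powershell.exe).
    if child in SCRIPT_HOSTS and parent in SUSPICIOUS_PARENTS:
        hits.append(f"unusual parent: {parent} -> {child}")
    # Rule 2: powershell.exe launched with download / policy-bypass arguments.
    if child == "powershell.exe":
        found = [a for a in SUSPICIOUS_ARGS if a in cmdline]
        if found:
            hits.append("suspicious arguments: " + ", ".join(found))
    return hits


if __name__ == "__main__":
    for hit in classify(SAMPLE_EVENT):
        print("ALERT:", hit)
```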