How can we turn discussions about the vague notion of fileless attacks into constructive, specific conversations?

The existence of the phrase fileless attacks in security discourse signals the importance of these types of threats. The term emerged from the need to discuss tactics that evade detection by avoiding placing malicious files on disk. However, to meet the challenge of fileless attacks, we need to disambiguate this term to understand the variety of techniques it covers, so we can recognize how it affects specific environments and defenses.

Fileless attacks incorporate a variety of tactics that allow adversaries to compromise endpoints despite the presence of anti-malware controls such as antivirus and application whitelisting. Below is an overview of the methods involved in such attacks, presented to bring clarity and specificity to discussions of fileless threats. Let’s examine the specific techniques that comprise fileless attacks and why they often go undetected by existing defenses.

Technique #1: Malicious Documents

Attacks that many professionals classify as fileless often involve document files. In such scenarios, the adversary supplies the malicious document—typically as an email attachment—for one of the following purposes:

  • Documents can act as flexible containers for other files. The attacker can embed a JavaScript file in a Microsoft Office document, for instance, and social-engineer the recipient to double-click the embedded file to execute the script. Other document types that can carry files include PDF and RTF. Since this capability is a feature of the respective applications, anti-malware technologies generally don’t interfere with its use.
  • Documents can carry exploits that execute malicious code. The complexity of today’s document features offers a generous attack surface for exploiting vulnerabilities such as parsing bugs. In such scenarios, the exploit can trigger the execution of the bundled shellcode in memory of the compromised application, giving the attacker a foothold on the endpoint even without saving the code to the file system.
  • Documents can execute malicious logic that begins the infection. Modern documents support powerful scripting capabilities, such as Microsoft Office’s ability to execute VBA macros. Such features allow the attacker to implement malicious logic without a compiled executable, taking advantage of the weakness of many anti-malware tools at distinguishing between nefarious and benign scripts. Document script abilities include launching programs and downloading malicious code.

Though documents reside on the endpoint’s file system, they offer adversaries an opportunity to avoid placing traditional malicious executables on disk. In many cases, the document leads to the execution of malicious code directly in memory of the endpoint as part of the fileless infection. For an example of how attackers use documents to initiate an attack, see Omri Moyal’s write-up about the misuse of Microsoft Office support for DDE. For another scenario, take a look at the post about attackers inserting themselves into the conversation to spread malware.

Technique #2: Malicious Scripts

Consistent with the objective to avoid compiling malicious code into traditional executables, malware authors rely on scripts during attacks that have fileless attributes. Beyond the scripts supported natively by documents, as mentioned above, the scripts that run directly on Microsoft Windows provide adversaries with the following advantages:

  • They can interact with the OS without restrictions that some applications, such as web browsers, might impose on the script.
  • They are harder for anti-malware vendors to detect and control than compiled malicious executables.
  • They offer a flexible opportunity to split malicious logic across several processes to evade behavioral detection.
  • They can be obfuscated to slow down analysts and further evade detection by anti-malware technologies.

Microsoft Windows includes script interpreters for PowerShell, VBScript, batch files and JavaScript. The tools that attackers invoke to run these scripts include powershell.exe, cscript.exe, cmd.exe and mshta.exe. With the addition of the Windows Subsystem for Linux, Microsoft offers even more scripting technologies on the endpoint. For an example of the challenges that enterprises face to restrict the misuse of these tools, see Gal Bitensky’s post that discusses the Invoke-NoShell utility.

Attackers can use frameworks that obfuscate scripts without having to implement such evasion tactics themselves. These measures include Daniel Bohannon’s Invoke-Obfuscation for PowerShell and Invoke-DOSfuscation frameworks. To see such tactics in actions, review Minerva’s analysis of Emotet’s script obfuscation.

Technique #3: Living off the Land

Discussions of fileless attacks often include the misuse of the numerous utilities built into Microsoft Windows. These tools allow adversaries to trampoline from one stage of the attack to another without relying on compiled malicious executables. This mode of operation is sometimes called “living off the land.”

Once the adversary’s malicious code can interact with local programs, possibly by starting the infection with a document, the attacker can misuse the utilities built into the OS to download additional malicious artifacts, launch programs and scripts, steal data, move laterally, maintain persistence, and more. The many tools that attackers invoke for these purposes include regsvr32.exe, rundll32.exe, certutil.exe and schtasks.exe. For a comprehensive listing and description of such built-in binaries, libraries and scripts that attackers misuse in this manner see Oddvar Moe’s LOLBAS project.

Windows Management Instrumentation (WMI), built into the OS, offers attackers additional opportunities to live off the land. WMI allows adversaries to interact with most aspects of the endpoint with the help of the wmic.exe executable (and some others) as well as by using scripts (e.g., PowerShell). Since these actions involve only trusted, built-in Windows capabilities, they are difficult for anti-malware technologies to detect and restrict. For a comprehensive explanation of how WMI can assist with fileless attacks, see Matt Graeber’s paper Abusing WMI to Build a Persistent, Asynchronous, and Fileless Backdoor.

Attackers dramatically increase their chances of evading anti-malware tools, including antivirus and application whitelisting measures, by relying on such benign and trusted utilities. For additional examples of such techniques, see Matthew Dunwoody’s overview of APT29’s use of WMI and PowerShell to plant fileless backdoors.

Technique #4: Malicious Code in Memory

While examining files on disk is the strength of many anti-malware products, they often struggle with malicious code that resides solely in memory. Memory is volatile and dynamic, giving malware the opportunity to change its shape or otherwise operate in the blind spot of antivirus and similar technologies.

Once the attacker starts executing malicious code on the endpoint, possibly using the methods outlined above, the adversary can unpack malware into memory without saving artifacts to the file system. This can involve extracting the code into the process’ own memory space. In other cases, malware injects the code into trusted and otherwise benign processes.

Examples of in-memory attack techniques include the following:

  • Memory injection utilizes features of Microsoft Windows to interact with the OS without exploiting vulnerabilities. For instance, API calls often abused by malware for injection include VirtualAllocEx and WriteProcessMemory, which allow one process to write code into another process. To see these techniques in action, read Gal Bitensky’s overview of the AZORult attack.
  • Attackers can wrap compiled executables into scripts that extract malicious payload into memory during runtime. One example of such toolkits is PowerSploit, which you can see in action by reading the GhostMiner analysis by Asaf Aprozper and Gal Bitensky. Chris Truncer’s Veil Framework is another example.
  • Process Doppelgänging is an example of an approach to avoiding the file system that doesn’t involve memory injection in a classic sense. Instead, the attacker misuses NTFS transaction capabilities built into Microsoft Windows to temporarily modify a trusted file in memory without committing changes to disk. SynAck malware used this evasion technique, as described by Anton Ivanov, Fedor Sinitsyn and Orkhan Mamedov.

In-memory techniques allow attackers to bypass many anti-malware controls, including application whitelisting. Though antivirus tools try to catch memory injection, adversaries’ consistent ability to infect endpoints highlights their limitations. Asaf Aprozper’s CoffeeShot tool demonstrates the brittle nature of such detection attempts by implementing an injection method in Java.

Nowadays, Fileless is the Norm

While some attacks and malware families are fileless in all aspects of their operation, most modern malware that evades detection nowadays includes at least some fileless capabilities. Rather than attempting to decide whether the threat is fileless in its entirety, it’s more fruitful to consider what tactics it employs to get past enterprise defenses. They will likely involve a combination of the techniques discussed above, including the use of malicious documents, scripts, living off the land and memory injection. Such fileless methods have become the new norm.

Attacks with fileless attributes benefit from features of applications and the OS, exploiting the difficulties that anti-malware tools experience when attempting to detect and prevent their misuse. This is why enterprises are increasingly looking at Minerva’s Anti-Evasion Platform, which is uniquely designed to interfere with fileless tactics, compensating for the weaknesses inherent to detection-based security approaches.