Fileless malware is an insidious threat that leverages legitimate system tools and resides in memory, making it challenging to detect and mitigate. As a SOC analyst or DFIR practitioner, understanding how to identify and respond to such threats is crucial for maintaining a robust security posture. This guide provides detailed insights into detecting fileless malware using various tools and techniques.
Fileless malware is a type of malicious activity that uses native, legitimate tools built into a system to execute a cyber attack. Unlike traditional malware, fileless malware does not require an attacker to install any code on a target’s system, making it hard to detect. This technique of using native tools to conduct a malicious attack is sometimes referred to as living off the land or LOLbins.
While attackers don’t have to install code to launch a fileless malware attack, they still need to get access to the environment so they can modify its native tools to serve their purposes. Access and attacks can be accomplished in several ways, such as through the use of:
Exploits are pieces of code, sequences of commands, or collections of data, and exploit kits are collections of exploits. Adversaries use these tools to take advantage of vulnerabilities in an operating system or an installed application. Exploits are efficient for launching fileless malware attacks because they can be injected directly into memory without writing to disk.
Registry resident malware installs itself in the Windows registry to remain persistent while evading detection. This type of malware uses a dropper program that writes malicious code straight into the Windows registry, launching every time the OS starts.
Memory-only malware resides only in memory. An example is the Duqu worm, which remains undetected because it resides exclusively in memory. Duqu 2.0, a more advanced version, offers additional features such as reconnaissance, lateral movement, and data exfiltration.
Fileless ransomware embeds malicious code in documents using native scripting languages like macros or writes the code directly into memory via an exploit. The ransomware then hijacks native tools like PowerShell to encrypt files without writing a single line to disk.
Attackers may use stolen credentials to access their target under the guise of a legitimate user. Once inside, they can use native tools such as WMI or PowerShell to conduct their attack and establish persistence by hiding code in the registry or the kernel.
Memory forensics is crucial for detecting fileless malware. Tools like Volatility and Rekall can analyze RAM dumps to identify malicious processes and code injections.
Volatility Example:
Use the windows.pslist command to identify active processes and dlllist to check for injected DLLs.
You can learn more about memory analysis with this Memory Forensics course:
Behavioral analysis involves monitoring system and network behaviors for anomalies. SIEM systems like Splunk and the ELK Stack, along with EDR solutions like CrowdStrike and Microsoft Defender ATP, are vital in identifying suspicious activities.
Splunk Example Query:
index=main source="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4104 ScriptBlockText="*Invoke-Expression*"
ELK Stack Query:
GET /logstash-*/_search
{
"query": {
"match": {
"message": "Invoke-Mimikatz"
}
}
}
Enabling detailed PowerShell logging can capture malicious script execution details. Application whitelisting and strict execution policies also help in mitigating script-based attacks.
PowerShell Logging Configuration:
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\Transcription" -Name "EnableTranscripting" -Value 1
Additionally, enabling Module Logging and Script Block Logging provides insights into the execution of malicious scripts.
Analyzing network traffic helps in detecting unusual outbound connections indicative of C2 communications. Tools like Wireshark, Zeek, and Suricata are effective for this purpose.
Wireshark Filter Example:
dns.qry.name contains "example.com"
Zeek Script Example:
event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)
{
if ( original_URI contains "suspicious_path" )
print fmt("Suspicious HTTP request detected: %s", original_URI);
}
Suricata can be configured to alert on specific network behaviors that are indicative of fileless malware activities.
Monitoring registry changes and process activities can reveal persistence mechanisms and malicious behaviors. Sysinternals tools like Autoruns and Process Monitor are useful for this purpose.
Sysmon Configuration:
Using Sysmon, you can create detailed logs of process creations, network connections, and registry changes, helping identify fileless malware activities.
Integrating threat intelligence feeds helps in updating detection mechanisms with the latest IoCs. Services like AlienVault OTX and VirusTotal provide valuable threat data.
Example Integration with Splunk:
| tstats `summariesonly` count from datamodel=Endpoint.Processes
where nodename=Processes.process
| `drop_dm_object_name(Processes.process)`
| lookup threatintel_by_hash hash as process_hash OUTPUTNEW description
Using threat intelligence, you can correlate observed behaviors with known IoCs to quickly identify and respond to fileless malware.
Combining memory analysis, behavioral analysis, script blocking, network traffic monitoring, and threat intelligence integration provides a comprehensive approach to detecting fileless malware. Here are practical steps you can follow:
Prevention is as important as detection when dealing with fileless malware. Here are some strategies to minimize the risk of fileless malware infections:
Continuous monitoring is essential for early detection and response to fileless malware activities. Here are some effective monitoring techniques:
Detecting and preventing fileless malware requires a multi-faceted approach involving advanced tools and techniques. By leveraging memory forensics, behavioral analysis, script monitoring, network traffic analysis, and threat intelligence, SOC analysts and DFIR practitioners can effectively identify and mitigate fileless threats. Implementing robust prevention strategies and continuous monitoring is essential to stay ahead of these sophisticated attacks. Continuous learning and adaptation are key to maintaining a secure environment against evolving threats.