Fileless Attacks White Paper

entries in the Windows registry to guarantee persistence after a reboot and to assist with the next stage of infection. Then the malware uses PowerShell to launch and infect a regsvr32.exe process. Lastly, Kovter deletes its executable file from the %TEMP% directory, leaving nothing behind for signature-based detection.

Figure: Kovter infection chain
1. The user unzips a compressed file, triggering obfuscated JScript/JavaScript code.
2. Kovter downloads the payload and writes persistence into the registry.
3. Kovter removes the executable payload from the local system and then operates in memory.
4. Kovter uses PowerShell to launch and infect the regsvr32.exe process.
5. The new Kovter resides within a recognized system process, operating in memory.

Traditional AV detection methods are largely circumvented because there is no file to convict and there are no rogue processes to detect.

The Cylance Approach

Cylance stops fileless malware by using a combination of tools found in CylancePROTECT® and CylanceOPTICS™. The key to defeating fileless malware is to deny it system resources. While detecting the presence of fileless malware can prove difficult, depriving it of tools is not. Cylance uses script control, memory protection, and the Context Analysis Engine (CAE) to stop fileless attacks before they cause damage.

Script Management

CylancePROTECT Script Control gives system administrators the power to decide when, where, and how scripts are used in their environment. By injecting itself into the script interpreter, Script Control gains insight into both the script's activity and its path before execution. Questionable script activity is either blocked or reported to the system administrator through an alert. Cylance offers script control and detection for PowerShell, Active Scripts (JScript and VBScript), and Microsoft Office macros. Blocking PowerShell also prevents its console from launching, which protects a system from executing PowerShell one-liners. Explicitly approved scripts can still be run, even when PowerShell is blocked.

Memory Exploitation Detection and Prevention

CylancePROTECT Memory Protection denies fileless attacks a space in which to operate. The memory defense agent consists of a DLL that is loaded into each protected process and a service component that provides management capabilities. The agent hooks user-mode API functions and monitors them for signs of compromise. When a violation is detected in a hooked API, the call is suspended and the agent applies the response configured by policy, one of:
• Ignore the violation and let the process execute
• Alert on the violation, but let the process execute
• Block the violation and send an alert
• Terminate the process completely

Combating the Scourge of Fileless Attacks 3

CylancePROTECT Memory Protection operates on both 32- and 64-bit processes without heavily impacting system performance. CylancePROTECT administrators can easily configure memory policies to offer the same protections as modern, complex host intrusion prevention systems.

Context Analysis Engine (CAE)

The CylanceOPTICS Context Analysis Engine empowers each endpoint with threat detection and response capabilities. This approach allows each endpoint to act as a virtual SOC, responding to threats with predetermined processes. In other words, it provides automated endpoint protection that functions 24x7 without placing demands on human operators. Latency is reduced because the CAE conducts threat analysis on the endpoint instead of contacting the cloud.

The CAE provides a way to impose rules on a catalog of system behaviors. These behaviors include PowerShell, JavaScript, and browser-specific actions that fileless attacks rely on to operate. Admins can also author custom rules to govern specific concerns in their environment. Denying fileless malware the resources it needs is a highly effective way to combat fileless attacks.
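The process lineage in the Kovter chain above (script host, then PowerShell, then regsvr32.exe) is the kind of system behavior the CAE section says rules can be written against. What follows is an added example, not code from this white paper, from Cylance, or from the CAE's own rule format: a Python check over constructed Sysmon-style process-creation records (the field names pid, ppid, image and cmdline are an assumption) that flags a regsvr32.exe whose parent is PowerShell and whose grandparent is a script host, decodes the -EncodedCommand argument to see whether the payload is pulled from the registry, and separately flags Run-key values that start a script host, which is what remains once the dropper has been deleted from %TEMP%.

```python
"""Detect the Kovter-style fileless chain from process-creation telemetry.

Added example, not code from this white paper or from Cylance. Event records
are constructed here (no real capture); their field names (pid, ppid, image,
cmdline) imitate Sysmon Event ID 1 and are an assumption.
"""
import base64
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}   # run the JS/VBS dropper
POWERSHELL = {"powershell.exe", "pwsh.exe"}
INJECT_TARGETS = {"regsvr32.exe"}   # the signed system process Kovter lives in
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def exe_name(path: str) -> str:
    """Lower-cased file name of a Windows path ('C:\\x\\wscript.exe' -> 'wscript.exe')."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def first_token(command: str) -> str:
    """First argument of a command line, honouring a quoted executable path."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    return (m.group(1) or m.group(2)) if m else ""


def decode_encoded_command(cmdline: str):
    """Plaintext of a PowerShell -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_fileless_chains(events):
    """One finding per lineage script host -> PowerShell -> regsvr32.exe.
    Lineage is the signal: regsvr32.exe under explorer.exe or an installer is
    normal; regsvr32.exe under PowerShell under a script host is the chain above."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        if exe_name(ev["image"]) not in INJECT_TARGETS:
            continue
        ps = by_pid.get(ev["ppid"])
        if ps is None or exe_name(ps["image"]) not in POWERSHELL:
            continue
        host = by_pid.get(ps["ppid"])
        if host is None or exe_name(host["image"]) not in SCRIPT_HOSTS:
            continue
        decoded = decode_encoded_command(ps["cmdline"])
        findings.append({
            "chain": [exe_name(host["image"]), exe_name(ps["image"]), exe_name(ev["image"])],
            "pids": [host["pid"], ps["pid"], ev["pid"]],
            "encoded_command": decoded,
            # payload pulled from a registry value instead of a file on disk
            "reads_registry": bool(decoded and re.search(r"\bHK(?:CU|LM)", decoded, re.I)),
        })
    return findings


def suspicious_run_values(run_values):
    """Names of Run-key values whose command launches a script host or PowerShell:
    with the dropper deleted from %TEMP%, this is what re-launches the payload at boot."""
    return [name for name, command in run_values.items()
            if exe_name(first_token(command)) in SCRIPT_HOSTS | POWERSHELL]


def _encode_ps(text: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry: the Kovter-shaped chain (pids 410-430) and a
# benign admin script that also happens to spawn regsvr32.exe (pids 510-520).
SAMPLE_EVENTS = [
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 410, "ppid": 300, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe //B "C:\Users\a\AppData\Local\Temp\invoice.js"'},
    {"pid": 420, "ppid": 410, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc " + _encode_ps(r"IEX (gp 'HKCU:\Software\4f1c3a').p")},
    {"pid": 430, "ppid": 420, "image": r"C:\Windows\System32\regsvr32.exe", "cmdline": "regsvr32.exe"},
    {"pid": 510, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\ops\register.ps1"},
    {"pid": 520, "ppid": 510, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\ops\vendor.dll"},
]

# Constructed HKCU\...\Run values: one normal, one that re-runs script kept in the registry.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "4f1c3a": r"mshta.exe javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\Software\4f1c3a\s'))",
}

if __name__ == "__main__":
    for finding in find_fileless_chains(SAMPLE_EVENTS):
        print("fileless chain:", " -> ".join(finding["chain"]), "pids", finding["pids"])
        print("  decoded command:", finding["encoded_command"])
    print("suspicious Run values:", suspicious_run_values(SAMPLE_RUN_VALUES))
```

Lineage rather than a single process name is the point: the benign admin script in the sample also spawns regsvr32.exe from PowerShell, but that PowerShell was started from explorer.exe with -File, so it is not flagged, while the chain rooted in wscript.exe is reported together with the decoded command that reads its payload out of HKCU.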
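As an added illustration of the Script Management model above (block the interpreter by default, including its console and one-liners, while still running explicitly approved scripts), here is a policy decision written in Python. It is not Cylance code and does not show how CylancePROTECT implements Script Control; the policy table, approval by SHA-256 of script content, and the sample invocations are assumptions made for the example.

```python
"""Script-control decision of the kind the Script Management section describes:
PowerShell blocked by default (console and one-liners included), explicitly
approved script files still allowed, Active Scripts alerted on.

Added example, not Cylance code and not how CylancePROTECT implements its policy.
The policy table, the approval list and the sample invocations are constructed.
"""
import hashlib
import re

# Assumed policy values: "block", "alert" or "allow" per interpreter family.
POLICY = {"powershell": "block", "activescript": "alert"}

INTERPRETERS = {
    "powershell.exe": "powershell", "pwsh.exe": "powershell",
    "wscript.exe": "activescript", "cscript.exe": "activescript", "mshta.exe": "activescript",
}

# Approval is by SHA-256 of the script content, not by path, so an edited copy
# at the approved path is not approved. The content is constructed.
APPROVED_CONTENT = b"Compress-Archive -Path C:\\ops\\logs -DestinationPath C:\\ops\\logs.zip\n"
APPROVED_SCRIPTS = {hashlib.sha256(APPROVED_CONTENT).hexdigest()}

FILE_RE = re.compile(r'-(?:f|file)\s+(?:"([^"]+)"|(\S+))', re.I)
INLINE_RE = re.compile(r"-(?:c|command|e|ec|enc|encodedcommand)\b", re.I)


def exe_name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_powershell(cmdline: str):
    """('file', path) for -File, ('one-liner', None) for -Command/-EncodedCommand,
    ('console', None) when neither is present (an interactive shell)."""
    m = FILE_RE.search(cmdline)
    if m:
        return "file", (m.group(1) or m.group(2))
    if INLINE_RE.search(cmdline):
        return "one-liner", None
    return "console", None


def decide(image: str, cmdline: str, script_bytes=None):
    """Return (decision, reason) for an interpreter that is about to start.
    script_bytes is the script content the caller read before execution."""
    family = INTERPRETERS.get(exe_name(image))
    if family is None:
        return "allow", "not a managed script interpreter"
    action = POLICY.get(family, "allow")
    if family == "powershell":
        kind, _path = classify_powershell(cmdline)
    else:
        kind = "file"
    # An approved script runs even when its interpreter is blocked by policy.
    if kind == "file" and script_bytes is not None:
        digest = hashlib.sha256(script_bytes).hexdigest()
        if digest in APPROVED_SCRIPTS:
            return "allow", f"approved script sha256:{digest[:16]}"
    if action == "allow":
        return "allow", f"{family} allowed by policy"
    return action, f"{family} {kind} is not on the approval list"


if __name__ == "__main__":
    PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    WS = r"C:\Windows\System32\wscript.exe"
    for image, cmd, content in [
        (PS, "powershell.exe", None),                                   # console
        (PS, "powershell.exe -NoP -W Hidden -Enc SQBFAFgA", None),      # one-liner
        (PS, r'powershell.exe -File "C:\ops\archive.ps1"', APPROVED_CONTENT),
        (PS, r'powershell.exe -File "C:\ops\archive.ps1"', APPROVED_CONTENT + b"# edited\n"),
        (WS, r'wscript.exe "C:\Users\a\AppData\Local\Temp\invoice.js"', b"WScript.Echo 1"),
    ]:
        print(decide(image, cmd, content), "<-", cmd)
```

Approving by content hash rather than by path is the check that matters: the edited copy of the approved script at the same path is blocked, and a bare `powershell.exe` with no arguments is classified as the console and blocked like a one-liner.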
Conclusion

Fileless malware poses a serious threat to traditional AV solutions by using discreet methods that are often invisible to standard threat detection. By hijacking legitimate resources to attack a host system, fileless malware can camouflage its presence and operate unnoticed. Cylance provides advanced tools that deprive fileless threats of the resources they need for survival. By controlling the execution of scripts, the memory space, and the manipulation of endpoints, Cylance products keep infrastructure safe from fileless attacks.

©2018 Cylance Inc. 20180316-0286