perm_phone_msgUNDER ATTACK? Incident response LINE +33 1 73 07 18 41

Living Off the Land or Filleless Attacks

Cyber security + Ransomware Sébastien Guisnet today27/03/2020 596 1 5

Background
share close

What are Living off the land or Filleless attacks and why is it a real Cybersecurity issue?


The different appellations 

Targeted and non-targeted cyberattacks use different operating methods to achieve their ends. Among these operating modes we find attacks without files. These can have several names:

  • fileless attacks
  • zero-footprint attacks
  • non-malware attacks
  • Living Off the Land

How it works

The approach is simple, instead of building, downloading and executing malware on the victim machine, the attacker uses programs installed by default on the system. Among these programs we can mention, Powershell, WMI and PSexec.  On the Windows system, there are more than 100 pre-installed tools that can be used by attackers in a fileless approach.

More than 70% of the attacks analyzed in the last two years use the “Fileless” approach. The best known attack that used this approach was NotPetya in 2017, the attacker used the Psexec and WMI tools in order to spread over the network.


NotPetya attack execution

Why do hackers use this technique? 

Using the “Fileless” approach allows attackers (in the early stages of the attack) to understand the environment in which they find themselves and to explore the network.

Why do anti viruses fail to detect this type of attack?

The classical functioning of an antivirus consists in analyzing the software and comparing it to a database of signatures created beforehand and progressively by the analysts. Indeed, when running new software, the antivirus creates a sign and compares it to its knowledge base in order to know if the software in question is malevolent or not.

This operation is completely obsolete for the identification of the latest typologies of attacks and the Fileless attacks and one example among others.

Since the concept of this attack is to divert the use of legitimate tools used by administrators and that no binary has downloaded the antivirus does not find anything to analyze and allows the execution of the attack.

How does Nucleon Smart Endpoint block fileless attacks?

Nucleon Smart Endpoint was designed with a defense in depth philosophy. Indeed, the “Hardening” brick embedded on Nucleon Smart Endpoint allows to specify rules of access to the administration tools only to the legitimate processes and to the population in the company which can make use of it within the framework of its trade.


Zero Trust Security policies Nucleon smart Endpoint

The example of the hardening rules above relate to Powershell, a tool used by administrators in their daily activities but also very popular with attackers. These rules prohibit Powershell from being executed by unauthorized processes or accessing the internet in order to avoid data exfiltration.

Written by: Sébastien Guisnet

Rate it

Previous post


Gain ground on cybercriminals


Start Free Trial Now

Background