Targeted and non-targeted cyberattacks use different operating methods to achieve their ends. Among these operating modes we find attacks without files. These can have several names:
The approach is simple, instead of building, downloading and executing malware on the victim machine, the attacker uses programs installed by default on the system. Among these programs we can mention, Powershell, WMI and PSexec. On the Windows system, there are more than 100 pre-installed tools that can be used by attackers in a fileless approach.
More than 70% of the attacks analyzed in the last two years use the “Fileless” approach. The best known attack that used this approach was NotPetya in 2017, the attacker used the Psexec and WMI tools in order to spread over the network.
Using the “Fileless” approach allows attackers (in the early stages of the attack) to understand the environment in which they find themselves and to explore the network.
The classical functioning of an antivirus consists in analyzing the software and comparing it to a database of signatures created beforehand and progressively by the analysts. Indeed, when running new software, the antivirus creates a sign and compares it to its knowledge base in order to know if the software in question is malevolent or not.
This operation is completely obsolete for the identification of the latest typologies of attacks and the Fileless attacks and one example among others.
Since the concept of this attack is to divert the use of legitimate tools used by administrators and that no binary has downloaded the antivirus does not find anything to analyze and allows the execution of the attack.
Nucleon Smart Endpoint was designed with a defense in depth philosophy. Indeed, the “Hardening” brick embedded on Nucleon Smart Endpoint allows to specify rules of access to the administration tools only to the legitimate processes and to the population in the company which can make use of it within the framework of its trade.
The example of the hardening rules above relate to Powershell, a tool used by administrators in their daily activities but also very popular with attackers. These rules prohibit Powershell from being executed by unauthorized processes or accessing the internet in order to avoid data exfiltration.
Written by: Sébastien Guisnet