Fileless Malware and PowerShell Attacks

Fileless Malware

Fileless malware has changed the game of cyber attacks for the worse. This type of malware does not require cybercriminals to install malicious software in order to compromise the target. It is known for using legitimate programs such as Microsoft PowerShell to execute attacks.

It is a game-changer because the malware is undetectable, since it has no signature for antimalware software to detect.

PowerShell attacks

For this reason, PowerShell attacks have become a prominent go-to technique for hackers because:

1. It is a built-in command-line tool
2. It can download and execute code from another system
3. It provides unprecedented access on Windows computers
4. It’s enabled on most computers, as system administrators use PowerShell to automate various tasks
5. Its malicious use is often not stopped or detected by traditional endpoint defenses, as files and commands are not written to disk. (Rapid7 Blog)

Microsoft PowerShell is an incredibly powerful scripting language that provides access to a machine’s inner core, including unrestricted access to Windows application programming interfaces (APIs). It can be used by hackers to do anything from harvesting passwords to mining cryptocurrency.

It is also useful for data collection and analysis, but hackers now exploit it to forgo the file system and inject malicious code directly into memory. This capability fast-tracks obfuscation, the process by which hackers create source or machine code that is difficult for humans to understand. Hackers use tools such as PowerSploit, Empire, Metasploit or Invoke-Mimikatz to execute PowerShell attacks.

[Infographic: How fileless malware attacks occur, by Emsisoft security blog]

Mitigation methods to prevent PowerShell attacks

1. Have scripts digitally signed.

2. Implement the additional logging analysis tools provided by Microsoft, which can offer more insight into PowerShell activity going on in the environment.

3. Limit the types of commands that can be executed within PowerShell sessions. This is known as Constrained Language Mode.

4. Upgrade to PowerShell v5 or higher. These versions have additional security features such as script logging, transcription and antimalware software known as the Antimalware Scan Interface (AMSI), which allows specific data to be sent to AMSI functions to identify whether it is malicious or not. This means that all script code can be scanned prior to execution by PowerShell and other Windows scripting engines.
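
To see which of the four mitigations above are actually in place on a host, the following read-only audit can be run in a PowerShell session. It is an added example, not part of the original post; the registry paths, value names and event ID 4104 are the standard Windows Group Policy and event log locations for PowerShell logging and are not named on this page, and Get-PolicyFlag is a helper written for this example.

```powershell
# Added example (not from the original post): read-only audit of the four
# mitigations listed above. Run in PowerShell on the Windows host to check.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PolicyFlag {
    param([string]$SubKey, [string]$Name)
    # $true only when the Group Policy value exists and is set to 1
    $path = Join-Path $policyRoot $SubKey
    $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$Name -eq 1)
}

$checks = [ordered]@{}

# 1. Signed scripts: AllSigned requires a signature on every script,
#    RemoteSigned only on scripts downloaded from another system.
$policy = [string](Get-ExecutionPolicy)
$checks["Execution policy requires signatures ($policy)"] = $policy -in 'AllSigned', 'RemoteSigned'

# 2. Logging: policy switches, plus proof that events are actually written.
$checks['Script block logging enabled'] = Get-PolicyFlag 'ScriptBlockLogging' 'EnableScriptBlockLogging'
$checks['Module logging enabled']       = Get-PolicyFlag 'ModuleLogging' 'EnableModuleLogging'
$checks['Transcription enabled']        = Get-PolicyFlag 'Transcription' 'EnableTranscripting'
$recent = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
} -MaxEvents 1 -ErrorAction SilentlyContinue
$checks['Script block events (ID 4104) present'] = $null -ne $recent

# 3. Constrained Language Mode in the current session.
$mode = [string]$ExecutionContext.SessionState.LanguageMode
$checks["Constrained Language Mode ($mode)"] = $mode -eq 'ConstrainedLanguage'

# 4. PowerShell 5 or higher, where script logging and AMSI are available.
$major = $PSVersionTable.PSVersion.Major
$checks["PowerShell v5 or higher (v$major)"] = $major -ge 5

$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Mitigation = $_.Key; InPlace = $_.Value }
} | Format-Table -AutoSize
```

Microsoft documents execution policy as a safety feature rather than a security boundary, so a passing signature check here should be read together with the logging and language mode results.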