Fileless Attacks

New Reference

Summarized References

https://blog.minerva-labs.com/hs-fs/hubfs/4%20techniques_1042x1042.jpg?width=600&name=4%20techniques_1042x1042.jpg

Malicious Documents

Malicious Scripts

  • Targeting powershell.exe, cscript.exe, cmd.exe and mshta.exe
  • Windows Subsystem for Linux introduces further interpreters (bash and whatever the installed distro ships), reachable from the Windows side through wsl.exe or bash.exe
  • Evading PowerShell detection: https://blog.minerva-labs.com/confronting-snake-oil-sales-tactics-in-endpoint-security
    • If the attacker drops a malicious script at the per-user profile path the engine auto-loads ($PROFILE.CurrentUserAllHosts, i.e. %USERPROFILE%\Documents\WindowsPowerShell\profile.ps1 in Windows PowerShell 5.1) and then starts PowerShell ISE, the script runs inside powershell_ise.exe without powershell.exe ever being involved. A detection keyed on the powershell.exe process name misses this; script block logging (Event ID 4104) comes from the engine itself and still fires inside the ISE.
    • Bypass execution policy: under HKEY_CURRENT_USER\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell set the registry value ExecutionPolicy to Unrestricted. Note that execution policy is not a security boundary: powershell.exe -ExecutionPolicy Bypass overrides it per invocation, and a policy set through Group Policy (MachinePolicy / UserPolicy scopes) takes precedence over the HKCU value.
    • Invoke-NoShell (Minerva Labs)
      • 12 different evasive document permutations
    • Invoke-Obfuscation
    • Invoke-DOSfuscation
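As an added example (not code from the page or from the Minerva Labs post), a Windows PowerShell 5.1 audit that shows what the two tricks above touch on a host: the process and host name a detection would see, every profile script the engine auto-loads for the current host (plus the ISE-specific file powershell.exe never loads), and the ExecutionPolicy value at every scope. The ISE profile filename and the two Group Policy keys are the Windows PowerShell 5.1 defaults and are assumed here; under PowerShell 7 the profile directory is Documents\PowerShell instead.

```powershell
# Added example: audit PowerShell hosts, profile scripts and execution-policy scopes.
# Assumes Windows PowerShell 5.1 paths; run it once from powershell.exe and once
# from powershell_ise.exe to see the host/process difference.

# 1. What a process-name based detection sees. Inside the ISE, Process is
#    'powershell_ise' and HostName is 'Windows PowerShell ISE Host', while the
#    engine (and its script block logging) is the same.
[pscustomobject]@{
    HostName = $Host.Name
    Process  = (Get-Process -Id $PID).ProcessName
    Engine   = $PSVersionTable.PSVersion.ToString()
}

# 2. Profile scripts. $PROFILE exposes the four paths the *current* host loads;
#    CurrentUserCurrentHost differs per host, so the ISE file is added explicitly
#    (assumed 5.1 location) so that it is checked even from powershell.exe.
$isePath = Join-Path ([Environment]::GetFolderPath('MyDocuments')) `
    'WindowsPowerShell\Microsoft.PowerShellISE_profile.ps1'
$profilePaths = @(
    $PROFILE.AllUsersAllHosts
    $PROFILE.AllUsersCurrentHost
    $PROFILE.CurrentUserAllHosts
    $PROFILE.CurrentUserCurrentHost
    $isePath
) | Sort-Object -Unique

foreach ($p in $profilePaths) {
    if (Test-Path -LiteralPath $p) {
        $item = Get-Item -LiteralPath $p
        [pscustomobject]@{
            Profile   = $p
            Exists    = $true
            LastWrite = $item.LastWriteTime
            Owner     = (Get-Acl -LiteralPath $p).Owner
            FirstLine = Get-Content -LiteralPath $p -TotalCount 1
        }
    } else {
        [pscustomobject]@{
            Profile   = $p
            Exists    = $false
            LastWrite = $null
            Owner     = $null
            FirstLine = $null
        }
    }
}

# 3. Execution policy at every scope. The HKCU key from the notes is only one
#    source; the Policies keys are written by Group Policy and win over it, and
#    Get-ExecutionPolicy -List prints the scopes in precedence order.
$policyKeys = @(
    'HKCU:\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
    'HKLM:\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
    'HKCU:\Software\Policies\Microsoft\Windows\PowerShell'
    'HKLM:\Software\Policies\Microsoft\Windows\PowerShell'
)

foreach ($k in $policyKeys) {
    $v = Get-ItemProperty -Path $k -Name ExecutionPolicy -ErrorAction SilentlyContinue
    $value = if ($v) { $v.ExecutionPolicy } else { '(not set)' }
    [pscustomobject]@{ Key = $k; ExecutionPolicy = $value }
}

Get-ExecutionPolicy -List
```

The profile table is the check to run after the ISE trick: a freshly written profile.ps1 (or the ISE-specific file) owned by an unexpected account is the artifact, regardless of which host process later executes it. The policy table shows why editing only the HKCU value is unreliable as a bypass: if either Policies key holds an ExecutionPolicy value, that Group Policy setting is what the engine enforces.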

Living off the Land

Malicious Code in Memory