The document discusses fileless attacks, which are cyber threats that do not rely on malicious executable files being written to disk and are more prevalent than traditional ransomware attacks. It explores how these attacks are conducted, including techniques like spear phishing and the use of legitimate applications for lateral movement, and emphasizes the inadequacy of traditional antivirus solutions against such methods. Key takeaways highlight the need for enhanced defenses beyond conventional malware detection to effectively mitigate breaches.

1. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
WHO NEEDS MALWARE?
UNDERSTANDING FILELESS ATTACKS AND HOW TO STOP THEM

2. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
1 What are fileless attacks
2 How does a fileless attack work
3 Real world examples
4 Why traditional approaches don’t work
5 The CrowdStrike approach

3. POOL QUESTION
HOW WOULD YOU RATE YOUR
KNOWLEDGE OF FILELESS ATTACKS 1 TO 5
(1 = NONE. 5 = EXPERT)
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

5. WHAT IS A FILELESS ATTACK
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
An attack that does not require a malicious executable file
to be written to disk

7. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
THE REALITY OF FILELESS ATTACKS
Fileless techniques are not
new
More prevalent than
Ransomware 24% vs. 21%
78% of organizations are
concerned about fileless
attacks
Only 51% of breaches include
malware - Source Verizon BDR
2017
Not all attacks are 100%
fileless
80% of attacks use some
fileless techniques - Source
CrowdStrike Incident Response

8. FILELESS ATTACK TECHNIQUES
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

9. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
FILELESS
TECHINQUES
FILELESS INTRUSION TECHNIQUES OBSERVED BY
THE FALCON PLATFORM
§ Spear phishing for credentials
§ Lateral movement using ‘living off the
land’ tools (WMI, Unix commands,
Powershell)
§ Registry persistence
§ Webshells

10. 2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
1. Attacker identifies
organization with vulnerable
web application
2. Remote attacker uses SQL
injection or other
vulnerability to drop payload
3. Vulnerable
webserver is
compromised
and becomes
backdoor
WEBSHELL ATTACKS

11. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
FILELESS
TECHINQUES
FILELESS INTRUSION TECHNIQUES OBSERVED BY
THE FALCON PLATFORM
§ Spear phishing for credentials
§ Lateral movement using ‘living off the
land’ tools (WMI, Unix commands,
Powershell)
§ Registry persistence
§ Webshells
§ Powershell-based credential dumpers

12. G O A L
T O O L S
T E C H N I Q U E
HOW A FILELESS ATTACK TAKES PLACE
I N I T I A L
C O M P R O M I S E
1
Remote access to a
system using a
web browser. Can
be web scripting
language
E.g. China Chopper
GAIN
ACCESS
WebShell
C O M M A N D
A N D C O N T R O L
2
Run system
commands to
find out where we
are
RECON
Sysinfo,
Whoami
P R I V I L E G E
E S C A L AT I O N
3
Run a PowerShell
script such as
Mimikatz to
dump credentials
DUMP
CREDENTIALS
PowerShell
P E R S I S T E N C E
4
Modifies Registry
to create a
backdoor
E.g. On screen
keyboard or
sticky keys
MAINTAIN
PERSISTENCE
Registry
E X F I LT R AT I O N
5
Uses system tools
to gather data and
China Chopper
Webshell to
exfiltrate data
EXFILTRATE
DATA
VSSAdmin,
Copy, NET use,
Webshell

13. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
REAL WORLD
EXAMPLES
§ Fileless Malwre: Kovter
§ Fileless Attack: Nation State

14. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
KOVTER
§ Click-fraud
§ Fileless after initial infection
§ Hides encrypted malicious modules in the registry
§ Hides other malicious modules in PowerShell scripts
§ Uses shortcut file (.lnk) to download PowerShell scripts. The
script launches PowerShell to start a shellcode

15. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
NATION STATE
ATTACK
§ Weaponization: Spoofed website
§ Delivery: Spear phishing
§ PowerShell modules connect to a
remote server
§ Install/run MimiKatz
§ Lateral movement through stolen
credentials

16. MOVING LATERALLY WITHOUT MALWARE
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
Attacker sets the
bait with a fake
website
Extract
credentials
from initial
victim
Move laterally
to other hosts

17. HOW TO PROTECT AGAINST FILELESS
ATTACKS
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

18. HOW WOULD YOU RATE YOUR CURRENT
LEVEL OF PROTECTION AGAINST FILELESS
ATTACKS (1 = POOR – 5 = EXCELLENT)
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

20. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
EDUCATE
83%Rate traditional AV based signature
efficacy good or excellent

21. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
WHY TRADITIONAL APPROACHES DON’T
WORK
No file to analyze No artifacts left behind Blind if prevention fails
Uses legitimate applications No file to detonate Hands on keyboard

22. PROTECTS AGAINST ALL
TYPES OF ATTACKS
Protect against Known/
Unknown Malware/Malware Free
Protect Against
Zero-Day Attacks
Endpoint Detection and Response
Managed Threat Hunting
BENEFITS
FALCON ENDPOINT PROTECTION
Machine
Learning
IOA
Behavioral
Blocking
Block
Known Bad
Exploit
Mitigation
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

23. PROCESS INJECTS A
THREAD INTO
SYSTEM PROCESS
INJECTED THREAD
READS CREDENTIALS FROM
THE SYSTEM PROCESS
MEMORY
DUMPED CREDENTIALS
ARE USED TO LOGIN INTO
EXCHANGE SERVER
MAILBOXES ARE
EXPORTED OUT OF
EXCHANGE
INDICATORS OF ATTACK
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
PROCESS CONDUCTS
RECONNAISSANCE
PROCESS ELEVATES
PRIVILEGES
WEB SERVER
EXECUTES A
PROCESS

24. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
KEY TAKEAWAYS
THE THREAT IS REAL TRADITIONAL AV IS NOT
ENOUGH CURRENT DEFENSES
DO NOT WORK
NEED TO THINK BEYOND
MALWARE AND FOCUS ON
STOPPING THE BREACH

25. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
Questions?
Please submit all questions in the Q&A chat
right below the presentation slides
Contact Us
Additional Information
Join Weekly Demos
crowdstrike.com/productdemos
Featured Asset:
How Adversaries Use Fileless Attacks To
Evade Your Security
Link in Resource List
Website: crowdstrike.com
Email: info@crowdstrike.com
Number: 1.888.512.8902 (US)