How Fileless malware challenges classic security solutions

First published on CloudBlogs on Jun 07, 2017
This post is authored by Itai Grady, Security Researcher, Advanced Threat Analytics R&D.

A bank in Poland previously discovered unknown malware running on several of its computers, exposing a wave of attacks that affected organizations from at least 31 countries. What’s unique about this attack is the use of a sophisticated piece of malicious software that managed to reside purely in the memory of a compromised machine, without leaving a trace on the machine’s file system. Fileless malware allows attackers to evade detection by most endpoint security solutions that are based on static file analysis (antivirus products).

Fileless malware is not a new phenomenon. Throughout the past few years, an evolution of Fileless malware has been observed. Initially, malware developers focused on disguising the malware’s network operation, be it communication with their command and control servers or data exfiltration. This was accomplished by mimicking the traffic of different messenger applications and by spoofing HTTP headers to evade network security solutions (firewalls/IDS).

Lateral movement as non-malware

The latest advancement in Fileless malware shows that the developers’ focus has shifted from disguising network operations to avoiding detection during lateral movement inside the victim’s infrastructure. To complicate detection, the malware used in the above-mentioned attack relied on standard Windows tools. The use of such tools in malware is also known as a Non-Malware attack. Some of the tools that the new malware used were:
  • SC.exe - A tool for remote management and creation of services.
  • netsh.exe - for network tunneling and other network configuration manipulations.
  • PowerShell - used for running complex commands and for using standard APIs (such as WMI) to collect information on the victim’s network and to execute code remotely.
These latest developments in Fileless malware indicate that attackers are extending the malware’s capabilities to avoid detection during the lateral movement stage (spreading across the victim’s network).

Behavioral analytics and Fileless malware

Since most security solutions are based on detecting signatures and known malicious behaviors on the operating system, malware that adopts the above techniques is very hard to identify. A new type of security solution could address these challenges: one that relies on analyzing the behavior of the users and computers in the environment. Behavioral analytics systems are designed to tackle various, and previously unknown, advanced attacks. These systems monitor and learn the behavior of entities in the organization (users, computers or services) and send out alerts when they detect abnormal behavior that might point to malicious intent. User and entity behavior analytics (UEBA) systems have the potential to detect Fileless malware in different stages of an advanced attack.


For Fileless malware to spread, some critical information about the victim’s network needs to be collected. The malware needs information on its location in the network, the users’ roles, permissions, existing sessions, machines, their privileged groups, etc. This data is used to discover valuable machines and accounts in the network, and to map different routes to them. There are many techniques an attacker can use to perform reconnaissance. Some of the more interesting methods use standard queries to Active Directory and to machines in the network (e.g. DNS queries, the SAMR protocol, SMB session enumeration). If the organization has a UEBA security system that monitors such requests and identifies abnormal ones, the malware and attack campaign can be detected before other machines in the organization are infected.
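The monitoring idea above, sketched as an added example (not code from the original post and not how Advanced Threat Analytics is implemented): each source host's daily fan-out of enumeration queries is compared with its own learned baseline. The event tuples, host names, query-type labels and the `k`/`floor` parameters are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events: (day, source_host, query_type, target).
# Days 1-3 are the learning period, day 4 is the day being scored.
HOSTS = [f"SRV-{i:02d}" for i in range(1, 13)]
EVENTS = []
for day in (1, 2, 3, 4):
    EVENTS += [(day, "WS-01", "DNS", h) for h in HOSTS[:3]]     # ordinary user
    EVENTS += [(day, "ADM-01", "SAMR", h) for h in HOSTS[:6]]   # admin routine
# Day 4 only: WS-07 enumerates every server over SAMR and SMB sessions.
EVENTS += [(4, "WS-07", q, h)
           for q in ("SAMR", "SMB_SESSION_ENUM") for h in HOSTS]


def daily_fanout(events):
    """Distinct targets per (source, query_type), keyed by day."""
    targets = defaultdict(set)
    for day, src, qtype, target in events:
        targets[(src, qtype, day)].add(target)
    fanout = defaultdict(dict)
    for (src, qtype, day), seen in targets.items():
        fanout[(src, qtype)][day] = len(seen)
    return fanout


def score_day(events, learning_days, scored_day, k=3.0, floor=5):
    """Alert when a source's fan-out exceeds its own learned baseline."""
    alerts = []
    for (src, qtype), per_day in sorted(daily_fanout(events).items()):
        today = per_day.get(scored_day, 0)
        history = [per_day.get(d, 0) for d in learning_days]
        # floor keeps sources with little or no history from alerting
        # on a handful of queries; k widens the band for noisy sources.
        threshold = max(floor, mean(history) + k * pstdev(history))
        if today > threshold:
            reason = ("fan-out above baseline" if any(history)
                      else "query type never seen from this source")
            alerts.append((src, qtype, today, reason))
    return alerts


if __name__ == "__main__":
    for alert in score_day(EVENTS, learning_days=(1, 2, 3), scored_day=4):
        print(alert)
```

The administrator workstation that queries six servers every day stays silent, while the workstation that has never issued SAMR or session-enumeration queries is flagged on its first sweep.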

Lateral Movement

When there is a new target for the malware, and a route to it, the malware starts to move laterally inside the network. Lateral movement can be done using various techniques, most of which have legitimate purposes and therefore might not be detected by endpoint security solutions. Behavioral analytics solutions can recognize an anomaly in the behavior of the compromised user (or computer), such as accessing an abnormal resource, logging on to a new computer, working from an unusual location, working during unusual hours, etc. Security systems that monitor the network traffic might also be able to detect common attack techniques for lateral movement, such as Pass-The-Hash, Over-pass-the-hash and Pass-The-Ticket.
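Two of the anomalies named above, a logon to a new computer and a logon at unusual hours, sketched as an added example (not code from the original post or from any product): a per-user profile is learned from past logons and each new logon is scored against it. The record layout, account names, computer names and the one-hour tolerance are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed learning-period logons: (ISO timestamp, user, computer).
LEARNING = [
    ("2017-06-01T08:05:00", "alice", "WS-ALICE"),
    ("2017-06-01T17:40:00", "alice", "FILE-01"),
    ("2017-06-02T09:10:00", "alice", "WS-ALICE"),
    ("2017-06-01T23:30:00", "svc-backup", "BKP-01"),
    ("2017-06-02T00:15:00", "svc-backup", "BKP-01"),
]


def build_profiles(records):
    """Learn, per user, which computers and hours of day are normal."""
    profiles = defaultdict(lambda: {"computers": set(), "hours": set()})
    for ts, user, computer in records:
        profiles[user]["computers"].add(computer)
        profiles[user]["hours"].add(datetime.fromisoformat(ts).hour)
    return dict(profiles)


def unusual_hour(hour, known_hours, tolerance=1):
    """True if hour is more than `tolerance` from every learned hour.
    Distance is circular so 23:00 and 00:00 count as one hour apart."""
    return all(min((hour - h) % 24, (h - hour) % 24) > tolerance
               for h in known_hours)


def score_logon(profiles, ts, user, computer):
    """Return the list of anomalies for one logon (empty if normal)."""
    profile = profiles.get(user)
    if profile is None:
        # No history yet: report that instead of flagging every field.
        return ["no baseline for user"]
    findings = []
    if computer not in profile["computers"]:
        findings.append("first logon to this computer")
    if unusual_hour(datetime.fromisoformat(ts).hour, profile["hours"]):
        findings.append("logon outside usual hours")
    return findings


if __name__ == "__main__":
    p = build_profiles(LEARNING)
    print(score_logon(p, "2017-06-05T03:12:00", "alice", "DC-01"))
```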

What’s next?

Fileless malware will only become smarter and more common. Regular signature-based techniques and tools will have a harder time discovering this complex, stealth-oriented type of malware. More and more attacks will leave little to no tracks in the file system and in the network, and will force organizations to start detecting attacks based on their user and entity behavior.

Advanced Threat Analytics is an on-premises product and part of the Enterprise Mobility + Security Suite or Enterprise CAL Suite. Start a trial or deploy it now by downloading a 90-day evaluation version. Ask your questions and join the discussion with our team on the Microsoft Advanced Threat Analytics Tech Community site!