This blog post was co-authored by:
Aditya Joshi, Senior Software Engineer, Microsoft Defender for Endpoint
Tino Morenz, Senior Software Engineer, Enterprise Data Protection
The Azure Defender team is excited to share that the Fileless Attack Detection for Linux Preview, which we announced earlier this year, is now generally available for all Azure VMs and non-Azure machines enrolled in Azure Defender.
Fileless Attack Detection for Linux periodically scans your machine and extracts insights directly from the memory of processes. Automated memory forensic techniques identify fileless attack toolkits, techniques, and behaviors. This detection capability identifies attacker payloads that persist within the memory of compromised processes and perform malicious activities.
See below for an example fileless attack from our preview program, a description of detection capabilities, and an overview of the onboarding process.
Real-world attack pattern from our preview program
In our continuous monitoring of fileless attacks we often encounter malware components, exhibiting in-memory ELF and shellcode payloads that are in the initial stages of being weaponized by attackers.
In this example, a customer’s VM is infected with malware that is attempting to blend in as standard system security components.
Detecting the attack
Fileless attack detection capabilities
Fileless Attack Detection for Linux scans the memory of all processes for shellcode, malicious injected ELF executables, and well-known toolkits. Toolkits include crypto mining software.
Here is an example alert:
The alerts contain information to assist with triaging and correlation activities, which include process metadata:
We plan to add and refine alert capabilities over time. Additional alert types will be documented here.
Process memory scanning is non-invasive and does not affect the other processes on the system. Most scans run in less than five seconds. The privacy of your data is protected throughout this procedure as all memory analysis is performed on the host itself. Scan results contain only security-relevant metadata and details of suspicious payloads.
This capability is automatically deployed to your Linux machines as an extension to the Log Analytics Agent for Linux, which is also known as the OMS Agent. This agent supports the Linux OS distributions described in this document. Azure VMs and non-Azure machines must be enrolled in Azure Defender to benefit from this detection capability.
To learn more about Azure Defender, visit the Azure Defender Page.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.