File-Less Attacks Designed to Bypass Endpoint Protection

September 26, 2019 | Tristan Lawson, Senior Solutions Architect

There is a convergence of technology from Next Generation Anti-Virus (NGAV), application whitelisting, and endpoint detection and response (EDR) companies. These technologies overlap in offering prevention and protection capabilities.  The goal of each of these technologies and the combination of them is to stop modern day attacks.  Modern day attacks are more often file-less, not file-based with a goal to get foreign code to execute in memory.  Protecting the memory from foreign code in a file-less attack is the focus of this article.

What is a file-less attack?

File-less attacks utilize a gambit of methods designed to allow attackers to compromise systems even when there is a protection solution present on the system such as NGAV or application whitelisting. File-less attacks primarily do not write executable files to disk and often times write no files to disk at all, so they are more difficult to stop than file-based attacks. The primary objective is to not compile the malicious code but instead find clever ways to inject it straight into memory to be executed.

There are four known ways for file-less attacks to be launched on a system to result in code execution in memory. All these methods can be adapted to bypass NGAV solutions, EDR’s and modern application whitelisting.  Read on to learn more.

Four Types of File-less attacks

Malicious Scripts are one type of file-less attacks and are consistent with the objective to avoid compiling malicious code into traditional executables. Malware authors rely on malicious scripts during many different types of attacks that are file-less. Beyond the known scripts supported natively by documents, the malicious scripts that can run directly on Microsoft Windows provide attackers with many advantages. Scripts such as PowerShell scripts allow an attacker to interact with the OS with few restrictions especially since script interpreters native to windows such as PowerShell are often times automatically whitelisted by Endpoint Protection solutions. Scripts allow an attacker to spread out the logic of the malicious activity across many stages making it more difficult for behavior analysis engines and AI to detect. Scripts also offer the ability to be obfuscated to further evade antimalware solutions. Combining all of these abilities ultimately makes detection and prevention of malicious scripts difficult for NGAV, EDR and application whitelisting.

Malicious Documents is the second type of file-less attack and often act as containers for other malicious files or malicious scripts already described.  Malicious documents can be used to target vulnerabilities during the opening of the application to gain control of the execution flow in memory.  A common way malicious documents are used is to run malicious scripts to launch and insert code directly into memory through the opening of the malicious document.  In this case an attacker may not need to take additional steps beyond getting that malicious document onto the target system.

The third file-less attack technique is to insert malicious code directly into memory. This file-less attack method is achieved through the technique of process injection, executable wrapping or process imitation. The process injection technique is a very popular way to bypass NGAV, application whitelisting and EDR. Process injections take advantage of features within Microsoft Windows to do unorthodox memory manipulations which are allowed within Windows but are being used in ways the designers of Windows never intended. Examples of features include API calls to WriteProcessMemory and VirtualAllocEx which allow a process to write into another process’s memory. There are numerous other ways to conduct a process injection attack that injects malicious code directly into a running process to execute without triggering the resident endpoint protection solution.

The fourth type of file-less attack is called living off the land and is the misuse of several built in Microsoft Windows utilities. It is called living off the land because the land or the Windows environment on the target system contains the utilities required for the attacker to deliver their outcome or to “live”.  These utilities generally allow attackers to move from one stage of their attack to the next without relying on any compiled malicious executables.

The Problem

There is a common theme to these modern file-less attacks; the objective is to run foreign code in memory without compilation of the code to bypass EDR, application whitelisting and NGAV protections. This theme highlights the weakness of the tools which these technologies use to attempt to identify and stop malicious code from running into memory.

Endpoint protection solutions utilize a common suite of tools in their effort to stop attacks from occurring such as signatures, application hashes/headers, machine learning, AI and sandboxing. These tools fall prey to biases because all these tools rely on the historical known bad to predict future bad behaviors and attacks.  This bias can be abused and short circuited by starting with a living off the land technique utilizing a known whitelisted application as a launching pad for malicious code into memory.  Additionally, attackers are modifying the malicious attacks and malicious files they produce to look like normal good files through simple file changes such as appending strings from known good files.

Having confidence that protection in the file system and the application space can stop malicious code from executing in memory is a fallacy.  The approach of looking for bad or predicting what is bad has limitations.   A new and different approach is required.

The Solution

To combat modern cyber warfare and protect against file-less attacks, you must verify the integrity of executing code in memory at runtime.  There are many ways that executing code is inserted into memory but in the end the code executes in memory in the same way, no matter how it got there.

Constant verification of all executable code must be performed not just when that executable code is inserted into memory for the first time.  That’s just one step, but as we’ve described, there are injection techniques that insert new malicious code into already executing processes and code in memory.  If you are only looking at code as it is inserted as a new process executing in memory, you would miss the modification of code that can happen after a process is loaded into memory.  It therefore becomes necessary to verify the integrity of code not only upon insertion but also as it executes.

This is exactly what Digital Immunity does: constant protection in memory at run-time.   DI PROTECT is based on a zero-trust model.  Through a reference platform that creates DNA maps of the good, approved or validated executable code, a surgical sensor is loaded to the endpoint.   In real-time at almost no load or latency to the system, the code that is executing in memory is compared against the DNA maps.  The DNA of the executing code either matches a DNA map, or it doesn’t.  If the DNA of the code that is loaded or is executing doesn’t match, the bad code is stopped while all good code continues to execute.  In this way, Digital Immunity stops the different file-less attacks that bypass NGAV, application whitelisting, and the EDR solutions.

If you wish to harden your Windows operating systems, associated applications and ultimately make it so attackers are unable to bypass your endpoint protection with file-less attacks, talk to us.  Learn how Digital Immunity is designed to provide in-memory run time protection, keep your good processes running and stop file-less attacks.

Want to give Digital Immunity a try?
Click here for more information and to request a software demo.