Detecting and Mitigating Multi-faceted Fileless Attacks

“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.

Security experts estimate that around 35% of all attacks are now fileless. Our experience at the BlueVoyant SOC validates this. Fileless attacks present a unique challenge to a SOC because they avoid detection from antivirus. They don’t install malware to infect endpoints. They exist in memory. And they use common system tools and approved applications to carry out an attack. As a result, the SOC must rely on behavioral detection tools which require interpretation by skilled security analysts to detect, respond and mitigate.

The BlueVoyant SOC recently defended against a sophisticated and multi-faceted fileless attack. The ultimate goal was installing a coinminer, but with a lot more malicious activity occurring. The attack utilized living-off-the-land techniques using native Windows tools to avoid detection. It initiated with PowerShell scripts and Netsh opening ports on our client’s firewall. It then utilized four different WMI mechanisms resulting in an advanced form of persistence on three hosts. The attack used Squiblydoo to download eight pieces of malware.

The most dangerous threat was a PowerShell variant of Mimikatz used to scrape credentials and potentially provide free reign across all devices on the network. Mimikatz was loaded directly into memory, bypassing Windows security. It then dropped Mirai and XMRRIG coinminer. Interestingly, the attack looked for and remediated other malware on the device so that it was the only coinminer.

The BlueVoyant Threat Fusion Cell team continuously investigates the threat landscape to identify unknown and emerging threats. They provided our SOC with a list of indicators and a detailed write-up on this new fileless attack. When our client was hit by this attack, we were ready. Our SOC analysts immediately removed the artifacts used to create persistence in the infected devices.

They updated a specific NextGen AV policy to block Squiblydoo. Our SOC analysts detected and blacklisted the eight pieces of malware. They used EDR (Endpoint Detection and Response) to analyze behaviors, confirm the legitimacy of any PowerShell executions, and investigate process ancestry. This was a very advanced attack with many moving parts, requiring multiple security tools, threat intelligence and an expert SOC analyst team to detect, respond and mitigate.