Home Blog Detecting and Mitigating Multi-faceted Fileless Attacks Detecting and Mitigating Multi-faceted Fileless Attacks BlueVoyant Share: Facebook Twitter LinkedIn “Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities. Security experts estimate that around 35% of all attacks are now fileless. Our experience at the BlueVoyant SOC validates this. Fileless attacks present a unique challenge to a SOC because they avoid detection from antivirus. They don’t install malware to infect endpoints. They exist in memory. And they use common system tools and approved applications to carry out an attack. As a result, the SOC must rely on behavioral detection tools which require interpretation by skilled security analysts to detect, respond and mitigate. The BlueVoyant SOC recently defended against a sophisticated and multi-faceted fileless attack. The ultimate goal was installing a coinminer, but with a lot more malicious activity occurring. The attack utilized living-off-the-land techniques using native Windows tools to avoid detection. It initiated with PowerShell scripts and Netsh opening ports on our client’s firewall. It then utilized four different WMI mechanisms resulting in an advanced form of persistence on three hosts. The attack used Squiblydoo to download eight pieces of malware. The most dangerous threat was a PowerShell variant of Mimikatz used to scrape credentials and potentially provide free reign across all devices on the network. Mimikatz was loaded directly into memory, bypassing Windows security. It then dropped Mirai and XMRRIG coinminer. Interestingly, the attack looked for and remediated other malware on the device so that it was the only coinminer. The BlueVoyant Threat Fusion Cell team continuously investigates the threat landscape to identify unknown and emerging threats. They provided our SOC with a list of indicators and a detailed write-up on this new fileless attack. When our client was hit by this attack, we were ready. Our SOC analysts immediately removed the artifacts used to create persistence in the infected devices. They updated a specific NextGen AV policy to block Squiblydoo. Our SOC analysts detected and blacklisted the eight pieces of malware. They used EDR (Endpoint Detection and Response) to analyze behaviors, confirm the legitimacy of any PowerShell executions, and investigate process ancestry. This was a very advanced attack with many moving parts, requiring multiple security tools, threat intelligence and an expert SOC analyst team to detect, respond and mitigate. Share: Facebook Twitter LinkedIn Related reading Why Bluevoyant BlueVoyant – Microsoft Security Consulting Potential Career Paths November 29, 2021 BlueVoyant is always looking for people who are flexible, willing to tackle new technologies, explore, get their hands on the latest cybersecurity tools,… Read more Malware AnchorDNS Comes Ashore: Evolutions in the TTPs of TrickBot November 12, 2021 Using our knowledge of AnchorDNS-now-Stickseed, BlueVoyant Third-Party Risk and Managed Security Services were able to identify a Stickseed attack in the… Read more Identifying Threats Pivoting on Compliance Efforts Under CMMC 2.0 November 9, 2021 The U.S. government released CMMC 2.0 on November 4, or less than one week ago. This brief summarizes what we currently know, key points that still need to… Read more
BlueVoyant Share: Facebook Twitter LinkedIn “Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities. Security experts estimate that around 35% of all attacks are now fileless. Our experience at the BlueVoyant SOC validates this. Fileless attacks present a unique challenge to a SOC because they avoid detection from antivirus. They don’t install malware to infect endpoints. They exist in memory. And they use common system tools and approved applications to carry out an attack. As a result, the SOC must rely on behavioral detection tools which require interpretation by skilled security analysts to detect, respond and mitigate. The BlueVoyant SOC recently defended against a sophisticated and multi-faceted fileless attack. The ultimate goal was installing a coinminer, but with a lot more malicious activity occurring. The attack utilized living-off-the-land techniques using native Windows tools to avoid detection. It initiated with PowerShell scripts and Netsh opening ports on our client’s firewall. It then utilized four different WMI mechanisms resulting in an advanced form of persistence on three hosts. The attack used Squiblydoo to download eight pieces of malware. The most dangerous threat was a PowerShell variant of Mimikatz used to scrape credentials and potentially provide free reign across all devices on the network. Mimikatz was loaded directly into memory, bypassing Windows security. It then dropped Mirai and XMRRIG coinminer. Interestingly, the attack looked for and remediated other malware on the device so that it was the only coinminer. The BlueVoyant Threat Fusion Cell team continuously investigates the threat landscape to identify unknown and emerging threats. They provided our SOC with a list of indicators and a detailed write-up on this new fileless attack. When our client was hit by this attack, we were ready. Our SOC analysts immediately removed the artifacts used to create persistence in the infected devices. They updated a specific NextGen AV policy to block Squiblydoo. Our SOC analysts detected and blacklisted the eight pieces of malware. They used EDR (Endpoint Detection and Response) to analyze behaviors, confirm the legitimacy of any PowerShell executions, and investigate process ancestry. This was a very advanced attack with many moving parts, requiring multiple security tools, threat intelligence and an expert SOC analyst team to detect, respond and mitigate. Share: Facebook Twitter LinkedIn Related reading Why Bluevoyant BlueVoyant – Microsoft Security Consulting Potential Career Paths November 29, 2021 BlueVoyant is always looking for people who are flexible, willing to tackle new technologies, explore, get their hands on the latest cybersecurity tools,… Read more Malware AnchorDNS Comes Ashore: Evolutions in the TTPs of TrickBot November 12, 2021 Using our knowledge of AnchorDNS-now-Stickseed, BlueVoyant Third-Party Risk and Managed Security Services were able to identify a Stickseed attack in the… Read more Identifying Threats Pivoting on Compliance Efforts Under CMMC 2.0 November 9, 2021 The U.S. government released CMMC 2.0 on November 4, or less than one week ago. This brief summarizes what we currently know, key points that still need to… Read more
Why Bluevoyant BlueVoyant – Microsoft Security Consulting Potential Career Paths November 29, 2021 BlueVoyant is always looking for people who are flexible, willing to tackle new technologies, explore, get their hands on the latest cybersecurity tools,… Read more
Malware AnchorDNS Comes Ashore: Evolutions in the TTPs of TrickBot November 12, 2021 Using our knowledge of AnchorDNS-now-Stickseed, BlueVoyant Third-Party Risk and Managed Security Services were able to identify a Stickseed attack in the… Read more
Identifying Threats Pivoting on Compliance Efforts Under CMMC 2.0 November 9, 2021 The U.S. government released CMMC 2.0 on November 4, or less than one week ago. This brief summarizes what we currently know, key points that still need to… Read more
