Hi everyone, I wonder what everybody is doing regarding fileless attacks? See coverage: https://securelist.com/blog/research/77403/fileless-attacks-against-enterprise-networks/ and https://www.carbonblack.com/2017/02/10/non-malware-fileless-attack/
I have disabled WSH and removed powershell, that should take care of it. SmadAV has got the same idea.
VooDooShield would prevent PowerShell from running, and Comodo would run it virtualized, since the parent process is unknown.
Overall, I will say this about fileless malware. There are two phases to it.

Phase 1 is the payload download and its resultant execution in memory. The payload download can be accomplished through any of the multiple ways that malware currently uses to do so. The method currently preferred by this malware is the use of phishing e-mails or the exploitation of an existing OS or app software vulnerability. Almost all the e-mail attacks require the user to open an attachment, click on an infected embedded link, etc. Also, many of these e-mail attacks require the target to disable existing e-mail protections, such as opening a Word or .pdf document outside of protected mode, enabling macro or VBA script execution, etc. Exploit prevention can be had by, first, keeping all OS and app software up to date with all available patches applied and, second, by employing anti-exploit security software. Additional protections are sandboxing Internet-facing apps such as browsers, pdf readers, etc.

Phase 2 is the persistence phase, where the malware runs at each subsequent machine startup. This phase does require the malware to store data on the OS installation medium. At a minimum, OS registry modification is required. Although conventional security software should be able to detect this activity, the problem is that by this time the malware is well entrenched in the system. As such, it can employ an arsenal of attack strategies to avoid disk activity detection, such as using legit Windows OS processes to perform the activity.

You want to stop fileless malware prior to payload execution. Once the payload successfully runs, it is a downhill losing battle thereafter.

-EDIT- As far as fileless malware protection goes, a large percentage of fileless malware employs scripts. Short of outright blocking/monitoring of PowerShell, Java, and Windows scripts as many Wilders members do, your best protection is to upgrade to Win 10 if you have not already done so. Win 10 employs the Anti-malware Scan Interface, i.e. AMSI, to monitor the execution of packed and obfuscated malware scripts. Windows Defender on Win 10 uses AMSI by default. If you use a third-party AV solution, ensure it also deploys AMSI. Additionally, the third-party AV solution should employ advanced memory scanning, i.e. AMS, features that allow it to monitor process execution. Since AMS is post-execution monitoring, there is always a chance of partial malware infection, but the degree of this will be limited in scope and can usually be easily remedied after malware termination by the AV solution.
Hi, I think I'll block script engines like others do:
powershell.exe
powershell_ise.exe
wscript.exe
cscript.exe
mshta.exe
ScriptRunner.exe (only on Win 10 Pro)
Hi boredog, I block them using Software Restriction Policy on Win 10 Pro, and Simple Software Restriction Policy on Win 10 Home. (SSRP is a free application.) By just stating the EXE name, and not a path, you block both the 32-bit and 64-bit versions wherever they reside.
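To check on a given machine which of those engines actually have a Disallowed SRP rule, and whether both the System32 and SysWOW64 copies are covered, here is an added PowerShell audit script; it is my own example, not code from this thread, SSRP or Hard_Configurator, and it assumes the standard SRP registry location and the engine install directories listed in the comments.

```powershell
# Added audit script (not from the thread): report which script engines have an
# SRP "Disallowed" path rule, and whether a rule covers every on-disk copy.
# Assumption: SRP rules live in the standard HKLM Safer\CodeIdentifiers key.
$engines = 'powershell.exe','powershell_ise.exe','wscript.exe','cscript.exe',
           'mshta.exe','ScriptRunner.exe'

# Directories the engines normally live in (assumed); the two PowerShell
# folders cover the 64-bit host and the 32-bit host under SysWOW64.
$dirs = "$env:SystemRoot\System32",
        "$env:SystemRoot\SysWOW64",
        "$env:SystemRoot\System32\WindowsPowerShell\v1.0",
        "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0"

# Security level 0 = Disallowed. Each rule is a subkey whose ItemData holds the path.
$srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$rules = @()
if (Test-Path "$srp\0\Paths") {
    $rules = Get-ChildItem "$srp\0\Paths" |
        ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData } |
        Where-Object { $_ }
}

function Test-RuleCovers([string]$rule, [string]$file) {
    # Rules may contain environment variables; expand them before comparing.
    $r = [Environment]::ExpandEnvironmentVariables($rule)
    # A bare file name (no directory part) matches the EXE wherever it resides,
    # which is why naming only the EXE covers both System32 and SysWOW64.
    if ($r -notmatch '[\\/]') { return (Split-Path $file -Leaf) -ieq $r }
    # A directory rule covers everything beneath it; a full path must match exactly.
    return ($file -ieq $r) -or
           ($file.ToLower().StartsWith($r.TrimEnd('\').ToLower() + '\'))
}

foreach ($exe in $engines) {
    foreach ($dir in $dirs) {
        $file = Join-Path $dir $exe
        if (-not (Test-Path $file)) { continue }   # engine not installed here
        $covered = @($rules | Where-Object { Test-RuleCovers $_ $file }).Count -gt 0
        [pscustomobject]@{ Path = $file; Disallowed = $covered }
    }
}
```

Any row showing Disallowed = False is a copy of an engine that no rule at the Disallowed level reaches; SSRP and Hard_Configurator write to the same key, so the audit applies to either tool.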
What is this? Does it cover both the sys32 folder and the syswow64 folder for the same EXEs? Currently I use Appguard for these EXEs.
"Simple Software-Restriction Policy - A security enhancement for Windows XP, 7, 8, 10 (Home or Pro)" http://iwrconsultancy.co.uk/softwarepolicy https://www.wilderssecurity.com/thr...-policies-on-any-windows-edition-free.359155/
May I suggest Hard_Configurator_3.0.0.1.zip over SSRP? Program web page: GitHub - AndyFul/Hard_Configurator: GUI to Manage Software Restriction Policies and harden Windows Home OS
Neither SSRP nor Hard Configurator is needed when you use Appguard; Appguard does the same thing more simply and has additional strong features like Memory Guard.