Poweliks - downloading powershell

Discussion in 'malware problems & news' started by gambla, Jan 24, 2021.

  1. gambla

    gambla Registered Member

    Hey guys,
    looking into fileless malware, I can't find any details on how exactly the malware is downloading PowerShell if it is not present on the victim's system? The second question would be how to prevent this.

    Thanks guys,
    Regards
     
  2. Floyd 57

    Floyd 57 Registered Member

    https://www.mcafee.com/enterprise/en-us/assets/solution-briefs/sb-fileless-malware-execution.pdf
    https://us.norton.com/internetsecurity-malware-what-is-fileless-malware..html
    https://www.varonis.com/blog/fileless-malware/
    https://www.pandasecurity.com/en/mediacenter/malware/powershell-fileless-malware-attack-vector/
    https://lifars.com/2020/11/what-is-fileless-malware-how-does-it-work/
    https://bensanchez.jp/fileless-malware-obfuscating-malware-using-powershell-scripts/
    https://securityintelligence.com/news/fileless-malware-loaded-into-memory-via-powershell/
    https://www.cybereason.com/blog/fileless-malware
    https://www.malwarefox.com/fileless-malware/
    https://techtalk.pcmatic.com/2017/06/15/fileless-malware-explained/

    I'm actually gonna read this myself when I've got more time, these are just the top 10 results from a search.
     
  3. gambla

    gambla Registered Member

    Thanks Floyd, I've already read quite a few of these articles but didn't find an answer to my question, hence asking here. They usually just say that the malware is downloading PowerShell, but not exactly how it's done.
    Would a HIPS catch this? Do they use BITS? Can't find any details.
     
  4. itman

    itman Registered Member

    It only does so if PowerShell is not installed. It downloads it like any other malware downloads a file. Since it's a trusted Microsoft process, there is no SmartScreen alert when it runs, and no alerts from AVs either.

    In most cases, PoweLiks will download PowerShell 2.0. However, it will only run by default on Win 7 since it requires .Net 2.0 or 3.5 to be installed. By default, neither .Net version is installed in Win 10. The problem is Win 10 will auto install either .Net ver. if an app requires it.

    In reality, malware doesn't need the Powershell .exe at all. It will just run its sub-assemblies via .Net interface.
     
  5. gambla

    gambla Registered Member

    Thank you itman for the explanation! Wouldn't this download trigger a good and properly configured HIPS/firewall?
     
  6. itman

    itman Registered Member

    As a rule, your AV should be scanning anything downloaded and stored on the disk.

    The problem with a nefarious PowerShell 2.0 download is that it can be written to any folder and run from that folder. The only product that can block a PowerShell 2.0 download executing from anywhere is OSArmor. Most HIPSs require that the full path be specified when monitoring a given app's startup.
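    The points above (a dropped PowerShell 2.0 engine needs .NET 2.0/3.5, it can run from any folder, and path-based HIPS rules miss it) can be checked from the defender's side. The following script is an added example, not code from the thread or from any of the products named in it; it assumes Windows 10/11 and an elevated prompt for the optional-feature queries.

    ```powershell
    # Added example (not from the thread): report exposure to the PowerShell 2.0
    # downgrade path discussed above, and offer the standard mitigation.
    # Assumes Windows 10/11 and an elevated prompt (Get-/Disable-WindowsOptionalFeature).

    function Get-PSv2ExposureReport {
        # 1. Is the legacy v2 engine (and the .NET 3.5 it depends on) installed?
        #    A dropped PS 2.0 payload needs this engine; without it there is nothing to run on.
        $v2     = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
        $netfx3 = Get-WindowsOptionalFeature -Online -FeatureName NetFx3

        # 2. Has a 2.0 engine actually been started? Event 400 in the classic
        #    "Windows PowerShell" log records EngineVersion on every engine start,
        #    so a match on EngineVersion=2.0 is the usual downgrade indicator.
        $v2Starts = Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } `
                        -ErrorAction SilentlyContinue |
                    Where-Object { $_.Message -match 'EngineVersion=2\.0' }

        # 3. Is a powershell.exe running from outside the Windows directory?
        #    This is the "written to any folder and run from there" case a
        #    full-path HIPS rule would not catch. (Constructed check; the
        #    legitimate binary lives under $env:SystemRoot.)
        $sysRoot = $env:SystemRoot
        $rogue = Get-Process -Name powershell -ErrorAction SilentlyContinue |
                 Where-Object { $_.Path -and
                                -not $_.Path.StartsWith($sysRoot, [StringComparison]::OrdinalIgnoreCase) }

        [pscustomobject]@{
            V2EngineState   = $v2.State
            NetFx3State     = $netfx3.State
            V2EngineStarts  = @($v2Starts).Count
            RoguePowerShell = @($rogue | Select-Object -ExpandProperty Path)
        }
    }

    function Disable-PSv2Engine {
        # Mitigation: remove the v2 engine so a downgrade to 2.0 has nothing to run on.
        Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart
    }

    Get-PSv2ExposureReport | Format-List
    ```

    Run the report first; if V2EngineState is Enabled and nothing in your environment needs the 2.0 engine, Disable-PSv2Engine removes the prerequisite the thread describes.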
     
  7. gambla

    gambla Registered Member

    Thanks itman.
     
  8. itman

    itman Registered Member

    For an interesting read on how to bypass PowerShell execution blocking, scroll down to this section:
    in this article: https://www.infosecmatter.com/19-ways-to-bypass-software-restrictions-and-spawn-a-shell/ .

    Thankfully, most but not all of these require .Net 2.0 or 3.5 to be installed.
     
  9. Floyd 57

    Floyd 57 Registered Member

  10. gambla

    gambla Registered Member

    Thanks guys !
     