
PowerShell Attack Prevention

Attack vectors are getting more sophisticated every day. Fileless attacks are rising significantly, with 77% of successful attacks now using fileless exploits (PeerLyst) to evade traditional signature-based antivirus (AV) software. PowerShell attack prevention is an essential tool in the fight against all cyberattacks. Fileless PowerShell attacks are now the weapon of choice for many of these attacks because PowerShell provides a number of techniques for bypassing existing security, not least the ability to run directly in memory and to download payloads remotely.

Traditional security products cannot prevent PowerShell attacks because they use ineffective signature-based techniques. Since PowerShell is a core part of the operating system, can be easily obfuscated and bypasses application whitelisting, attack scripts can easily evade detection.

BlackFog provides protection from the following fileless PowerShell attacks:


We have discussed many of the techniques used by fileless PowerShell attacks, but how do they propagate within an organization? PowerShell attacks are normally used at the start of a new attack because they can go undetected. As such, they are most often used to launch a larger payload for an attack. They are most often encapsulated in email attachments with various extensions such as .wsf, .html, .pdf, .js or any Office extension such as .pptx, .xlsx etc.

Another common method of propagation is within Office macros. This is a very specialized technique because the macro does not actually contain the code itself; instead, the code can be present in metadata such as table cells. This executes the command directly, so any macro scanning would not detect problems.
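Because the command described above sits in document data such as table cells rather than in the macro, a check has to read the document's XML parts as well as its macro project. The following is an added example, not BlackFog's code or method: a Python sketch that lists text nodes naming the PowerShell host in an Office Open XML file. The regex heuristic, function names, size limit and sample archive are assumptions constructed for illustration.

```python
import html
import io
import re
import zipfile

# Heuristic (assumption of this example): document text that names the
# PowerShell host is worth a closer look when it appears in cell or property data.
SUSPICIOUS = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.IGNORECASE)
TEXT_NODE = re.compile(r">([^<]+)<")   # text between tags, no XML parser needed
MAX_PART_BYTES = 5 * 1024 * 1024       # refuse to inflate oversized parts

def scan_ooxml(data: bytes) -> list:
    """Return (part name, text) pairs for XML parts whose text names PowerShell."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".xml"):
                continue  # binary parts (e.g. vbaProject.bin) are the macro scanner's job
            if info.file_size > MAX_PART_BYTES:
                hits.append((info.filename, "<part too large to scan>"))
                continue
            markup = zf.read(info).decode("utf-8", errors="replace")
            for raw in TEXT_NODE.findall(markup):
                text = html.unescape(raw).strip()  # undo &amp; and similar escapes
                if SUSPICIOUS.search(text):
                    hits.append((info.filename, text))
    return hits

def build_sample(cell_text: str = "powershell.exe -EncodedCommand CONSTRUCTED_PLACEHOLDER") -> bytes:
    """Constructed sample: a minimal .xlsx-like archive; cell_text goes in one cell."""
    shared = (
        '<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
        "<si><t>Quarterly totals</t></si>"
        f"<si><t>{cell_text}</t></si></sst>"
    )
    core = '<cp:coreProperties xmlns:cp="urn:constructed"><title>Report</title></cp:coreProperties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/sharedStrings.xml", shared)
        zf.writestr("docProps/core.xml", core)
        zf.writestr("xl/vbaProject.bin", b"constructed stub, not a real macro project")
    return buf.getvalue()

if __name__ == "__main__":
    for part, text in scan_ooxml(build_sample()):
        print(f"{part}: {text}")
```

A hit is a reason to inspect the attachment, not a verdict: the pattern is a plain string match and will miss text that has been obfuscated or split across elements.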

PowerShell attacks represent a large proportion of new fileless attack techniques. By default this option is enabled on all new BlackFog installs.
