March 22, 2017
TLP: WHITE | The NJCCIC assesses with high confidence that fileless and “non-malware” intrusion tactics pose high risk to organizations, both public and private, and will be increasingly employed by capable threat actors intent on stealing data or establishing persistence on networks to support ongoing espionage objectives or to enable future acts of sabotage. Furthermore, we assess most organizations are not currently equipped to defend against these tactics. The NJCCIC recommends all organizations reevaluate the capabilities and efficacy of their current cybersecurity technologies and processes, as well as their staffs, to ensure they are effectively managing and reducing the risk of data breaches and disruptive or destructive attacks conducted using fileless methods.
- While the definitions of fileless and non-malware are not yet universally agreed upon, and the terms are sometimes used interchangeably, fileless intrusions generally involve injecting malicious code into a targeted system’s memory or registry and do not require the installation of any files on the system’s hard drive. Similarly, non-malware tactics—also labeled as “malware-free” or “malwareless”—involve embedding malicious code into legitimate software already present on the targeted system, such as web browsers or Microsoft Office programs, or exploiting legitimate tools or functions within the native operating system.
- Windows PowerShell and Windows Management Instrumentation (WMI) are two of the most commonly exploited operating system tools; they are present on an overwhelming majority of Microsoft Windows-based enterprises and are widely used by system administrators to manage and automate tasks. Both can be manipulated by an unauthorized, remote threat actor to gain control of a system and steal, manipulate, or delete data. Mimikatz and Meterpreter are examples of fileless tools frequently used by malicious actors to compromise plaintext administrator credentials, escalate privileges, and establish control over a system to advance their objectives.
- According to Carbon Black, non-malware attacks leveraging PowerShell and WMI grew substantially in 2016, spiking 93.2 percent in the second quarter and growing to the highest level of the year in the fourth quarter. The hack of the Democratic National Committee, detailed in a report by CrowdStrike, is an example of PowerShell and WMI being used to establish persistence, move laterally within a network, and remain undetected.
To address the risk posed by fileless and non-malware tactics, organizations must first adopt a comprehensive cyber risk management framework and implement robust cybersecurity best practices and defensive measures, including, but not limited to, the bulleted items below. Additionally, organizations will need to employ enhanced logging, monitoring, and analysis of all network, host, and user activity to identify fileless tactics. To do so, enterprises may need to procure third-party products and managed services that include capabilities such as full system endpoint protection with memory and registry monitoring, behavioral analytics, next-generation firewalls, and email content inspection.
- Implement the Principle of Least Privilege for all user accounts and enable User Account Control (UAC).
- Regularly audit and verify all administrator accounts; remove those that are no longer required.
- Enforce a tiered administrative model with dedicated workstations and separate administrator accounts that are used exclusively for each tier to prevent tools, such as Mimikatz, from harvesting domain-level credentials.
- Instruct administrators to use non-privileged accounts for standard functions such as web browsing and email.
- Configure Group Policy to restrict all users to only one login session, where possible.
- Ensure your enterprise is running the latest version of PowerShell (version 5.1.14393), or disable the use of PowerShell if it is unneeded; enable enhanced logging features, including module and script block logging.
- Monitor both inbound and outbound network traffic for anomalies and proactively block known malicious IPs.
- Turn on and monitor event logging (applications, events, login activities, service creation, security attributes).
- Secure logs, preferably in a centralized location, and protect them from modification.
- If possible, configure system-wide transcription to send a log of all activity per user, per system to a write-only share and ingest the transcript text files into a centralized platform for regular analysis.
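The PowerShell logging and transcription measures above (module logging, script block logging, and per-user, per-system transcripts sent to a central share) are normally deployed through Group Policy under Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell. The following script is an added example, not part of the NJCCIC advisory, that writes the same policy registry values directly on a single host for testing, checks the installed PowerShell version, and then reads back recent script block events (Event ID 4104) to confirm the logs are populated. The share path `\\LOGSERVER\PSTranscripts$` and the helper functions `Set-PolicyValue` and `Get-RecentScriptBlockEvents` are assumptions for this example.

```powershell
# Added example (not the advisory's own script): turn on the PowerShell logging
# features recommended above using the registry values that the equivalent
# Group Policy settings write. Run from an elevated PowerShell 5.x session on
# a test host first. \\LOGSERVER\PSTranscripts$ is a placeholder for a
# write-only share you control.

#Requires -RunAsAdministrator

$TranscriptShare = '\\LOGSERVER\PSTranscripts$'   # placeholder share path
$PolicyRoot      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Helper (assumed name): create a policy subkey if needed and set one value on it.
function Set-PolicyValue {
    param([string]$SubKey, [string]$Name, $Value, [string]$Type = 'DWord')
    $path = Join-Path $PolicyRoot $SubKey
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 1. Script block logging requires PowerShell 5.0 or later; warn if the host is older.
$ver = $PSVersionTable.PSVersion
if ($ver.Major -lt 5) {
    Write-Warning "PowerShell $ver is below 5.0; upgrade before relying on these logs."
}

# 2. Module logging: record pipeline execution details for every module (Event ID 4103).
Set-PolicyValue -SubKey 'ModuleLogging' -Name 'EnableModuleLogging' -Value 1
Set-PolicyValue -SubKey 'ModuleLogging\ModuleNames' -Name '*' -Value '*' -Type 'String'

# 3. Script block logging: log the de-obfuscated text of every script block that runs (Event ID 4104).
Set-PolicyValue -SubKey 'ScriptBlockLogging' -Name 'EnableScriptBlockLogging' -Value 1

# 4. Transcription: write a transcript per user and session, with invocation
#    timestamps, to the central share rather than to the local disk.
Set-PolicyValue -SubKey 'Transcription' -Name 'EnableTranscripting'    -Value 1
Set-PolicyValue -SubKey 'Transcription' -Name 'EnableInvocationHeader' -Value 1
Set-PolicyValue -SubKey 'Transcription' -Name 'OutputDirectory' -Value $TranscriptShare -Type 'String'

# 5. Verification (assumed helper name): once a new session has run, 4104 events
#    carry the script text in the third event property.
function Get-RecentScriptBlockEvents {
    param([int]$Count = 10)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } }
}

Get-RecentScriptBlockEvents
```

The transcript share should be writable but not readable by the workstations that send to it, so that a compromised host cannot read or alter its own history; the 4104 and 4103 events in the Microsoft-Windows-PowerShell/Operational log are what the centralized logging platform should be forwarding for analysis.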
Traffic Light Protocol: WHITE information may be distributed without restriction.