Memory-Based Attacks are on the Rise: How to Stop Them

You may have heard a lot lately about memory-based attacks, fileless attacks, and living-off-the-land attacks. If so, that is excellent that you are staying up to date. These are all also referring to the same thing. As the name suggests, this is an attack on the system’s memory, which can include the ROM or RAM.

Attackers are increasingly using this type of attack because it works. It is less detectable by antivirus (AV) engines and even by some next-gen AV solutions. Because of this, the adversaries using this technique are more likely to succeed in their mission, which is to steal your stuff – whether it be credentials, trade secrets, or your computing resources.

The way this type of attack works is that it focuses on getting instructions in or data out of the memory, rather than traditional focus areas, such as the disk file directories or registry keys. The way these attacks are typically carried out is as follows:

  • Step 1: A script or file gets onto the endpoint. It evades detection because it looks like a set of instructions instead of having typical file features.
  • Step 2: Those instructions get loaded into the machine (we will explain where and how later).
  • Step 3: Once they execute, they are working using the system’s own tools and resources to carry out the attack.

A common example of this attack uses a combination of Word macros, Powershell, Meterpreter, and Mimikatz. These native tools, as well as web applications, run in memory and have a high level of execution rights.

What happens is that a user will receive a Word document containing macros via email, which they will be asked to enable after they open the document. The macros’ instructions then reach out to a Command and Control (C2) server to (Read more...)

*** This is a Security Bloggers Network syndicated blog from Cylance Blog authored by Josh Fu. Read the original post at: