Malware News Top 5: Things to know about fileless attacks

LASER_oneXM
April 26, 2018, 5:30 AM PST
Fileless attacks are particularly tricky because they don't require anything to be installed before causing harm. Here are the basics you should know about this type of threat.

Securing your company does mean stopping malware. But in the ever evolving security war, bad actors are turning to what are called fileless attacks that don't require a payload or tricking someone into installing them.

Easy for the bad people, but harder for you.

Here are five things to know about fileless attacks:

1. They masquerade inside trusted software.
According to Carbon Black's 2017 Threat Report, fileless malware attacks leveraging PowerShell or Windows Management Instrumentation tools made up 52% of all attacks for the year.

2. They work by stealing user names and passwords, especially using phishing attacks.
Once you have those, especially from high-level users, you don't need malware running. The bad folks just log in on domain accounts or as an IP administrator and take what they want.
....
So which specific processes should be blocked, in order to control WMI?
Sorry, wrong wording. I only disable the WMI service; it is only a partial protection against WMI attacks. Going all the way would also require disabling the Task Scheduler service, but that would cripple updating certificates and much, much more.
 
So which specific processes should be blocked, in order to control WMI?
Blocking all possibilities of using WMI by the attackers would not be very usable. Some WMI classes are not available when UAC is turned ON, so there is another reason for keeping it ON.

Most WMI attacks are performed via scripts/scriptlets/macros. So, the best method is disabling/restricting the above. This is also related to blocking active content in documents, etc.
 
Blocking scrcons.exe (WMI Standard EventConsumer - scripting application) can help in some cases - such a script attack method is hard to detect (used by the attackers in the wild). One can also prevent payload execution from the script by blocking process execution from WmiPrvSE.exe (like in NVT OSArmor). But there are also some other WMI methods left.
The more comprehensive solution will be for sure Comodo Firewall (or another good default-deny protection).:)
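As an added defender-side check (example code, not from the thread or any of the products named): a PowerShell script that lists the permanent WMI event subscriptions that scrcons.exe (script consumers) and WmiPrvSE.exe (command-line consumers) would execute, so you can see whether anything unexpected is registered. It assumes Windows PowerShell 5.1 or later and an elevated prompt; it is read-only.

```powershell
# Added example: audit permanent WMI event subscriptions in root/subscription.
# ActiveScriptEventConsumer instances are run by scrcons.exe, CommandLineEventConsumer
# instances are spawned under WmiPrvSE.exe. A clean workstation usually has none or
# only Microsoft/vendor entries; review anything else. Nothing here is modified.

$ns = 'root/subscription'
$ea = @{ Namespace = $ns; ErrorAction = 'SilentlyContinue' }

$filters  = Get-CimInstance @ea -ClassName __EventFilter
$bindings = Get-CimInstance @ea -ClassName __FilterToConsumerBinding
$script   = Get-CimInstance @ea -ClassName ActiveScriptEventConsumer
$cmdline  = Get-CimInstance @ea -ClassName CommandLineEventConsumer

Write-Host "== Script consumers (executed by scrcons.exe) =="
$script | Select-Object Name, ScriptingEngine, ScriptFileName,
    @{ n = 'ScriptTextPreview'; e = {
        $t = [string]$_.ScriptText          # [string] turns $null into ''
        $t = $t -replace '\s+', ' '
        $t.Substring(0, [Math]::Min(120, $t.Length)) } } |
    Format-List

Write-Host "== Command-line consumers (spawned under WmiPrvSE.exe) =="
$cmdline | Select-Object Name, ExecutablePath, CommandLineTemplate | Format-List

# Helper: a reference property may come back as a CimInstance (CIM cmdlets) or as an
# object-path string such as __EventFilter.Name="x" (assumption: handle both forms).
function Get-RefName($ref) {
    if ($null -eq $ref) { return $null }
    if ($ref -is [string]) { return ($ref -split '"')[1] }
    return $ref.Name
}

Write-Host "== Bindings: which WQL filter triggers which consumer =="
$bindings | ForEach-Object {
    $fname = Get-RefName $_.Filter
    [pscustomobject]@{
        Filter   = $fname
        Query    = ($filters | Where-Object Name -eq $fname).Query
        Consumer = Get-RefName $_.Consumer
    }
} | Format-Table -AutoSize -Wrap

# For ongoing detection rather than a one-off audit, Sysmon logs creation of these
# objects as Event IDs 19 (WmiEventFilter), 20 (WmiEventConsumer) and
# 21 (WmiEventConsumerToFilter).
```

A filter whose query watches for process starts or timer ticks, bound to a consumer with inline VBScript/JScript or a cmd/powershell command line, is the pattern worth a second look.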
 
SRP can be used in a wide spectrum of restrictions. It can be applied as a prophylactic solution up to a highly restricted one (unusable for most users) - too much medicine is not healthy.
Using basic SRP settings as a backup for a free AV (Defender, Avast, etc.) is a good solution.
Comodo Firewall is another example - using HIPS + Firewall + Sandbox with some advanced settings, could probably stop all malware in the wild (except kernel exploits). But, in the end, no one uses Comodo Firewall in this way.
The most promising solution is keeping the balance between the level of security, knowledge and healthy habits.
 
AppGuard or VS are also useful against fileless attacks.
AppGuard is SRP + light Sandboxing (guarded applications), so is useful against all kinds of malware.
VoodooShield is Anti-Exe + some other smart functions (like MS Office application anti-exploit), and can also prevent most fileless attacks. Both are smart default-deny solutions.

But home users should know that in the home environment, 99% of fileless attacks in fact start from:
  • some malicious files (with embedded active content) that users downloaded to the disk. The common infection vector is via e-mail document attachments (DOC, RTF, PDF, etc.).
  • malicious websites + an exploited web browser.
Fileless is not magic; it can be prevented by home users using well-known methods, like:
  • opening unsafe documents with blocked active content (protected view),
  • adopting secure DNS, an ad-blocker, anti-phishing,
  • using a web browser with a good sandbox (Edge, Chrome) or protecting the web browser with a sandboxing application (ReHIPS, Sandboxie),
  • using anti-spam filters,
  • using TBC (Think Before Clicking) to avoid CAC (Cry After Clicking)
  • etc.
 
Also good to know. You folks are so helpful to the less technically inclined!(y)
 
  • using TBC (Think Before Clicking) to avoid CAC (Cry After Clicking)

I know well everything else you said. But is there a specific software for this? I doubt it has yet been invented. Unfortunately ... I do not think so. The basics of education are lacking.
 
I know well everything else you said. But is there a specific software for this? I doubt it has yet been invented. Unfortunately ... I do not think so. The basics of education are lacking.
The MalwareTips & Wilderssecurity forums are good starting points for everyone.:)(y)
 
@Andy Ful
You are definitely right. But do you know someone who reads the instructions of household appliances, the dosage of medicines, Ikea instructions? Do you really think they are reading MT or WS? If it were for me, I would put it as a lesson at school.
 
You are definitely right. But do you know someone who reads the instructions of household appliances, the dosage of medicines, Ikea instructions? Do you really think they are reading MT or WS? If it were for me, I would put it as a lesson at school.
That is right, if we are talking about the average users. Security issues are completely abandoned in teaching informatics and in corporate computer training.
 
@Andy Ful
do you know someone who reads the instructions of household appliances, the dosage of medicines, Ikea instructions? Do you really think they are reading MT or WS?

:giggle: