HOW AN END-TO-END FILELESS ATTACK TAKES PLACE

To explain how fileless attacks work, this infographic illustrates a real-world fileless intrusion uncovered by the CrowdStrike Services incident response (IR) team. See how a skillful adversary can avoid detection and conduct a successful attack without writing malicious executable files to disk.

FOR EACH STEP OF THE ATTACK, THE ADVERSARY HAS THREE ELEMENTS: A GOAL, A TOOL AND A TECHNIQUE

01 GOAL: GAIN ACCESS
The attacker gains remote access to the victim's system to establish a beachhead for the attack.
TECHNIQUE: REMOTELY EXPLOIT A VULNERABILITY AND USE WEB SCRIPTING FOR REMOTE ACCESS, E.G. CHINA CHOPPER.

02 GOAL: STEAL CREDENTIALS
Using the access gained in the previous step, the attacker now tries to obtain credentials for the compromised environment, which allow easy movement to other systems in that environment.
TECHNIQUE: RUN A POWERSHELL SCRIPT TO DUMP CREDENTIALS, E.G. MIMIKATZ.

03 GOAL: MAINTAIN PERSISTENCE
Now the attacker sets up a backdoor that allows a return to this environment at will, without having to repeat the initial steps of the attack.
TECHNIQUE: MODIFY THE REGISTRY TO CREATE A BACKDOOR, E.G. A STICKY KEYS BYPASS.

04 GOAL: EXFILTRATE DATA
In the final step, the attacker gathers the wanted data and prepares it for exfiltration, copying it to one location and then compressing it with readily available system tools such as Compact (compact.exe). The attacker then removes the data from the victim's environment by uploading it via FTP.
TECHNIQUE: USE THE FILE SYSTEM AND A BUILT-IN COMPRESSION UTILITY TO GATHER DATA, THEN USE FTP TO UPLOAD THE DATA.
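The Sticky Keys bypass named in step 03 is a persistence trick that needs no malware on disk: a Debugger value under the Image File Execution Options (IFEO) key for sethc.exe makes Windows start an attacker-chosen program (classically cmd.exe) instead of the Sticky Keys helper, and because sethc.exe can be launched from the logon screen, that program runs as SYSTEM before anyone logs on. The audit script below is an added example; it is not part of the CrowdStrike infographic and not CrowdStrike tooling. It checks a host for that registry form of the backdoor and, as an extension beyond the page, also covers the other accessibility binaries reachable from the logon screen and the older on-disk variant in which the binary itself is overwritten with a copy of cmd.exe. Function and parameter names are this example's own choices.

```powershell
# Added audit script (not from the infographic). Run from an elevated,
# 64-bit PowerShell prompt so HKLM and System32 are read without redirection.

# Accessibility binaries that Windows will launch from the logon screen.
# sethc.exe is the one the infographic names; the rest are an assumed
# extension, since the same IFEO trick applies to each of them.
$AccessibilityBinaries = @('sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
                           'magnify.exe', 'displayswitch.exe', 'atbroker.exe')

function Get-AccessibilityDebuggerHijack {
    # Registry variant (the one described in step 03): a Debugger value under
    # IFEO\<binary> makes Windows run that program in place of the binary.
    param([string[]]$Binaries = $AccessibilityBinaries)

    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

    foreach ($bin in $Binaries) {
        $key = Join-Path $ifeo $bin
        if (-not (Test-Path -Path $key)) { continue }

        # Legitimate IFEO subkeys for these binaries carry no Debugger value,
        # so any Debugger value here is a finding worth investigating.
        $props = Get-ItemProperty -Path $key -Name 'Debugger' -ErrorAction SilentlyContinue
        if ($null -ne $props -and $props.Debugger) {
            [pscustomobject]@{
                Binary   = $bin
                Location = $key
                Detail   = $props.Debugger
                Finding  = 'IFEO Debugger hijack (Sticky Keys style backdoor)'
            }
        }
    }
}

function Get-AccessibilityBinarySwap {
    # On-disk variant (added extension, not described by the infographic):
    # the accessibility binary is overwritten with a copy of cmd.exe.
    # A SHA-256 comparison only catches an exact copy of cmd.exe; a swapped-in
    # copy of another program would need a signature or catalog check instead.
    param([string[]]$Binaries = $AccessibilityBinaries)

    $system32 = Join-Path $env:SystemRoot 'System32'
    $cmdHash  = (Get-FileHash -Path (Join-Path $system32 'cmd.exe') -Algorithm SHA256).Hash

    foreach ($bin in $Binaries) {
        $path = Join-Path $system32 $bin
        if (-not (Test-Path -Path $path)) { continue }

        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        if ($hash -eq $cmdHash) {
            [pscustomobject]@{
                Binary   = $bin
                Location = $path
                Detail   = "SHA256 $hash matches cmd.exe"
                Finding  = 'Binary replaced with a copy of cmd.exe'
            }
        }
    }
}

# Collect findings from both checks; an empty result means neither variant
# was found for these binaries on this host.
$findings = @(Get-AccessibilityDebuggerHijack) + @(Get-AccessibilityBinarySwap)
if ($findings.Count -eq 0) {
    Write-Output 'No accessibility-binary backdoor found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit from either function is a persistence artifact, not proof of the whole intrusion: preserve the registry key and file before touching them, and treat the host as a pivot point to trace the earlier steps (initial access and credential theft) rather than simply removing the Debugger value.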
78% OF ORGANIZATIONS ARE CONCERNED WITH FILELESS ATTACKS*
83% OF SECURITY PROFESSIONALS WANT MORE INFORMATION ABOUT FILELESS ATTACKS**
CrowdStrike Falcon® endpoint protection prevents and detects fileless attacks and other advanced threats via a single lightweight agent.
Visit the CrowdStrike website at www.crowdstrike.com
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. CONFIDENTIAL - DO NOT DISTRIBUTE.
3 KEY TAKEAWAYS
1 - THE THREAT OF FILELESS ATTACKS IS REAL
2 - TRADITIONAL DEFENSES CANNOT STOP FILELESS ATTACKS
3 - SECURITY TEAMS NEED TO THINK BEYOND MALWARE AND FOCUS ON STOPPING THE BREACH
LEARN MORE:
WATCH AN ON-DEMAND VIDEO: Understanding Fileless Attacks and How to Stop Them
READ THE WHITE PAPER: Who Needs Malware? How Adversaries Use Fileless Attacks to Evade Your Security
VISIT OUR WEBSITE to learn how the CrowdStrike Falcon® Platform prevents and detects fileless attacks with a single lightweight agent

*ESG TRENDS IN ENDPOINT SECURITY SURVEY 2017
**CROWDSTRIKE FILELESS WEBCAST SURVEY