Transcript
Page 1:

HOW AN END-TO-END FILELESS ATTACK TAKES PLACE

To explain how fileless attacks work, this infographic illustrates a real-world fileless intrusion uncovered by the CrowdStrike Services incident response (IR) team. See how a skillful adversary can avoid detection and conduct a successful attack without writing malicious executable files to disk.

FOR EACH STEP OF THE ATTACK, THE ADVERSARY HAS THREE ELEMENTS: A GOAL, A TOOL AND A TECHNIQUE

01 GOAL: GAIN ACCESS
The attacker gains remote access to the victim's system to establish a beachhead for his attack.
TECHNIQUE: Remotely exploit a vulnerability and use web scripting for remote access, e.g. China Chopper.

02 GOAL: STEAL CREDENTIALS
Using the access gained in the previous step, the attacker now tries to obtain credentials for the environment he has compromised, allowing him to easily move to other systems in that environment.
TECHNIQUE: Run a PowerShell script to dump credentials, e.g. Mimikatz.

03 GOAL: MAINTAIN PERSISTENCE
Now the attacker sets up a backdoor that will allow him to return to this environment at will, without having to repeat the initial steps of the attack.
TECHNIQUE: Modify the registry to create a backdoor, e.g. a Sticky Keys bypass.

04 GOAL: EXFILTRATE DATA
In the final step, the attacker gathers the data he wants and prepares it for exfiltration, copying it to one location and then compressing it using readily available system tools such as Compact. The attacker then removes the data from the victim's environment by uploading it via FTP.
TECHNIQUE: Use the file system and a built-in compression utility to gather data, then use FTP to upload the data.
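A detection example added here, not part of the infographic or of CrowdStrike's tooling, that correlates the four stages above over constructed endpoint telemetry: a web server worker spawning a shell, PowerShell with credential-dumping indicators, an Image File Execution Options Debugger write (the Sticky Keys style backdoor), and built-in compression followed by ftp.exe. The log format, host names, times and command lines are assumptions made up for the example.

```python
import re

# Constructed sample telemetry (not from the infographic): time|host|type|key=value fields
SAMPLE_EVENTS = [
    "10:01|web01|process|parent=w3wp.exe image=cmd.exe cmdline=cmd.exe /c whoami",
    "10:02|fs02|process|parent=explorer.exe image=powershell.exe cmdline=powershell Get-ChildItem",
    "10:05|web01|process|parent=cmd.exe image=powershell.exe cmdline=powershell -nop -w hidden Invoke-Mimikatz",
    "10:09|web01|registry|key=HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
    "\\Image File Execution Options\\sethc.exe value=Debugger data=<constructed>",
    "10:20|web01|process|parent=cmd.exe image=compact.exe cmdline=compact /c /s:C:\\staging",
    "10:25|web01|process|parent=cmd.exe image=ftp.exe cmdline=ftp -s:upload.txt",
]

def parse_event(line):
    time, host, etype, fields = line.split("|", 3)
    event = {"time": time, "host": host, "type": etype}
    for key, val in re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", fields):  # values may contain spaces
        event[key] = val
    return event

# Stages 01-03 are single-event indicators; stage 04 needs state (compress, then FTP).
STAGES = [
    ("01 gain access: web server worker spawning a shell",
     lambda e: e["type"] == "process" and e.get("parent") == "w3wp.exe"
     and e.get("image") in ("cmd.exe", "powershell.exe")),
    ("02 steal credentials: PowerShell credential dumping",
     lambda e: e["type"] == "process" and e.get("image") == "powershell.exe"
     and re.search(r"mimikatz|lsass", e.get("cmdline", ""), re.I) is not None),
    ("03 persistence: IFEO Debugger value written (Sticky Keys style backdoor)",
     lambda e: e["type"] == "registry" and e.get("value") == "Debugger"
     and "Image File Execution Options" in e.get("key", "")),
]
EXFIL_STAGE = "04 exfiltration: built-in compression followed by FTP"

def detect_chain(lines):
    """Return {host: [(stage, time), ...]} in observed order, one entry per stage."""
    hits, compressed = {}, set()
    for event in map(parse_event, lines):
        host_hits = hits.setdefault(event["host"], [])
        seen = {stage for stage, _ in host_hits}
        for stage, matches in STAGES:
            if stage not in seen and matches(event):
                host_hits.append((stage, event["time"]))
        if event["type"] == "process" and event.get("image") == "compact.exe":
            compressed.add(event["host"])  # remember staging/compression per host
        elif (event["type"] == "process" and event.get("image") == "ftp.exe"
              and event["host"] in compressed and EXFIL_STAGE not in seen):
            host_hits.append((EXFIL_STAGE, event["time"]))
    return hits
```

A host whose list holds all four stages in time order matches the complete chain described above; a lone ftp.exe run without prior compression does not trigger stage 04.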

78% OF ORGANIZATIONS ARE CONCERNED WITH FILELESS ATTACKS*

83% OF SECURITY PROFESSIONALS WANT MORE INFORMATION ABOUT FILELESS ATTACKS**

CrowdStrike Falcon® endpoint protection prevents and detects fileless attacks and other advanced threats via a single lightweight agent.

Visit the CrowdStrike website at www.crowdstrike.com

2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. CONFIDENTIAL - DO NOT DISTRIBUTE.

3 KEY TAKEAWAYS

1 - THE THREAT OF FILELESS ATTACKS IS REAL

2 - TRADITIONAL DEFENSES CANNOT STOP FILELESS ATTACKS

3 - SECURITY TEAMS NEED TO THINK BEYOND MALWARE AND FOCUS ON STOPPING THE BREACH

LEARN MORE:

WATCH AN ON-DEMAND VIDEO: Understanding Fileless Attacks and How to Stop Them

READ THE WHITE PAPER: Who Needs Malware? How Adversaries Use Fileless Attacks to Evade Your Security

VISIT OUR WEBSITE to learn how the CrowdStrike Falcon Platform™ prevents and detects fileless attacks with a single lightweight agent

*ESG TRENDS IN ENDPOINT SECURITY SURVEY 2017
**CROWDSTRIKE FILELESS WEBCAST SURVEY
