Yes, we get it. The term “fileless” is really confusing. Without any files? Without any source!? What? But what it actually refers to is malicious code that subsists only in the memory of the target, instead of installing the malware in the hard drive of the target computer.
SAM IT Solutions made it easy to understand exactly what Fileless malware is – please refer to the previous blog which will make it easy to understand the following points:
- What is Fileless Malware?
- The process of Fileless malware
- How it is different from other malware?
- Most importantly, why is it difficult to detect?
The below guide is especially helpful with attacks such as WannaMine and Mimikatz. Let’s get started!
1. The first step is to verify there is an issue. Check task manager to see if any native system resources are hogging an unreasonable amount of CPU (i.e. PowerShell is using 90% of the CPU). If so, update Windows with the appropriate patch found at the following link to plug the EternalBlue vulnerability: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010#security-update-for-microsoft-windows-smb-server-4013389
Once patched, continue to the next steps.
2. Download Microsoft Safety Scanner (as this is the anti-virus/anti-malware that has had the most success in detecting/removing it) and run a Quick Scan. If a Quick Scan does not find/remove it, run a Full Scan. Even if a Full Scan is able to find and remove it, let’s continue on to the next steps to see if anything else might be lurking.
Download link: https://www.microsoft.com/en-us/wdsi/products/scanner
3. Update PowerShell to v5 by downloading and applying the Windows Management Framework 5.1 found here: https://www.microsoft.com/en-us/download/details.aspx?id=54616
This is only applicable on the following systems and is by default already installed on Windows Server 2016 and Windows 10 and newer:
- Windows 7 SP1
- Windows 8.1
- Windows 2008 R2 SP1
- Windows Server 2012
- Windows Server 2012 R2
Once installed, restart the system and continue to the next step.
4. Enable ConstrainedLanguage by opening Registry Editor and adding the following Registry String in HKLM\System\CurrentControlSet\Control\SESSION MANAGER\Environment
Registry String Value: __PSLockdownPolicy
*Note: Those are two underscores before PSLockdownPolicy, do not forget them.
**For more information about ConstrainedLanguage, see the following link: https://blogs.msdn.microsoft.com/powershell/2017/11/02/powershell-constrained-language-mode/
5. Next, disable PowerShell v2 as this can be used to bypass what we just set up, without even having to use administrative privileges. Run PowerShell as administrator and execute the following command:
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2
6. Additionally, we need to identify what is running the command that’s causing all the problems. Do this by downloading WMILister which searches for bad scripts: https://samitsolutions.com/files/public/WMILister.vbs
7. Open an elevated PowerShell (Run as Administrator) and change directory into the folder that WMILister was downloaded into:
Now execute the following command to perform the search:
cscript //nologo WMILister.vbs
8. After some time, up to a couple of minutes later, you will see output within the window and be requested to remove any scripts, if any are found. Review the output, as you may have legitimate WMI scripts. If it is not legitimate, go ahead and remove with the script.
9. Restart the machine one more time and you’re done!
Credit for WMILister goes to, to the best of my knowledge, JamesR over at ESET!
If you find yourself dealing with one of these pesky malware, and are unable to remove, feel free to reach out to our team of cybersecurity experts at SAM IT Solutions. We are just a phone call (or e-mail) away. You can reach us at +1-919-800-0044 or by email at [email protected]
Chief Operations Officer
SAM IT Solutions