Exam 312-50v13 topic 1 question 33 discussion

File-less Malware - AV tools are unable to find

Abnormal traffic is detected at night (data exfiltration). Antivirus tools detect nothing. IDS/IPS systems don’t flag any non-whitelisted programs. Everything appears normal, but something is clearly wrong. This suggests the attacker used malware that doesn’t leave traditional file footprints — a key characteristic of file-less malware.

Fileless malware are associated with "live off the land" intrusions, which utilize whitelisted applications, for example powershell, to avoid detection. Also, they can employ malware in techniques that aren't stored to disk, only run in memory, like a remote execution of Powershell scripts like invoke-mimikatz to harvest credentials. These are not "zero day" malware, since they are either 1. legitimate tools being abused, 2. known malware running in memory.

We have two criteria: - AV tools are unable to find any malicious software This could apply to both a file-less (in-memory) malware and zero-day malware. - the IDS/IPS has not reported on any non-whitelisted programs The wording seems to indicate that this is a host-based IDS/IPS that links packets to processes and their executable files and then reports if any non-whitelisted executable sends packets. For a file-less malware the executable would be <empty> which is most certainly not whitelisted. A zero-day malware could simply embed itself into an already whitelisted executable (e.g. chrome.exe) and would not trigger an alert. Therefore: B

File-less malware is a type of malicious software that operates without relying on traditional files. Instead of installing executable files, file-less malware typically exploits system vulnerabilities or runs in-memory, often through scripting languages or legitimate system tools. Because it doesn't rely on files, it can bypass traditional antivirus (AV) tools and application whitelisting mechanisms that focus on detecting file-based threats. In this case, the fact that AV tools couldn't detect any malicious software and the IDS/IPS didn't flag any non-whitelisted programs suggests that the malware did not rely on traditional files but instead operated directly in memory, making it difficult to detect and block.

Zero day because not recognized bypass all detections

Malware wasn't recognised by any AV or IPS/IDS. File-Less malware exfiltration can be detected with IPS