deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 13:57:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

add figure numbers

Browse Source
This commit is contained in:
Joey Caparas 2018-09-14 15:07:46 -07:00
parent 39c6fc9992
commit 8e4fe7c63c
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
windows/security/threat-protection/intelligence/fileless-threats.md
View File

@ -20,7 +20,7 @@ Given that attacks involve [several stages](https://attack.mitre.org/wiki/ATT&CK
To shed light on this loaded term, we grouped fileless threats into different categories. To shed light on this loaded term, we grouped fileless threats into different categories.
![Comprehensive diagram of fileless malware](images/fileless-malware.png) ![Comprehensive diagram of fileless malware](images/fileless-malware.png)
*Figure. Comprehensive diagram of fileless malware* *Figure 1. Comprehensive diagram of fileless malware*
First, we can classify the entry point (inner circle in the diagram), which indicates how fileless malware can arrive on a machine: via an exploit; through compromised hardware; or via regular execution of applications and scripts. First, we can classify the entry point (inner circle in the diagram), which indicates how fileless malware can arrive on a machine: via an exploit; through compromised hardware; or via regular execution of applications and scripts.
@ -51,7 +51,7 @@ Its possible to carry out such installation via command line without requirin
Some malware can have some sort of fileless persistence but not without using files in order to operate. An example for this scenario is Kovter, which creates a shell open verb handler in the registry for a random file extension. This action means that opening a file with such extension will lead to the execution of a script through the legitimate tool mshta.exe. Some malware can have some sort of fileless persistence but not without using files in order to operate. An example for this scenario is Kovter, which creates a shell open verb handler in the registry for a random file extension. This action means that opening a file with such extension will lead to the execution of a script through the legitimate tool mshta.exe.
![Image of Kovter's registry key](images/kovter-reg-key.png) ![Image of Kovter's registry key](images/kovter-reg-key.png)
*Figure. Kovters registry key* *Figure 2. Kovters registry key*
When the open verb is invoked, the associated command from the registry is launched, which results in the execution of a small script. This script reads data from a further registry key and executes it, in turn leading to the loading of the final payload. However, to trigger the open verb in the first place, Kovter has to drop a file with the same extension targeted by the verb (in the example above, the extension is .bbf5590fd). It also has to set an auto-run key configured to open such file when the machine starts. When the open verb is invoked, the associated command from the registry is launched, which results in the execution of a small script. This script reads data from a further registry key and executes it, in turn leading to the loading of the final payload. However, to trigger the open verb in the first place, Kovter has to drop a file with the same extension targeted by the verb (in the example above, the extension is .bbf5590fd). It also has to set an auto-run key configured to open such file when the machine starts.