The Challange
- The malware used in these attacks frequently do not write to disk in order to bypass traditional file-based protections such as AV scanners.
- They live in your computer’s memory where it is expensive to scan, and may persist in alternative locations such as registry hives or Windows Management (WM)Store.
- They may use processes that are native to the operating system you are using in order to carry out the attack or so-called ‘dual-use’ or ‘living off the land’ techniques.
- Dual Use tools are often overlooked by defenders when hardening their systems and missed by app-whitelisting tools.
- They are frequently paired with other malicious objects such as malicious JavaS cript™ or malicious Office™ macro’s because those scripts are easy to obfuscate and difficult to detect without generating unacceptably high false positive alerts.