The Challenge

  • The malware used in these attacks frequently does not write to disk, in order to bypass traditional file-based protections such as AV scanners.
  • It lives in your computer’s memory, where scanning is expensive, and may persist in alternative locations such as registry hives or the Windows Management Instrumentation (WMI) store.
  • It may carry out the attack using processes that are native to the operating system you are running, the so-called ‘dual-use’ or ‘living off the land’ techniques.
  • Dual-use tools are often overlooked by defenders when hardening their systems and are missed by application-whitelisting tools.
  • They are frequently paired with other malicious objects such as malicious JavaScript™ or malicious Office™ macros, because such scripts are easy to obfuscate and difficult to detect without generating an unacceptably high rate of false-positive alerts.
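As an added example (not part of the original text), the following Python triage pass runs over constructed process-creation events and flags the patterns listed above from a defender's side: an Office application launching a native script host, an encoded PowerShell command line, and a registry Run-key entry that points at a script host, with a hook for WMI event-subscription persistence. The events, paths, user and file names are invented for the example; the field layout is modelled on Sysmon Event ID 1.

```python
import re
# Constructed process-creation events (fields modelled on Sysmon Event ID 1); paths,
# user names and file names are invented for this example.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n C:\Users\alice\Downloads\invoice.docm'},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe //B C:\Users\alice\AppData\Local\Temp\inv.js"},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc <BASE64-PLACEHOLDER>"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /d "wscript.exe //B C:\Users\alice\AppData\Roaming\u.js"'},
    {"parent": r"C:\Windows\System32\cmd.exe",  # legitimate admin use: must not be flagged
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\nightly-backup.ps1"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Signed OS-native binaries that attackers reuse ("dual-use" / living off the land).
DUAL_USE_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                  "regsvr32.exe", "rundll32.exe", "wmic.exe", "certutil.exe"}
ENCODED_PS = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+\S+")
AUTORUN_KEY = re.compile(r"(?i)\\currentversion\\run(once)?\b")
WMI_PERSIST = re.compile(r"(?i)commandlineeventconsumer|__eventfilter|filtertoconsumerbinding")

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> list:
    """Return the names of every heuristic the event matches (empty list if none)."""
    parent, image, cmd = basename(event["parent"]), basename(event["image"]), event["cmdline"]
    hits = []
    if parent in OFFICE_APPS and image in DUAL_USE_HOSTS:
        hits.append("office_spawned_script_host")  # macro handing off to a native script host
    if image == "powershell.exe" and ENCODED_PS.search(cmd):
        hits.append("encoded_powershell")  # obfuscated script that runs from memory
    if image == "reg.exe" and AUTORUN_KEY.search(cmd) and any(h in cmd.lower() for h in DUAL_USE_HOSTS):
        hits.append("autorun_key_points_at_script_host")  # registry-resident persistence
    if WMI_PERSIST.search(cmd):
        hits.append("wmi_event_subscription")  # persistence stored in the WMI repository
    return hits

def triage(events: list) -> dict:
    """Map event index -> matched heuristics, keeping only events that matched something."""
    return {i: hits for i, e in enumerate(events) if (hits := classify(e))}
```

Running `triage(SAMPLE_EVENTS)` flags events 1, 2 and 3 and leaves the scheduled backup script alone; in practice these heuristics are a starting point to be tuned against the baseline of your own environment.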