What is a “non-malware” attack?

Image Source: https://www.firstclassassignment.com/value-risk-finance/

A non-malware attack is an attack that does not use malware. Simple.

More realistically, a non-malware attack is one in which an attacker uses existing software or allows (remote access) applications and authorized protocols (e.g., RDP, ssh, etc.) to carry out malicious activities on your network.

In a non-malware attack, the threat actor uses the accessible software to gain entry into the targeted network, control the victimized computers and from this point perform any sort of nefarious actions all within “full view” of all security safeguards.

These native tools grant users exceptional rights and privileges to carry out the most basic commands across a network that will eventually lead to your valuable data. With a non-malware attack, the victim has built into their traditional business model all the tools and access the threat actor needs to have to be successful. Yes, you could have made the bad-guy successful.

Without proper monitoring, the victim has, with legitimate business software (e.g., PowerShell, UltraVNC, TeamViewer, DesktopNow, etc.)[1], opened the front door to their kingdom and welcomed the threat actor with a big, warm hug and a hot cup of coffee.

In a recent Carbon Black report[2] they make note that; “Virtually every organization included in this research was targeted by a non-malware attack in 2016.” Furthermore, in the same report, Carbon Black also states there has been a +92% increase in non-malware based attacks for 2016.

The Carbon Black report says common types of non-malware attacks researches reported seeing and the percentage that saw them were: remote logins (55%); WMI-based attacks (41%); in-memory attacks (39%); PowerShell-based attacks (34%); and attacks leveraging Office macros (31%).[3]

Remember, I am not saying that any of these remote access utilities do not have a legitimate use. What I am pointing out is that non-malware remote access utilities, properly managed and not used in an ad-hoc fashion, can be very useful. However, after you add in the hubris of the Human Element (HE), this is hardly ever the case and security professionals are left scrambling to identify authorized vs. unauthorized use and access which is quite time-consuming.

What makes a non-malware attack work?

What makes a non-malware attack so successful? The answer is simple, we give the threat actor all the tools they need to be successful. We (the royal “we”) fully equip the threat actor with all the necessary tools and access simply by doing our normal daily activity and business.

Some of the more famous non-malware attacks or attack trends include the attack against the Democratic National Committee (DNC) and the “PowerWare”[4]  campaign tracked by the Carbon Black teams.

Remember, the basis of a non-malware attack is to gain a toe-hold with little threat of detection. From this point, the threat actor determines how to promulgate the attack internally.

Why are non-malware attacks so hard to prevent and detect?

Traditional security approaches in detecting non-malware (malicious) attacks will probably be 100% ineffective. This is because traditional security platforms and most modern security platforms were not designed to detect non-malware attacks in mind.

In addition to GuidePoint’s IR experiences, Carbon Black[5] has performed extensive research on non-malware based attacks, and has provided their findings in {https://www.carbonblack.com/2017/02/10/non-malware-fileless-attack/}. Unfortunately, traditional antivirus (A/V) is ineffective in detecting non-malware based attacks, and security professionals should consider the use of technologies that incorporate Artificial Intelligence (AI), Machine Learning (ML), and User and Entity Behavior Analytics (UEBA) to effectively thwart non-malware based attacks.

Traditional A/V was never designed to detect non-malware attacks. They are basically designed as a signature-based threat detection platform that typically only monitors when a known malware signature has been written to disk. Non-malware based attacks are not identified as malware.

Image Ref: www.carbonblack.com

“AI and ML’s roles in preventing cyberattacks have been met with both hope and skepticism. They have been marketed as game-changing technologies though doubts still persist, especially when used in siloes. Their emergence is due largely to the climbing number of breaches, increased prevalence of non-malware attacks, and the waning efficacy of legacy antivirus (AV)”.[6]

Real-World Example

In one real world example, of a non-malware attack the GPS/DFIR team responded to a customer request to analyze some anomalous network activity their security team had been witnessing for a couple of months (yes, months).

The Incident Responders were able to monitor an initial select set of endpoints and network segments.  Soon the GuidePoint Security Digital Forensics & Incident Response (GPS/DFIR) team identified the fact that no remote access malware was present and that network/system access was gained through compromised accounts via non-malware attack.

This was a complex DFIR investigation that involved multiple security and forensic disciplines, 24/7 monitoring of all network segments and an enterprise wide deployment with high fidelity endpoint sensors.  Also, customized onsite databases had to be designed so that all sensor data could be aggregated and analyzed in near-real-time.

The end result was a lengthy engagement with multiple forensic responders chasing and tracking the threat actor inside a global network.  The threat actor was using non-malware techniques, system administration tools and a variety of security tools to compromise user accounts, escalate privileges, access systems and exfiltrate data for profit.

Defense for non-malware based attacks

Remember, non-malware attacks will use legitimate software to perform malicious activity.  However, fielding a proper, holistic security strategy that encompasses enterprise level end point and UEBA advanced analysis that enables your overall investigative, cyber-hunt and security strategy should be carefully considered.

GPS/DFIR has a track record of investigating and analyzing such non-malware based attacks and with the combined strategic arm of GuidePoint’s security experts and knowledge of the security platforms available, we can help define the best short-term and long-term security roadmap for your organization.

As a basic defense, there are some “snap-shot” remedies that can be easily implemented:

  • Allow few (justified) remote access applications to be used (e.g., Windows RDP, TeamViewer, etc.) in your environment on your systems.  Ensure all remote access requires multi-factor authentication.
  • Because some applications can be manipulated and replaced it is important to have forensically hashed versions identified
    • Share those authorized forensic hash values with your security and IR teams
    • Place the authorized hash values into any white listing or AV applications
  • Only allow a pre-defined group of employees with a legitimate business need to use the remote access applications
  • Identify to your internal security and IR teams the list of who is authorized to use the remote access software
  • Have employees read and sign an “Acceptable Use” policy for the software or applications
  • Develop internal security alerts and rules that identify anomalous behavior and/or connections and alert/respond to those “out of parameter” activities
  • Educate your employees as to the vulnerabilities of such applications
  • Incorporate all non-malware investigative and response activities into your IR plans and run-books

The first line of defense in any effective security organization is the Human Element (HE). With proper education and training, employees can and do typically provide significant feedback as to unusual or questionable behavior.  So, open lines of communication within all business units can only benefit the entire security posture of your organization.


In conclusion, as in the real-world example, forensic analysis validated this particular threat actor using a non-malware attack method was active on this global network for over two years.  Essentially, most of their malicious activity was completely cloaked within the victim’s daily business activity and they were able to work autonomously.

This real-world example is being played out every day in companies all over the globe.  And as GPS/DFIR witnessed in this example, talented security teams recognized the threat but also realized their own team’s limitations and asked for outside help.

Non-malware attacks will never go away, rather we strongly believe that they will only increase in count and complexity and we strongly recommend that you ensure your organization is prepared to deal with this growing threat.

[1] https://www.lifewire.com/free-remote-access-software-tools-2625161

[2] https://cdn.www.carbonblack.com/wp-content/uploads/2017/04/Carbon_Black_Threat_Report_Non-Malware_Attacks_and_Ransomware_FINAL.pdf

[3] https://www.networkworld.com/article/3186497/security/non-malware-attacks-grow-there-are-tools-for-it-security-to-fight-back-with.html

[4] https://www.networkworld.com/article/3186497/security/non-malware-attacks-grow-there-are-tools-for-it-security-to-fight-back-with.html

[5] www.carbonblack.com

[6] https://www.carbonblack.com/2017/03/28/beyond-hype-security-experts-weigh-artificial-intelligence-machine-learning-non-malware-attacks/


Bill Corbitt, National Practice Director for Digital Forensics Incident Response & Forensic Intelligence at GuidePoint Security, is a seasoned, results-oriented leader with extensive corporate, federal, and international experience, dealing with cybersecurity, forensic, and Incident Response dilemmas. In addition to his demonstrated success in aligning security results with business requirements, Bill is recognized for his abilities in implementing accurate cyber-countermeasures to protect intellectual property, reduce cybersecurity risk, and protect intellectual property on a global scale. A respected strategist within the forensic and incident response communities, Bill holds a Bachelor of Science degree in Criminal Justice from Valdosta State University.