<p>As perimeter defenses become increasingly robust, adversaries have pivoted toward “living-off-the-land” (LotL) techniques to evade detection. Fileless lateral movement–leveraging legitimate system tools such as PowerShell, Windows Management Instrumentation (WMI), and Remote Management (WinRM)–presents a significant challenge for traditional Endpoint Detection and Response (EDR) systems because it operates entirely within volatile memory, leaving no static footprint on the physical disk. This paper provides a rigorous taxonomy of fileless attack vectors and proposes a novel detection algorithm based on Probabilistic Graphical Models (PGMs) to identify anomalous behavioral patterns in administrative protocols. We conduct a comprehensive ablation study to determine the relative weight of volatile memory artifacts versus Remote Procedure Call (RPC) traffic patterns, identifying a crucial visibility gap in existing EDR telemetry. Our findings demonstrate that integrating memory entropy analysis with network flow monitoring increases detection rates by 23% over standard behavioral heuristics EDR. The paper culminates in a defense-in-depth mitigation framework that reduces the attack surface by enforcing strict session control over administrative trust relationships.</p>

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

The risk of fileless lateral movement and mitigation techniques

  • Jean Rosemond Dora,
  • Ladislav Hluchý,
  • Robert Andok,
  • Friday Ikechukwu Agu

摘要

As perimeter defenses become increasingly robust, adversaries have pivoted toward “living-off-the-land” (LotL) techniques to evade detection. Fileless lateral movement–leveraging legitimate system tools such as PowerShell, Windows Management Instrumentation (WMI), and Remote Management (WinRM)–presents a significant challenge for traditional Endpoint Detection and Response (EDR) systems because it operates entirely within volatile memory, leaving no static footprint on the physical disk. This paper provides a rigorous taxonomy of fileless attack vectors and proposes a novel detection algorithm based on Probabilistic Graphical Models (PGMs) to identify anomalous behavioral patterns in administrative protocols. We conduct a comprehensive ablation study to determine the relative weight of volatile memory artifacts versus Remote Procedure Call (RPC) traffic patterns, identifying a crucial visibility gap in existing EDR telemetry. Our findings demonstrate that integrating memory entropy analysis with network flow monitoring increases detection rates by 23% over standard behavioral heuristics EDR. The paper culminates in a defense-in-depth mitigation framework that reduces the attack surface by enforcing strict session control over administrative trust relationships.