Endpoint Standard: What does the TTP type FILELESS mean?
Article ID: 291917


Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)

Issue/Introduction

What does FILELESS TTP mean?

Environment

  • CB Cloud: All Versions
  • Endpoint Standard: All Versions

Resolution

The FILELESS TTP can apply to most script interpreters, such as Python, PowerShell and Ruby. Because the interpreters differ so widely, the exact details differ for each one, but in essence the indicator is a command-line execution of arbitrary input: the interpreter is handed the code to run as part of its own command line. For PowerShell, the -command switch is one such indicator.

Additional Information

Fileless behavior can be an indicator of compromise, but it also occurs in perfectly legitimate applications. A script on disk that subsequently performs fileless activity is a pattern that is also common in malicious code, so the FILELESS TTP is applied in that case even though the script itself is not malicious.
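The following is an added illustration of the indicator logic described in the Resolution and Additional Information sections above; it is example code written for this article, not Carbon Black's detection code. It tags a process command line as FILELESS when a script interpreter is started with a switch that takes the program text from the command line. The article names only PowerShell's -command; the short aliases and the entries for the other interpreters are our assumption about the analogous switches, and the sample command lines are constructed.

```python
import ntpath
import shlex

# Switches that make an interpreter take its program text from the command line
# rather than from a file. The article names only PowerShell's -command; the
# aliases and the Python/Ruby entries are our assumption about the analogous switches.
INLINE_CODE_SWITCHES = {
    "powershell": {"-command", "-c", "-encodedcommand", "-enc", "-e", "-ec"},
    "pwsh": {"-command", "-c", "-encodedcommand", "-enc", "-e", "-ec"},
    "python": {"-c"},
    "ruby": {"-e"},
}
POWERSHELL = {"powershell", "pwsh"}

def interpreter_name(image):
    """'C:\\...\\powershell.exe' -> 'powershell', '/usr/bin/python3.11' -> 'python'."""
    name = ntpath.basename(image.strip('"')).lower()  # ntpath splits on both \ and /
    if name.endswith(".exe"):
        name = name[:-4]
    return name.rstrip("0123456789.")  # drop version suffixes such as 3.11

def classify(cmdline):
    """Return (is_fileless, interpreter, matched_switch) for one command line."""
    tokens = shlex.split(cmdline, posix=False)  # keep quotes and backslashes intact
    if not tokens:
        return (False, None, None)
    interp = interpreter_name(tokens[0])
    switches = INLINE_CODE_SWITCHES.get(interp)
    if not switches:
        return (False, interp, None)  # not a script interpreter this toy models
    for tok in tokens[1:]:
        low = tok.lower()
        if low in switches:  # note: PowerShell also accepts prefixes such as -comm (not handled)
            return (True, interp, tok)
        if interp in POWERSHELL and low in ("-file", "-f"):
            break  # script on disk; the remaining tokens are the script's own arguments
        if interp not in POWERSHELL and not low.startswith("-"):
            break  # first positional is the script path; a later -c belongs to the script
    return (False, interp, None)

# Constructed sample command lines, not real telemetry. The first is an on-disk script;
# the second is the inline-code child such a script might spawn, which still earns FILELESS.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -File C:\ops\inventory.ps1',
    r'powershell.exe -NoProfile -NonInteractive -Command "Get-Process | Export-Csv C:\ops\procs.csv"',
    r'/usr/bin/python3.11 -c "import socket; print(socket.gethostname())"',
    r'/usr/bin/python3 /opt/app/run.py -c config.yaml',  # -c here is the script's own flag
]
```

Running `classify` over `SAMPLE_CMDLINES` tags only the second and third lines as fileless; the fourth shows why the scan must stop at the script path so that a script's own `-c` argument is not mistaken for the interpreter's switch.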