How to Defend Against In-Memory Cyberattacks


In-memory attacks are silently effective and unusually hard to spot. Because they leave little trace and ride on trusted processes, they can easily bypass antivirus tools and move laterally at alarming speed.

Unfortunately, this can result in anything from breached customer records to disrupted operations. Understanding how these attacks behave is the first step toward stopping them.

What Is an In-Memory Attack?

An in-memory cyberattack is a hacking method where malicious code runs only in a computer’s short-term memory, called random-access memory (RAM). RAM stores the data and instructions a system is actively using, and it disappears when the device restarts or shuts down. Because the attack never saves harmful files to the hard drive, it leaves few traces behind, making it harder for traditional antivirus tools to detect.

Examples of in-memory attacks include:

  • Reflective dynamic link library (DLL) injection: Harmful code is loaded into another program’s memory space so it operates under the cover of that trusted program.
  • Process hollowing: A legitimate program is started, but its memory is replaced with malicious code while keeping the program’s outward appearance intact.
  • Script-based payloads using PowerShell: Attackers use built-in scripting tools like PowerShell on Windows to run harmful commands entirely in memory.

How They Differ From Traditional Malware

Traditional malware often needs files stored on a hard drive to work. Antivirus software can scan, quarantine or delete these files by looking for known patterns (signatures) of malicious code. However, studies have found that roughly 78% of malware now evades signature-based detection through a range of sophisticated evasion methods.

In-memory attacks take this further by avoiding disk storage altogether, making them even harder to catch. They typically leverage legitimate system tools to make activity look normal, allowing them to operate faster and more stealthily than file-based threats.

The Top Defenses Against In-Memory Attacks

Defending against in-memory attacks means looking for malicious behavior inside the computer rather than scanning files on disk — tightening what code can run, making the system harder to exploit and using tools that watch how programs behave. Here are the top steps teams should take.

1. Harden Endpoints With EDR Solutions

An endpoint detection and response (EDR) tool is a security agent that watches what programs do on each device. Use a modern solution that includes memory and runtime protection, so it can stop malware from running in RAM.

These tools look for suspicious behavior, like one program suddenly injecting code into another. Deploy EDR across all endpoints, enable its real-time memory protections and configure automatic containment when it detects abnormal process actions. When teams employ EDR with behavior and memory-focused defenses, they turn each endpoint from a blind spot into an active defender.
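The kind of cross-process behavior an EDR alerts on can be reasoned about with ordinary endpoint telemetry. The script below is an added example, not code from the article or from any EDR product: it triages records shaped like Sysmon Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess) and flags the patterns that most often mean one program is writing code into another. The events, the `ExampleEDR` path and the known-good list are constructed placeholders.

```powershell
# Added example: triage Sysmon-style process-access and remote-thread records for
# injection indicators. Sample events are constructed, not real telemetry.
# Runs in Windows PowerShell 5.1 and PowerShell 7.

# Script and LOLBin hosts that have no business creating threads in other processes.
$ScriptHosts = 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
               'mshta.exe', 'rundll32.exe', 'regsvr32.exe'

# Sources allowed to open lsass.exe with write rights (assumed placeholder names;
# tune this to the security agents actually deployed).
$KnownGoodLsassClients = 'C:\Program Files\ExampleEDR\EdrAgent.exe',
                         'C:\Windows\System32\csrss.exe'

# Win32 PROCESS_* access rights that together allow writing and running code in
# another process.
$PROCESS_CREATE_THREAD = 0x0002
$PROCESS_VM_OPERATION  = 0x0008
$PROCESS_VM_WRITE      = 0x0020
$InjectionMask = $PROCESS_CREATE_THREAD -bor $PROCESS_VM_OPERATION -bor $PROCESS_VM_WRITE

function ConvertTo-AccessMask {
    # Sysmon writes GrantedAccess as a hex string such as "0x1FFFFF".
    param($Value)
    if ($Value -is [string]) { return [Convert]::ToInt32($Value.Trim(), 16) }
    return [int]$Value
}

function Find-InjectionIndicators {
    param([Parameter(Mandatory)][object[]]$Events)

    foreach ($e in $Events) {
        $reasons = @()
        $srcName = [System.IO.Path]::GetFileName($e.SourceImage)
        $tgtName = [System.IO.Path]::GetFileName($e.TargetImage)

        switch ($e.EventId) {
            8 {
                # A remote thread that starts at LoadLibrary* is the classic
                # DLL-injection pattern; script hosts should never do this at all.
                if ($e.StartFunction -like 'LoadLibrary*') { $reasons += 'remote thread starting at LoadLibrary' }
                if ($ScriptHosts -contains $srcName)       { $reasons += "remote thread created by script host $srcName" }
            }
            10 {
                $mask = ConvertTo-AccessMask $e.GrantedAccess
                $wantsWrite = (($mask -band $InjectionMask) -ne 0)
                if ($wantsWrite -and ($tgtName -eq 'lsass.exe') -and
                    ($KnownGoodLsassClients -notcontains $e.SourceImage)) {
                    $reasons += ('lsass.exe opened with write/thread rights (0x{0:X})' -f $mask)
                }
                if ($wantsWrite -and ($ScriptHosts -contains $srcName) -and ($srcName -ne $tgtName)) {
                    $reasons += "script host $srcName opened $tgtName with write/thread rights"
                }
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                EventId = $e.EventId
                Source  = $e.SourceImage
                Target  = $e.TargetImage
                Reason  = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample events: one benign query of lsass, one suspicious open of
# lsass, one LoadLibrary remote thread from PowerShell, one tuned-out agent hook.
$SampleEvents = @(
    [pscustomobject]@{ EventId = 10; SourceImage = 'C:\Windows\System32\svchost.exe'
                       TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1000'; StartFunction = $null }
    [pscustomobject]@{ EventId = 10; SourceImage = 'C:\Users\alice\AppData\Local\Temp\update.exe'
                       TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1FFFFF'; StartFunction = $null }
    [pscustomobject]@{ EventId = 8;  SourceImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       TargetImage = 'C:\Windows\explorer.exe'; GrantedAccess = $null; StartFunction = 'LoadLibraryW' }
    [pscustomobject]@{ EventId = 8;  SourceImage = 'C:\Program Files\ExampleEDR\EdrAgent.exe'
                       TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = $null; StartFunction = 'AgentHook' }
)

Find-InjectionIndicators -Events $SampleEvents | Format-Table -AutoSize
```

Only the second and third sample events produce a row. The point of the known-good list is that real EDR agents do open lsass.exe and do create remote threads; without tuning, the rule is all noise, and with tuning it becomes the behavioral signal the paragraph describes.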

2. Enforce Least Privilege and Strong Authentication

Limit who can do what. Give people and programs only the access they need, so a stolen account cannot open every door on the network. Enable strong login methods like multi-factor authentication (MFA), which asks for a second proof of identity beyond a password. Also, IT personnel should remove local admin rights from regular users. 

Weak, reused or stolen passwords are a huge factor in breaches; one analysis attributed nearly 80% of hacking-related breaches to them. Therefore, rotating and vaulting service credentials is essential. Using a password manager also helps people and apps avoid reusing weak passwords.

3. Application Allowlisting or Code Signing

Application allowlisting means keeping a short list of programs allowed to run on a computer and blocking everything else. Code signing is a way to prove a program came from an actual developer, so systems can reject unsigned or altered files. 

Together, these controls reduce the places an attacker can drop or launch malicious code, making it much harder for unknown tools or scripts to run in memory. However, they won’t stop every in-memory trick, as some attacks inject themselves into already-approved programs. So pairing allowlisting and signing with runtime protection and monitoring is key.
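On Windows the two controls described above are AppLocker rules and Authenticode signatures. The script below is an added example, not code from the article: it lists binaries under a directory whose signature is missing or broken, and drafts an AppLocker allowlist from the publisher information of a known-clean install. The `ExampleApp` paths are assumed placeholders; the AppLocker cmdlets require Windows Pro/Enterprise or Server, and the DLL rule collection must be switched on separately before DLL rules are enforced.

```powershell
# Added example (not the article's or Microsoft's code): signature inventory and
# an AppLocker allowlist draft. Deploy any resulting policy in audit mode first.

function Get-UnsignedBinaries {
    param([Parameter(Mandatory)][string]$Directory)
    Get-ChildItem -Path $Directory -Recurse -Include '*.exe', '*.dll' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path   = $_.FullName
                Status = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        } | Where-Object { $_.Status -ne 'Valid' }
}

function New-PublisherAllowlistDraft {
    param(
        [Parameter(Mandatory)][string]$Directory,
        [Parameter(Mandatory)][string]$OutFile
    )
    # Publisher rules survive vendor updates; hash rules are the fallback for
    # unsigned files and must be regenerated whenever such a file changes.
    $info = Get-AppLockerFileInformation -Directory $Directory -Recurse -FileType Exe, Dll
    New-AppLockerPolicy -FileInformation $info -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
        Set-Content -Path $OutFile -Encoding UTF8
    return $OutFile
}

# Usage: report unsigned or tampered binaries, then draft a policy from a clean image.
Get-UnsignedBinaries -Directory 'C:\Program Files\ExampleApp' | Format-Table -AutoSize            # assumed path
$policy = New-PublisherAllowlistDraft -Directory 'C:\Program Files\ExampleApp' -OutFile "$env:TEMP\allowlist.xml"

# Check what the draft would decide for one file before enforcing anything.
Test-AppLockerPolicy -XmlPolicy $policy -Path 'C:\Program Files\ExampleApp\app.exe' -User Everyone   # assumed path

# When satisfied, merge it into the local policy (keep EnforcementMode on AuditOnly
# until the audit events show no legitimate software being blocked):
# Set-AppLockerPolicy -XmlPolicy $policy -Merge
```

A `HashMismatch` status is the interesting one for this article: the file carries a signature, but the bytes no longer match it, which is exactly the altered-file case signing is meant to reject. Note that none of this sees code injected into a process that was already allowed to start, which is why the paragraph pairs these controls with runtime monitoring.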

4. Enable OS Mitigations

Turn on the operating system’s memory protections, such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR) and exploit-mitigation features. These OS-level mitigations make it harder for attackers to guess where code or libraries live in RAM or run injected code. 

A large share of serious bugs are memory-safety issues. Industry reports have found that about 67% of zero-day vulnerabilities in 2021 were memory-safety related. For example, Microsoft’s “exploit protection” bundles many of these mitigations on Windows and lets administrators enable them centrally, both system-wide and for individual apps. Use those settings, turn on mandatory ASLR and DEP where available, and turn on firmware protections to raise the cost of successful in-memory exploits.
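Exploit protection is manageable from PowerShell through the ProcessMitigations module that ships with Windows 10 1709+ and Windows Server 2019+. The script below is an added example, not code from the article or from Microsoft: it reports the system-wide state of DEP, the ASLR options, Control Flow Guard and SEHOP, applies a baseline, and exports the result for deployment. The mitigation and property names are the documented ones; the baseline itself and the export path are assumptions.

```powershell
# Added example (not from the article): audit and enable system-wide exploit
# protection. Run in an elevated Windows PowerShell session to change settings;
# the report works unelevated.

function Get-MitigationBaselineReport {
    # Compare the current system defaults against the mitigations we want ON.
    # Each value is ON, OFF or NOTSET (NOTSET means the Windows default applies).
    $sys = Get-ProcessMitigation -System
    $checks = [ordered]@{
        'DEP'                             = $sys.Dep.Enable
        'ASLR: bottom-up randomization'   = $sys.Aslr.BottomUp
        'ASLR: high-entropy (64-bit)'     = $sys.Aslr.HighEntropy
        'ASLR: mandatory (ForceRelocate)' = $sys.Aslr.ForceRelocateImages
        'Control Flow Guard'              = $sys.Cfg.Enable
        'SEHOP'                           = $sys.Sehop.Enable
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{
            Mitigation = $name
            State      = [string]$checks[$name]
            Compliant  = ([string]$checks[$name] -eq 'ON')
        }
    }
}

function Enable-MitigationBaseline {
    param(
        # Mandatory ASLR relocates images that were not linked with /DYNAMICBASE.
        # Pilot it first: a few older applications break under it.
        [switch]$IncludeMandatoryAslr
    )
    $toEnable = 'DEP', 'BottomUp', 'HighEntropy', 'CFG', 'SEHOP'
    if ($IncludeMandatoryAslr) { $toEnable += 'ForceRelocateImages' }
    Set-ProcessMitigation -System -Enable $toEnable
}

function Enable-AppMitigations {
    # Per-application settings for a program that handles untrusted input
    # (assumed example: a browser or document viewer executable name).
    param([Parameter(Mandatory)][string]$ExeName)
    Set-ProcessMitigation -Name $ExeName -Enable DEP, BottomUp, HighEntropy, ForceRelocateImages, CFG
}

# 1. Report the current state.
Get-MitigationBaselineReport | Format-Table -AutoSize

# 2. Apply the baseline (uncomment to change the machine), then export the
#    resulting configuration so Group Policy or Intune can push the same XML
#    with Set-ProcessMitigation -PolicyFilePath.
# Enable-MitigationBaseline -IncludeMandatoryAslr
# Enable-AppMitigations -ExeName 'viewer.exe'                                   # assumed name
# Get-ProcessMitigation -RegistryConfigFilePath "$env:TEMP\ExploitProtection.xml" # assumed path
```

The report is the part worth running first: on many fleets DEP and CFG are already ON while mandatory ASLR is NOTSET, which is the gap the paragraph tells you to close.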

5. Limit Living-Off-The-Land Tool Abuse

Since a computer’s tools are already trusted, attackers will exploit them. To stop that, lock down which tools can run and how they run. Use application-control tools that only allow approved programs to run and require scripts to be signed. 

Put PowerShell into Constrained Language Mode, a safer setting that blocks risky commands. Then, enable PowerShell logging so every script is recorded and sent to the security information and event management (SIEM) software. Next, turn on Antimalware Scan Interface (AMSI) to inspect scripts and code that run in memory. These steps make it much harder for attackers to hide in memory.
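The logging, signing and inspection steps above map to a handful of policy registry values and one execution-policy change. The script below is an added example, not code from the article: it writes the same values the Group Policy templates write, requires signed scripts, and then reports whether script block logging, module logging, transcription and AMSI providers are in place and which language mode the current session runs in. The transcript directory is an assumed path. Constrained Language Mode itself is not set here: it is enforced by a WDAC or AppLocker script policy, so the script only reports the mode it observes.

```powershell
# Added example (not from the article): apply and verify PowerShell hardening on
# one machine. In production set these through Group Policy; the paths below are
# the keys the policy templates populate. Run in an elevated session.

$PsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # assumed path; use a write-only share in practice

    # Script block logging records the de-obfuscated content of every script
    # block that runs (Event ID 4104, Microsoft-Windows-PowerShell/Operational).
    New-Item -Path "$PsPolicy\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$PsPolicy\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # Module logging for all modules (Event ID 4103, pipeline execution details).
    New-Item -Path "$PsPolicy\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$PsPolicy\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path "$PsPolicy\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String

    # Over-the-shoulder transcripts of every session, with invocation headers.
    New-Item -Path "$PsPolicy\Transcription" -Force | Out-Null
    Set-ItemProperty -Path "$PsPolicy\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty -Path "$PsPolicy\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty -Path "$PsPolicy\Transcription" -Name OutputDirectory -Value $TranscriptDir -Type String
}

function Get-PowerShellHardeningStatus {
    # The facts a defender checks after the policy has been applied.
    $sbl = (Get-ItemProperty "$PsPolicy\ScriptBlockLogging" -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    $mod = (Get-ItemProperty "$PsPolicy\ModuleLogging"      -ErrorAction SilentlyContinue).EnableModuleLogging
    $trn = (Get-ItemProperty "$PsPolicy\Transcription"      -ErrorAction SilentlyContinue).EnableTranscripting

    # AMSI providers register under this key; Defender's provider is present on
    # Windows 10 and later by default. Zero providers means nothing inspects
    # scripts and .NET assemblies as they are loaded in memory.
    $amsiProviders = @(Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ScriptBlockLogging = ($sbl -eq 1)
        ModuleLogging      = ($mod -eq 1)
        Transcription      = ($trn -eq 1)
        ExecutionPolicy    = Get-ExecutionPolicy -Scope LocalMachine
        # ConstrainedLanguage is what a WDAC/AppLocker policy produces for
        # non-admin sessions; FullLanguage means arbitrary .NET APIs are reachable.
        LanguageMode       = $ExecutionContext.SessionState.LanguageMode
        AmsiProviderCount  = $amsiProviders.Count
    }
}

Enable-PowerShellLogging
# Require signed scripts for every user on this machine.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
Get-PowerShellHardeningStatus | Format-List
```

Forward the 4103/4104 events and the transcript directory to the SIEM; script block logging is the source that captures what actually ran even when the command line was obfuscated or delivered entirely in memory.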

Make In-Memory Attacks Harder to Pull Off

In-memory attacks easily slip past file-scanning defenses, but they’re not unbeatable. Prioritize a mix of these strategies to prevent them. Together, these steps make attacks slower, noisier and far easier to stop.


As the Features Editor at ReHack, Zac Amos writes about cybersecurity, artificial intelligence, and other tech topics. He is a frequent contributor to Brilliance Security Magazine.
