Initial commit - 611 cybersecurity skills across all subdomains

This commit is contained in:
mukul975
2026-02-25 10:47:44 +01:00
commit 22a7ab1462
1765 changed files with 280648 additions and 0 deletions
@@ -0,0 +1,164 @@
---
name: detecting-fileless-attacks-on-endpoints
description: >
Detects fileless malware and in-memory attacks that execute entirely in RAM without writing
persistent files to disk, evading traditional antivirus. Use when building detections for
PowerShell-based attacks, reflective DLL injection, WMI persistence, and registry-resident
malware. Activates for requests involving fileless malware detection, in-memory attacks,
PowerShell exploitation, or living-off-the-land techniques.
domain: cybersecurity
subdomain: endpoint-security
tags: [endpoint, fileless-malware, memory-attacks, PowerShell, detection-engineering]
version: 1.0.0
author: mahipal
license: MIT
---
# Detecting Fileless Attacks on Endpoints
## When to Use
Use this skill when:
- Building detection rules for fileless malware that operates entirely in memory
- Hunting for PowerShell-based attacks, reflective DLL injection, and WMI abuse
- Configuring endpoint telemetry (Sysmon, AMSI, PowerShell logging) to capture fileless indicators
- Investigating incidents where traditional AV found no malicious files
**Do not use** for detecting file-based malware or for malware reverse engineering.
## Prerequisites
- Sysmon with process creation and WMI event logging enabled
- PowerShell Script Block Logging and Module Logging enabled
- AMSI (Antimalware Scan Interface) enabled for script content inspection
- EDR with behavioral detection capabilities (MDE, CrowdStrike, SentinelOne)
## Workflow
### Step 1: Enable Required Telemetry
```powershell
# Enable PowerShell Script Block Logging (GPO or registry)
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" `
-Name EnableScriptBlockLogging -Value 1 -PropertyType DWORD -Force
# Enable PowerShell Module Logging
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging" `
-Name EnableModuleLogging -Value 1 -PropertyType DWORD -Force
# Enable PowerShell Transcription
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" `
-Name EnableTranscripting -Value 1 -PropertyType DWORD -Force
# Sysmon config for fileless detection (key events):
# Event ID 1: Process creation (captures CommandLine)
# Event ID 7: Image loaded (DLL loading)
# Event ID 8: CreateRemoteThread (injection)
# Event ID 10: Process access (LSASS access)
# Event ID 19/20/21: WMI events
```
### Step 2: Detect PowerShell-Based Attacks
```
# Indicators of malicious PowerShell:
# Encoded command execution
EventID: 1
CommandLine contains: "powershell" AND ("-enc" OR "-e " OR "-encodedcommand" OR "FromBase64String")
# Download cradle patterns
CommandLine contains: "IEX" AND ("Net.WebClient" OR "DownloadString" OR "Invoke-WebRequest")
CommandLine contains: "Invoke-Expression" AND "New-Object"
# AMSI bypass attempts (Event ID 4104 - Script Block)
ScriptBlock contains: "AmsiUtils" OR "amsiInitFailed" OR "SetValue.*amsi"
# Splunk query for suspicious PowerShell:
index=windows source="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4104
| where match(ScriptBlockText, "(?i)(iex|invoke-expression|downloadstring|net\.webclient|frombase64|bypass|amsiutils)")
| table _time host ScriptBlockText
```
### Step 3: Detect Process Injection Techniques
```
# Reflective DLL injection - loads DLL from memory without touching disk
# Detection: Sysmon Event 7 (ImageLoaded) where image path is unusual
EventID: 7
ImageLoaded NOT starts with: "C:\Windows\" AND NOT starts with: "C:\Program Files"
# Process hollowing - creates process in suspended state, replaces memory
# Detection: Process creation followed by immediate memory write
EventID: 1 + 10 correlation
# Process created then accessed with PROCESS_VM_WRITE
# APC injection - queues code to thread's async procedure call queue
# Detection: Sysmon CreateRemoteThread from non-system process
EventID: 8
SourceImage NOT IN (known_legitimate_sources)
# MDE KQL:
DeviceEvents
| where ActionType in ("CreateRemoteThreadApiCall", "NtAllocateVirtualMemoryApiCall")
| where InitiatingProcessFileName !in ("MsMpEng.exe", "svchost.exe")
| project Timestamp, DeviceName, ActionType, InitiatingProcessFileName,
InitiatingProcessCommandLine, FileName
```
### Step 4: Detect WMI-Based Persistence
```
# Sysmon Event IDs 19/20/21 for WMI events
EventID: 19 # WmiEventFilter activity detected
EventID: 20 # WmiEventConsumer activity detected
EventID: 21 # WmiEventConsumerToFilter activity detected
# Any WMI event subscription creation is suspicious unless expected
# Common malicious WMI persistence:
Consumer contains: "CommandLineEventConsumer" OR "ActiveScriptEventConsumer"
# Query for WMI subscriptions via osquery or PowerShell:
Get-WMIObject -Namespace root\Subscription -Class __EventFilter
Get-WMIObject -Namespace root\Subscription -Class __EventConsumer
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding
```
### Step 5: Detect Registry-Based Execution
```
# Malware stored in registry values and executed via PowerShell
# Sysmon Event 13 - Registry value set with encoded content
EventID: 13
TargetObject contains: "CurrentVersion\Run"
Details: unusually long value or Base64-encoded content
# Detection query:
index=sysmon EventCode=13
| where match(Details, "[A-Za-z0-9+/=]{100,}")
| table _time host TargetObject Details Image
```
## Key Concepts
| Term | Definition |
|------|-----------|
| **Fileless Malware** | Malware that operates entirely in memory without writing executable files to disk |
| **AMSI** | Antimalware Scan Interface; Windows API allowing security products to inspect script content before execution |
| **Reflective DLL Injection** | Loading a DLL from memory rather than disk, avoiding file-based detection |
| **Process Hollowing** | Creating a legitimate process in suspended state and replacing its memory with malicious code |
| **Script Block Logging** | PowerShell logging feature that captures deobfuscated script content (Event ID 4104) |
## Tools & Systems
- **Sysmon**: Kernel-level process, DLL, and WMI monitoring
- **AMSI**: Windows script content inspection API
- **PowerShell Logging**: Script Block, Module, and Transcription logging
- **Microsoft Defender for Endpoint**: Behavioral detection for fileless techniques
- **Volatility 3**: Memory forensics for post-incident fileless malware analysis
## Common Pitfalls
- **Relying on file-based AV**: Traditional AV that scans files on disk will miss fileless attacks entirely. Behavioral detection and AMSI are required.
- **Disabled PowerShell logging**: Without Script Block Logging, deobfuscated PowerShell commands are invisible to defenders.
- **AMSI bypass not detected**: Sophisticated attackers bypass AMSI before executing payloads. Detect AMSI bypass attempts as a high-priority alert.
- **Not monitoring WMI events**: WMI persistence is a favored technique of APT groups. Sysmon events 19-21 must be enabled.
@@ -0,0 +1,19 @@
# Fileless Attack Detection Template
## Telemetry Status
| Source | Enabled | Event IDs |
|--------|---------|-----------|
| Sysmon | Yes/No | 1,7,8,10,19,20,21 |
| PowerShell Script Block | Yes/No | 4104 |
| AMSI | Yes/No | 1116 |
## Detection Rules
| Rule Name | Technique | SIEM Query | Status |
|-----------|-----------|-----------|--------|
| | T1059.001 | | Active/Draft |
## Sign-Off
| Role | Name | Date |
|------|------|------|
| Detection Engineer | | |
| SOC Lead | | |
@@ -0,0 +1,7 @@
# Standards & References
- **MITRE ATT&CK T1059.001**: PowerShell execution
- **MITRE ATT&CK T1055**: Process Injection (all sub-techniques)
- **MITRE ATT&CK T1546.003**: WMI Event Subscription persistence
- **MITRE ATT&CK T1620**: Reflective Code Loading
- **Microsoft AMSI Documentation**: https://learn.microsoft.com/en-us/windows/win32/amsi/
- **PowerShell Logging**: https://learn.microsoft.com/en-us/powershell/scripting/windows-powershell/wmf/whats-new/script-logging
@@ -0,0 +1,8 @@
# Workflows
## Fileless Attack Detection
```
[Enable telemetry (Sysmon, PS logging, AMSI)] → [Build detection rules per technique]
→ [Deploy rules in SIEM] → [Threat hunt for historical fileless indicators]
→ [Triage alerts] → [Investigate memory for confirmed incidents]
→ [Extract IOCs from memory analysis] → [Tune detections]
```
@@ -0,0 +1,55 @@
#!/usr/bin/env python3
"""Fileless Attack Detector - Scans PowerShell logs for fileless attack indicators."""
import json, csv, re, sys, os
from collections import Counter
from datetime import datetime
FILELESS_PATTERNS = {
"encoded_command": r"(?i)(-enc\s|-e\s|-encodedcommand|frombase64string)",
"download_cradle": r"(?i)(downloadstring|invoke-webrequest|net\.webclient|wget\s|curl\s)",
"amsi_bypass": r"(?i)(amsiutils|amsiinitfailed|amsi\.dll)",
"reflection": r"(?i)(system\.reflection|loadassembly|gettype.*invoke)",
"wmi_abuse": r"(?i)(win32_process.*create|wmiclass|managementclass)",
"credential_access": r"(?i)(mimikatz|invoke-mimikatz|sekurlsa|logonpasswords)",
"invoke_expression": r"(?i)(iex\s|invoke-expression)",
}
def scan_powershell_logs(csv_path: str) -> list:
detections = []
with open(csv_path, "r", encoding="utf-8-sig") as f:
for row in csv.DictReader(f):
script = row.get("ScriptBlockText", row.get("Message", ""))
for pattern_name, pattern in FILELESS_PATTERNS.items():
if re.search(pattern, script):
detections.append({
"timestamp": row.get("TimeCreated", row.get("Date and Time", "")),
"host": row.get("Computer", row.get("MachineName", "")),
"technique": pattern_name,
"script_excerpt": script[:300],
})
break
return detections
def generate_report(detections: list, output_path: str) -> None:
by_technique = Counter(d["technique"] for d in detections)
report = {
"report_generated": datetime.utcnow().isoformat() + "Z",
"total_detections": len(detections),
"by_technique": dict(by_technique),
"detections": detections[:100],
}
with open(output_path, "w") as f:
json.dump(report, f, indent=2)
if __name__ == "__main__":
if len(sys.argv) < 2:
print("Usage: python process.py <powershell_logs.csv>")
sys.exit(1)
detections = scan_powershell_logs(sys.argv[1])
out = os.path.join(os.path.dirname(sys.argv[1]) or ".", "fileless_detection_report.json")
generate_report(detections, out)
print(f"Detections: {len(detections)}")