# Fileless Malware Detection API Reference ## Windows Event IDs for Fileless Detection | Event ID | Log | Description | |----------|-----|-------------| | 4104 | PowerShell Operational | Script Block Logging (full script content) | | 4103 | PowerShell Operational | Module Logging | | 1 | Sysmon | Process Creation with command line | | 8 | Sysmon | CreateRemoteThread (injection) | | 10 | Sysmon | ProcessAccess (injection prep) | | 19/20/21 | Sysmon | WMI Event Filter/Consumer/Binding | | 7045 | System | New service installed | ## python-evtx - Parse Windows Event Logs ```python import Evtx.Evtx as evtx with evtx.Evtx("Security.evtx") as log: for record in log.records(): xml = record.xml() if "4104" in xml: print(record.timestamp(), xml[:500]) ``` ## Volatility 3 Commands ```bash # Detect injected code (RWX memory, PE headers in non-image VADs) vol3 -f memory.dmp windows.malfind # List processes vol3 -f memory.dmp windows.pslist # Scan for hidden processes vol3 -f memory.dmp windows.psscan # List loaded DLLs vol3 -f memory.dmp windows.dlllist --pid 1234 # Extract injected code vol3 -f memory.dmp windows.malfind --dump --pid 1234 ``` ## LOLBins Detection Patterns (Sysmon) ```xml mshta.exe regsvr32.exe certutil.exe wmic.exe cmstp.exe msbuild.exe ``` ## Suspicious PowerShell Indicators ``` -enc / -EncodedCommand → Base64-encoded command IEX / Invoke-Expression → Dynamic code execution Net.WebClient → Download cradle DownloadString() → Remote script fetch Reflection.Assembly → Reflective .NET loading VirtualAlloc → Shellcode allocation FromBase64String → Payload decoding ``` ## WMI Persistence Check ```powershell # List WMI event subscriptions Get-WMIObject -Namespace root\Subscription -Class __EventFilter Get-WMIObject -Namespace root\Subscription -Class __EventConsumer Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding ```