creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-13 22:54:53 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/detecting-fileless-attacks-on-endpoints/SKILL.md
T
mukul975 efca3ec611 feat: add NIST CSF 2.0 nist_csf field to all 754 cybersecurity skills 
Mapped every skill to NIST CSF 2.0 subcategory IDs (GV/ID/PR/DE/RS/RC functions)
based on subdomain and content analysis. Restores 11 skills corrupted during
prior rebase, re-enriching with ATLAS, D3FEND, NIST AI RMF, and CSF 2.0 fields.

All 754 skills now carry structured mappings for all 5 security frameworks:
- MITRE ATT&CK (in tags)
- MITRE ATLAS v5.5 (atlas_techniques)
- MITRE D3FEND v1.3 (d3fend_techniques)
- NIST AI RMF 1.0 (nist_ai_rmf)
- NIST CSF 2.0 (nist_csf)
2026-04-06 11:17:40 +02:00

6.9 KiB
Raw Blame History

name, description, domain, subdomain, tags, version, author, license, nist_csf
name description domain subdomain tags version author license nist_csf
detecting-fileless-attacks-on-endpoints Detects fileless malware and in-memory attacks that execute entirely in RAM without writing persistent files to disk, evading traditional antivirus. Use when building detections for PowerShell-based attacks, reflective DLL injection, WMI persistence, and registry-resident malware. Activates for requests involving fileless malware detection, in-memory attacks, PowerShell exploitation, or living-off-the-land techniques. cybersecurity endpoint-security
endpoint
fileless-malware
memory-attacks
PowerShell
detection-engineering
1.0.0 mahipal Apache-2.0
PR.PS-01
PR.PS-02
DE.CM-01
PR.IR-01

Detecting Fileless Attacks on Endpoints

When to Use

Use this skill when:

  • Building detection rules for fileless malware that operates entirely in memory
  • Hunting for PowerShell-based attacks, reflective DLL injection, and WMI abuse
  • Configuring endpoint telemetry (Sysmon, AMSI, PowerShell logging) to capture fileless indicators
  • Investigating incidents where traditional AV found no malicious files

Do not use for detecting file-based malware or for malware reverse engineering.

Prerequisites

  • Sysmon with process creation and WMI event logging enabled
  • PowerShell Script Block Logging and Module Logging enabled
  • AMSI (Antimalware Scan Interface) enabled for script content inspection
  • EDR with behavioral detection capabilities (MDE, CrowdStrike, SentinelOne)

Workflow

Step 1: Enable Required Telemetry

# Enable PowerShell Script Block Logging (GPO or registry)
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" `
  -Name EnableScriptBlockLogging -Value 1 -PropertyType DWORD -Force

# Enable PowerShell Module Logging
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging" `
  -Name EnableModuleLogging -Value 1 -PropertyType DWORD -Force

# Enable PowerShell Transcription
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" `
  -Name EnableTranscripting -Value 1 -PropertyType DWORD -Force

# Sysmon config for fileless detection (key events):
# Event ID 1: Process creation (captures CommandLine)
# Event ID 7: Image loaded (DLL loading)
# Event ID 8: CreateRemoteThread (injection)
# Event ID 10: Process access (LSASS access)
# Event ID 19/20/21: WMI events

Step 2: Detect PowerShell-Based Attacks

# Indicators of malicious PowerShell:

# Encoded command execution
EventID: 1
CommandLine contains: "powershell" AND ("-enc" OR "-e " OR "-encodedcommand" OR "FromBase64String")

# Download cradle patterns
CommandLine contains: "IEX" AND ("Net.WebClient" OR "DownloadString" OR "Invoke-WebRequest")
CommandLine contains: "Invoke-Expression" AND "New-Object"

# AMSI bypass attempts (Event ID 4104 - Script Block)
ScriptBlock contains: ("Amsi"+"Utils") OR ("amsi"+"InitFailed") OR "SetValue.*amsi"

# Splunk query for suspicious PowerShell:
index=windows source="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4104
| where match(ScriptBlockText, "(?i)(iex|invoke-expression|downloadstring|net\.webclient|frombase64|bypass|amsi.utils)")
| table _time host ScriptBlockText

Step 3: Detect Process Injection Techniques

# Reflective DLL injection - loads DLL from memory without touching disk
# Detection: Sysmon Event 7 (ImageLoaded) where image path is unusual
EventID: 7
ImageLoaded NOT starts with: "C:\Windows\" AND NOT starts with: "C:\Program Files"

# Process hollowing - creates process in suspended state, replaces memory
# Detection: Process creation followed by immediate memory write
EventID: 1 + 10 correlation
# Process created then accessed with PROCESS_VM_WRITE

# APC injection - queues code to thread's async procedure call queue
# Detection: Sysmon CreateRemoteThread from non-system process
EventID: 8
SourceImage NOT IN (known_legitimate_sources)

# MDE KQL:
DeviceEvents
| where ActionType in ("CreateRemoteThreadApiCall", "NtAllocateVirtualMemoryApiCall")
| where InitiatingProcessFileName !in ("MsMpEng.exe", "svchost.exe")
| project Timestamp, DeviceName, ActionType, InitiatingProcessFileName,
    InitiatingProcessCommandLine, FileName

Step 4: Detect WMI-Based Persistence

# Sysmon Event IDs 19/20/21 for WMI events
EventID: 19  # WmiEventFilter activity detected
EventID: 20  # WmiEventConsumer activity detected
EventID: 21  # WmiEventConsumerToFilter activity detected

# Any WMI event subscription creation is suspicious unless expected
# Common malicious WMI persistence:
Consumer contains: "CommandLineEventConsumer" OR "ActiveScriptEventConsumer"

# Query for WMI subscriptions via osquery or PowerShell:
Get-WMIObject -Namespace root\Subscription -Class __EventFilter
Get-WMIObject -Namespace root\Subscription -Class __EventConsumer
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding

Step 5: Detect Registry-Based Execution

# Malware stored in registry values and executed via PowerShell
# Sysmon Event 13 - Registry value set with encoded content
EventID: 13
TargetObject contains: "CurrentVersion\Run"
Details: unusually long value or Base64-encoded content

# Detection query:
index=sysmon EventCode=13
| where match(Details, "[A-Za-z0-9+/=]{100,}")
| table _time host TargetObject Details Image

Key Concepts

Term Definition
Fileless Malware Malware that operates entirely in memory without writing executable files to disk
AMSI Antimalware Scan Interface; Windows API allowing security products to inspect script content before execution
Reflective DLL Injection Loading a DLL from memory rather than disk, avoiding file-based detection
Process Hollowing Creating a legitimate process in suspended state and replacing its memory with malicious code
Script Block Logging PowerShell logging feature that captures deobfuscated script content (Event ID 4104)

Tools & Systems

  • Sysmon: Kernel-level process, DLL, and WMI monitoring
  • AMSI: Windows script content inspection API
  • PowerShell Logging: Script Block, Module, and Transcription logging
  • Microsoft Defender for Endpoint: Behavioral detection for fileless techniques
  • Volatility 3: Memory forensics for post-incident fileless malware analysis

Common Pitfalls

  • Relying on file-based AV: Traditional AV that scans files on disk will miss fileless attacks entirely. Behavioral detection and AMSI are required.
  • Disabled PowerShell logging: Without Script Block Logging, deobfuscated PowerShell commands are invisible to defenders.
  • AMSI bypass not detected: Sophisticated attackers bypass AMSI before executing payloads. Detect AMSI bypass attempts as a high-priority alert.
  • Not monitoring WMI events: WMI persistence is a favored technique of APT groups. Sysmon events 19-21 must be enabled.
Reference in New Issue View Git Blame Copy Permalink