Fileless Malware Detection: ETW, Memory Forensics, and Process Hollowing Indicators

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
When an attacker uses powershell.exe -EncodedCommand to execute a base64-encoded payload that reflectively loads a DLL into memory, calls WMI to spawn child processes, and persists via a Registry Run key pointing to a LOLBin: nothing writes a suspicious binary to disk. Traditional AV has nothing to scan. Detection requires a different model: behavioral telemetry from the OS itself about what code is executing, in which process context, with what parent lineage, and what memory regions contain executable code that did not come from a mapped file.
ETW: The Telemetry Foundation
Event Tracing for Windows (ETW) is the OS-level telemetry framework that exposes execution events from the kernel, the CLR (.NET runtime), PowerShell, WMI, and other subsystems. EDRs and SIEMs that detect fileless malware all consume ETW at their foundation.
Enable PowerShell Script Block Logging and Module Logging
Script Block Logging logs the full content of every PowerShell script block before execution (even obfuscated), captured to the Windows PowerShell event log (Event ID 4104). Module Logging records every module, cmdlet, and function call. Enable via Group Policy: Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn on Script Block Logging = Enabled. This is the single highest-value telemetry source for fileless PowerShell detection.
Subscribe to the .NET ETW provider for CLR activity
The Microsoft-Windows-DotNETRuntime ETW provider records JIT compilation events when .NET code is compiled in memory. Attackers using .NET-based payloads (Cobalt Strike's execute-assembly, Donut, in-memory C# tools) generate JIT events. EDRs that subscribe to this provider detect in-memory .NET execution without a file artifact. If building your own telemetry: use a kernel ETW consumer or xperf to capture this provider.
Collect WMI activity logs
WMI is a primary fileless execution vehicle (T1047). Enable WMI Activity Logging: Event ID 5857 (provider load), 5860 (temporary subscription creation), 5861 (permanent subscription creation). Permanent WMI subscriptions are a persistence mechanism that survives reboots: Event ID 5861 on a workstation should always alert. Collect: wevtutil sl Microsoft-Windows-WMI-Activity/Operational /e:true.
Forward AMSI telemetry to your SIEM
The Antimalware Scan Interface intercepts scripts and content before execution and passes them to registered security products. AMSI telemetry is available via ETW (Microsoft-Antimalware-Scan-Interface provider) and shows the content passed to AMSI, the calling process, and the scan result. Even bypassed AMSI calls leave ETW traces: the bypass technique itself (patching amsi.dll, hooking AmsiScanBuffer) generates anomalous events detectable via memory integrity checks or EDR hooks.
Process Injection and Hollowing Detection
Process injection places malicious code into the address space of a legitimate process. Process hollowing replaces the memory of a legitimate process with malicious code. Both techniques evade process-based filtering (allowing powershell.exe, svchost.exe, and other signed binaries) by running malicious code under a trusted process name.
Detect CreateRemoteThread injections via Sysmon Event ID 8
Sysmon Event ID 8 (CreateRemoteThread) logs when a process creates a thread in another process's address space: the primary mechanism for classic DLL injection and shellcode injection. Alert when non-security-software processes generate Event ID 8 with a target process they would not normally inject into. The tuple (source process, target process, start address) is your detection signal.
Detect process hollowing via memory region characteristics
Process hollowing unmaps a legitimate process's executable memory and replaces it with malicious code, resulting in a memory region (MEM_COMMIT) with execute permissions (PAGE_EXECUTE_READ or PAGE_EXECUTE_READWRITE) that is not backed by a file on disk. EDRs detect this via pe-sieve or memory scanning. With Volatility: vol.py -f memory.dmp windows.malfind.Malfind flags memory regions with execute permissions and no mapped file: common false positive: JIT-compiled .NET and JavaScript.
Detect reflective DLL loading via import table anomalies
Reflective DLL loading maps a DLL into memory without using the Windows loader, so the loaded module does not appear in the Process Environment Block module list queried by tools like tasklist and Process Hacker. Detection: compare the PEB module list against memory-mapped execute regions using Volatility's windows.pslist + windows.dlllist. A PE header found in a committed execute memory region not in the PEB module list is a strong indicator of reflective loading.
Monitor for abnormal parent-child process relationships
Fileless attacks frequently spawn processes with unusual parent relationships: word.exe spawning powershell.exe (macro execution), mshta.exe spawning wscript.exe (HTA-based attack), explorer.exe spawning regsvr32.exe (LOLBin abuse). Sysmon Event ID 1 (ProcessCreate) with ParentProcessGuid provides the process lineage. Alert on: Office processes spawning scripting engines, LOLBins as parents of unexpected children, wscript/cscript spawning from non-standard paths.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Memory Forensics with Volatility
Volatility is the standard open-source memory forensics framework. Use it to analyze memory captures from suspected infected systems: either live memory dumps (via ProcDump, WinPmem, or EDR memory capture) or VM snapshots. When a Malfind hit produces an extracted PE or shellcode, static reverse engineering with Ghidra is the next step for understanding what the payload actually does.
Run Malfind to identify injected and hollowed code
python3 vol.py -f memory.dmp windows.malfind.Malfind outputs memory regions with suspicious characteristics: execute permissions, not backed by a mapped file, containing PE headers. This catches both process injection (foreign DLL in a process) and hollowing (replacement PE in a system process). Filter known false positives: .NET JIT-compiled regions, JavaScript JIT, and some anti-cheat software generates similar patterns.
Use Pstree and Cmdline to audit process lineage and arguments
python3 vol.py -f memory.dmp windows.pstree.PsTree shows the full process hierarchy. python3 vol.py -f memory.dmp windows.cmdline.CmdLine shows the full command line for every process including encoded PowerShell commands. Compare the encoded command (-EncodedCommand base64string) with a base64 decoder to see the actual executed content: this is often more revealing than the script block logs if logging was disabled.
Analyze network connections alongside process memory
python3 vol.py -f memory.dmp windows.netstat.NetStat shows active and recently closed network connections with the process responsible. Cross-reference network connections with Malfind output: a svchost.exe with an unexpected network connection to an external IP AND a Malfind hit in its memory space is a high-confidence indicator of active C2 via process injection.
Sigma Detection Rules for Fileless Techniques
Sigma rules provide a platform-neutral detection signature format. These cover the most common fileless attack indicators in Windows event logs.
Detect PowerShell encoded command execution
title: PowerShell Encoded Command Execution logsource: {product: windows, service: powershell} detection: {keywords: ['-EncodedCommand', '-enc ', '-ec ', 'FromBase64String']} condition: keywords falsepositive: Some software deployment tools This catches the base64 encoding pattern used to obfuscate PowerShell payloads. Tune for known-good deployment tools in your environment.
Detect WMI process creation (T1047)
title: WMI Process Execution logsource: {product: windows, service: sysmon, definition: EventID 1} detection: {selection: {ParentImage|contains: 'WmiPrvSE.exe'}} condition: selection falsepositive: Legitimate SCCM, monitoring agents WmiPrvSE.exe spawning processes is WMI-based execution: alert on children that are scripting engines, shells, or LOLBins.
Detect suspicious LSASS memory access (credential dumping prerequisite)
title: LSASS Memory Access via OpenProcess logsource: {product: windows, service: sysmon, definition: EventID 10} detection: {selection: {TargetImage|endswith: 'lsass.exe', GrantedAccess|contains: ['0x1010', '0x1410', '0x147a', '0x1F3FFF']}} condition: selection falsepositive: Legitimate AV and EDR products These access masks are associated with Mimikatz, ProcDump targeting LSASS, and other credential dumping tools.
The bottom line
Fileless malware detection requires telemetry from the OS itself, not from files on disk. Enable PowerShell Script Block Logging and Sysmon with a maintained configuration before anything else -- these two controls provide the majority of the detection signal for LotL attacks and are available at no additional cost on any Windows environment. Supplement with ETW-based EDR for in-memory .NET execution detection and a scheduled Volatility analysis workflow for incident response. Behavioral detection rules, not signatures, are the only durable control against living-off-the-land attacks.
Frequently asked questions
Can traditional AV detect fileless malware?
Traditional signature-based AV is largely ineffective against fileless malware because there is no file to scan. Modern endpoint security platforms (EDR) have partial coverage through AMSI integration (scanning script content before execution), behavioral detection (process lineage anomalies, command-line patterns), and ETW-based in-memory scanning. Even EDR coverage is incomplete: sophisticated actors actively probe for and bypass AMSI and ETW hooks. The most reliable detection layer for fileless attacks is a combination of PowerShell Script Block Logging (enabled via GPO), Sysmon with a comprehensive configuration, and SIEM detection rules on process creation and network events.
What is the difference between process injection and process hollowing?
Process injection adds malicious code to an already-running legitimate process's address space: the original process continues running normally alongside the injected code. Classic injection creates a new thread in the target process via CreateRemoteThread. Process hollowing creates a new instance of a legitimate process in a suspended state, unmaps its original executable code, maps malicious code into the same address space, then resumes execution: the process name and path appear legitimate (svchost.exe, lsass.exe) but are executing entirely attacker-controlled code. Hollowing is more evasive because the process's apparent image path matches a legitimate system binary.
What Sysmon configuration is best for detecting fileless malware?
Use the SwiftOnSecurity Sysmon configuration (github.com/SwiftOnSecurity/sysmon-config) as a baseline: it is extensively maintained and widely tested. Key events for fileless detection: Event ID 1 (ProcessCreate with CommandLine), Event ID 7 (ImageLoad with Signed/Signature fields), Event ID 8 (CreateRemoteThread), Event ID 10 (ProcessAccess targeting lsass.exe), Event ID 12-14 (Registry operations for persistence), Event ID 15 (FileCreateStreamHash for MOTW bypass). The biggest gap in standard Sysmon configurations is ETW telemetry for .NET execution: that requires an EDR or a custom ETW consumer.
How do I take a memory dump from a live Windows system for analysis?
Three options: (1) WinPmem (open-source): winpmem_mini_x64_rc2.exe -o memory.raw: captures full physical memory; (2) ProcDump (Microsoft Sysinternals): procdump -ma [PID] dump.dmp for a specific suspicious process; (3) EDR memory capture: most enterprise EDR platforms support live memory acquisition through their management console without deploying a tool. For analysis, transfer the dump to an isolated analysis VM and run Volatility 3 (python3 vol.py -f memory.raw -h to see available plugins). Never analyze a dump on the same system that generated it.
What are the most common LOLBins used in fileless attacks?
The most frequently abused: mshta.exe (executes HTA files including from URLs), regsvr32.exe (executes COM-scriptlet payloads via scrobj.dll), wscript.exe and cscript.exe (Windows Script Host executes JScript and VBScript), certutil.exe (downloads files and decodes base64), bitsadmin.exe (downloads and executes files via BITS transfers), rundll32.exe (executes DLL exports or JavaScript in mshtml context), and powershell.exe with -EncodedCommand, -ExecutionPolicy Bypass. Detection: alert on these binaries executing with unusual parent processes, unusual command-line arguments, or making network connections to external IPs.
How do threat actors bypass AMSI?
Common AMSI bypass techniques: (1) Memory patching: write a return 0 (AMSI_RESULT_CLEAN) patch to AmsiScanBuffer in amsi.dll within the current process; (2) Reflection: use .NET reflection to set the amsiInitFailed field in the AmsiUtils class to true, disabling AMSI for the PowerShell session; (3) COM hijacking of the AMSI provider registration; (4) ETW patching: patch EtwEventWrite to disable ETW logging in the current process. Detection: monitor for memory writes to amsi.dll (EDR hook or Sysmon Event ID 12), PowerShell Engine Lifecycle Event ID 400/403, and ETW gaps in PowerShell logging (missing session events).
What is the forensic value of memory captures vs. disk artifacts for fileless attacks?
For fileless attacks, memory captures are primary evidence and disk artifacts are secondary. A memory capture from the time of attack (or immediately after detection) contains: the decrypted malware payload executing in memory, C2 connections and decrypted C2 traffic, credentials that have been dumped but not yet exfiltrated, injected code in legitimate processes, and the full process tree showing attack progression. Disk artifacts (prefetch, shimcache, registry, event logs) provide corroborating timeline evidence and persistence mechanism documentation. In an incident involving a fileless attack, acquiring memory before rebooting or killing the malicious process is the highest-priority forensic action.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
