300-215 Exam Topic: Forensic Techniques 20%
2.1 Recognize the methods identified in the MITRE attack framework to perform fileless malware analysis
The MITRE ATT&CK framework is a comprehensive knowledge base of adversarial tactics and techniques used by attackers to compromise computer systems. Here are some methods identified in the framework that can be used to perform fileless malware analysis:
  1. Dynamic analysis: In dynamic analysis, the malware is executed in a controlled environment, and its behavior is monitored in real-time. This can help to identify the malicious activities performed by the malware, such as the creation of new processes, modifications to the registry, and network connections.
  2. Memory analysis: Fileless malware typically resides in memory and does not create any files on the file system. Memory analysis can be used to analyze the memory of a compromised system to identify any malicious processes or code that may be hidden in memory.
  3. Network traffic analysis: Fileless malware often communicates with remote servers or command and control (C2) infrastructure over the network. By analyzing the network traffic generated by the malware, analysts can identify the IP addresses and domains associated with the C2 infrastructure, as well as any data exfiltration that may be taking place.
  4. Behavioral analysis: Behavioral analysis involves examining the behavior of a system to identify suspicious or anomalous activity. Fileless malware often exhibits unusual behavior, such as creating new processes, modifying registry keys, or injecting code into other processes. By examining these behaviors, analysts can identify potential malware infections.
  5. Endpoint telemetry: Endpoint telemetry involves collecting data from endpoint security solutions such as antivirus, endpoint detection and response (EDR), and other security software. This data can be used to identify any suspicious behavior or activity that may be associated with fileless malware infections.

Overall, performing fileless malware analysis requires a combination of techniques and tools that can help analysts to identify the presence of fileless malware, determine its behavior, and develop effective mitigation strategies.

Determine the files needed and their location on the host
The files needed and their location on the host can vary depending on the specific fileless malware analysis approach or tool being used. However, here are some common types of files that may be required for fileless malware analysis, along with their typical locations on a Windows host:
  1. Memory dump file: A memory dump file contains the contents of the computer’s RAM at a particular point in time. Memory analysis is an important aspect of fileless malware analysis. Per-process dump files can be written with Windows Task Manager or Process Explorer, while a full image of physical memory requires a dedicated memory acquisition tool. The location of the memory dump file depends on the tool used to collect it.
  2. Network traffic capture file: Network traffic analysis is another key aspect of fileless malware analysis. Tools like Wireshark, Microsoft Message Analyzer, or NetMon can be used to capture network traffic. The capture file is usually saved in PCAP format and can be stored in any location on the host.
  3. Endpoint telemetry data: Endpoint telemetry data is collected from endpoint security solutions and can provide valuable information about the behavior of fileless malware. The location of the endpoint telemetry data will depend on the specific security solution being used and its configuration.
  4. Configuration and log files: Some fileless malware analysis tools may require configuration files or log files to be stored on the host. These files may contain settings or parameters that affect how the analysis tool operates, or they may contain log data that is generated during the analysis process. The location of these files will depend on the specific analysis tool being used.

Overall, the location of the files needed for fileless malware analysis will depend on the specific tools and techniques being used. Analysts may need to search the host system to locate the necessary files or consult the documentation for the tools they are using to determine where the files should be stored.

Evaluate output(s) to identify IOC on a host
Output from fileless malware analysis can help identify IOCs (Indicators of Compromise) on a host. Here are some examples of output and what to look for to identify IOCs:
  1. Network traffic capture: Examine the network traffic capture file for any connections to known malicious IP addresses or domains. Malware often communicates with C2 (command and control) infrastructure, and these connections can be used to identify IOCs. Look for suspicious traffic patterns, such as large amounts of data being sent to an external IP address or unexpected communication with an external IP address.
  2. Memory dump file: Analyze the memory dump file to identify any suspicious processes or modules loaded in memory. Fileless malware often injects malicious code into legitimate processes, so look for any unexpected processes running on the host or any processes with suspicious memory regions. Use a memory analysis tool like Volatility or Rekall to assist with this analysis.
  3. Endpoint telemetry data: Look for any alerts or events generated by endpoint security solutions that indicate a fileless malware infection. Common indicators include alerts for suspicious process creation, registry modifications, or network connections. Review the details of the alerts to identify the specific process or activity that triggered the alert.
  4. Behavioral analysis: Examine the behavior of the host to identify any anomalous activity. Fileless malware often exhibits unusual behavior, such as creating new processes or modifying registry keys. Use Sysmon or the built-in Windows Event Log to record this activity and review the output for any suspicious behavior.
  5. Configuration and log files: Some fileless malware analysis tools may generate log files that contain information about the analysis process. Review these log files for any suspicious activity or processes identified during the analysis.

Overall, identifying IOCs on a host requires a thorough analysis of multiple sources of output. By examining network traffic, memory dump files, endpoint telemetry data, behavioral analysis, and log files, analysts can identify the presence of fileless malware and take appropriate steps to mitigate the threat.

2.3.a process analysis 2.3.b log analysis
2.3.a Process Analysis:

Process analysis involves examining the processes running on a host to identify any suspicious activity that may be associated with fileless malware. Here are some steps that can be taken during process analysis:

  1. Identify the processes running on the host: Use a tool like Task Manager, Process Explorer, or PowerShell to identify the processes running on the host. Look for any processes that are running with unusual names, locations, or command-line parameters.
  2. Examine the parent-child process relationships: Malware often injects malicious code into legitimate processes or creates new processes to carry out its activities. Look for any suspicious parent-child process relationships that may indicate the presence of fileless malware.
  3. Analyze the process memory: Use a memory analysis tool like Volatility or Rekall to analyze the memory of suspicious processes. Look for any suspicious memory regions or DLLs that may indicate the presence of fileless malware.
  4. Review the process command-line parameters: Some fileless malware may execute with command-line parameters that are designed to hide its activity. Review the command-line parameters of suspicious processes to identify any potential fileless malware infections.
  5. Analyze the process network connections: Use a tool like TCPView or Process Hacker to analyze the network connections of suspicious processes. Look for any connections to known malicious IP addresses or domains.

2.3.b Log Analysis:

Log analysis involves examining system logs to identify any suspicious activity that may be associated with fileless malware. Here are some steps that can be taken during log analysis:

  1. Identify the relevant logs: Look for logs that are relevant to fileless malware analysis, such as the Windows Event Log or Sysmon logs.
  2. Review the logs for suspicious activity: Look for any log entries that record the creation of new processes, modifications to the registry, or network connections. Use a tool like Log Parser or the ELK stack to assist with this analysis.
  3. Analyze the logs for anomalies: Some fileless malware may attempt to hide its activity by modifying or deleting system logs. Analyze the logs for any anomalies or gaps in the data that may indicate fileless malware activity.
  4. Cross-reference logs with other sources of output: Use the output from other analysis methods, such as process analysis or network traffic analysis, to cross-reference the logs and identify any potential IOCs.
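The process-analysis steps in 2.3.a (parent-child relationships, command-line review) and the log-analysis steps in 2.3.b (review, anomaly check, cross-reference) come together when Sysmon process-creation events are parsed programmatically. The following is an added example, not code from the original page: it reads constructed Sysmon Event ID 1 records (the field names are Sysmon's, the values are invented, and the base64 argument is a placeholder, not a real payload), flags a script host launched by an Office application and command lines with hiding or encoding traits, prints the full ancestry chain for each finding, and reports gaps in the record sequence that step 3 of log analysis asks for. The marker lists are illustrative assumptions, not a complete detection ruleset.

```python
import json
import re

# Constructed Sysmon Event ID 1 (process creation) records as JSON lines, reduced to the
# fields this example uses. Values are invented; "UExBQ0VIT0xERVI=" is base64("PLACEHOLDER").
SAMPLE_EVENTS = r"""
{"RecordId": 101, "UtcTime": "2024-03-01 09:12:01.000", "ProcessGuid": "{A-1}", "Image": "C:\\Windows\\explorer.exe", "CommandLine": "C:\\Windows\\explorer.exe", "ParentProcessGuid": "{A-0}", "ParentImage": "C:\\Windows\\System32\\userinit.exe"}
{"RecordId": 102, "UtcTime": "2024-03-01 09:40:12.000", "ProcessGuid": "{A-2}", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\" /n invoice.docm", "ParentProcessGuid": "{A-1}", "ParentImage": "C:\\Windows\\explorer.exe"}
{"RecordId": 103, "UtcTime": "2024-03-01 09:40:19.000", "ProcessGuid": "{A-3}", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -enc UExBQ0VIT0xERVI=", "ParentProcessGuid": "{A-2}", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
{"RecordId": 105, "UtcTime": "2024-03-01 09:41:00.000", "ProcessGuid": "{A-4}", "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs", "ParentProcessGuid": "{A-9}", "ParentImage": "C:\\Windows\\System32\\services.exe"}
{"RecordId": 106, "UtcTime": "2024-03-01 09:45:33.000", "ProcessGuid": "{A-5}", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe Get-Process", "ParentProcessGuid": "{A-1}", "ParentImage": "C:\\Windows\\explorer.exe"}
"""

# Illustrative lists (an assumption of this example, not a complete ruleset).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
CMDLINE_MARKERS = [
    (re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}", re.I), "encoded command"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), "expression invocation"),
    (re.compile(r"downloadstring|frombase64string", re.I), "in-memory download/decode"),
]


def parse_events(text):
    """One JSON object per non-blank line -> list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(event, by_guid, max_depth=32):
    """Walk ParentProcessGuid links; fall back to ParentImage when the parent was not logged."""
    chain = [basename(event["Image"])]
    cur = event
    for _ in range(max_depth):  # bounded so a corrupt/cyclic tree cannot loop forever
        parent = by_guid.get(cur["ParentProcessGuid"])
        if parent is None:
            chain.append(basename(cur["ParentImage"]))
            break
        chain.append(basename(parent["Image"]))
        cur = parent
    return chain


def find_suspicious(events):
    """Flag Office -> script-host spawns and command lines with hiding/encoding traits."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    findings = []
    for e in events:
        reasons = []
        child, parent = basename(e["Image"]), basename(e["ParentImage"])
        if child in SCRIPT_HOSTS and parent in OFFICE_APPS:
            reasons.append(f"{child} spawned by Office application {parent}")
        for rx, label in CMDLINE_MARKERS:
            if rx.search(e["CommandLine"]):
                reasons.append(f"command line: {label}")
        if reasons:
            findings.append({"RecordId": e["RecordId"], "UtcTime": e["UtcTime"],
                             "ancestry": ancestry(e, by_guid), "reasons": reasons})
    return findings


def find_record_gaps(events):
    """Missing record-ID ranges: a hint that records were cleared or never collected."""
    ids = sorted(e["RecordId"] for e in events)
    return [(a + 1, b - 1) for a, b in zip(ids, ids[1:]) if b - a > 1]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for f in find_suspicious(evs):
        print(f"record {f['RecordId']} {f['UtcTime']}: {' <- '.join(f['ancestry'])}")
        for r in f["reasons"]:
            print(f"    - {r}")
    for lo, hi in find_record_gaps(evs):
        print(f"record gap: {lo}-{hi}")
```

On the sample, only record 103 is reported (three reasons, ancestry powershell.exe <- winword.exe <- explorer.exe <- userinit.exe); the interactive `powershell.exe Get-Process` under explorer.exe in record 106 is left alone, and the missing record 104 is listed as a gap to follow up against the collector.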

By conducting thorough process analysis and log analysis, analysts can identify the presence of fileless malware and take appropriate steps to mitigate the threat.

Determine the type of code based on a provided snippet
The type of code cannot be determined without the snippet itself, but the following general cues help identify what kind of code a snippet is:
  1. Scripting languages: Scripting languages like Python, JavaScript, and PowerShell are typically used to automate tasks or manipulate data. They are often executed in an interpreted environment, meaning that the code is executed line-by-line without being compiled into an executable file. Scripting languages are often used to create fileless malware because they can execute in memory without leaving a file on disk.
  2. Compiled languages: Compiled languages like C, C++, and Java are typically used to create standalone applications or libraries. The code is compiled into an executable file, which is then executed on the host system. Compiled languages are less commonly used to create fileless malware, but they may still be used to create executable code that is injected into memory.
  3. Machine code: Machine code is the low-level code that is executed by the CPU. Machine code is typically not written by hand, but is instead generated by a compiler or assembler. Machine code can be used to create fileless malware that is executed directly in memory without leaving a file on disk.

In order to determine the type of code based on a provided snippet, it is necessary to examine the syntax and structure of the code, as well as any accompanying documentation or comments. The specific language or platform being used can also provide clues about the type of code. If the code is compiled, it may be necessary to disassemble or decompile it in order to examine the underlying machine code. Overall, determining the type of code requires a thorough analysis of the code and its environment.
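The syntax cues described above can be turned into a small classifier. The following is an added example (not part of the original page): it scores a snippet against illustrative marker patterns for PowerShell, Python, Bash, JavaScript and C, treats mostly non-printable bytes or a long `\x..` escape string as machine code, and, for a PowerShell `-EncodedCommand` argument, decodes the base64/UTF-16LE payload and classifies that inner layer too, since the encoded form is what an analyst usually meets first. The marker lists, weights and sample snippets are this example's assumptions and are constructed, not taken from any real incident.

```python
import base64
import re
import string

# Illustrative syntax markers per code family; one point per regex match. The lists
# and the equal weighting are assumptions of this example, not an authoritative grammar.
MARKERS = {
    "powershell": [
        r"\$\w+\s*=",                                                # $var = ...
        r"\b(Get|Set|New|Invoke|Write|Select|Start)-[A-Z]\w*",       # Verb-Noun cmdlets
        r"\[System\.[\w.]+\]",                                       # .NET type literal
        r"(?i)\bpowershell(\.exe)?\b",
        r"(?i)-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}",          # -EncodedCommand <base64>
        r"\|\s*ForEach-Object|\$_\.",
    ],
    "python": [
        r"^\s*import\s+\w+", r"^\s*from\s+\w+\s+import\b",
        r"^\s*def\s+\w+\s*\(.*\)\s*:", r"\bprint\s*\(", r"^\s*(with|for|if)\s+.+:\s*$",
    ],
    "bash": [
        r"^#!\s*/(usr/)?bin/(env\s+)?(ba)?sh", r"\bfi\b", r"\bdone\b", r"\becho\b", r"\[\[.*\]\]",
    ],
    "javascript": [
        r"\b(var|let|const)\s+\w+", r"\bfunction\b\s*\w*\s*\(", r"\b(document|window|eval)\s*[.(]", r"=>",
    ],
    "c": [
        r"^\s*#include\s*[<\"]", r"\bint\s+main\s*\(", r"\b(malloc|memcpy|printf|strcpy)\s*\(", r"\bchar\s*\*",
    ],
}
ENC_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
HEX_ESCAPES = re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}")


def score_families(text):
    """Marker hits per family; re.MULTILINE makes ^ and $ line-anchored."""
    return {fam: sum(len(re.findall(p, text, re.MULTILINE)) for p in pats)
            for fam, pats in MARKERS.items()}


def unwrap_encoded_command(text):
    """Decode a PowerShell -EncodedCommand argument (base64 over UTF-16LE), or None.
    A false regex hit (e.g. grep -e <long token>) fails base64 validation or decodes to noise."""
    m = ENC_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify_snippet(snippet):
    """Return {"type", "scores", "notes"} for a str or bytes snippet."""
    notes = []
    if isinstance(snippet, (bytes, bytearray)):
        printable = sum(chr(b) in string.printable for b in snippet)
        if snippet and printable / len(snippet) < 0.7:       # threshold is an assumption
            return {"type": "machine code (raw bytes)", "scores": {}, "notes": ["mostly non-printable bytes"]}
        snippet = bytes(snippet).decode("latin-1")
    scores = score_families(snippet)
    best, best_score = max(scores.items(), key=lambda kv: kv[1])
    if HEX_ESCAPES.search(snippet):
        notes.append("hex-escaped byte string present (possible machine code carrier)")
        if best_score == 0:
            return {"type": "machine code (hex-escaped byte string)", "scores": scores, "notes": notes}
    if best_score == 0:
        return {"type": "unknown", "scores": scores, "notes": notes}
    inner = unwrap_encoded_command(snippet)
    if inner is not None:
        notes.append(f"decoded -EncodedCommand payload classified as {classify_snippet(inner)['type']}")
    return {"type": best, "scores": scores, "notes": notes}


# Constructed sample snippets (not from any real incident).
SAMPLES = {
    "ps": "$log_file = Get-Content -Path 'log_file.txt'\n"
          "$log_file | Select-String -Pattern 'x' | ForEach-Object { Write-Host $_.Line }",
    "py": "import csv\nwith open('log.csv') as f:\n    for row in csv.reader(f):\n        print(row)",
    "sh": '#!/bin/bash\nwhile IFS= read -r line; do\n  echo "$line"\ndone < "$f"',
    "enc": "powershell.exe -EncodedCommand "
           + base64.b64encode("Write-Output 'constructed example'".encode("utf-16le")).decode(),
    "hex": r'buf = b"\x90\x90\x90\x90\x90\x90\x90\x90\xcc"',
    "raw": b"\x55\x48\x89\xe5\x48\x83\xec\x10\x90\x90\xc3" + b"\x00" * 5,
}

if __name__ == "__main__":
    for name, snippet in SAMPLES.items():
        result = classify_snippet(snippet)
        print(f"{name:>4}: {result['type']:<40} {result['scores']} {result['notes']}")
```

The `enc` sample is classified as PowerShell from its outer form alone, and the note records that the decoded payload is PowerShell as well; in practice that inner layer is what gets analyzed further, and the same decode step applies to `-enc` arguments recovered from process command lines in Sysmon or EDR telemetry.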

Construct Python, PowerShell, and Bash scripts to parse and search logs or multiple data sources (such as, Cisco Umbrella, Sourcefire IPS, AMP for Endpoints, AMP for Network, and PX Grid)
Here are some examples of Python, PowerShell, and Bash scripts that can parse and search logs from multiple data sources:

Python Script:

python

import csv

# Open a CSV file containing logs and read the contents
with open('log_file.csv', newline='') as log_file:
    # Create a CSV reader object to parse the log file
    csv_reader = csv.reader(log_file, delimiter=',')

    # Iterate through the log file, row by row
    for row in csv_reader:
        # Search for a specific string in the first column (skip empty rows)
        if row and 'search_string' in row[0]:
            # If the string is found, print the entire row
            print(row)

PowerShell Script:

powershell
# Open a text file containing logs and read the contents
$log_file = Get-Content -Path 'log_file.txt'

# Search for a specific string in the log file
$search_string = 'search_string'
$log_file | Select-String -Pattern $search_string -SimpleMatch | ForEach-Object {
    # If the string is found, print the entire line
    Write-Host $_.Line
}

Bash Script:

bash

#!/bin/bash

# Text file containing the logs to search
log_file="log_file.txt"

# String to search for (quoted in the pattern so it is matched literally)
search_string="search_string"
while IFS= read -r line; do
    # If the string is found, print the entire line
    if [[ $line == *"$search_string"* ]]; then
        echo "$line"
    fi
done < "$log_file"

These scripts can be modified to parse and search logs from other data sources, such as Cisco Umbrella, Sourcefire IPS, AMP for Endpoints, AMP for Network, and PX Grid, by using the appropriate log file format and search criteria. For example, Cisco Umbrella logs can be parsed using the Cisco Umbrella Reporting API, and Sourcefire IPS logs can be parsed using the Snort log parser. Overall, parsing and searching logs from multiple data sources requires a thorough understanding of the log file format and search criteria, as well as the tools and APIs available for each data source.
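The three scripts above each search one file for one string. The following is an added example (not from the original page) of what "parsing multiple data sources" looks like in practice: two differently formatted sources, a Cisco Umbrella DNS log in CSV and Snort/Sourcefire alert_fast lines, are normalized to one record shape, searched against an IOC set, and correlated by internal host so that agreement between sources stands out. The Umbrella column order used here (timestamp, most granular identity, identities, internal IP, external IP, action, query type, response code, domain, categories) is this example's assumption about the export layout and should be checked against a real export; all log lines and indicators are constructed, using documentation-reserved addresses and the .test TLD.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime

# Constructed Umbrella DNS log rows (column order is an assumption, see lead-in).
UMBRELLA_CSV = """\
"2024-03-01 09:12:01","WS-042","WS-042,HQ,Corp Net","10.10.1.100","198.51.100.20","Allowed","1 (A)","NOERROR","update.example-cdn.test.","Software Updates"
"2024-03-01 09:12:07","WS-042","WS-042,HQ,Corp Net","10.10.1.100","198.51.100.20","Blocked","1 (A)","NOERROR","c2.bad-example.test.","Malware"
"2024-03-01 09:15:30","WS-017","WS-017,HQ,Corp Net","10.10.1.117","198.51.100.20","Allowed","1 (A)","NOERROR","intranet.example.test.","Business"
"""

# Constructed Snort / Sourcefire alert_fast lines (no year in the timestamp).
SNORT_FAST = """\
03/01-09:12:09.482113  [**] [1:9000001:1] CONSTRUCTED malware C2 beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.10.1.100:52340 -> 203.0.113.5:443
03/01-09:16:02.003541  [**] [1:9000002:1] CONSTRUCTED policy violation [**] [Classification: Potential Corporate Privacy Violation] [Priority: 3] {UDP} 10.10.1.117:51000 -> 198.51.100.9:53
"""

# Constructed indicators: one domain, one IP.
IOCS = {"c2.bad-example.test", "203.0.113.5"}

SNORT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_umbrella(text):
    """Normalize Umbrella DNS rows to {source, time, host, indicator, detail}."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 9:
            continue  # blank or truncated row
        records.append({
            "source": "umbrella",
            "time": datetime.strptime(row[0], "%Y-%m-%d %H:%M:%S"),
            "host": row[3],
            "indicator": row[8].rstrip(".").lower(),  # DNS logs keep the trailing root dot
            "detail": f"{row[5]} {row[6]} -> {row[7]}",
        })
    return records


def parse_snort_fast(text, year):
    """Normalize alert_fast lines; the format carries no year, so the caller supplies it."""
    records = []
    for line in text.splitlines():
        m = SNORT_RE.match(line.strip())
        if not m:
            continue  # not an alert line (headers, blanks, other output)
        records.append({
            "source": "snort",
            "time": datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f"),
            "host": m["src"],
            "indicator": m["dst"],
            "detail": f"[{m['gid']}:{m['sid']}:{m['rev']}] {m['msg']} (priority {m['prio']})",
        })
    return records


def search_iocs(records, iocs):
    """Every normalized record whose indicator is in the IOC set."""
    wanted = {i.lower() for i in iocs}
    return [r for r in records if r["indicator"] in wanted]


def correlate_by_host(hits):
    """Group IOC hits by internal host in time order so multi-source agreement is visible."""
    by_host = defaultdict(list)
    for h in sorted(hits, key=lambda r: r["time"]):
        by_host[h["host"]].append(h)
    return dict(by_host)


if __name__ == "__main__":
    records = parse_umbrella(UMBRELLA_CSV) + parse_snort_fast(SNORT_FAST, year=2024)
    for host, hits in correlate_by_host(search_iocs(records, IOCS)).items():
        sources = {h["source"] for h in hits}
        print(f"{host}: {len(hits)} IOC hit(s) across {len(sources)} source(s)")
        for h in hits:
            print(f"  {h['time']:%Y-%m-%d %H:%M:%S} {h['source']:<8} {h['indicator']:<24} {h['detail']}")
```

Adding another source (an AMP for Endpoints event export, a pxGrid session feed) means writing one more parser that emits the same five-field record; the search and correlation code does not change, which is the point of normalizing first and searching second.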

Recognize purpose, use, and functionality of libraries and tools (such as, Volatility, Sysinternals, SIFT tools, and TCPdump)
Here is a brief overview of some commonly used libraries and tools in the context of fileless malware analysis, along with their purpose, use, and functionality:
  1. Volatility: Volatility is a memory analysis tool that can be used to analyze the memory of a compromised system to identify the presence of fileless malware. It provides a wide range of plugins that can be used to extract information from memory, such as running processes, network connections, and registry keys. Volatility can also be used to detect and analyze rootkits, kernel-level malware, and other advanced threats.
  2. Sysinternals: Sysinternals is a suite of tools developed by Microsoft that can be used to analyze and diagnose system issues. Some of the tools in the suite, such as Process Explorer and Autoruns, can be used to identify and analyze running processes on a system, including those associated with fileless malware infections. Sysinternals can also be used to analyze registry keys, network connections, and other system components.
  3. SIFT tools: SIFT (SANS Investigative Forensic Toolkit) is a collection of open source tools that can be used for digital forensic analysis. The SIFT tools include a range of utilities and scripts for analyzing disk images, memory dumps, and network traffic. SIFT can be used to identify and analyze fileless malware infections, as well as other types of threats.
  4. TCPdump: TCPdump is a command-line tool that can be used to capture and analyze network traffic. It can be used to identify network connections associated with fileless malware infections, as well as analyze the content of network traffic for signs of malicious activity. TCPdump can also be used to analyze the behavior of network protocols and identify anomalies or suspicious activity.

Overall, these libraries and tools are essential for fileless malware analysis, providing a range of capabilities for identifying, analyzing, and mitigating fileless malware infections. They can be used in combination with other analysis techniques to provide a comprehensive understanding of the threat and help develop effective mitigation strategies.