Detects abuse of fileless storage mechanisms such as Registry keys, WMI classes, and Event Logs used to stage payloads, scripts, or encoded content outside traditional files.

| Data Component | Name | Channel |
|---|---|---|
| Windows Registry Key Modification (DC0063) | WinEventLog:Security | EventCode=4657 |
| WMI Creation (DC0008) | WinEventLog:Application | WMI Object Creation Events |

| Field | Description |
|---|---|
| RegistryPathFilter | Scoped to suspicious or abused paths like HKCU\Software\Classes\ or HKLM\SYSTEM\CurrentControlSet\Services\ |
| PayloadEntropyThreshold | Minimum entropy level to flag suspicious registry or WMI content as encoded payloads |
| TimeWindow | Temporal window for correlating WMI/registry modifications with process creation or network usage |
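
The analytic above combines three mutable elements: a registry path filter, an entropy threshold on the stored content, and a time window for correlating the write with process creation. The following is an added example of that logic, not part of the original analytic and not a vendor rule: it scores the Shannon entropy of registry values (4657) and WMI object payloads, applies the path filter, and looks for process creation (4688) inside the window. The event records are constructed for this example, the field names (`ObjectName`, `NewValue`, `NewProcessName`, `ClassName`, `Payload`) are assumptions loosely modelled on the audit records, and the threshold and window values are assumptions a deployment would tune. Event Log storage, which the description also names, is not covered by the listed data components and is not handled here.

```python
"""Added example: entropy-based detection of payloads staged in Registry values or WMI objects."""
import math
from collections import Counter
from datetime import datetime, timedelta

# Mutable elements of the analytic; the concrete values below are assumptions for this example.
REGISTRY_PATH_FILTER = (
    "HKCU\\Software\\Classes\\",
    "HKLM\\SYSTEM\\CurrentControlSet\\Services\\",
)
PAYLOAD_ENTROPY_THRESHOLD = 4.5      # bits per character; Base64/hex blobs score well above text or paths
TIME_WINDOW = timedelta(minutes=5)   # registry/WMI write -> process creation correlation window

# Constructed Base64 blob (48 bytes): every Base64 symbol appears exactly once, so entropy is log2(64) = 6.0.
HIGH_ENTROPY_BLOB = "kJ9vX2mQ7nLpZ4rTbWe8Yc1FsDgA5uHioBNx3KzVfMjR6tClGyE0qUwhSda+I/OP"
BENIGN_VALUE = "C:\\Program Files\\Example\\app.exe"   # ordinary path, entropy about 4.05 bits

# Constructed sample events. Field names are assumptions modelled loosely on 4657/4688 records.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:00", "channel": "Security", "code": 4657,
     "ObjectName": "HKCU\\Software\\Classes\\ExampleApp\\Settings", "NewValue": BENIGN_VALUE},
    {"time": "2024-05-01T10:01:10", "channel": "Security", "code": 4657,
     "ObjectName": "HKCU\\Software\\Classes\\ExampleApp\\Cache", "NewValue": HIGH_ENTROPY_BLOB},
    {"time": "2024-05-01T10:02:05", "channel": "Security", "code": 4688,
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    # High entropy but outside RegistryPathFilter: stays out of scope.
    {"time": "2024-05-01T10:30:00", "channel": "Security", "code": 4657,
     "ObjectName": "HKLM\\SOFTWARE\\ExampleVendor\\LicenseBlob", "NewValue": HIGH_ENTROPY_BLOB},
    # WMI object creation carrying an encoded payload; no process start follows within TimeWindow.
    {"time": "2024-05-01T11:00:00", "channel": "Application", "code": "WMI Object Creation",
     "ClassName": "root\\default:ExampleStore", "Payload": HIGH_ENTROPY_BLOB},
    {"time": "2024-05-01T11:20:00", "channel": "Security", "code": 4688,
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe"},
]


def shannon_entropy(data: str) -> float:
    """Shannon entropy in bits per character; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["time"])


def in_scope_registry_path(path: str) -> bool:
    """RegistryPathFilter: only keys under the configured prefixes are evaluated."""
    return path.startswith(REGISTRY_PATH_FILTER)


def detect(events: list) -> list:
    """Return one alert per registry/WMI write whose content exceeds the entropy threshold,
    with any process creations observed inside TimeWindow after the write attached."""
    process_starts = [e for e in events if e.get("code") == 4688]
    alerts = []
    for e in events:
        if e.get("code") == 4657:
            if not in_scope_registry_path(e["ObjectName"]):
                continue
            location, content = e["ObjectName"], e["NewValue"]
        elif e.get("channel") == "Application" and e.get("code") == "WMI Object Creation":
            location, content = e["ClassName"], e["Payload"]
        else:
            continue
        entropy = shannon_entropy(content)
        if entropy < PAYLOAD_ENTROPY_THRESHOLD:
            continue
        start = _ts(e)
        followers = [p["NewProcessName"] for p in process_starts
                     if start <= _ts(p) <= start + TIME_WINDOW]
        alerts.append({"time": e["time"], "location": location,
                       "entropy": round(entropy, 2), "correlated_processes": followers})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Two of the four storage events alert: the high-entropy value under `HKCU\Software\Classes\` (with the PowerShell start 55 seconds later attached) and the WMI object. The same blob written under `HKLM\SOFTWARE\ExampleVendor` is dropped by the path filter, which is the usual trade-off of this element: a narrow filter keeps noise from licence and configuration blobs down at the cost of coverage, so the prefixes deserve review against the environment's own baseline before the threshold is lowered.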
Detects usage of shared memory directories (/dev/shm, /run/shm) for temporary storage of obfuscated, encoded, or executable data without persistence to disk.

| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | auditd:SYSCALL | open, write, unlink |
| File Metadata (DC0059) | linux:osquery | file_events.path |

| Field | Description |
|---|---|
| PathPrefix | Shared memory mount path used (e.g., /dev/shm/ or /run/shm/) |
| FilenameRegex | Regex to match non-standard, suspicious, or encoded filenames |
| ExecCorrelationWindow | Time window to correlate process execution from shared memory directories |
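
The shared-memory analytic is built from a path prefix, a filename regex, and an execution correlation window. The following is an added example of that logic, not part of the original analytic and not an osquery or auditd configuration: it walks file-creation rows, applies `PathPrefix` and `FilenameRegex`, and checks whether a process executed from the same path (and whether the file was unlinked again) inside `ExecCorrelationWindow`. The rows are constructed for this example and shaped loosely after osquery's `file_events` (`target_path`, `action`) and `process_events` (`path`) tables; the prefixes, regex and window are assumptions a deployment would tune.

```python
"""Added example: detection of short-lived executable content staged in shared memory directories."""
import os
import re
from datetime import datetime, timedelta

# Mutable elements of the analytic; the concrete values are assumptions for this example.
PATH_PREFIXES = ("/dev/shm/", "/run/shm/")
# Hidden files, or long unbroken Base64/alphanumeric tokens with no extension or separator.
FILENAME_REGEX = re.compile(r"^\.|^[A-Za-z0-9+/=]{16,}$")
EXEC_CORRELATION_WINDOW = timedelta(seconds=60)

# Constructed sample rows, shaped loosely after osquery file_events / process_events.
SAMPLE_EVENTS = [
    # Ordinary audio-server segment: separators in the name keep it out of the regex.
    {"table": "file_events", "action": "CREATED", "time": "2024-05-01T10:00:00",
     "target_path": "/dev/shm/pulse-shm-1234567890"},
    # Hidden file created, executed two seconds later and unlinked right after.
    {"table": "file_events", "action": "CREATED", "time": "2024-05-01T10:05:00",
     "target_path": "/dev/shm/.x9Kd2Rv0q7Hx3PzL"},
    {"table": "process_events", "time": "2024-05-01T10:05:02",
     "path": "/dev/shm/.x9Kd2Rv0q7Hx3PzL", "cmdline": "/dev/shm/.x9Kd2Rv0q7Hx3PzL"},
    {"table": "file_events", "action": "DELETED", "time": "2024-05-01T10:05:03",
     "target_path": "/dev/shm/.x9Kd2Rv0q7Hx3PzL"},
    # Token-like name under /run/shm; the execution comes 20 minutes later, outside the window.
    {"table": "file_events", "action": "CREATED", "time": "2024-05-01T10:20:00",
     "target_path": "/run/shm/AbCdEf1234567890XyZ"},
    {"table": "process_events", "time": "2024-05-01T10:40:00",
     "path": "/run/shm/AbCdEf1234567890XyZ", "cmdline": "/run/shm/AbCdEf1234567890XyZ"},
    # Same name outside PathPrefix: not this analytic's concern.
    {"table": "file_events", "action": "CREATED", "time": "2024-05-01T10:50:00",
     "target_path": "/tmp/AbCdEf1234567890XyZ"},
]


def _ts(row: dict) -> datetime:
    return datetime.fromisoformat(row["time"])


def is_candidate(path: str) -> bool:
    """PathPrefix and FilenameRegex applied together to one file path."""
    if not path.startswith(PATH_PREFIXES):
        return False
    return FILENAME_REGEX.search(os.path.basename(path)) is not None


def detect(rows: list) -> list:
    """One alert per matching file creation; 'executed' and 'deleted' record whether a process
    ran from that path, or the file was removed, within ExecCorrelationWindow of creation."""
    execs = [r for r in rows if r["table"] == "process_events"]
    deletes = [r for r in rows if r["table"] == "file_events" and r["action"] == "DELETED"]
    alerts = []
    for r in rows:
        if r["table"] != "file_events" or r["action"] != "CREATED":
            continue
        path = r["target_path"]
        if not is_candidate(path):
            continue
        start = _ts(r)
        end = start + EXEC_CORRELATION_WINDOW
        executed = any(x["path"] == path and start <= _ts(x) <= end for x in execs)
        deleted = any(d["target_path"] == path and start <= _ts(d) <= end for d in deletes)
        alerts.append({
            "time": r["time"],
            "path": path,
            "executed": executed,
            "deleted": deleted,
            # Execution from shared memory is the strongest signal; a name match alone is weaker.
            "severity": "high" if executed else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The hidden file alerts at high severity because creation, execution and unlink all fall inside the 60-second window, which is the create-run-delete pattern the "without persistence to disk" wording describes. The `/run/shm` token alerts at medium severity: the name matches but the execution is outside the window, so a deployment would either widen `ExecCorrelationWindow` or accept that late executions surface as separate process-execution alerts rather than through this correlation.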