As perimeter defenses become increasingly robust, adversaries have pivoted toward "living-off-the-land" (LotL) techniques to evade detection. Fileless lateral movement, which leverages legitimate system tools such as PowerShell, Windows Management Instrumentation (WMI), and Windows Remote Management (WinRM), presents a significant challenge for traditional Endpoint Detection and Response (EDR) systems because it operates entirely within volatile memory, leaving no static footprint on the physical disk. This paper provides a rigorous taxonomy of fileless attack vectors and proposes a novel detection algorithm based on Probabilistic Graphical Models (PGMs) to identify anomalous behavioral patterns in administrative protocols. We conduct a comprehensive ablation study to determine the relative weight of volatile memory artifacts versus Remote Procedure Call (RPC) traffic patterns, identifying a crucial visibility gap in existing EDR telemetry. Our findings demonstrate that integrating memory entropy analysis with network flow monitoring increases detection rates by 23% over standard behavioral-heuristic EDR. The paper culminates in a defense-in-depth mitigation framework that reduces the attack surface by enforcing strict session control over administrative trust relationships.
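The abstract describes fusing a volatile-memory artifact (region entropy) with administrative-protocol telemetry (WinRM/WMI session and RPC call rate) inside a probabilistic graphical model. The following is an added illustration, not code from the paper: it uses a naive Bayes classifier, the simplest PGM, over constructed session records. The likelihood tables, the prior, the thresholds (7.0 bits for a "high entropy" region, 50 RPC calls per minute for a "high rate"), and the telemetry field names are all assumptions chosen for the example, not figures or identifiers from the paper.

```python
from collections import Counter
from math import log2

# --- Memory artifact feature: Shannon entropy of a sampled process memory region ---
def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a region; near 8.0 suggests packed/encrypted content, text is ~4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * log2(c / n) for c in Counter(data).values())

# --- Naive Bayes fusion of memory and protocol features (constructed likelihoods) ---
# Each entry: feature -> (P(feature | malicious), P(feature | benign)).
# These numbers are assumptions for illustration, not measurements from the paper.
LIKELIHOODS = {
    "high_entropy_region": (0.70, 0.05),
    "remote_admin_session": (0.90, 0.20),
    "high_rpc_rate": (0.60, 0.10),
    "encoded_powershell": (0.65, 0.02),
}
PRIOR_MALICIOUS = 0.01          # assumed base rate of malicious admin sessions
ENTROPY_THRESHOLD = 7.0         # bits/byte; assumed cut-off for "high entropy"
RPC_RATE_THRESHOLD = 50         # calls/minute; assumed cut-off for "high rate"

def extract_features(session: dict) -> dict:
    """Discretize one telemetry record into the boolean features the model consumes."""
    return {
        "high_entropy_region": shannon_entropy(session["memory_sample"]) >= ENTROPY_THRESHOLD,
        "remote_admin_session": session["transport"] in {"WinRM", "WMI"},
        "high_rpc_rate": session["rpc_calls_per_min"] >= RPC_RATE_THRESHOLD,
        "encoded_powershell": bool(session["encoded_command"]),
    }

def posterior_malicious(features: dict) -> float:
    """P(malicious | features) under naive Bayes, computed in log space for stability."""
    log_mal, log_ben = log2(PRIOR_MALICIOUS), log2(1 - PRIOR_MALICIOUS)
    for name, (p_mal, p_ben) in LIKELIHOODS.items():
        present = features.get(name, False)
        log_mal += log2(p_mal if present else 1 - p_mal)
        log_ben += log2(p_ben if present else 1 - p_ben)
    m = max(log_mal, log_ben)
    pm, pb = 2 ** (log_mal - m), 2 ** (log_ben - m)
    return pm / (pm + pb)

def classify(session: dict, threshold: float = 0.5) -> tuple:
    """Return (posterior, verdict) for one session record."""
    p = posterior_malicious(extract_features(session))
    return p, ("suspicious" if p >= threshold else "benign")

# --- Constructed telemetry records (hypothetical hosts, not real data) ---
BENIGN_SESSION = {
    "host": "ws-example-01",
    "transport": "WinRM",
    "rpc_calls_per_min": 4,
    "encoded_command": False,
    # plain script text in memory: low entropy
    "memory_sample": b"Get-Service | Where-Object { $_.Status -eq 'Running' } | Format-Table\n" * 20,
}
SUSPICIOUS_SESSION = {
    "host": "ws-example-02",
    "transport": "WMI",
    "rpc_calls_per_min": 180,
    "encoded_command": True,
    # constructed maximum-entropy region standing in for packed/encrypted content
    "memory_sample": bytes(range(256)) * 16,
}

if __name__ == "__main__":
    for s in (BENIGN_SESSION, SUSPICIOUS_SESSION):
        p, verdict = classify(s)
        print(f"{s['host']}: P(malicious)={p:.4f} -> {verdict}")
```

The point the example makes is the one the abstract's ablation targets: a single artifact (a remote admin session alone, or a high-entropy region alone) does not cross the threshold under these assumed likelihoods, while the combination of memory and protocol evidence does, which is why telemetry that lacks either source leaves a visibility gap.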
Dora et al. studied this question.