Hunting Fileless Malware in the Windows Registry
ID: 01c2e170-a217-5177-9f29-0d2d5c9967d1
STIX ID: report--01c2e170-a217-5177-9f29-0d2d5c9967d1
Feed Name: Detect FYI
This report documents fileless malware techniques that use the Windows Registry for payload staging and persistence, and provides practical Microsoft Defender for Endpoint hunting analytics. It explains how common LOLBins (e.g., powershell.exe, reg.exe, wscript.exe, mshta.exe, rundll32.exe) can write encoded payloads into HKCU, a hive the current user can modify without elevation, illustrates attack scenarios and the artifacts they leave, and presents a set of KQL queries to detect suspicious registry activity, covering length-based outliers, hex/blob pattern detection, registry write bursts, indirect execution chains, and writes to uncommon HKCU keys.
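As an added example that is not part of the report and does not reproduce its queries, the following advanced hunting query combines several of the signals the summary lists (value length outliers, hex/base64-looking blobs, LOLBin writers, uncommon HKCU keys, and write bursts) into one scored result set. It assumes the standard DeviceRegistryEvents schema in Microsoft Defender for Endpoint; the lookback window, length threshold, burst threshold, LOLBin list and "common key" list are illustrative values chosen here, not figures from the report.

```kql
// Added example, not the report's own query. Assumes the standard
// DeviceRegistryEvents table in Microsoft Defender for Endpoint.
// Thresholds and lists below are illustrative and should be tuned per tenant.
let lookback = 7d;
let min_len = 1024;          // value data length treated as an outlier
let burst_threshold = 10;    // writes by one process within 5 minutes
let lolbins = dynamic([
    "powershell.exe", "pwsh.exe", "reg.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe"]);
// HKCU locations where user-level writes are routine; anything else is "uncommon".
let common_keys = dynamic([
    @"\Software\Microsoft\Windows\CurrentVersion\Run",
    @"\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    @"\Software\Microsoft\Windows\CurrentVersion\Explorer",
    @"\Software\Microsoft\Office",
    @"\Software\Classes"]);
// HKCU value writes initiated by a LOLBin.
let writes = DeviceRegistryEvents
| where Timestamp > ago(lookback)
| where ActionType == "RegistryValueSet"
| where RegistryKey startswith "HKEY_CURRENT_USER"
| where InitiatingProcessFileName in~ (lolbins)
| extend DataLen = strlen(RegistryValueData), Bin = bin(Timestamp, 5m);
// Write bursts: one process setting many values in a 5-minute window.
let bursts = writes
| summarize Writes = count(), DistinctValues = dcount(RegistryValueName)
    by DeviceId, InitiatingProcessId, Bin
| where Writes >= burst_threshold;
writes
| extend LooksHex    = RegistryValueData matches regex @"^(0x)?[0-9A-Fa-f]{64,}$"
| extend LooksBase64 = RegistryValueData matches regex @"^[A-Za-z0-9+/]{100,}={0,2}$"
| extend UncommonKey = not(RegistryKey has_any (common_keys))
| join kind=leftouter (bursts | project DeviceId, InitiatingProcessId, Bin, Writes)
    on DeviceId, InitiatingProcessId, Bin
| extend InBurst = isnotempty(Writes)
// Simple additive score so the hunt surfaces events with several weak signals.
| extend Score = toint(DataLen > min_len) + toint(LooksHex) + toint(LooksBase64)
               + toint(UncommonKey) + toint(InBurst)
| where Score >= 2
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
          RegistryKey, RegistryValueName, RegistryValueType, DataLen,
          LooksHex, LooksBase64, UncommonKey, InBurst, Writes, Score
| order by Score desc, Timestamp desc
```

Two caveats a hunter should keep in mind: RegistryValueData can be truncated or empty for large or binary (REG_BINARY) values, so the length and pattern signals alone will miss some staged payloads, which is why the burst and uncommon-key signals are scored independently; and the "common key" list deliberately excludes nothing that is also a persistence location (Run/RunOnce still appear when another signal fires), so tune the score threshold rather than suppressing keys wholesale.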
