OPERATOR PLAYBOOK
Ghost in the Shell: Fileless Execution
Executing malicious code using legitimate Microsoft signed binaries to remain invisible to disk scanners.
Mission Objective
Bypass traditional "New File" alerts by utilizing MSBuild.exe and PowerShell Reflection to run code directly in memory.
Step 1: The XML Wrapper
Modern EDRs scan .exe files. We will wrap our C# shellcode inside an XML file. When processed by MSBuild, the code compiles and executes in RAM without ever touching the disk.
C:\> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe payload.xml
Step 2: Memory-Only Persistence
Learn how to use WMI (Windows Management Instrumentation) to schedule tasks. Since the "task" is stored in the WMI database, there is no suspicious file for a scanner to find.
Pro-Tip: Always check Get-WinEvent logs. Even fileless attacks leave "Script Block Logging" artifacts that a smart SOC will hunt for.
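From the SOC side, this is what the hunt for those artifacts looks like. The following is an added example, not part of the original playbook: it runs two simple rules over constructed, pre-parsed event records (Sysmon Event ID 1 process creation and PowerShell Event ID 4104 script-block text, which is only produced when Script Block Logging is enabled). The dict layout of the records is an assumption made for the example; real telemetry would be exported with Get-WinEvent and converted to the same shape.

```python
import re

# Constructed sample records (not real telemetry). "id" 1 mimics a Sysmon
# process-creation event; "id" 4104 mimics a PowerShell script-block event.
SAMPLE_EVENTS = [
    {"id": 1,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": "MSBuild.exe payload.xml",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"id": 1,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": "MSBuild.exe MyApp.sln /t:Build",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    {"id": 4104, "script": "[System.Reflection.Assembly]::Load($bytes)"},
    {"id": 4104, "script": r"Get-ChildItem C:\Users"},
]

MSBUILD_IMAGE = re.compile(r"\\msbuild\.exe$", re.IGNORECASE)
# MSBuild handed a project/XML file directly, rather than a solution build.
PROJECT_ARG = re.compile(r"\.(xml|csproj|proj)\b", re.IGNORECASE)
# Parents that legitimately spawn MSBuild on a developer workstation.
BUILD_PARENTS = ("devenv.exe", "msbuild.exe", "dotnet.exe")
# In-memory assembly loading from a script block (the "PowerShell Reflection" path).
REFLECTION_LOAD = re.compile(r"\[System\.Reflection\.Assembly\]::Load", re.IGNORECASE)


def triage(events):
    """Return (rule_name, evidence) pairs for records matching either rule."""
    findings = []
    for e in events:
        if e["id"] == 1 and MSBUILD_IMAGE.search(e["image"]):
            parent = e["parent"].lower().rsplit("\\", 1)[-1]
            # MSBuild launched from a shell, not a build tool, with a bare project/XML file.
            if parent not in BUILD_PARENTS and PROJECT_ARG.search(e["cmdline"]):
                findings.append(("msbuild-inline-task", e["cmdline"]))
        elif e["id"] == 4104 and REFLECTION_LOAD.search(e["script"]):
            findings.append(("scriptblock-reflection-load", e["script"]))
    return findings


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

The Visual Studio build in the sample is deliberately left unflagged: filtering on the parent process is what keeps this rule usable on developer machines.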
Step 3: Execution
Establish a reverse shell by injecting your payload into a legitimate process like explorer.exe.