Keypoints:
- Fileless storage uses non-file locations to hold payloads or data, making disk-only scanners ineffective.
- Windows targets include the Registry, WMI repository, and event logs as covert storage locations.
- Linux targets include shared memory directories like /dev/shm, /run/shm, /var/run, and /var/lock.
- Adversaries often encode, encrypt, or splice stored data to further obfuscate contents and delay detection.
- Monitoring process creation, WMI changes, and registry modifications helps identify suspicious fileless activity.
Description:
- Like hiding a message in the seams of a quilt, fileless storage tucks malicious code or stolen data into OS structures and memory so it blends with normal system fabric and avoids obvious detection.
- Adversaries write payloads, shellcode, or staged data to non-file locations (Registry, WMI, event logs, shared memory) and often obfuscate it; this enables stealthy persistence and staging for exfiltration and bypasses disk-based protections, making detection and forensic collection harder.
Detection:
- Monitor process creation for commands that interact with Registry, WMI, or shared memory (look for rundll32, reg.exe, powershell creating binary blobs); use ETW/Windows Sysmon and Linux auditd to capture invocation details.
- Log and baseline Registry key creation and unusual value blobs in central hives; alert on large binary blobs or encoded strings in rarely-used keys using Sysmon registry events and Windows Event Forwarding.
- Track WMI repository changes and new WMI classes or consumers; use WMI event subscription audits and compare against known-good catalogs to detect injected or malicious entries.
- Alert on file creation in shared memory paths (/dev/shm, /run/shm, /var/run, /var/lock) and on execution from those paths; use auditd, inotify or EDR file monitors to capture writes and executions in these directories.
- Collect and inspect memory-backed artifacts and event log entries for base64, hex blobs, or compressed/encrypted payload patterns; use YARA rules and strings analysis on extracted blobs to identify obfuscation.
- Correlate abnormal access patterns: processes reading/writing central OS repositories or event logs at odd times, parent-child mismatches, or legitimate binaries performing unusual registry/WMI writes; tune alerts to reduce false positives by whitelisting known admin tools.
- Hunt using telemetry: search for encoded/large registry values, WMI consumer creation, processes with no disk-backed executable, and transient files in shared memory; apply threat intelligence (TTPs, IOCs) and behavioral baselines for prioritized investigation.
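As an added example (not part of the original page), a Python triage pass over registry value-set records that applies the Detection points above: it flags large values, base64 or hex blobs with high entropy, and writes made by the tools the page calls out. The sample events, key paths and the assumption that the Sysmon `Details` field carries the value as text are constructed for illustration.

```python
import base64
import math
import re
from collections import Counter
# Writers the page calls out as commonly used to stage blobs in the Registry.
SUSPECT_WRITERS = {"powershell.exe", "rundll32.exe", "reg.exe"}
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{62,}={0,2}$")  # plus a length % 4 check
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2}){32,}$")
LARGE_VALUE = 512  # characters; tune against the environment's baseline

# Constructed sample events. Field names mirror Sysmon Event ID 13 and Details
# is assumed to hold the value as text; binary-typed values need the raw hive.
_BLOB = b"MZ" + bytes(range(256)) * 3
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKCU\Software\ExampleApp\Theme", "Details": "Dark"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKCU\Software\ExampleApp\Cache",
     "Details": base64.b64encode(_BLOB).decode()},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\ExampleVendor\Stage",
     "Details": _BLOB[:64].hex()},
]

def shannon_entropy(text):
    # Bits per character: ~6 for dense base64, ~4 for hex, lower for prose.
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def classify_value(details):
    # Size and encoding indicators for one registry value.
    reasons = []
    if len(details) >= LARGE_VALUE:
        reasons.append("large_value")
    if BASE64_RE.match(details) and len(details) % 4 == 0 and shannon_entropy(details) > 4.5:
        reasons.append("base64_payload")
    elif HEX_RE.match(details):
        reasons.append("hex_payload")
    return reasons

def triage(events):
    hits = []
    for ev in events:
        reasons = classify_value(ev.get("Details", ""))
        if reasons:
            if ev.get("Image", "").rsplit("\\", 1)[-1].lower() in SUSPECT_WRITERS:
                reasons.append("suspect_writer")
            hits.append((ev["Image"], ev["TargetObject"], reasons))
    return hits
```

Thresholds are deliberately loose; baseline them against known admin tooling before alerting, as the page advises.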
Tactics:
Defense Evasion
Platforms:
Linux, Windows
Data Sources:
Process: Process Creation, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Relationship Citations:
(Citation: SentinelOne Valak June 2020), (Citation: Cylance Sodinokibi July 2019), (Citation: Prevailion DarkWatchman 2021), (Citation: Elastic Pikabot 2024), (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023), (Citation: ESET TeleBots Oct 2018), (Citation: ESET OceanLotus Mar 2019), (Citation: Secureworks REvil September 2019), (Citation: CISA ComRAT Oct 2020), (Citation: Symantec Waterbug Jun 2019), (Citation: Secureworks GandCrab and REvil September 2019), (Citation: Red Canary Qbot), (Citation: ESET Turla PowerShell May 2019), (Citation: Group IB Ransomware September 2020), (Citation: Trustwave Pillowmint June 2020), (Citation: US-CERT Volgmer Nov 2017), (Citation: ESET Turla Mosquito Jan 2018), (Citation: Profero APT27 December 2020), (Citation: Unit 42 Valak July 2020), (Citation: US-CERT TYPEFRAME June 2018), (Citation: Cybereason Chaes Nov 2020), (Citation: ESET Grandoreiro April 2020), (Citation: TrendMicro EarthLusca 2022), (Citation: Trend Micro Iron Tiger April 2021), (Citation: Trend Micro DRBControl February 2020), (Citation: Intel 471 REvil March 2020), (Citation: Cybereason OperationCuckooBees May 2022), (Citation: Red Canary NETWIRE January 2020), (Citation: Symantec Volgmer Aug 2014), (Citation: ESET Dukes October 2019), (Citation: MSTIC NOBELIUM Mar 2021), (Citation: ESET Gelsemium June 2021), (Citation: ESET ComRAT May 2020), (Citation: ESET PipeMon May 2020), (Citation: Unit 42 QUADAGENT July 2018), (Citation: Talos TinyTurla September 2021), (Citation: Kaspersky ShadowPad Aug 2017), (Citation: Cybereason Valak May 2020), (Citation: FireEye APT28), (Citation: Kaspersky ThreatNeedle Feb 2021), (Citation: McAfee Sodinokibi October 2019)