What is Fileless Malware?

Fileless malware executes in memory using legitimate tools, leaving no files for security scanners to detect. Learn how fileless attacks work, why they evade defenses, and what actually stops them.

Fileless Malware Techniques

Living Off the Land

Living-off-the-land attacks use legitimate system tools and binaries — PowerShell, Windows Management Instrumentation (WMI), certutil, mshta, regsvr32, rundll32 — to execute malicious actions without deploying custom malware files. These tools are present on every Windows system, their use is expected in enterprise environments, and security products must carefully balance flagging legitimate administrative use against detecting malicious abuse. The attacker's payload is a series of legitimate tool invocations chained to achieve malicious objectives, with no unique malware binary to detect.

Memory-Only Execution

Process injection attacks inject malicious code into the memory space of legitimate running processes. Rather than executing from a file, the malicious code runs within a trusted process — lsass.exe, svchost.exe, explorer.exe — inheriting that process's trust level and access permissions. From a file system perspective, no malicious file exists. From a network perspective, communications appear to originate from the legitimate process. Detection requires memory analysis or behavioral monitoring of process activities rather than file scanning.

Registry and WMI Persistence

Fileless malware achieves persistence through Windows Registry keys, WMI subscriptions, and scheduled tasks rather than executable files on disk. A malicious WMI event subscription that executes a PowerShell command from the registry when a specific system event occurs leaves no executable file on disk but survives reboots and credential rotations. Registry-based persistence stores encoded payloads in registry keys that are executed by legitimate system processes through script interpreters.
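The persistence mechanism described above can be hunted for by exporting the WMI subscription namespace and triaging each binding. The following is an added example written for this article, not code from the original page: it runs over constructed subscription records (the names, WQL filter and registry path are made up) and flags consumer classes that execute commands, script-host launches, encoded PowerShell arguments (which it decodes from base64 UTF-16LE) and payloads fetched from the registry at trigger time.

```python
import base64
import re

# Constructed sample records, shaped like a join of __EventFilter, __EventConsumer and
# __FilterToConsumerBinding from the root\subscription namespace. Names and the
# registry path are made up for illustration, not taken from any real incident.
SUBSCRIPTIONS = [
    {"name": "SCM Event Log Filter",
     "query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_Service'",
     "consumer_type": "NTEventLogEventConsumer", "command": ""},
    {"name": "Updater",
     "query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240",
     "consumer_type": "CommandLineEventConsumer",
     # PowerShell's -EncodedCommand takes base64 of UTF-16LE text; the inner command here just
     # reads a value from a hypothetical registry key, mirroring the persistence pattern above.
     "command": "powershell.exe -NoP -W Hidden -EncodedCommand " + base64.b64encode(
         "Invoke-Expression (Get-ItemProperty HKLM:\\SOFTWARE\\ExampleVendor).Config".encode("utf-16-le")).decode()},
]

RISKY_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}  # run arbitrary commands/script
SCRIPT_HOSTS = ("powershell", "pwsh", "mshta", "wscript", "cscript", "regsvr32", "rundll32", "certutil")
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
REGISTRY_READ = re.compile(r"get-itemproperty|\bgp\b|hklm:|hkcu:", re.I)

def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument, or None if absent or malformed."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(sub):
    """Return the reasons a subscription deserves analyst attention (empty list = looks benign)."""
    reasons = []
    if sub["consumer_type"] in RISKY_CONSUMERS:
        reasons.append("consumer class executes arbitrary commands or script")
    cmd = sub["command"]
    if any(host in cmd.lower() for host in SCRIPT_HOSTS):
        reasons.append("consumer launches a script host")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded PowerShell command: " + decoded)
        cmd = decoded  # inspect the decoded text, not the base64 wrapper
    if REGISTRY_READ.search(cmd):
        reasons.append("payload is read from the registry at trigger time")
    return reasons
```

On a live host the same records can be collected with Get-CimInstance against the root\subscription namespace and fed to triage() one binding at a time.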

Why Fileless Attacks Evade Traditional Defenses

Traditional antivirus and endpoint protection products detect malware primarily through file scanning — comparing files on disk against databases of known malicious signatures. Fileless malware, by definition, does not reside in files that security products scan. The malicious code executes from memory, legitimate tools, or system facilities that security products must treat as trusted to avoid overwhelming false positives.

Behavioral detection — identifying malicious activity patterns rather than malicious files — is the primary detection mechanism for fileless attacks. A PowerShell process that spawns a network connection to an external IP address, reads sensitive files, and encodes its output in base64 before transmitting it displays a behavioral pattern associated with malicious use regardless of which legitimate system binary executes it. EDR platforms with behavioral detection provide meaningfully better coverage against fileless attacks than traditional antivirus, but require tuning to maintain signal quality against legitimate PowerShell administrative activity.

Defending Against Fileless Malware

PowerShell hardening limits what scripts can run: enforcing an execution policy that requires signed scripts, disabling PowerShell remoting where it is not required, and enabling PowerShell ScriptBlock Logging so that all PowerShell activity is recorded for detection and forensic analysis. Application allowlisting — enforcing that only approved applications can execute — prevents the execution of unauthorized tools even when they are delivered without files, because even fileless attacks typically require executing some initial access payload.

Memory scanning and process injection detection in EDR platforms specifically addresses in-memory execution. Behavioral rules that flag processes exhibiting suspicious activity patterns — a legitimate system process spawning unexpected child processes, making unusual network connections, or accessing sensitive memory regions — provide detection coverage that file-based scanning cannot.
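The behavioral rules described in the three paragraphs above (a script host launched by a document application, a system process that never starts children suddenly spawning one, a credential store read, an outbound connection to an external address) can be expressed as a small correlation engine over process telemetry. This is an added example for this article, not code from the page or from any EDR product; it runs on constructed Sysmon-style events (PIDs, paths and the 203.0.113.45 address are made up) and assumes the internal address space listed in INTERNAL_NETS.

```python
import ipaddress

# Constructed telemetry in the shape an EDR or Sysmon pipeline might emit. PIDs, paths and
# the 203.0.113.45 address (a documentation range) are made up for illustration.
EVENTS = [
    {"type": "process_create", "pid": 4120, "image": "powershell.exe", "parent_image": "WINWORD.EXE"},
    {"type": "file_read", "pid": 4120, "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "network_connect", "pid": 4120, "dst_ip": "203.0.113.45", "dst_port": 443},
    {"type": "process_create", "pid": 5300, "image": "powershell.exe", "parent_image": "explorer.exe"},
    {"type": "file_read", "pid": 5300, "path": r"C:\Scripts\Get-Inventory.ps1"},
    {"type": "network_connect", "pid": 5300, "dst_ip": "10.0.0.15", "dst_port": 5985},
    {"type": "process_create", "pid": 6100, "image": "cmd.exe", "parent_image": "lsass.exe"},
]
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                "rundll32.exe", "regsvr32.exe", "certutil.exe"}
DOCUMENT_APPS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe", "msedge.exe"}
NO_CHILDREN_EXPECTED = {"lsass.exe", "csrss.exe", "smss.exe"}
SENSITIVE_PATH_MARKERS = ("login data", "ntds.dit", "\\config\\sam", "\\credentials\\")
# Assumed internal address space for this environment; anything outside it counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_external(ip):
    return not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def score_processes(events):
    # Correlate events per PID; returns {pid: [(weight, reason), ...]}.
    procs = {}
    for ev in events:
        if ev["type"] == "process_create":
            img, parent = ev["image"].lower(), ev["parent_image"].lower()
            reasons = procs.setdefault(ev["pid"], {"image": img, "reasons": []})["reasons"]
            if parent in NO_CHILDREN_EXPECTED:
                reasons.append((2, f"{parent} spawned {img}; that process never starts children"))
            if img in SCRIPT_HOSTS and parent in DOCUMENT_APPS:
                reasons.append((2, f"script host {img} launched by {parent}"))
            continue
        p = procs.get(ev["pid"])
        if p is None or p["image"] not in SCRIPT_HOSTS:
            continue  # remaining rules only correlate activity of script hosts / LOLBins
        if ev["type"] == "file_read" and any(m in ev["path"].lower() for m in SENSITIVE_PATH_MARKERS):
            p["reasons"].append((1, "read credential store " + ev["path"]))
        elif ev["type"] == "network_connect" and is_external(ev["dst_ip"]):
            p["reasons"].append((1, f"outbound connection to external {ev['dst_ip']}:{ev['dst_port']}"))
    return {pid: p["reasons"] for pid, p in procs.items()}

def alerts(events, threshold=2):
    # One weak signal is admin noise; a chain of them, or a high-weight parent anomaly, is an alert.
    scored = {pid: (sum(w for w, _ in r), [t for _, t in r]) for pid, r in score_processes(events).items()}
    return {pid: v for pid, v in scored.items() if v[0] >= threshold}
```

The admin inventory script (PID 5300) produces no findings, which is the tuning point the text makes: the rules trigger on the chain of behaviors, not on PowerShell itself.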

Real-World Example: Cobalt Strike — The Fileless Attack Standard

Cobalt Strike, a commercial penetration testing platform, has become the post-exploitation tool most widely used by ransomware operators and nation-state groups. Cobalt Strike's Beacon payload is delivered through various initial access mechanisms and then operates entirely in memory, implementing virtually all major fileless attack techniques: process injection, reflective DLL loading, living-off-the-land (LOTL) technique abuse, and encrypted C2 communications over legitimate protocols. Its prevalence across both criminal and nation-state operations makes behavioral detection of Cobalt Strike Beacon one of the most important capabilities for enterprise endpoint security products — and one that requires active behavioral rule development, not just signature updates.

77% of successful breaches in 2024 involved fileless or living-off-the-land techniques at some stage of the attack — meaning organizations that rely primarily on signature-based file scanning miss the majority of modern attack activity.

How Cloudskope Can Help

Cloudskope's penetration testing and red team assessments use fileless attack techniques to validate whether endpoint security controls detect living-off-the-land and memory-based attacks, not just file-based malware. Our assessments reveal the difference between antivirus coverage and genuine behavioral detection capability.