惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Microsoft Azure Blog
Microsoft Azure Blog
Cloudbric
Cloudbric
I
InfoQ
V
V2EX
博客园_首页
The Register - Security
The Register - Security
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
S
Secure Thoughts
Vercel News
Vercel News
Forbes - Security
Forbes - Security
云风的 BLOG
云风的 BLOG
PCI Perspectives
PCI Perspectives
L
LINUX DO - 最新话题
D
DataBreaches.Net
H
Hacker News: Front Page
Application and Cybersecurity Blog
Application and Cybersecurity Blog
B
Blog RSS Feed
A
About on SuperTechFans
N
News and Events Feed by Topic
Apple Machine Learning Research
Apple Machine Learning Research
Help Net Security
Help Net Security
Attack and Defense Labs
Attack and Defense Labs
N
Netflix TechBlog - Medium
Spread Privacy
Spread Privacy
F
Full Disclosure
Recorded Future
Recorded Future
AWS News Blog
AWS News Blog
博客园 - 【当耐特】
The Cloudflare Blog
T
Threatpost
T
Tor Project blog
Google DeepMind News
Google DeepMind News
C
CXSECURITY Database RSS Feed - CXSecurity.com
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Recent Announcements
Recent Announcements
M
MIT News - Artificial intelligence
A
Arctic Wolf
C
Check Point Blog
Stack Overflow Blog
Stack Overflow Blog
T
Threat Research - Cisco Blogs
Security Archives - TechRepublic
Security Archives - TechRepublic
Hacker News - Newest:
Hacker News - Newest: "LLM"
WordPress大学
WordPress大学
Cyberwarzone
Cyberwarzone
小众软件
小众软件
C
Cyber Attacks, Cyber Crime and Cyber Security
P
Proofpoint News Feed
Security Latest
Security Latest
The Last Watchdog
The Last Watchdog

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
Fileless Malware Explained: What It Is, How It Works, and What It Abuses (Attack Chain + Windows Components)
Boris Gigovic · 2026-06-01 · via DEV Community

Fileless malware isn’t “magic malware that leaves no trace.” It’s a strategy: attackers execute and persist using legitimate tools and in-memory techniques so they can avoid traditional “drop-a-file, scan-a-file” detection.

If you’re defending Windows environments (or building detections in a SOC), understanding fileless malware means understanding two things at the same time:

  • The attack chain (how the intrusion progresses end-to-end)
  • The components it abuses (PowerShell, WMI, scheduled tasks, registry, LOLBins, memory injection, cloud identity, etc.)

This guide gives you both: a clean mental model, the essential building blocks, and a practical checklist for detection and hardening.

What you’ll learn

  • A clear definition of fileless malware (and what it is not)
  • The typical fileless attack chain from initial access to impact
  • The Windows and Microsoft ecosystem components fileless attacks commonly abuse

  • Practical detection ideas and hardening steps you can apply immediately

What is fileless malware (really)?

Fileless malware is a technique where malicious activity is executed primarily through:

  • Memory-resident payloads (code runs in RAM)
  • Legitimate system tools (PowerShell, WMI, rundll32, mshta, regsvr32, etc.)
  • Script-based execution (PowerShell, JavaScript, VBScript)
  • Non-traditional persistence (registry, WMI event subscriptions, scheduled tasks)

The goal is to reduce or eliminate a traditional malicious executable on disk.

What fileless malware is not

  • It’s not “no artifacts.” There are almost always artifacts in logs, memory, registry, event traces, network telemetry, and identity trails.
  • It’s not always “no files ever.” Many real-world intrusions are hybrid: initial access may drop something small, then later stages go fileless.

Why fileless techniques work so well

Fileless tradecraft is effective because it:

  • Blends in with admin behavior (PowerShell and WMI are normal in enterprise)
  • Moves faster (no need to compile/deploy a full binary)
  • Avoids classic AV patterns (less reliance on known hashes)
  • Reduces forensic clarity (payloads live in memory and can disappear after reboot)

That’s why defenders need to think in terms of behavior + telemetry, not just “malicious file found.”

The fileless attack chain (end-to-end)

Below is a practical chain you’ll see repeatedly. Not every incident includes every step, but most fileless intrusions follow this shape.

1) Initial access (how it starts)

Common entry points:

  • Phishing leading to credential theft or malicious script execution
  • Exploited public-facing app (web server / VPN / appliance)
  • Malicious Office document or HTML attachment (often used as a launcher)
  • Stolen credentials + MFA fatigue / token theft

Defender mindset: initial access is often “boring.” The fileless part becomes obvious in step 2–4.

2) Execution (how code runs without a classic EXE)

Execution is where fileless techniques shine:

  • PowerShell download cradle (fetch + execute in memory)
  • mshta / rundll32 / regsvr32 abuse to run script or DLL entry points
  • WMI process creation
  • Script engines (wscript/cscript)

Key idea: attackers try to execute through trusted binaries.

3) Discovery (learning the environment)

Once running, attackers quickly enumerate:

  • Who am I? Am I admin?
  • Domain membership, users, groups
  • Security tooling present
  • Network shares and high-value hosts

Discovery is often done via:

  • PowerShell cmdlets
  • WMI queries
  • Native Windows commands (whoami, nltest, net, ipconfig)

4) Credential access (getting reusable access)

Fileless intrusions frequently aim for:

  • LSASS credential dumping (often via memory techniques)
  • Token theft / session hijacking
  • Browser credential extraction
  • Kerberos abuse (Pass-the-Ticket / Golden Ticket scenarios in advanced cases)

Defender mindset: credential access is where “one compromised endpoint” becomes “domain-wide incident.”

5) Persistence (staying after reboot)

Fileless persistence often avoids dropping a new service binary and instead uses:

  • Registry Run keys
  • Scheduled tasks
  • WMI event subscriptions
  • Startup folder scripts
  • Office template/macros in some environments

6) Defense evasion (staying invisible)

Common patterns:

  • Disabling logging or reducing visibility (where possible)
  • Living off the land to avoid suspicious binaries
  • Obfuscation of PowerShell and scripts
  • Using legitimate remote management tools

7) Command and control (C2)

Even fileless malware needs to communicate. Typical C2 traits:

  • HTTPS to cloud-like endpoints
  • Domain fronting / CDN-like infrastructure
  • Beaconing patterns (regular intervals)
  • Use of legitimate services for staging (in some cases)

8) Lateral movement (spreading)

Often done with:

  • Remote PowerShell
  • WMI remote execution
  • SMB + admin shares
  • RDP (especially with stolen creds)

9) Actions on objectives (impact)

Depending on the actor:

  • Data theft
  • Ransomware deployment (often not fileless at the final step)
  • Business email compromise
  • Persistence for long-term espionage

The essential components fileless malware abuses (Windows + Microsoft ecosystem)

Now let’s map the “building blocks.” These are the components defenders should understand because they’re the most commonly abused.

A) PowerShell (the #1 fileless workhorse)

Why it’s abused:

  • Powerful automation language
  • Easy to download, decode, and execute payloads
  • Common in enterprise administration

What to watch:

  • EncodedCommand usage
  • Suspicious parent processes (Office apps launching PowerShell)
  • Unusual PowerShell network connections
  • Obfuscation patterns

B) WMI (Windows Management Instrumentation)

Why it’s abused:

  • Remote execution and system interrogation
  • Can be used for stealthy persistence (WMI event subscriptions)

What to watch:

  • Unusual WMI consumers/filters
  • WMI spawning processes unexpectedly

C) LOLBins (Living-Off-The-Land Binaries)

These are legitimate Windows binaries attackers use as launchers.

Common examples:

  • rundll32
  • regsvr32
  • mshta
  • certutil
  • bitsadmin (legacy but still seen)

What to watch:

  • LOLBins making outbound connections
  • LOLBins executing script content or pulling remote payloads

D) Script engines (wscript/cscript) and HTA

Why it’s abused:

  • Executes scripts without compiling binaries
  • Often used as a lightweight launcher

What to watch:

  • Script execution from user-writable paths
  • Office/email client spawning script engines

E) Memory injection and process hollowing

This is where “fileless” becomes truly in-memory:

  • Injecting code into legitimate processes
  • Hollowing out a process and replacing memory contents

What to watch:

  • Unusual process relationships
  • Suspicious access to other processes’ memory
  • Security telemetry indicating injection techniques

F) Registry (persistence + configuration storage)

Attackers use the registry for:

  • Run keys for persistence
  • Storing encoded payloads or configuration

What to watch:

  • New/modified Run keys
  • Unusual registry writes by script engines or Office apps

G) Scheduled Tasks (simple, reliable persistence)

Why it’s abused:

  • Built-in, flexible, and often overlooked

What to watch:

  • New tasks created by non-admin contexts
  • Tasks executing PowerShell or LOLBins

H) Office and browser components (launch + credential theft)

Office and browsers are common:

  • Office apps as initial launchers
  • Browser sessions/tokens as credential targets

What to watch:

  • Office spawning PowerShell, cmd, wscript
  • Unusual browser data access patterns

I) Identity and cloud tokens (modern “fileless” expansion)

Some intrusions are “fileless” in the sense that the attacker doesn’t need malware at all, they use:

  • Stolen session tokens
  • OAuth app abuse
  • MFA fatigue

What to watch:

  • Impossible travel
  • Unusual OAuth consent grants
  • High-risk sign-ins

Detection and prevention checklist (practical)

Here’s a pragmatic checklist you can use whether you’re an analyst, an engineer, or a security lead.

Visibility (you can’t detect what you can’t see)

  • Ensure PowerShell logging is enabled where appropriate (script block logging, module logging)
  • Collect process creation events and command-line telemetry
  • Centralize Windows event logs into your SIEM
  • Monitor identity events (sign-ins, conditional access, risky users)

Detection ideas (behavior-based)

  • Office app PowerShell chain
  • Encoded PowerShell commands
  • LOLBins making outbound network connections
  • New scheduled tasks executing scripts
  • WMI persistence artifacts
  • Suspicious parent/child process trees

Hardening (reduce attack surface)

  • Constrain PowerShell where possible (least privilege, restrict legacy versions)
  • Restrict script execution policies in high-risk contexts
  • Reduce local admin usage
  • Apply application control where feasible n- Patch aggressively (initial access often comes from known vulnerabilities)

Common mistakes when explaining or defending against fileless malware

  • Over-focusing on “no files.” The better lens is “abuse of trusted tools + in-memory execution.”
  • Assuming it’s undetectable. It’s detectablebut you need the right telemetry.
  • Treating every PowerShell use as malicious. You need baselines and context.
  • Skipping identity. Modern attacks can be “fileless” via tokens and OAuth.

Actionable next steps

  1. Pick your top 5 suspicious process chains to monitor (Office PowerShell is usually #1).
  2. Validate you’re collecting command-line telemetry and PowerShell logs.
  3. Create a small set of SOC detections for LOLBins + outbound connections.
  4. Review persistence mechanisms: scheduled tasks, registry run keys, WMI subscriptions.
  5. Run a tabletop exercise: “What would we do if we saw fileless behavior on a domain-joined endpoint?”

Recommended training (ethical hacking + real-world detection mindset)

If you want a structured, hands-on way to understand attacker techniques (including living-off-the-land behavior and post-exploitation tradecraft), the Certified Ethical Hacker (CEH v13) course is a strong fit.

FAQ

Is fileless malware only a Windows problem?

No, but Windows environments are common targets because of the rich ecosystem of built-in administration tools and scripting.

Does fileless malware always use PowerShell?

Not always, but PowerShell is one of the most common execution and discovery tools in fileless tradecraft.

Can EDR detect fileless malware?

Yes, especially when it captures process trees, command lines, memory behaviors, and suspicious parent/child relationships.

What’s the fastest way to reduce risk?

Improve visibility (logs + telemetry), reduce local admin, harden scripting, and monitor the most common suspicious execution chains.