Description
Adversaries may store data in "fileless" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage in Windows systems include the Windows Registry, event logs, or WMI repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless) Shared memory directories on Linux systems (/dev/shm, /run/shm, /var/run, and /var/lock) and volatile directories on Network Devices (/tmp and /volatile) may also be considered fileless storage, as files written to these directories are mapped directly to RAM and not stored on the disk.(Citation: Elastic Binary Executed from Shared Memory Directory)(Citation: Akami Frog4Shell 2024)(Citation: Aquasec Muhstik Malware 2024)(Citation: Bitsight 7777 Botnet)(Citation: CISCO Nexus 900 Config).
Similar to fileless in-memory behaviors such as Reflective Code Loading and Process Injection, fileless data storage may remain undetected by antivirus and other endpoint security tools that can only access specific file formats from disk storage. Leveraging fileless storage may also allow adversaries to bypass the protections offered by read-only file systems in Linux.(Citation: Sysdig Fileless Malware 23022)
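The RAM-backed Linux directories named above are easy to audit directly. The following is an added example, written for this page rather than taken from MITRE or any cited report: it lists executable files under those directories and finds processes whose main image resolves into them. It assumes a Linux /proc layout; the thresholds and directory list are the description's, and the `proc` parameter exists only so the check can be pointed at a copied or test tree.

```python
import os
import stat

# Directories the technique description names as RAM-backed on Linux hosts.
SHM_DIRS = ["/dev/shm", "/run/shm", "/var/run", "/var/lock"]


def executable_files(dirs=SHM_DIRS):
    """Return paths of regular files under `dirs` that carry any execute bit.

    Symlinked directories are not followed (/var/run is usually a link to /run),
    missing directories yield nothing, and unreadable entries are skipped
    rather than aborting the audit.
    """
    found = []
    for d in dirs:
        for root, _subdirs, files in os.walk(d, followlinks=False):
            for f in files:
                path = os.path.join(root, f)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
                if stat.S_ISREG(st.st_mode) and st.st_mode & exec_bits:
                    found.append(path)
    return sorted(found)


def processes_running_from(dirs=SHM_DIRS, proc="/proc"):
    """Return (pid, exe) for every process whose main image lives in `dirs`.

    /proc/<pid>/exe still resolves after the binary is unlinked; the link then
    reads "/dev/shm/x (deleted)", which the prefix match deliberately catches,
    since dropping the file right after launch is the common evasion.
    """
    prefixes = tuple(d.rstrip("/") + "/" for d in dirs)
    hits = []
    try:
        entries = os.listdir(proc)
    except OSError:
        return hits
    for entry in entries:
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(os.path.join(proc, entry, "exe"))
        except OSError:  # kernel threads, exited processes, or other users' processes
            continue
        if exe.startswith(prefixes):
            hits.append((int(entry), exe))
    return sorted(hits)


if __name__ == "__main__":
    for p in executable_files():
        print("executable in RAM-backed dir:", p)
    for pid, exe in processes_running_from():
        print(f"pid {pid} running from {exe}")
```

Run it as root to see other users' processes; as an unprivileged user `readlink` on their `/proc/<pid>/exe` fails and those entries are silently skipped. A clean host normally returns nothing for both checks, so any hit is worth a look, with a `(deleted)` suffix being the stronger signal.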
Adversaries may use fileless storage to conceal various types of stored data, including payloads/shellcode (potentially being used as part of Persistence) and collected data not yet exfiltrated from the victim (e.g., Local Data Staging). Adversaries also often encrypt, encode, splice, or otherwise obfuscate this fileless data when stored.
Some forms of fileless storage activity may indirectly create artifacts in the file system, but in central and otherwise difficult to inspect formats such as the WMI (e.g., %SystemRoot%\System32\Wbem\Repository) or Registry (e.g., %SystemRoot%\System32\Config) physical files.(Citation: Microsoft Fileless)
Platforms
Mitigations (1)
| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit | Consider periodic review of common fileless storage locations (such as the Registry or WMI repository) to potentially identify abnormal and malicious data. |
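The Audit mitigation and the description's point that stored fileless data is usually encrypted, encoded or spliced both call for the same check, so one added example serves both (it is mine, not MITRE's or any vendor's tooling). It scores Registry values by size and Shannon entropy and separately spots PE images stored raw or as base64, the two shapes the software entries on this page describe. `RegValue`, `Finding`, the 1024-byte and 5-bits-per-byte thresholds and the `walk_hive` collector are my assumptions; the collector uses only the standard `winreg` module and is skipped off Windows, while `scan` itself runs anywhere on values gathered by any means.

```python
import base64
import math
import re
from collections import Counter
from typing import Iterable, Iterator, NamedTuple


class RegValue(NamedTuple):
    key: str     # e.g. r"HKCU\Software\Classes\scConfig"
    name: str    # value name ("" for the default value)
    kind: str    # REG_* type name, or winreg's integer code as a string
    data: bytes  # raw data; string values as UTF-8


class Finding(NamedTuple):
    key: str
    name: str
    reason: str


# Assumed thresholds (tune per environment): legitimate configuration values
# are short, while stored payloads are kilobytes of encrypted or encoded data.
MIN_SUSPECT_SIZE = 1024   # bytes
HIGH_ENTROPY = 5.0        # bits/byte; base64 text tops out near 6, ciphertext near 8
B64_CHARS = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or constant data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_pe(data: bytes) -> bool:
    """True for a raw PE image (MZ header) or one stored as base64 text."""
    if data[:2] == b"MZ":
        return True
    stripped = re.sub(rb"\s", b"", data)
    if len(stripped) >= 8 and B64_CHARS.match(stripped):
        try:
            # 8 base64 chars decode to 6 bytes, enough to see the MZ signature.
            return base64.b64decode(stripped[:8])[:2] == b"MZ"
        except ValueError:
            return False
    return False


def scan(values: Iterable[RegValue]) -> list:
    """Flag values that look like stored payloads rather than configuration."""
    findings = []
    for v in values:
        if looks_like_pe(v.data):
            findings.append(Finding(v.key, v.name, "PE image (MZ header) stored in value"))
            continue
        if len(v.data) >= MIN_SUSPECT_SIZE:
            h = shannon_entropy(v.data)
            if h >= HIGH_ENTROPY:
                findings.append(Finding(
                    v.key, v.name,
                    f"{len(v.data)} bytes at {h:.2f} bits/byte: encrypted or encoded blob"))
    return findings


def walk_hive(root, subkey: str, max_depth: int = 8) -> Iterator[RegValue]:
    """Windows-only collector feeding scan(); stdlib winreg, read-only access."""
    import winreg  # only importable on Windows

    def rec(path: str, depth: int) -> Iterator[RegValue]:
        try:
            key = winreg.OpenKey(root, path, 0, winreg.KEY_READ)
        except OSError:
            return
        with key:
            i = 0
            while True:
                try:
                    name, data, kind = winreg.EnumValue(key, i)
                except OSError:  # no more values
                    break
                i += 1
                raw = data if isinstance(data, bytes) else str(data).encode("utf-8", "replace")
                yield RegValue(path, name, str(kind), raw)
            if depth >= max_depth:
                return
            j = 0
            while True:
                try:
                    sub = winreg.EnumKey(key, j)
                except OSError:  # no more subkeys
                    break
                j += 1
                yield from rec(path + "\\" + sub, depth + 1)

    yield from rec(subkey, 0)


if __name__ == "__main__":
    import sys
    if sys.platform == "win32":
        import winreg
        for f in scan(walk_hive(winreg.HKEY_CURRENT_USER, "Software")):
            print(f)
```

Periodic review of this kind finds what is already stored; to catch the write itself, feed the same `scan` logic from Sysmon Event ID 13 (RegistryEvent, value set) or equivalent EDR telemetry. Expect some legitimate large binary values (cached thumbnails, serialized settings), so keep the key path in every finding and build an allow-list of known-good locations rather than lowering the entropy threshold.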
Threat Groups (2)
| ID | Group | Context |
|---|---|---|
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050)'s backdoor has stored its configuration in a registry key.(Citation: ESET OceanLotus Mar 2019) |
| G0010 | Turla | [Turla](https://attack.mitre.org/groups/G0010) has used the Registry to store encrypted and encoded payloads.(Citation: ESET Turla PowerShell May 2019... |
Associated Software (27)
| ID | Name | Type | Context |
|---|---|---|---|
| S0673 | DarkWatchman | Malware | [DarkWatchman](https://attack.mitre.org/software/S0673) can store configuration strings, keylogger, and output of components in the Registry.(Citation... |
| S0518 | PolyglotDuke | Malware | [PolyglotDuke](https://attack.mitre.org/software/S0518) can store encrypted JSON configuration files in the Registry.(Citation: ESET Dukes October 201... |
| S0650 | QakBot | Malware | [QakBot](https://attack.mitre.org/software/S0650) can store its configuration information in a randomly named subkey under <code>HKCU\Software\Microso... |
| S0263 | TYPEFRAME | Malware | [TYPEFRAME](https://attack.mitre.org/software/S0263) can install and store encrypted configuration data under the Registry key <code>HKEY_LOCAL_MACHIN... |
| S0126 | ComRAT | Malware | [ComRAT](https://attack.mitre.org/software/S0126) has stored encrypted orchestrator code and payloads in the Registry.(Citation: ESET ComRAT May 2020)... |
| S0596 | ShadowPad | Malware | [ShadowPad](https://attack.mitre.org/software/S0596) maintains a configuration block and virtual file system in the Registry.(Citation: Kaspersky Shad... |
| S0666 | Gelsemium | Malware | [Gelsemium](https://attack.mitre.org/software/S0666) can store its components in the Registry.(Citation: ESET Gelsemium June 2021) |
| S0022 | Uroburos | Malware | [Uroburos](https://attack.mitre.org/software/S0022) can store configuration information for the kernel driver and kernel driver loader components in a... |
| S0663 | SysUpdate | Malware | [SysUpdate](https://attack.mitre.org/software/S0663) can store its encoded configuration file within <code>Software\Classes\scConfig</code> in either ... |
| S0343 | Exaramel for Windows | Malware | [Exaramel for Windows](https://attack.mitre.org/software/S0343) stores the backdoor's configuration in the Registry in XML format.(Citation: ESET Tele... |
| S0531 | Grandoreiro | Malware | [Grandoreiro](https://attack.mitre.org/software/S0531) can store its configuration in the Registry at `HKCU\Software\` under frequently changing names... |
| S0198 | NETWIRE | Malware | [NETWIRE](https://attack.mitre.org/software/S0198) can store its configuration information in the Registry under `HKCU:\Software\Netwire`.(Citation: R... |
| S0517 | Pillowmint | Malware | [Pillowmint](https://attack.mitre.org/software/S0517) has stored a compressed payload in the Registry key <code>HKLM\SOFTWARE\Microsoft\DRM</code>.(Ci... |
| S0668 | TinyTurla | Malware | [TinyTurla](https://attack.mitre.org/software/S0668) can save its configuration parameters in the Registry.(Citation: Talos TinyTurla September 2021) |
| S0023 | CHOPSTICK | Malware | [CHOPSTICK](https://attack.mitre.org/software/S0023) may store RC4 encrypted configuration information in the Windows Registry.(Citation: FireEye APT2... |
| S1145 | Pikabot | Malware | Some versions of [Pikabot](https://attack.mitre.org/software/S1145) build the final PE payload in memory to avoid writing contents to disk on the exec... |
| S0269 | QUADAGENT | Malware | [QUADAGENT](https://attack.mitre.org/software/S0269) stores a session identifier unique to the compromised system as well as a pre-shared key used for... |
| S0511 | RegDuke | Malware | [RegDuke](https://attack.mitre.org/software/S0511) can store its encryption key in the Registry.(Citation: ESET Dukes October 2019) |
| S0665 | ThreatNeedle | Malware | [ThreatNeedle](https://attack.mitre.org/software/S0665) can save its configuration data as a RC4-encrypted Registry key under `HKLM\SOFTWARE\Microsoft... |
| S0476 | Valak | Malware | [Valak](https://attack.mitre.org/software/S0476) has the ability to store information regarding the C2 server and downloads in the Registry key <code>... |
References
- Nitzan Yaakov. (2024, June 4). Muhstik Malware Targets Message Queuing Services Applications. Retrieved September 24, 2024.
- Batista, João. Gi7w0rm. (2024, August 27). Retrieved June 5, 2025.
- CISCO. (2021, September 14). Cisco Nexus 9000 Series NX-OS Fundamentals Configuration Guide, Release 7.x. Retrieved June 5, 2025.
- Elastic. (n.d.). Binary Executed from Shared Memory Directory. Retrieved September 24, 2024.
- Legezo, D. (2022, May 4). A new secret stash for “fileless” malware. Retrieved March 23, 2023.
- Microsoft. (2023, February 6). Fileless threats. Retrieved March 23, 2023.
- Nicholas Lang. (2022, May 3). Fileless malware mitigation. Retrieved September 24, 2024.
- Ori David. (2024, February 1). Frog4Shell — FritzFrog Botnet Adds One-Days to Its Arsenal. Retrieved September 24, 2024.
Frequently Asked Questions
What is T1027.011 (Fileless Storage)?
T1027.011 is a MITRE ATT&CK sub-technique named 'Fileless Storage', under T1027 (Obfuscated Files and Information) in the Defense Evasion tactic. Adversaries may store data in "fileless" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile f...
How can T1027.011 be detected?
Detecting T1027.011 (Fileless Storage) means watching the storage locations rather than the file system. On Windows, monitor Registry value creation and modification for large, binary, or encoded/encrypted data written under unusual keys (several of the samples above use subkeys of `HKCU\Software\` or `HKLM\SOFTWARE\Microsoft\`), creation of classes, instances, or event subscriptions in the WMI repository, and script or command-line activity (for example PowerShell) that reads Registry or WMI data and then decodes or executes it. On Linux and network devices, watch for files created in or executed from RAM-backed directories such as /dev/shm, /run/shm, /tmp, and /volatile. Sysmon Registry events, EDR Registry and WMI telemetry, and the periodic audits described under Mitigations are the usual sources.
What mitigations exist for T1027.011?
There is 1 documented mitigation for T1027.011: Audit (M1047), the periodic review of common fileless storage locations such as the Registry and the WMI repository for abnormal data.
Which threat groups use T1027.011?
Known threat groups using T1027.011 include: APT32, Turla.