MITRE ATT&CK® Technique

T1027.011: Fileless Storage

Adversaries may store data in "fileless" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage on Windows systems include the Windows Registry, event logs, and the WMI repository.[1][2] Shared memory directories on Linux systems (`/dev/shm`, `/run/shm`, `/var/run`, and `/var/lock`) and volatile directories on Network Devices (`/tmp` and `/volatile`) may also be considered fileless storage, as files written to these directories are mapped directly to RAM and not stored on disk.[3][4][5][6][7]

Similar to fileless in-memory behaviors such as Reflective Code Loading and Process Injection, fileless data storage may remain undetected by antivirus and other endpoint security tools that can only access specific file formats from disk storage. Leveraging fileless storage may also allow adversaries to bypass the protections offered by read-only file systems in Linux.[8]

Adversaries may use fileless storage to conceal various types of stored data, including payloads/shellcode (potentially being used as part of Persistence) and collected data not yet exfiltrated from the victim (e.g., Local Data Staging). Adversaries also often encrypt, encode, splice, or otherwise obfuscate this fileless data when stored.

Some forms of fileless storage activity may indirectly create artifacts in the file system, but in central and otherwise difficult to inspect formats such as the WMI (e.g., `%SystemRoot%\System32\Wbem\Repository`) or Registry (e.g., `%SystemRoot%\System32\Config`) physical files.[1]

Enterprise | T1027.011 | Sub-technique | Object v3.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Fileless Storage matters because important attacker data may not appear as normal files on disk. In this ATT&CK entry, adversaries may hide payloads, shellcode, or staged data in places such as the Windows Registry, WMI repository, event logs, or Linux shared-memory/volatile directories. For leaders, the key issue is assurance: endpoint tools and audit programs that mainly inspect ordinary files may miss evidence needed for containment, investigation, and compliance reporting.

Executive priority

Treat this as a coverage-validation item for Windows and Linux environments, especially where business continuity depends on rapid incident scoping. Ask whether SOC and IR teams can inspect Registry, WMI, event log, and Linux shared-memory locations—not just file paths on disk. This also supports audit readiness: M1047 Audit is the supplied mitigation relationship, so organizations should be able to show that relevant activity and configuration changes are recorded and reviewed.

Technical view

ATT&CK lists this as a stealth sub-technique of T1027 Obfuscated Files or Information for Linux and Windows. The defensive validation should focus on whether telemetry exposes non-traditional storage locations named in the object: Windows Registry, WMI repository, event logs, and Linux directories such as /dev/shm, /run/shm, /var/run, and /var/lock. The related detection strategy DET0344 specifically points to Registry, WMI, and shared memory, so detection engineering should test visibility and alert logic across those storage classes rather than relying only on antivirus or disk-file scanning.

Likely telemetry

  • Windows Registry auditing and change events for unusual data storage patterns
  • WMI activity and repository-related telemetry, including changes in %SystemRoot%\System32\Wbem\Repository where available
  • Windows event log activity that may indicate abnormal storage or manipulation of log-backed data
  • Process creation and command-line telemetry showing access to Registry, WMI, event logs, or shared-memory paths
  • Linux file and process telemetry for writes or execution involving /dev/shm, /run/shm, /var/run, and /var/lock

Detection direction

  • Validate DET0344-aligned coverage for Registry, WMI, and shared-memory storage rather than assuming file-based malware detection is sufficient.
  • Tune detections around unusual volume, entropy, encoded content, or executable behavior associated with non-file storage locations, while accounting for legitimate administrative and application use.
  • On Linux, test whether monitoring covers shared-memory and volatile directories, particularly where read-only filesystem assumptions may create a blind spot.
  • For Windows investigations, ensure responders can inspect central but harder-to-review artifacts such as Registry and WMI repository-backed physical files.
  • Correlate storage anomalies with persistence or local data staging hypotheses, since the ATT&CK description notes fileless storage may hide payloads or collected data awaiting exfiltration.
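As an added example (not code from Glexia's analysis or from MITRE ATT&CK), the following Python triage rules apply the Likely telemetry and Detection direction points above to constructed sample events: registry value writes are scored on size and entropy (decoding base64-looking data first, since base64 text caps at about 6 bits per character), and Linux execve/open records are matched against the four RAM-backed directories the entry names. The event layout, the thresholds, and the process allowlist are assumptions to tune per environment; the sample payload and log records are constructed.

```python
"""Triage rules for T1027.011 Fileless Storage over constructed telemetry.

Added example; not code from Glexia's analysis or from MITRE ATT&CK. The event
records are simplified stand-ins for Sysmon registry-set and auditd execve/open
records, and the thresholds and process allowlist are assumptions to tune.
"""
import base64
import math
import re
from typing import Optional

# Linux RAM-backed directories the ATT&CK entry names as fileless storage.
SHM_DIRS = ("/dev/shm", "/run/shm", "/var/run", "/var/lock")
# Assumed thresholds: registry data this large and this random-looking is rare
# for ordinary configuration but typical of an encoded payload.
MIN_REG_BYTES = 512
MIN_ENTROPY = 5.0  # bits per symbol; max is 8 for raw bytes, about 6 for base64 text
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Assumed allowlist of processes that legitimately write to shared memory.
SHM_WRITER_ALLOWLIST = {"postgres", "systemd", "chrome"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    counts: dict = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def in_shm_dir(path: str) -> bool:
    """True when path is one of the RAM-backed directories or sits beneath one."""
    return any(path == d or path.startswith(d + "/") for d in SHM_DIRS)


def assess_registry_event(ev: dict) -> Optional[dict]:
    """Flag a registry value write whose data looks like a stashed payload."""
    text = ev["data"]
    data = text.encode()
    entropy = shannon_entropy(data)
    looks_b64 = bool(B64_RE.match(text))
    if looks_b64:
        # Base64 text cannot exceed ~6 bits per character, so score the decoded
        # bytes as well; otherwise an encoded payload could slip under the bar.
        try:
            entropy = max(entropy, shannon_entropy(base64.b64decode(text)))
        except ValueError:  # binascii.Error is a ValueError: bad length/padding
            pass
    if len(data) >= MIN_REG_BYTES and entropy >= MIN_ENTROPY:
        return {"rule": "registry_blob", "key": ev["key"], "image": ev["image"],
                "bytes": len(data), "entropy": round(entropy, 2), "base64": looks_b64}
    return None


def assess_linux_event(ev: dict) -> Optional[dict]:
    """Flag execution from, or unexpected writes to, RAM-backed directories."""
    path = ev["path"]
    if not in_shm_dir(path):
        return None
    if ev["syscall"] == "execve":
        return {"rule": "shm_exec", "path": path, "comm": ev["comm"], "severity": "high"}
    if (ev["syscall"] == "open" and "w" in ev.get("mode", "")
            and ev["comm"] not in SHM_WRITER_ALLOWLIST):
        return {"rule": "shm_write", "path": path, "comm": ev["comm"], "severity": "medium"}
    return None


def run_rules(events) -> list:
    """Apply the rule matching each event's source and collect the findings."""
    findings = []
    for ev in events:
        hit = assess_registry_event(ev) if ev["source"] == "registry" else assess_linux_event(ev)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample data. PAYLOAD cycles through all 256 byte values (a stand-in
# for an encoded payload); the repeated path string stands in for benign config.
PAYLOAD = bytes((i * 73 + 41) % 256 for i in range(600))
SAMPLE_EVENTS = [
    {"source": "registry", "key": r"HKLM\SOFTWARE\Example\Stage", "image": "powershell.exe",
     "data": base64.b64encode(PAYLOAD).decode()},
    {"source": "registry", "key": r"HKLM\SOFTWARE\Example\Paths", "image": "installer.exe",
     "data": r"C:\Program Files\Example\;" * 40},
    {"source": "linux", "syscall": "execve", "path": "/dev/shm/.x", "comm": "sh"},
    {"source": "linux", "syscall": "open", "path": "/dev/shm/PostgreSQL.1", "comm": "postgres", "mode": "w"},
    {"source": "linux", "syscall": "open", "path": "/var/lock/.s", "comm": "curl", "mode": "w"},
    {"source": "linux", "syscall": "execve", "path": "/usr/bin/ls", "comm": "bash"},
]

if __name__ == "__main__":
    for finding in run_rules(SAMPLE_EVENTS):
        print(finding)
```

Running the block reports three findings: the encoded registry blob written by the scripting host, the execution from `/dev/shm`, and the write to `/var/lock` by a process outside the allowlist; the PostgreSQL shared-memory segment and the repeated-path configuration value are left alone. The allowlist and thresholds are where the tuning against legitimate administrative and application use happens, and this covers only registry value writes and shared-memory paths; WMI repository and event-log storage need their own telemetry sources.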

Mitigation priorities

  • Prioritize M1047 Audit: confirm that relevant system logs, user activity, configuration changes, Registry/WMI activity, and Linux shared-memory directory activity are recorded and reviewed.
  • Create audit evidence showing which Windows and Linux storage locations are monitored, retained, and available to SOC and IR teams.
  • Include these locations in incident response collection plans so investigations do not depend only on normal filesystem triage.
  • Review audit configurations regularly, because this technique is specifically valuable when defenders lack visibility into non-file storage formats.

Analyst notes and limits

The object has no official ATT&CK detection text, but it has a relationship to DET0344, named Detection Strategy for Fileless Storage via Registry, WMI, and Shared Memory. The relationship set also shows use by multiple campaigns, groups, and software entries, which supports the defensive priority without implying current activity in any specific environment.

This take is limited to the supplied ATT&CK fields, references, and relationships. It does not assert active exploitation, customer exposure, or guaranteed detection. Local operating-system versions, audit policy, EDR capability, log retention, and IR collection procedures are required to determine actual coverage.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row
Domain      ID      Name                              Relationship / procedure
Enterprise  T1027   Obfuscated Files or Information   This object is a sub-technique of Obfuscated Files or Information.
Associated objects

Groups, software, and campaigns

Group Enterprise

G0050: APT32

APT32 is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims.[1][2][3]

Group Enterprise

G0010: Turla

Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.[1][2][3][4][5]

Malware Enterprise

S0650: QakBot

QakBot is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. QakBot is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware, most notably ProLock and Egregor.[1][2][3][4]

Platforms: Windows
Malware Enterprise

S0126: ComRAT

ComRAT is a second stage implant suspected of being a descendant of Agent.btz and used by Turla. The first version of ComRAT was identified in 2007, but the tool has undergone substantial development for many years since.[1][2][3]

Platforms: Windows
Malware Enterprise

S0596: ShadowPad

ShadowPad is a modular backdoor that was first identified in a supply chain compromise of the NetSarang software in mid-July 2017. The malware was originally thought to be exclusively used by APT41, but has since been observed to be used by various Chinese threat activity groups.[1][2][3]

Platforms: Windows
Malware Enterprise

S0666: Gelsemium

Gelsemium is a modular malware comprised of a dropper (Gelsemine), a loader (Gelsenicine), and main (Gelsevirine) plug-ins written using the Microsoft Foundation Class (MFC) framework. Gelsemium has been used by the Gelsemium group since at least 2014.[1]

Platforms: Windows
Malware Enterprise

S0022: Uroburos

Uroburos is a sophisticated cyber espionage tool written in C that has been used by units within Russia's Federal Security Service (FSB) associated with the Turla toolset to collect intelligence on sensitive targets worldwide. Uroburos has several variants and has undergone nearly constant upgrade since its initial development in 2003 to keep it viable after public disclosures. Uroburos is typically deployed to external-facing nodes on a targeted network and has the ability to leverage additional tools and TTPs to further exploit an internal network. Uroburos has interoperable implants for Windows, Linux, and macOS, employs a high level of stealth in communications and architecture, and can easily incorporate new or replacement components.[1][2]

Platforms: Linux, Windows, macOS
Malware Enterprise

S0531: Grandoreiro

Grandoreiro is a banking trojan written in Delphi that was first observed in 2016 and uses a Malware-as-a-Service (MaaS) business model. Grandoreiro has confirmed victims in Brazil, Mexico, Portugal, and Spain.[1][2]

Platforms: Windows
Malware Enterprise

S0198: NETWIRE

NETWIRE is a publicly available, multiplatform remote administration tool (RAT) that has been used by criminal and APT groups since at least 2012.[1][2][3]

Platforms: Windows, Linux, macOS
Campaign Enterprise

C0055: Quad7 Activity

Quad7 Activity, also known as CovertNetwork-1658 or the 7777 Botnet, is a network of compromised small office/home office (SOHO) routers.[1][2] The botnet was initially composed primarily of TP-Link routers and was named Quad7 due to compromised devices exposing TCP port 7777 with the distinctive banner xlogin. Later activity showed a significant increase in compromised Asus routers and the addition of new ports and banners, including TCP port 63256 displaying alogin. Quad7 infrastructure functions as a collection of egress IPs that various China-affiliated threat actors have used to conduct password-spraying and brute-force operations.[1][3] Microsoft has reported that Storm-0940 leveraged credentials obtained through Quad7 Activity to target organizations in North America and Europe, including government agencies, non-governmental organizations, think tanks, law firms, energy firms, IT providers, and defense industrial base entities.[2]

Campaign Enterprise

C0012: Operation CuckooBees

Operation CuckooBees was a cyber espionage campaign targeting technology and manufacturing companies in East Asia, Western Europe, and North America since at least 2019. Security researchers noted the goal of Operation CuckooBees, which was still ongoing as of May 2022, was likely the theft of proprietary information, research and development documents, source code, and blueprints for various technologies. Researchers assessed Operation CuckooBees was conducted by actors affiliated with Winnti Group, APT41, and BARIUM.[1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 3.0
Created:
Modified:
Raw hash: 072d99796960b993...

Imported snapshots across ATT&CK releases (1)
Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      3.0                       Current bundle  072d99796960…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] Microsoft Fileless: Microsoft. (2023, February 6). Fileless threats. Retrieved March 23, 2023.
  [2] SecureList Fileless: Legezo, D. (2022, May 4). A new secret stash for “fileless” malware. Retrieved March 23, 2023.
  [3] Elastic Binary Executed from Shared Memory Directory: Elastic. (n.d.). Binary Executed from Shared Memory Directory. Retrieved September 24, 2024.
  [4] Akami Frog4Shell 2024: Ori David. (2024, February 1). Frog4Shell — FritzFrog Botnet Adds One-Days to Its Arsenal. Retrieved September 24, 2024.
  [5] Aquasec Muhstik Malware 2024: Nitzan Yaakov. (2024, June 4). Muhstik Malware Targets Message Queuing Services Applications. Retrieved September 24, 2024.
  [6] Bitsight 7777 Botnet: Batista, João. Gi7w0rm. (2024, August 27). Retrieved June 5, 2025.
  [7] CISCO Nexus 900 Config: CISCO. (2021, September 14). Cisco Nexus 9000 Series NX-OS Fundamentals Configuration Guide, Release 7.x. Retrieved June 5, 2025.
  [8] Sysdig Fileless Malware 23022: Nicholas Lang. (2022, May 3). Fileless malware mitigation. Retrieved September 24, 2024.
  [9] mitre-attack T1027.011.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.