Skip to content

T1027.011 Fileless Storage

Adversaries may store data in “fileless” formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage include the Windows Registry, event logs, or WMI repository.21

Similar to fileless in-memory behaviors such as Reflective Code Loading and Process Injection, fileless data storage may remain undetected by anti-virus and other endpoint security tools that can only access specific file formats from disk storage.

Adversaries may use fileless storage to conceal various types of stored data, including payloads/shellcode (potentially being used as part of Persistence) and collected data not yet exfiltrated from the victim (e.g., Local Data Staging). Adversaries also often encrypt, encode, splice, or otherwise obfuscate this fileless data when stored.

Some forms of fileless storage activity may indirectly create artifacts in the file system, but in central and otherwise difficult to inspect formats such as the WMI (e.g., %SystemRoot%\System32\Wbem\Repository) or Registry (e.g., %SystemRoot%\System32\Config) physical files.2

Item Value
ID T1027.011
Sub-techniques T1027.001, T1027.002, T1027.003, T1027.004, T1027.005, T1027.006, T1027.007, T1027.008, T1027.009, T1027.010, T1027.011
Tactics TA0005
Platforms Windows
Version 1.0
Created 23 March 2023
Last Modified 04 May 2023

Procedure Examples

ID Name Description
G0050 APT32 APT32‘s backdoor has stored its configuration in a registry key.38
S0631 Chaes Some versions of Chaes stored its instructions (otherwise in a instructions.ini file) in the Registry.18
S0023 CHOPSTICK CHOPSTICK may store RC4 encrypted configuration information in the Windows Registry.3
S0126 ComRAT ComRAT has stored encrypted orchestrator code and payloads in the Registry.87
S0673 DarkWatchman DarkWatchman can store configuration strings, keylogger, and output of components in the Registry.37
S0343 Exaramel for Windows Exaramel for Windows stores the backdoor’s configuration in the Registry in XML format.27
S0666 Gelsemium Gelsemium can store its components in the Registry.9
S0531 Grandoreiro Grandoreiro can store its configuration in the Registry at HKCU\Software\ under frequently changing names including %USERNAME% and ToolTech-RM.24
S0256 Mosquito Mosquito stores configuration values under the Registry key HKCU\Software\Microsoft[dllname].26
S0198 NETWIRE NETWIRE can store its configuration information in the Registry under HKCU:\Software\Netwire.25
C0012 Operation CuckooBees During Operation CuckooBees, the threat actors stroed payloads in Windows CLFS (Common Log File System) transactional logs.41
S0517 Pillowmint Pillowmint has stored a compressed payload in the Registry key HKLM\SOFTWARE\Microsoft\DRM.6
S0501 PipeMon PipeMon has stored its encrypted payload in the Registry under HKLM\SOFTWARE\Microsoft\Print\Components\.34
S0518 PolyglotDuke PolyglotDuke can store encrypted JSON configuration files in the Registry.28
S0650 QakBot QakBot can store its configuration information in a randomly named subkey under HKCU\Software\Microsoft.3231
S0269 QUADAGENT QUADAGENT stores a session identifier unique to the compromised system as well as a pre-shared key used for encrypting and decrypting C2 communications within a Registry key (such as HKCU\Office365DCOMCheck) in the HKCU hive.36
S0662 RCSession RCSession can store its obfuscated configuration file in the Registry under HKLM\SOFTWARE\Plus or HKCU\SOFTWARE\Plus.3029
S0511 RegDuke RegDuke can store its encryption key in the Registry.28
S0496 REvil REvil can save encryption parameters and system information in the Registry.1114131210
S0596 ShadowPad ShadowPad maintains a configuration block and virtual file system in the Registry.54
S0589 Sibot Sibot has installed a second-stage script in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot registry key.35
S0663 SysUpdate SysUpdate can store its encoded configuration file within Software\Classes\scConfig in either HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER.33
S0665 ThreatNeedle ThreatNeedle can save its configuration data as a RC4-encrypted Registry key under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameCon.23
S0668 TinyTurla TinyTurla can save its configuration parameters in the Registry.19
G0010 Turla Turla has used the Registry to store encrypted and encoded payloads.3940
S0263 TYPEFRAME TYPEFRAME can install and store encrypted configuration data under the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\laxhost.dll and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PrintConfigs.20
S0476 Valak Valak has the ability to store information regarding the C2 server and downloads in the Registry key HKCU\Software\ApplicationContainer\Appsw64.171516
S0180 Volgmer Volgmer stores an encoded configuration file in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security.2122


ID Mitigation Description
M1047 Audit Consider periodic review of common fileless storage locations (such as the Registry or WMI repository) to potentially identify abnormal and malicious data.


ID Data Source Data Component
DS0024 Windows Registry Windows Registry Key Creation
DS0005 WMI WMI Creation


  1. Legezo, D. (2022, May 4). A new secret stash for “fileless” malware. Retrieved March 23, 2023. 

  2. Microsoft. (2023, February 6). Fileless threats. Retrieved March 23, 2023. 

  3. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. 

  4. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022. 

  5. Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021. 

  6. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020. 

  7. CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020. 

  8. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020. 

  9. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021. 

  10. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020. 

  11. Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020. 

  12. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020. 

  13. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020. 

  14. Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020. 

  15. Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020. 

  16. Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020. 

  17. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020. 

  18. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021. 

  19. Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021. 

  20. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018. 

  21. US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017. 

  22. Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018. 

  23. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021. 

  24. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020. 

  25. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021. 

  26. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018. 

  27. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018. 

  28. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020. 

  29. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021. 

  30. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. 

  31. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021. 

  32. Rainey, K. (n.d.). Qbot. Retrieved September 27, 2021. 

  33. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021. 

  34. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020. 

  35. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. 

  36. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018. 

  37. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022. 

  38. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019. 

  39. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019. 

  40. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019. 

  41. Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.