MITRE ATT&CK Technique
Description
Adversaries may store data in "fileless" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage in Windows systems include the Windows Registry, event logs, or WMI repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless) Shared memory directories on Linux systems (`/dev/shm`, `/run/shm`, `/var/run`, and `/var/lock`) and volatile directories on Network Devices (`/tmp` and `/volatile`) may also be considered fileless storage, as files written to these directories are mapped directly to RAM and not stored on the disk.(Citation: Elastic Binary Executed from Shared Memory Directory)(Citation: Akami Frog4Shell 2024)(Citation: Aquasec Muhstik Malware 2024)(Citation: Bitsight 7777 Botnet)(Citation: CISCO Nexus 900 Config).
Similar to fileless in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620) and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless data storage may remain undetected by anti-virus and other endpoint security tools that can only access specific file formats from disk storage. Leveraging fileless storage may also allow adversaries to bypass the protections offered by read-only file systems in Linux.(Citation: Sysdig Fileless Malware 23022)
Adversaries may use fileless storage to conceal various types of stored data, including payloads/shellcode (potentially being used as part of [Persistence](https://attack.mitre.org/tactics/TA0003)) and collected data not yet exfiltrated from the victim (e.g., [Local Data Staging](https://attack.mitre.org/techniques/T1074/001)). Adversaries also often encrypt, encode, splice, or otherwise obfuscate this fileless data when stored.
Some forms of fileless storage activity may indirectly create artifacts in the file system, but in central and otherwise difficult-to-inspect formats, such as the physical files backing the WMI repository (e.g., `%SystemRoot%\System32\Wbem\Repository`) or the Registry (e.g., `%SystemRoot%\System32\Config`).(Citation: Microsoft Fileless)
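As an added detection example (not part of the ATT&CK entry or of any cited vendor rule), the following Python flags process-execution records whose executable path lies under the RAM-backed directories listed in the description. The record layout (`pid`, `exe`), the function names and the sample records are assumptions constructed for illustration.

```python
import os
import posixpath

# Directories the description names as RAM-backed ("fileless") storage.
LINUX_SHM_DIRS = ("/dev/shm", "/run/shm", "/var/run", "/var/lock")
NETDEV_VOLATILE_DIRS = ("/tmp", "/volatile")
DELETED = " (deleted)"  # suffix the kernel adds when the binary was unlinked


def classify(exe, dirs=LINUX_SHM_DIRS):
    """Return (matched_dir, was_deleted) if exe lives under one of dirs, else None."""
    deleted = exe.endswith(DELETED)
    path = posixpath.normpath(exe[:-len(DELETED)] if deleted else exe)
    for d in dirs:
        # Compare on a component boundary so /dev/shmfoo does not match /dev/shm.
        if path == d or path.startswith(d.rstrip("/") + "/"):
            return d, deleted
    return None


def flag_events(events, dirs=LINUX_SHM_DIRS):
    """Filter process-execution records (dicts with 'pid' and 'exe')."""
    findings = []
    for ev in events:
        hit = classify(ev["exe"], dirs)
        if hit:
            findings.append({"pid": ev["pid"], "exe": ev["exe"],
                             "dir": hit[0], "deleted": hit[1]})
    return findings


def live_events():
    """Build the same records from /proc on a Linux host (needs root for all PIDs)."""
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            yield {"pid": int(pid), "exe": os.readlink(f"/proc/{pid}/exe")}
        except OSError:  # kernel threads, exited or inaccessible processes
            continue


# Constructed sample records, not taken from any real host.
SAMPLE = [
    {"pid": 812, "exe": "/usr/sbin/sshd"},
    {"pid": 4410, "exe": "/dev/shm/.cache/worker"},
    {"pid": 4422, "exe": "/run/shm/upd (deleted)"},
    {"pid": 4501, "exe": "/dev/shmem-tool/bin/run"},
    {"pid": 4610, "exe": "/usr/bin/../../var/lock/x"},
]
```

`flag_events(SAMPLE)` reports PIDs 4410, 4422 and 4610; on a live host use `flag_events(live_events())`. On distributions where `/var/run` and `/var/lock` are symlinks into `/run`, the kernel reports the resolved path, so pass the resolved directories in `dirs` as well.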
Supported Platforms
Windows, Linux
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2023-03-23T19:55:25.546Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may store data in "fileless" formats to conceal '
'malicious activity from defenses. Fileless storage can be '
'broadly defined as any format other than a file. Common '
'examples of non-volatile fileless storage in Windows systems '
'include the Windows Registry, event logs, or WMI '
'repository.(Citation: Microsoft Fileless)(Citation: '
'SecureList Fileless) Shared memory directories on Linux '
'systems (`/dev/shm`, `/run/shm`, `/var/run`, and `/var/lock`) '
'and volatile directories on Network Devices (`/tmp` and '
'`/volatile`) may also be considered fileless storage, as '
'files written to these directories are mapped directly to RAM '
'and not stored on the disk.(Citation: Elastic Binary Executed '
'from Shared Memory Directory)(Citation: Akami Frog4Shell '
'2024)(Citation: Aquasec Muhstik Malware 2024)(Citation: '
'Bitsight 7777 Botnet)(Citation: CISCO Nexus 900 Config).\n'
'\n'
'Similar to fileless in-memory behaviors such as [Reflective '
'Code Loading](https://attack.mitre.org/techniques/T1620) and '
'[Process '
'Injection](https://attack.mitre.org/techniques/T1055), '
'fileless data storage may remain undetected by anti-virus and '
'other endpoint security tools that can only access specific '
'file formats from disk storage. Leveraging fileless storage '
'may also allow adversaries to bypass the protections offered '
'by read-only file systems in Linux.(Citation: Sysdig Fileless '
'Malware 23022)\n'
'\n'
'Adversaries may use fileless storage to conceal various types '
'of stored data, including payloads/shellcode (potentially '
'being used as part of '
'[Persistence](https://attack.mitre.org/tactics/TA0003)) and '
'collected data not yet exfiltrated from the victim (e.g., '
'[Local Data '
'Staging](https://attack.mitre.org/techniques/T1074/001)). '
'Adversaries also often encrypt, encode, splice, or otherwise '
'obfuscate this fileless data when stored. \n'
'\n'
'Some forms of fileless storage activity may indirectly create '
'artifacts in the file system, but in central and otherwise '
'difficult to inspect formats such as the WMI (e.g., '
'`%SystemRoot%\\System32\\Wbem\\Repository`) or Registry '
'(e.g., `%SystemRoot%\\System32\\Config`) physical '
'files.(Citation: Microsoft Fileless) ',
'external_references': [{'external_id': 'T1027.011',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1027/011'},
{'description': ' Nitzan Yaakov. (2024, June 4). '
'Muhstik Malware Targets Message '
'Queuing Services Applications. '
'Retrieved September 24, 2024.',
'source_name': 'Aquasec Muhstik Malware 2024',
'url': 'https://www.aquasec.com/blog/muhstik-malware-targets-message-queuing-services-applications/'},
{'description': 'Batista, João. Gi7w0rm. (2024, '
'August 27). Retrieved June 5, 2025.',
'source_name': 'Bitsight 7777 Botnet',
'url': 'https://www.bitsight.com/blog/7777-botnet-insights-multi-target-botnet'},
{'description': 'CISCO. (2021, September 14). Cisco '
'Nexus 9000 Series NX-OS Fundamentals '
'Configuration Guide, Release 7.x. '
'Retrieved June 5, 2025.',
'source_name': 'CISCO Nexus 900 Config',
'url': 'https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/fundamentals/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Fundamentals_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Fundamentals_Configuration_Guide_7x_chapter_01000.html'},
{'description': 'Elastic. (n.d.). Binary Executed '
'from Shared Memory Directory. '
'Retrieved September 24, 2024.',
'source_name': 'Elastic Binary Executed from Shared '
'Memory Directory',
'url': 'https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-3-binary-executed-from-shared-memory-directory.html'},
{'description': 'Legezo, D. (2022, May 4). A new '
'secret stash for “fileless” malware. '
'Retrieved March 23, 2023.',
'source_name': 'SecureList Fileless',
'url': 'https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/'},
{'description': 'Microsoft. (2023, February 6). '
'Fileless threats. Retrieved March '
'23, 2023.',
'source_name': 'Microsoft Fileless',
'url': 'https://learn.microsoft.com/microsoft-365/security/intelligence/fileless-threats'},
{'description': 'Nicholas Lang. (2022, May 3). '
'Fileless malware mitigation. '
'Retrieved September 24, 2024.',
'source_name': 'Sysdig Fileless Malware 23022',
'url': 'https://sysdig.com/blog/containers-read-only-fileless-malware/'},
{'description': 'Ori David. (2024, February 1). '
'Frog4Shell — FritzFrog Botnet Adds '
'One-Days to Its Arsenal. Retrieved '
'September 24, 2024.',
'source_name': 'Akami Frog4Shell 2024',
'url': 'https://www.akamai.com/blog/security-research/fritzfrog-botnet-new-capabilities-log4shell'}],
'id': 'attack-pattern--02c5abff-30bf-4703-ab92-1f6072fae939',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'}],
'modified': '2025-06-05T15:30:20.139Z',
'name': 'Fileless Storage',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Christopher Peacock',
'Denise Tan',
'Mark Wee',
'Simona David',
'Xavier Rousseau',
'Vito Alfano, Group-IB'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows', 'Linux'],
'x_mitre_version': '2.1'}