|T1027.004||Compile After Delivery|
|T1027.005||Indicator Removal from Tools|
|T1027.007||Dynamic API Resolution|
|T1027.012||LNK Icon Smuggling|
Adversaries may store data in "fileless" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage include the Windows Registry, event logs, or WMI repository.
Similar to fileless in-memory behaviors such as Reflective Code Loading and Process Injection, fileless data storage may remain undetected by anti-virus and other endpoint security tools that can only access specific file formats from disk storage.
Adversaries may use fileless storage to conceal various types of stored data, including payloads/shellcode (potentially being used as part of Persistence) and collected data not yet exfiltrated from the victim (e.g., Local Data Staging). Adversaries also often encrypt, encode, splice, or otherwise obfuscate this fileless data when stored.
Some forms of fileless storage activity may indirectly create artifacts in the file system, but in central and otherwise difficult to inspect formats such as the WMI (e.g., %SystemRoot%\System32\Wbem\Repository) or Registry (e.g., %SystemRoot%\System32\Config) physical files.
|S0343||Exaramel for Windows|
QUADAGENT stores a session identifier unique to the compromised system as well as a pre-shared key used for encrypting and decrypting C2 communications within a Registry key (such as
TYPEFRAME can install and store encrypted configuration data under the Registry key
Consider periodic review of common fileless storage locations (such as the Registry or WMI repository) to potentially identify abnormal and malicious data.
|ID||Data Source||Data Component||Detects|
|DS0024||Windows Registry||Windows Registry Key Creation||Monitor for the creation of Registry values that may highlight storage of malicious data such as commands or payloads.|
Monitor for the creation of WMI Objects and values that may highlight storage of malicious data such as commands or payloads.
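The periodic review and value-creation monitoring described above can be reduced to a few heuristics over Registry value records: binary values that are unusually large, binary values whose byte distribution is near random (encrypted or compressed content), and string values that are long base64 blobs. The following Python is an added example of that triage logic; it is not code from ATT&CK or any referenced tool. The thresholds, the `RegValue`/`Finding` types, and the sample records are assumptions constructed for the illustration, standing in for values collected from a hive export or a live enumeration.

```python
from __future__ import annotations

import base64
import math
import re
from dataclasses import dataclass, field

# Thresholds are assumptions chosen for this illustration, not values from ATT&CK.
LARGE_BLOB_BYTES = 1024     # binary data at or above this size is unusual outside known keys
HIGH_ENTROPY_BITS = 7.0     # near-random bytes suggest encryption or compression
MIN_BASE64_CHARS = 256      # short base64 strings are common; long ones are worth a look

BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


@dataclass
class RegValue:
    """One Registry value as it would come from a hive export (hypothetical shape)."""
    key: str
    name: str
    kind: str        # REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ, REG_BINARY, REG_DWORD, ...
    data: bytes


@dataclass
class Finding:
    key: str
    name: str
    reasons: list[str] = field(default_factory=list)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for empty or single-symbol input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_base64(text: str) -> bool:
    """True for a long, well-formed base64 string that actually decodes."""
    s = text.strip()
    if len(s) < MIN_BASE64_CHARS or len(s) % 4 != 0 or not BASE64_RE.match(s):
        return False
    try:
        base64.b64decode(s, validate=True)   # binascii.Error is a ValueError subclass
    except ValueError:
        return False
    return True


def assess_value(v: RegValue) -> list[str]:
    """Return the list of reasons a value deserves analyst attention (empty if none)."""
    reasons: list[str] = []
    if v.kind == "REG_BINARY":
        if len(v.data) >= LARGE_BLOB_BYTES:
            reasons.append(f"large binary value ({len(v.data)} bytes)")
        ent = shannon_entropy(v.data)
        if ent >= HIGH_ENTROPY_BITS:
            reasons.append(f"high entropy ({ent:.2f} bits/byte)")
    elif v.kind in ("REG_SZ", "REG_EXPAND_SZ", "REG_MULTI_SZ"):
        text = v.data.decode("utf-8", errors="replace")
        if looks_base64(text):
            reasons.append(f"long base64-looking string ({len(text)} chars)")
    return reasons


def review_values(values: list[RegValue]) -> list[Finding]:
    """Run the heuristics over every record and keep only the ones with findings."""
    return [Finding(v.key, v.name, r) for v in values if (r := assess_value(v))]


# Constructed sample records (not real telemetry): two ordinary values and two
# that match the patterns a fileless-storage review is looking for.
SAMPLE_VALUES = [
    RegValue(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ExampleApp", "REG_SZ",
             b"C:\\Program Files\\Example\\example.exe /background"),
    RegValue(r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc", "Start", "REG_DWORD",
             b"\x02\x00\x00\x00"),
    RegValue(r"HKCU\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\Stage",
             "Blob", "REG_BINARY", bytes(range(256)) * 8),          # 2048 uniform bytes
    RegValue(r"HKCU\Software\ExampleApp\Config", "Payload", "REG_SZ",
             base64.b64encode(bytes(range(256)) * 4)),              # 1368-char base64 string
]

if __name__ == "__main__":
    for f in review_values(SAMPLE_VALUES):
        print(f"{f.key}\\{f.name}: " + "; ".join(f.reasons))
```

In practice the same three checks apply to WMI class instances and event-log contents, and the size and entropy thresholds should be tuned against a baseline of the keys that legitimately hold large blobs (component caches, licensing data) before the output is used for alerting rather than periodic review.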