|T1027.004||Compile After Delivery|
|T1027.005||Indicator Removal from Tools|
|T1027.007||Dynamic API Resolution|
Adversaries may store data in "fileless" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage include the Windows Registry, event logs, or WMI repository.
Similar to fileless in-memory behaviors such as Reflective Code Loading and Process Injection, fileless data storage may remain undetected by anti-virus and other endpoint security tools that can only access specific file formats from disk storage.
Adversaries may use fileless storage to conceal various types of stored data, including payloads/shellcode (potentially being used as part of Persistence) and collected data not yet exfiltrated from the victim (e.g., Local Data Staging). Adversaries also often encrypt, encode, splice, or otherwise obfuscate this fileless data when stored.
Some forms of fileless storage activity may indirectly create artifacts in the file system, but in central and otherwise difficult to inspect formats such as the WMI (e.g.,
%SystemRoot%\System32\Wbem\Repository) or Registry (e.g.,
%SystemRoot%\System32\Config) physical files.
APT32's backdoor has stored its configuration in a registry key.
Some versions of Chaes stored its instructions (otherwise in a
CHOPSTICK may store RC4 encrypted configuration information in the Windows Registry.
ComRAT has stored encrypted orchestrator code and payloads in the Registry.
DarkWatchman can store configuration strings, keylogger, and output of components in the Registry.
|S0343||Exaramel for Windows||
Exaramel for Windows stores the backdoor's configuration in the Registry in XML format.
Grandoreiro can store its configuration in the Registry at
Mosquito stores configuration values under the Registry key
NETWIRE can store its configuration information in the Registry under
During Operation CuckooBees, the threat actors stroed payloads in Windows CLFS (Common Log File System) transactional logs.
Pillowmint has stored a compressed payload in the Registry key
PipeMon has stored its encrypted payload in the Registry under
PolyglotDuke can store encrypted JSON configuration files in the Registry.
QakBot can store its configuration information in a randomly named subkey under
QUADAGENT stores a session identifier unique to the compromised system as well as a pre-shared key used for encrypting and decrypting C2 communications within a Registry key (such as
RCSession can store its obfuscated configuration file in the Registry under
REvil can save encryption parameters and system information in the Registry.
ShadowPad maintains a configuration block and virtual file system in the Registry.
Sibot has installed a second-stage script in the
SysUpdate can store its encoded configuration file within
ThreatNeedle can save its configuration data as a RC4-encrypted Registry key under
TinyTurla can save its configuration parameters in the Registry.
Turla has used the Registry to store encrypted and encoded payloads.
TYPEFRAME can install and store encrypted configuration data under the Registry key
Valak has the ability to store information regarding the C2 server and downloads in the Registry key
Volgmer stores an encoded configuration file in
Consider periodic review of common fileless storage locations (such as the Registry or WMI repository) to potentially identify abnormal and malicious data.
|ID||Data Source||Data Component||Detects|
|DS0024||Windows Registry||Windows Registry Key Creation||
Monitor for the creation of Registry values that may highlight storage of malicious data such as commands or payloads.
Monitor for the creation of WMI Objects and values that may highlight storage of malicious data such as commands or payloads.