T1027.011

Fileless Storage

Adversaries may store data in fileless formats to conceal malicious activity from defenses. Fileless storage includes the Windows Registry, event logs, WMI repository, and on Linux, shared memory directories (/dev/shm, /run/shm) and volatile paths (/tmp). Windows Registry-based storage is widely used by malware including QakBot, ComRAT, ShadowPad, DarkWatchman, Turla, APT32, and Volgmer to store encrypted configurations, payloads, and C2 data. Linux malware including FritzFrog (FrogShell), Muhstik, and others abuse /dev/shm and /run/shm to store binaries that are executed directly from shared memory without writing to persistent disk storage.

Microsoft Sentinel / Defender

kusto

let SuspiciousRegistryPaths = dynamic([
  "HKCU\\Software\\Microsoft\\[^\\\\]+$",
  "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility",
  "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PrintConfigs",
  "HKLM\\SOFTWARE\\Microsoft\\DRM",
  "HKLM\\SOFTWARE\\Classes\\.wav\\",
  "HKCU\\Software\\ApplicationContainer\\",
  "HKLM\\SOFTWARE\\Plus",
  "HKCU\\SOFTWARE\\Plus"
]);
DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryValueData has_any ("MZ", "TVqQ", "4D5A") // PE magic bytes in Base64 or hex
    or (strlen(RegistryValueData) > 10000
        and (RegistryValueData matches regex @"^[A-Za-z0-9+/=]{100,}$"))  // Large Base64 blob
| where RegistryKey !startswith "HKLM\\SYSTEM\\CurrentControlSet\\Services\\"
    and RegistryKey !startswith "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
| project Timestamp, DeviceName, AccountName, ActionType, RegistryKey, RegistryValueName,
         RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc

high severity high confidence

Data Sources

Windows Registry: Registry Key Modification Microsoft Defender for Endpoint

Required Tables

DeviceRegistryEvents

False Positives

Some legitimate software stores large Base64-encoded configuration or license data in registry values
Group Policy preferences that store Base64-encoded data in registry keys for computer configuration
Certificate enrollment and management software that stores certificate data in registry values
Backup and synchronization tools that cache serialized objects (sometimes Base64-encoded) in registry

Elastic Security (EQL)

eql

registry where
  event.action in ("RegistryValueSet", "modification", "creation") and
  (
    any registry.data.strings : ("*MZ*", "*TVqQ*", "*4D5A*") or
    (
      length(registry.data.strings[0]) > 5000 and
      match(registry.data.strings[0], """^[A-Za-z0-9+/=]{100,}$""")
    ) or
    registry.path : (
      "*\\ShellCompatibility*",
      "*\\PrintConfigs*",
      "*\\Microsoft\\DRM*",
      "*\\ApplicationContainer*",
      "*\\Plus",
      "*\\GameConfiguration*",
      "*\\ScConfig*"
    )
  ) and
  not registry.path : (
    "HKLM\\SYSTEM\\CurrentControlSet\\Services\\*",
    "*\\Windows NT\\CurrentVersion\\Winlogon*"
  )

/* Companion query for Linux fileless execution — run separately */
/* process where
  host.os.type == "linux" and
  event.type == "start" and
  (
    process.command_line : ("*/dev/shm/*", "*/run/shm/*", "*memfd_create*", "*/tmp/.*") or
    process.executable : ("/dev/shm/*", "/run/shm/*")
  ) and
  not process.name : ("python", "python3", "java", "node", "nodejs", "ruby", "perl", "Xorg", "dbus-daemon")
*/

high severity medium confidence

Data Sources

Elastic Endpoint Security (endpoint.events.registry) Winlogbeat with Sysmon module Auditbeat (Linux process events)

Required Tables

logs-endpoint.events.registry-* logs-endpoint.events.process-* winlogbeat-*

False Positives

Legitimate DRM software (Adobe, Microsoft PlayReady, Widevine) writing large encrypted license blobs to HKLM\SOFTWARE\Microsoft\DRM — will trigger on registry path pattern match
Enterprise software deployment tools (SCCM client, Chocolatey, Tanium) that temporarily stage Base64-encoded installer payloads in HKCU or HKLM Software subkeys during silent installation workflows
Linux applications using POSIX shared memory (shm_open) for high-performance IPC — common in PostgreSQL (shared_buffers), multimedia frameworks (PulseAudio), and scientific computing libraries that create files in /dev/shm or execute helpers from those paths

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  username AS Username,
  QIDNAME(qid) AS EventName,
  "TargetObject" AS RegistryKey,
  "Details" AS RegistryValueData,
  STRLEN(COALESCE("Details", '')) AS DataLength,
  "Image" AS InitiatingProcess,
  CASE
    WHEN "Details" ILIKE '%4D5A%' OR "Details" ILIKE '%TVqQ%' THEN 'PE_MAGIC_BYTES'
    WHEN STRLEN(COALESCE("Details", '')) > 5000 THEN 'LARGE_BASE64_BLOB'
    ELSE 'SUSPICIOUS_KEY_PATH'
  END AS DetectionReason
FROM events
WHERE
  eventid = '13'
  AND (
    "Details" ILIKE '%4D5A%'
    OR "Details" ILIKE '%TVqQ%'
    OR "Details" ILIKE '%MZ%'
    OR (
      STRLEN(COALESCE("Details", '')) > 5000
      AND MATCHES("Details", '^[A-Za-z0-9+/=]+$')
    )
    OR LOWER(COALESCE("TargetObject", '')) LIKE '%shellcompatib%'
    OR LOWER(COALESCE("TargetObject", '')) LIKE '%printconfig%'
    OR LOWER(COALESCE("TargetObject", '')) LIKE '%microsoft\\drm%'
    OR LOWER(COALESCE("TargetObject", '')) LIKE '%applicationcontainer%'
    OR LOWER(COALESCE("TargetObject", '')) LIKE '%\\plus'
    OR LOWER(COALESCE("TargetObject", '')) LIKE '%gameconfiguration%'
  )
  AND LOWER(COALESCE("TargetObject", '')) NOT LIKE '%currentcontrolset\\services%'
  AND LOWER(COALESCE("TargetObject", '')) NOT LIKE '%winlogon%'
  AND starttime > NOW() - 86400000
ORDER BY DataLength DESC

high severity medium confidence

Data Sources

Microsoft Windows Sysmon via WinCollect Agent Microsoft Windows Event Log DSM (Universal DSM with Sysmon parsing) QRadar Log Source: Microsoft Sysmon

Required Tables

events

False Positives

Legitimate Microsoft or third-party DRM software (Adobe Creative Cloud, PlayReady, Widevine) writing large encrypted license blobs to HKLM\SOFTWARE\Microsoft\DRM paths — triggers on both the key path pattern and potentially on large data size
Enterprise endpoint management agents (BigFix IEM, Tanium, SCCM) that serialize and store Base64-encoded configuration or policy blobs in HKLM or HKCU Software paths during agent check-ins or policy enforcement
Custom LOB applications that store application state, certificates, or encoded configuration payloads in registry keys with names that inadvertently match suspicious path patterns (e.g., applications with 'Plus' in their registry namespace)

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceName=*Sysmon*)
| where EventID = 13 OR EventCode = "13"
| parse field=Message "TargetObject: *\nDetails: *\nImage: *" as TargetObject, Details, Image nodrop
| if (isNull(Details), "", Details) as Details
| if (isNull(TargetObject), "", TargetObject) as TargetObject
| length(Details) as DataLength
| if (matches(Details, "4D5A|TVqQ|\\bMZ\\b"), 1, 0) as IsPEInRegistry
| if (DataLength > 5000 AND matches(Details, "^[A-Za-z0-9+/=]+$"), 1, 0) as IsLargeBase64
| if (matches(toLowerCase(TargetObject), "shellcompat|printconfig|microsoft\\\\drm|applicationcontainer|\\\\plus$|gameconfiguration|scconfig"), 1, 0) as IsSuspiciousKey
| where IsPEInRegistry = 1 OR IsLargeBase64 = 1 OR IsSuspiciousKey = 1
| where !matches(toLowerCase(TargetObject), "currentcontrolset\\\\services|winlogon")
| fields _messageTime, _sourceHost, UserName, TargetObject, Details, Image, DataLength, IsPEInRegistry, IsLargeBase64, IsSuspiciousKey
| sort by DataLength desc

/* Linux fileless execution — run as separate query */
/* (_sourceCategory=*linux* OR _sourceCategory=*audit* OR _sourceCategory=*osquery*)
| where matches(_raw, "/dev/shm|/run/shm|memfd_create|/tmp/\\.")
| where !matches(_raw, "python|java|node|nodejs|ruby|perl|dbus")
| parse field=_raw "*" as cmdline nodrop
| fields _messageTime, _sourceHost, cmdline
*/

high severity medium confidence

Data Sources

Windows Sysmon via Sumo Logic Installed Collector (Windows Event Log source) Linux Audit Log or Syslog via Installed Collector osquery via Sumo Logic osquery integration

Required Tables

_sourceCategory (deployment-specific — configure to match Sysmon and Linux audit log ingestion paths)

False Positives

Windows Content Delivery Manager and feature update mechanisms that temporarily store encoded payload manifests in non-standard HKLM or HKCU Software subkeys during OS update staging
Enterprise security products (CrowdStrike, Carbon Black, Cylance) that write encrypted scan results, quarantine metadata, or configuration blobs to HKCU\Software\ApplicationContainer or similar paths — triggering on both path pattern and data size
Electron-based desktop applications (VS Code, Slack, Microsoft Teams, Obsidian) that persist Base64-encoded state, session tokens, or workspace configuration in HKCU\Software subkeys that can exceed 5000 characters

Google Chronicle / SecOps

yaral

rule T1027_011_Fileless_Storage_Registry {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1027.011 fileless payload storage via Windows Registry: PE magic bytes (MZ/4D5A/TVqQ), large Base64 blobs (>5000 chars), or writes to registry paths known to be abused by QakBot, Turla ComRAT, DarkWatchman, ShadowPad, and APT32."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1027.011"
    severity = "HIGH"
    confidence = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1027/011/"

  events:
    $e.metadata.event_type = "REGISTRY_MODIFICATION"
    (
      re.regex($e.target.registry.registry_value_data, `(?i)(4D5A|TVqQ)`) or
      (
        length($e.target.registry.registry_value_data) > 5000 and
        re.regex($e.target.registry.registry_value_data, `^[A-Za-z0-9+/=]{100,}$`)
      ) or
      re.regex($e.target.registry.registry_key, `(?i)(ShellCompatib|PrintConfig|Microsoft\\DRM|ApplicationContainer|\\Plus$|GameConfig|ScConfig)`)
    )
    not re.regex($e.target.registry.registry_key, `(?i)(CurrentControlSet\\Services|Winlogon)`)

  condition:
    $e
}

rule T1027_011_Fileless_Storage_Linux_SHM {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1027.011 fileless execution on Linux via process launches from /dev/shm, /run/shm, or using memfd_create — techniques used by FritzFrog (FrogShell), Muhstik, and other Linux malware to execute without writing to persistent disk."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1027.011"
    severity = "HIGH"
    confidence = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1027/011/"

  events:
    $p.metadata.event_type = "PROCESS_LAUNCH"
    $p.principal.platform = "LINUX"
    re.regex($p.target.process.command_line, `(/dev/shm|/run/shm|memfd_create|/tmp/\.)`)
    not re.regex($p.target.process.file.full_path, `(python[23]?|java|node|ruby|perl|Xorg|dbus-daemon|pulseaudio)`)

  condition:
    $p
}

high severity medium confidence

Data Sources

Chronicle UDM (ingested via Google SecOps forwarder) Windows Event Forwarding to Chronicle Sysmon via Chronicle Windows Event Log ingestion Linux auditd or osquery forwarded to Chronicle

Required Tables

UDM event type: REGISTRY_MODIFICATION UDM event type: PROCESS_LAUNCH

False Positives

Legitimate Microsoft and third-party DRM clients (PlayReady, Widevine, Adobe) writing encrypted license data to HKLM\SOFTWARE\Microsoft\DRM — triggers on registry key path pattern in Rule 1
Container runtimes on Linux (Docker daemon, containerd, Kubernetes kubelet) that use POSIX shared memory segments in /dev/shm for inter-process coordination and may execute helper processes from those paths — triggers on Rule 2
Electron-based productivity apps (VS Code, Slack, Teams, Obsidian) that persist large Base64-encoded workspace state or encrypted session tokens in HKCU Software subkeys exceeding 5000 characters — triggers on Base64 blob size check in Rule 1

CrowdStrike LogScale (CQL)

cql

// Windows Registry Fileless Storage Detection
#event_simpleName=RegValueUpdate OR #event_simpleName=AsepValueUpdate
| TargetObject=*
| eval DataLength=len(RegStringValue)
| eval IsPEMagic=if(RegStringValue=/(4D5A|TVqQ)/i, "true", "false")
| eval IsLargeBase64=if(DataLength>5000 AND RegStringValue=/^[A-Za-z0-9+\/=]+$/, "true", "false")
| eval IsSuspiciousKey=if(TargetObject=/(ShellCompatib|PrintConfig|Microsoft\\DRM|ApplicationContainer|\\Plus$|GameConfig|ScConfig)/i, "true", "false")
| where IsPEMagic="true" OR IsLargeBase64="true" OR IsSuspiciousKey="true"
| where NOT TargetObject=/(CurrentControlSet\\Services|Winlogon)/i
| table([ComputerName, UserName, TargetObject, RegStringValue, DataLength, ImageFileName, IsPEMagic, IsLargeBase64, IsSuspiciousKey])
| sort(field=DataLength, order=desc)

// Linux Fileless Execution via Shared Memory — run separately
// #event_simpleName=ProcessRollup2
// | event_platform=Lin
// | CommandLine=/(dev\/shm|run\/shm|memfd_create|\/tmp\/\.)/
// | CommandLine!=/(python[23]?|java\b|\bnode\b|ruby|perl|Xorg|dbus)/
// | groupBy([ComputerName, UserName, FileName, CommandLine], function=count(as=EventCount))
// | sort(field=EventCount, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Sensor v6.x+ (Endpoint Activity Monitor — Registry telemetry) CrowdStrike Falcon for Linux (kernel sensor — ProcessRollup2 events) Falcon Complete or Falcon Insight XDR with registry telemetry enabled

Required Tables

#event_simpleName=RegValueUpdate #event_simpleName=AsepValueUpdate #event_simpleName=ProcessRollup2 (Linux companion)

False Positives

CrowdStrike Falcon sensor itself and other EDR/AV products that write encrypted quarantine metadata, scan signatures, or configuration blobs to non-standard HKCU or HKLM Software paths — may trigger on both key path patterns and data size checks
Enterprise patch management platforms (Tanium, BigFix, PDQ Deploy) that stage Base64-encoded installer payloads or encoded policy manifests in registry keys prior to execution during patch deployment windows
Linux high-performance applications using POSIX shared memory (PostgreSQL with large shared_buffers, scientific computing tools, multimedia frameworks) that create files in /dev/shm and launch helper processes from those paths — triggers on the Linux companion query if uncommented

Last updated: 2026-04-13 Research depth: deep

References (5)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1027.011 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Fileless Storage

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections