T1027.011 Google Chronicle · YARA-L

Detect Fileless Storage in Google Chronicle

Adversaries may store data in fileless formats to conceal malicious activity from defenses. Fileless storage includes the Windows Registry, event logs, WMI repository, and on Linux, shared memory directories (/dev/shm, /run/shm) and volatile paths (/tmp). Windows Registry-based storage is widely used by malware including QakBot, ComRAT, ShadowPad, DarkWatchman, Turla, APT32, and Volgmer to store encrypted configurations, payloads, and C2 data. Linux malware including FritzFrog (FrogShell), Muhstik, and others abuse /dev/shm and /run/shm to store binaries that are executed directly from shared memory without writing to persistent disk storage.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1027 Obfuscated Files or Information
Sub-technique: T1027.011 Fileless Storage
Canonical reference: https://attack.mitre.org/techniques/T1027/011/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule T1027_011_Fileless_Storage_Registry {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1027.011 fileless payload storage via Windows Registry: PE magic bytes (MZ/4D5A/TVqQ), large Base64 blobs (>5000 chars), or writes to registry paths known to be abused by QakBot, Turla ComRAT, DarkWatchman, ShadowPad, and APT32."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1027.011"
    severity = "HIGH"
    confidence = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1027/011/"

  events:
    $e.metadata.event_type = "REGISTRY_MODIFICATION"
    (
      re.regex($e.target.registry.registry_value_data, `(?i)(4D5A|TVqQ)`) or
      (
        strings.length($e.target.registry.registry_value_data) > 5000 and
        re.regex($e.target.registry.registry_value_data, `^[A-Za-z0-9+/=]{100,}$`)
      ) or
      re.regex($e.target.registry.registry_key, `(?i)(ShellCompatib|PrintConfig|Microsoft\\DRM|ApplicationContainer|\\Plus$|GameConfig|ScConfig)`)
    )
    not re.regex($e.target.registry.registry_key, `(?i)(CurrentControlSet\\Services|Winlogon)`)

  condition:
    $e
}

rule T1027_011_Fileless_Storage_Linux_SHM {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1027.011 fileless execution on Linux via process launches from /dev/shm, /run/shm, or using memfd_create — techniques used by FritzFrog (FrogShell), Muhstik, and other Linux malware to execute without writing to persistent disk."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1027.011"
    severity = "HIGH"
    confidence = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1027/011/"

  events:
    $p.metadata.event_type = "PROCESS_LAUNCH"
    $p.principal.platform = "LINUX"
    re.regex($p.target.process.command_line, `(/dev/shm|/run/shm|memfd_create|/tmp/\.)`)
    not re.regex($p.target.process.file.full_path, `(python[23]?|java|node|ruby|perl|Xorg|dbus-daemon|pulseaudio)`)

  condition:
    $p
}

Two Chronicle YARA-L 2.0 rules detecting T1027.011. Rule 1 (Windows Registry) matches REGISTRY_MODIFICATION events whose value data contains PE magic bytes or a large Base64-encoded blob, or whose key path is one used by known malware for fileless C2 config/payload storage; it excludes keys under CurrentControlSet\Services and Winlogon, where legitimate binary data is common. Rule 2 (Linux SHM) matches PROCESS_LAUNCH events on Linux hosts where the command line references /dev/shm, /run/shm, memfd_create, or a hidden path under /tmp, the primary techniques of FritzFrog, Muhstik, and similar Linux implants; it excludes common interpreters and desktop daemons (python, java, node, ruby, perl, Xorg, dbus-daemon, pulseaudio) as the launched executable.
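To see what the two rules above actually match, here is an added Python harness (not part of the original page, and not Chronicle code) that re-implements their predicates with the same regexes over constructed, flattened UDM-style events. It assumes Chronicle's re.regex() performs unanchored partial matching, which Python's re.search mirrors; the DRM and Services-key samples show the false positive and the exclusion documented on this page.

```python
import re

# Regexes copied from the two YARA-L rules above; re.search mirrors the
# unanchored, partial-match semantics of YARA-L re.regex().
PE_MAGIC = re.compile(r"(?i)(4D5A|TVqQ)")
B64_BLOB = re.compile(r"^[A-Za-z0-9+/=]{100,}$")
ABUSED_KEYS = re.compile(
    r"(?i)(ShellCompatib|PrintConfig|Microsoft\\DRM|ApplicationContainer|\\Plus$|GameConfig|ScConfig)")
REG_EXCLUDE = re.compile(r"(?i)(CurrentControlSet\\Services|Winlogon)")
SHM_LAUNCH = re.compile(r"(/dev/shm|/run/shm|memfd_create|/tmp/\.)")
RUNTIME_EXCLUDE = re.compile(r"(python[23]?|java|node|ruby|perl|Xorg|dbus-daemon|pulseaudio)")

def registry_rule(ev: dict) -> bool:
    """T1027_011_Fileless_Storage_Registry over a flattened UDM-style event dict."""
    if ev.get("event_type") != "REGISTRY_MODIFICATION":
        return False
    key, data = ev.get("registry_key", ""), ev.get("registry_value_data", "")
    suspicious = (PE_MAGIC.search(data) is not None
                  or (len(data) > 5000 and B64_BLOB.search(data) is not None)
                  or ABUSED_KEYS.search(key) is not None)
    return suspicious and REG_EXCLUDE.search(key) is None

def linux_shm_rule(ev: dict) -> bool:
    """T1027_011_Fileless_Storage_Linux_SHM over the same flattened shape."""
    if ev.get("event_type") != "PROCESS_LAUNCH" or ev.get("platform") != "LINUX":
        return False
    return (SHM_LAUNCH.search(ev.get("command_line", "")) is not None
            and RUNTIME_EXCLUDE.search(ev.get("file_path", "")) is None)

def reg(key, data):  # build a constructed REGISTRY_MODIFICATION event (hypothetical helper)
    return {"event_type": "REGISTRY_MODIFICATION", "registry_key": key, "registry_value_data": data}

def proc(cmd, path):  # build a constructed Linux PROCESS_LAUNCH event (hypothetical helper)
    return {"event_type": "PROCESS_LAUNCH", "platform": "LINUX", "command_line": cmd, "file_path": path}

# Constructed sample events, not real telemetry; "drm_false_positive" is the FP listed under tuning.
SAMPLE_EVENTS = {
    "pe_in_registry": reg(r"HKCU\Software\Microsoft\Config", "4D5A90000300000004000000FFFF0000"),
    "big_base64": reg(r"HKCU\Software\Contoso\State", "QUJD" * 1500 + "=="),  # 6002-char Base64 blob
    "valak_path": reg(r"HKCU\Software\ApplicationContainer\Appsw64", "short"),
    "drm_false_positive": reg(r"HKLM\SOFTWARE\Microsoft\DRM", "license-blob"),
    "service_excluded": reg(r"HKLM\SYSTEM\CurrentControlSet\Services\Svc\ImagePath", "4D5A0000"),
    "shm_exec": proc("/dev/shm/fileless_test", "/dev/shm/fileless_test"),
    "python_runtime": proc("python3 /dev/shm/worker.py", "/usr/bin/python3"),
}

def evaluate(events=SAMPLE_EVENTS):
    """Map each event name to the rule it fires (None when neither rule matches)."""
    return {n: ("Registry" if registry_rule(e) else "Linux_SHM" if linux_shm_rule(e) else None)
            for n, e in events.items()}
```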

Data Sources

  • Chronicle UDM (ingested via Google SecOps forwarder)
  • Windows Event Forwarding to Chronicle
  • Sysmon via Chronicle Windows Event Log ingestion
  • Linux auditd or osquery forwarded to Chronicle

Required Tables

  • UDM event type: REGISTRY_MODIFICATION
  • UDM event type: PROCESS_LAUNCH

False Positives & Tuning

  • Legitimate Microsoft and third-party DRM clients (PlayReady, Widevine, Adobe) writing encrypted license data to HKLM\SOFTWARE\Microsoft\DRM — triggers on registry key path pattern in Rule 1
  • Container runtimes on Linux (Docker daemon, containerd, Kubernetes kubelet) that use POSIX shared memory segments in /dev/shm for inter-process coordination and may execute helper processes from those paths — triggers on Rule 2
  • Electron-based productivity apps (VS Code, Slack, Teams, Obsidian) that persist large Base64-encoded workspace state or encrypted session tokens in HKCU Software subkeys exceeding 5000 characters — triggers on Base64 blob size check in Rule 1
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Store Base64-Encoded Payload in Registry (QakBot/Sibot Pattern)

    Expected signal: Sysmon Event ID 12 (Registry Key Creation): new key under HKCU\Software\Microsoft. Sysmon Event ID 13 (Registry Value Set): Config value with Base64 data. PowerShell ScriptBlock Log Event ID 4104: New-ItemProperty command with Base64 value.

  2. Test 2: Store Encrypted Configuration in Non-Standard Registry Path

    Expected signal: Sysmon Event ID 12/13: registry key and value creation at HKCU\Software\ApplicationContainer\Appsw64. The Appsw64 key path matches Valak malware's known storage location. Process creation for reg.exe.

  3. Test 3: Execute Binary from Linux Shared Memory (/dev/shm)

    Expected signal: Process creation events for cp, chmod, and /dev/shm/fileless_test. Auditd execve records showing execution from /dev/shm path. Process listing would show exe=/dev/shm/fileless_test for the running process.

  4. Test 4: WMI-Based Fileless Storage (Event Subscription)

    Expected signal: Sysmon Event ID 19 (WMI Event Filter Activity): new filter created. WMI provider host (WmiPrvSE.exe) activity. The filter is stored in the WMI repository database, not as a file.
