T1027.011 Elastic Security · Elastic

Detect Fileless Storage in Elastic Security

Adversaries may store data in fileless formats to conceal malicious activity from defenses. Fileless storage includes the Windows Registry, event logs, WMI repository, and on Linux, shared memory directories (/dev/shm, /run/shm) and volatile paths (/tmp). Windows Registry-based storage is widely used by malware including QakBot, ComRAT, ShadowPad, DarkWatchman, Turla, APT32, and Volgmer to store encrypted configurations, payloads, and C2 data. Linux malware including FritzFrog (FrogShell), Muhstik, and others abuse /dev/shm and /run/shm to store binaries that are executed directly from shared memory without writing to persistent disk storage.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1027 Obfuscated Files or Information
Sub-technique
T1027.011 Fileless Storage
Canonical reference
https://attack.mitre.org/techniques/T1027/011/

Elastic Detection Query

Elastic Security (Elastic)
eql 
registry where
  event.action in ("RegistryValueSet", "modification", "creation") and
  (
    any registry.data.strings : ("*MZ*", "*TVqQ*", "*4D5A*") or
    (
      length(registry.data.strings[0]) > 5000 and
      match(registry.data.strings[0], """^[A-Za-z0-9+/=]{100,}$""")
    ) or
    registry.path : (
      "*\\ShellCompatibility*",
      "*\\PrintConfigs*",
      "*\\Microsoft\\DRM*",
      "*\\ApplicationContainer*",
      "*\\Plus",
      "*\\GameConfiguration*",
      "*\\ScConfig*"
    )
  ) and
  not registry.path : (
    "HKLM\\SYSTEM\\CurrentControlSet\\Services\\*",
    "*\\Windows NT\\CurrentVersion\\Winlogon*"
  )

/* Companion query for Linux fileless execution — run separately */
/* process where
  host.os.type == "linux" and
  event.type == "start" and
  (
    process.command_line : ("*/dev/shm/*", "*/run/shm/*", "*memfd_create*", "*/tmp/.*") or
    process.executable : ("/dev/shm/*", "/run/shm/*")
  ) and
  not process.name : ("python", "python3", "java", "node", "nodejs", "ruby", "perl", "Xorg", "dbus-daemon")
*/
high severity medium confidence

Detects T1027.011 Fileless Storage via Elastic EQL targeting Windows Registry events with PE magic bytes (MZ, 4D5A, TVqQ) or oversized Base64 blobs in registry value data, and registry key paths associated with malware payload staging (QakBot, Turla, DarkWatchman, ShadowPad, APT32). A commented companion query covers Linux fileless execution from /dev/shm and /run/shm via Elastic Endpoint or Auditbeat process telemetry.

Data Sources

Elastic Endpoint Security (endpoint.events.registry)Winlogbeat with Sysmon moduleAuditbeat (Linux process events)

Required Tables

logs-endpoint.events.registry-*logs-endpoint.events.process-*winlogbeat-*

False Positives & Tuning

  • Legitimate DRM software (Adobe, Microsoft PlayReady, Widevine) writing large encrypted license blobs to HKLM\SOFTWARE\Microsoft\DRM — will trigger on registry path pattern match
  • Enterprise software deployment tools (SCCM client, Chocolatey, Tanium) that temporarily stage Base64-encoded installer payloads in HKCU or HKLM Software subkeys during silent installation workflows
  • Linux applications using POSIX shared memory (shm_open) for high-performance IPC — common in PostgreSQL (shared_buffers), multimedia frameworks (PulseAudio), and scientific computing libraries that create files in /dev/shm or execute helpers from those paths
Download portable Sigma rule (.yml)

Other platforms for T1027.011

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Store Base64-Encoded Payload in Registry (QakBot/Sibot Pattern)

    Expected signal: Sysmon Event ID 12 (Registry Key Creation): new key under HKCU\Software\Microsoft. Sysmon Event ID 13 (Registry Value Set): Config value with Base64 data. PowerShell ScriptBlock Log Event ID 4104: New-ItemProperty command with Base64 value.

  2. Test 2Store Encrypted Configuration in Non-Standard Registry Path

    Expected signal: Sysmon Event ID 12/13: registry key and value creation at HKCU\Software\ApplicationContainer\Appsw64. The Appsw64 key path matches Valak malware's known storage location. Process creation for reg.exe.

  3. Test 3Execute Binary from Linux Shared Memory (/dev/shm)

    Expected signal: Process creation events for cp, chmod, and /dev/shm/fileless_test. Auditd execve records showing execution from /dev/shm path. Process listing would show exe=/dev/shm/fileless_test for the running process.

  4. Test 4WMI-Based Fileless Storage (Event Subscription)

    Expected signal: Sysmon Event ID 19 (WMI Event Filter Activity): new filter created. WMI provider host (WmiPrvSE.exe) activity. The filter is stored in the WMI repository database, not as a file.

Last updated: 2026-04-13 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1027.011 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1027Obfuscated Files or Information

Related Sub-techniques

T1027.001Binary PaddingT1027.002Software PackingT1027.003SteganographyT1027.004Compile After DeliveryT1027.005Indicator Removal from ToolsT1027.006HTML SmugglingT1027.007Dynamic API ResolutionT1027.008Stripped PayloadsT1027.009Embedded PayloadsT1027.010Command ObfuscationT1027.012LNK Icon SmugglingT1027.013Encrypted/Encoded FileT1027.014Polymorphic CodeT1027.015CompressionT1027.016Junk Code InsertionT1027.017SVG Smuggling

Related Techniques

T1027Obfuscated Files or InformationT1027.013Encrypted/Encoded FileT1547.001Registry Run Keys / Startup FolderT1053.005Scheduled TaskT1059.001PowerShellT1112Modify RegistryT1620Reflective Code Loading

Same Tactic: Defense Evasion

Popular Detections