T1027.011 CrowdStrike LogScale · LogScale

Detect Fileless Storage in CrowdStrike LogScale

Adversaries may store data in fileless formats to conceal malicious activity from defenses. Fileless storage includes the Windows Registry, event logs and the WMI repository, and, on Linux, the tmpfs-backed shared memory directories (/dev/shm, /run/shm) and volatile paths such as /tmp. Registry-based storage is widely used by malware families and intrusion sets including QakBot, ComRAT, ShadowPad, DarkWatchman, Turla, APT32, and Volgmer to hold encrypted configurations, payloads, and C2 data. Linux malware including FritzFrog (FrogShell) and Muhstik abuses /dev/shm and /run/shm to stage binaries that are executed directly from shared memory without ever being written to persistent disk.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1027 Obfuscated Files or Information
Sub-technique
T1027.011 Fileless Storage
Canonical reference
https://attack.mitre.org/techniques/T1027/011/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql
// Windows Registry Fileless Storage Detection
// Falcon exposes the key path as RegObjectName (the equivalent of Sysmon's TargetObject)
// and string-typed value data as RegStringValue; confirm both event names against your
// sensor version's event data dictionary before deploying.
#event_simpleName=RegValueUpdate OR #event_simpleName=AsepValueUpdate
| RegObjectName=*
| DataLength := length(RegStringValue)
| case {
    RegStringValue=/(4D5A|TVqQ)/i | IsPEMagic := "true";
    * | IsPEMagic := "false";
  }
| case {
    DataLength>5000 AND RegStringValue=/^[A-Za-z0-9+\/=]+$/ | IsLargeBase64 := "true";
    * | IsLargeBase64 := "false";
  }
| case {
    RegObjectName=/(ShellCompatib|PrintConfig|Microsoft\\DRM|ApplicationContainer|\\Plus$|GameConfig|ScConfig)/i | IsSuspiciousKey := "true";
    * | IsSuspiciousKey := "false";
  }
| IsPEMagic="true" OR IsLargeBase64="true" OR IsSuspiciousKey="true"
| NOT RegObjectName=/(CurrentControlSet\\Services|Winlogon)/i
| table([ComputerName, UserName, RegObjectName, RegStringValue, DataLength, ImageFileName, IsPEMagic, IsLargeBase64, IsSuspiciousKey])
| sort(field=DataLength, order=desc)

// Linux Fileless Execution via Shared Memory — run separately
// #event_simpleName=ProcessRollup2
// | event_platform=Lin
// | CommandLine=/(dev\/shm|run\/shm|memfd_create|\/tmp\/\.)/
// | NOT CommandLine=/(python[23]?|java\b|\bnode\b|ruby|perl|Xorg|dbus)/
// | groupBy([ComputerName, UserName, FileName, CommandLine], function=count(as=EventCount))
// | sort(field=EventCount, order=desc)
Severity: high · Confidence: medium

CrowdStrike Falcon LogScale (CQL) detection for T1027.011 using Falcon endpoint telemetry. The primary query takes RegValueUpdate and AsepValueUpdate events and flags any of three conditions: PE magic in the string data (4D5A as hex text, or TVqQ, the Base64 encoding of MZ followed by 0x90), a Base64-only string longer than 5000 characters, or a write beneath a key path associated with known malware families (QakBot HKCU blob staging, Turla ComRAT, DarkWatchman, Valak's ApplicationContainer path). Only the key-path check is independent of the value contents: where the sensor does not populate RegStringValue for a given value type, the PE and Base64 checks cannot fire, which is why confidence is medium rather than high. Linux coverage is provided by the commented ProcessRollup2 companion query, which surfaces processes whose command line references /dev/shm, /run/shm, memfd_create or a hidden path under /tmp, after excluding common interpreters and desktop daemons.

Data Sources

  • CrowdStrike Falcon Sensor v6.x+ (Endpoint Activity Monitor — Registry telemetry)
  • CrowdStrike Falcon for Linux (kernel sensor — ProcessRollup2 events)
  • Falcon Complete or Falcon Insight XDR with registry telemetry enabled

Required Tables

  • #event_simpleName=RegValueUpdate
  • #event_simpleName=AsepValueUpdate
  • #event_simpleName=ProcessRollup2 (Linux companion)

False Positives & Tuning

  • CrowdStrike's own Falcon sensor and other EDR/AV products that write encrypted quarantine metadata, scan signatures or configuration blobs to non-standard HKCU or HKLM Software paths; these can trip both the key-path patterns and the size check
  • Enterprise patch management platforms (Tanium, BigFix, PDQ Deploy) that stage Base64-encoded installer payloads or encoded policy manifests in registry keys prior to execution during patch deployment windows
  • String values that are themselves hex text (GUIDs, hashes, hex-encoded identifiers) and happen to contain the substring 4D5A: the PE-magic pattern is unanchored, so such values set IsPEMagic; anchoring it (^(4D5A|TVqQ)) removes this noise at the cost of missing payloads stored behind a prefix
  • Linux high-performance applications using POSIX shared memory (PostgreSQL with large shared_buffers, scientific computing tools, multimedia frameworks) that create files in /dev/shm and launch helper processes from those paths; these trigger the Linux companion query if it is uncommented
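As an added example (not part of this page and not CrowdStrike's code), the logic of the Windows query and the Linux companion re-implemented in Python over constructed Falcon-style events, so the three flags, the Services/Winlogon exclusion and the false-positive cases above can be exercised offline before the CQL is deployed. Hostnames, SIDs, key names, values and command lines are made up; RegObjectName is Falcon's field for the registry key path (the equivalent of Sysmon's TargetObject), RegStringValue carries string-typed value data, and the regular expressions are transcribed from the query.

```python
# Added example: offline re-implementation of the page's LogScale query logic.
# Not the page's own code; all sample events below are constructed.
import re
from collections import Counter

# Patterns transcribed from the CQL query.
PE_MAGIC = re.compile(r"(4D5A|TVqQ)", re.I)       # "MZ" as hex text, or Base64 of "MZ\x90"
BASE64_BLOB = re.compile(r"^[A-Za-z0-9+/=]+$")
SUSPICIOUS_KEY = re.compile(
    r"(ShellCompatib|PrintConfig|Microsoft\\DRM|ApplicationContainer|\\Plus$|GameConfig|ScConfig)", re.I)
EXCLUDED_KEY = re.compile(r"(CurrentControlSet\\Services|Winlogon)", re.I)
LARGE_THRESHOLD = 5000
REGISTRY_EVENTS = ("RegValueUpdate", "AsepValueUpdate")

LINUX_SHM = re.compile(r"(dev/shm|run/shm|memfd_create|/tmp/\.)")
LINUX_EXCLUDE = re.compile(r"(python[23]?|java\b|\bnode\b|ruby|perl|Xorg|dbus)")


def classify_registry_event(ev):
    """Return the row the Windows query would emit for one event, or None if it is filtered out."""
    if ev.get("#event_simpleName") not in REGISTRY_EVENTS:
        return None
    key = ev.get("RegObjectName")                  # Falcon key path (Sysmon: TargetObject)
    if key is None:
        return None
    value = ev.get("RegStringValue")               # absent when the sensor does not stringify the type
    data_len = len(value) if value is not None else None
    is_pe = value is not None and PE_MAGIC.search(value) is not None
    is_b64 = value is not None and data_len > LARGE_THRESHOLD and BASE64_BLOB.match(value) is not None
    is_key = SUSPICIOUS_KEY.search(key) is not None
    if not (is_pe or is_b64 or is_key):
        return None
    if EXCLUDED_KEY.search(key):                   # the query's NOT RegObjectName=/.../ filter
        return None
    return {"ComputerName": ev.get("ComputerName"), "UserName": ev.get("UserName"),
            "RegObjectName": key, "DataLength": data_len, "ImageFileName": ev.get("ImageFileName"),
            "IsPEMagic": is_pe, "IsLargeBase64": is_b64, "IsSuspiciousKey": is_key}


def run_registry_query(events):
    """All flagged rows, ordered like sort(field=DataLength, order=desc); rows without a length last."""
    rows = [r for r in (classify_registry_event(e) for e in events) if r is not None]
    rows.sort(key=lambda r: -1 if r["DataLength"] is None else r["DataLength"], reverse=True)
    return rows


def run_linux_query(events):
    """groupBy([ComputerName, UserName, FileName, CommandLine], count) for the Linux companion query."""
    counts = Counter()
    for ev in events:
        if ev.get("#event_simpleName") != "ProcessRollup2" or ev.get("event_platform") != "Lin":
            continue
        cmd = ev.get("CommandLine", "")
        if not LINUX_SHM.search(cmd) or LINUX_EXCLUDE.search(cmd):
            continue
        counts[(ev.get("ComputerName"), ev.get("UserName"), ev.get("FileName"), cmd)] += 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample events (hostnames, SIDs, key names and values are made up).
SAMPLE_REGISTRY_EVENTS = [
    # QakBot-style staging: a 6000-character Base64 blob under a random HKCU key
    {"#event_simpleName": "RegValueUpdate", "ComputerName": "WS01", "UserName": "alice",
     "ImageFileName": r"C:\Windows\explorer.exe",
     "RegObjectName": r"\REGISTRY\USER\S-1-5-21-1\Software\Microsoft\Wicrmejm",
     "RegStringValue": "QUJD" * 1500},
    # Base64-encoded PE (TVqQ prefix) written as a string value under an unremarkable key
    {"#event_simpleName": "RegValueUpdate", "ComputerName": "WS01", "UserName": "alice",
     "ImageFileName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "RegObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Contoso\Updater",
     "RegStringValue": "TVqQ" + "A" * 60},
    # Valak-style key; the value is binary, so the sensor supplies no RegStringValue
    {"#event_simpleName": "AsepValueUpdate", "ComputerName": "WS02", "UserName": "bob",
     "ImageFileName": r"C:\Windows\System32\reg.exe",
     "RegObjectName": r"\REGISTRY\USER\S-1-5-21-2\Software\ApplicationContainer\Appsw64"},
    # Would match on PE magic, but sits under the query's excluded Services path
    {"#event_simpleName": "RegValueUpdate", "ComputerName": "WS02", "UserName": "SYSTEM",
     "ImageFileName": r"C:\Windows\System32\services.exe",
     "RegObjectName": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\svc\ImagePath",
     "RegStringValue": "TVqQAAMAAAAE"},
    # Benign CLSID string that happens to contain "4D5A": the unanchored PE regex fires on it
    {"#event_simpleName": "RegValueUpdate", "ComputerName": "WS03", "UserName": "carol",
     "ImageFileName": r"C:\Windows\regedit.exe",
     "RegObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\Default",
     "RegStringValue": "{3B4D5A12-0000-4000-8000-000000000000}"},
]

SAMPLE_LINUX_EVENTS = [
    {"#event_simpleName": "ProcessRollup2", "event_platform": "Lin", "ComputerName": "web01",
     "UserName": "www-data", "FileName": ".x", "CommandLine": "/dev/shm/.x -c 198.51.100.7"},
    {"#event_simpleName": "ProcessRollup2", "event_platform": "Lin", "ComputerName": "web01",
     "UserName": "www-data", "FileName": ".x", "CommandLine": "/dev/shm/.x -c 198.51.100.7"},
    # Dropped by the interpreter exclusion even though it references /dev/shm
    {"#event_simpleName": "ProcessRollup2", "event_platform": "Lin", "ComputerName": "db01",
     "UserName": "postgres", "FileName": "python3", "CommandLine": "python3 /dev/shm/helper.py"},
]

if __name__ == "__main__":
    for row in run_registry_query(SAMPLE_REGISTRY_EVENTS):
        print(row)
    for group, n in run_linux_query(SAMPLE_LINUX_EVENTS):
        print(n, group)
```

Running it shows four registry rows: the Base64 blob first, then the TVqQ value, then the CLSID false positive (which is why the tuning note above suggests anchoring the PE pattern), and last the Appsw64 write that surfaced on key path alone because no string data was available. The Services/ImagePath write never appears, and the Linux query collapses the two identical /dev/shm executions into one group with a count of 2 while discarding the python3 helper.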

Testing Methodology

Validate this detection against the following four Atomic Red Team style tests. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Store Base64-Encoded Payload in Registry (QakBot/Sibot Pattern)

    Expected signal: Sysmon Event ID 12 (Registry Key Creation): new key under HKCU\Software\Microsoft. Sysmon Event ID 13 (Registry Value Set): Config value with Base64 data. PowerShell ScriptBlock Log Event ID 4104: New-ItemProperty command with Base64 value.

  2. Test 2: Store Encrypted Configuration in Non-Standard Registry Path

    Expected signal: Sysmon Event ID 12/13: registry key and value creation at HKCU\Software\ApplicationContainer\Appsw64. The Appsw64 key path matches Valak malware's known storage location. Process creation for reg.exe.

  3. Test 3: Execute Binary from Linux Shared Memory (/dev/shm)

    Expected signal: Process creation events for cp, chmod, and /dev/shm/fileless_test. Auditd execve records showing execution from /dev/shm path. Process listing would show exe=/dev/shm/fileless_test for the running process.

  4. Test 4: WMI-Based Fileless Storage (Event Subscription)

    Expected signal: Sysmon Event ID 19 (WMI Event Filter Activity): new filter created. WMI provider host (WmiPrvSE.exe) activity. The filter is stored in the WMI repository database, not as a file.
