T1027.011 IBM QRadar · QRadar

Detect Fileless Storage in IBM QRadar

Adversaries may store data in fileless formats to conceal malicious activity from defenses. Fileless storage includes the Windows Registry, event logs, WMI repository, and on Linux, shared memory directories (/dev/shm, /run/shm) and volatile paths (/tmp). Windows Registry-based storage is widely used by malware including QakBot, ComRAT, ShadowPad, DarkWatchman, Turla, APT32, and Volgmer to store encrypted configurations, payloads, and C2 data. Linux malware including FritzFrog (FrogShell), Muhstik, and others abuse /dev/shm and /run/shm to store binaries that are executed directly from shared memory without writing to persistent disk storage.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1027 Obfuscated Files or Information
Sub-technique
T1027.011 Fileless Storage
Canonical reference
https://attack.mitre.org/techniques/T1027/011/

QRadar Detection Query

IBM QRadar (QRadar) AQL
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  username AS Username,
  QIDNAME(qid) AS EventName,
  "TargetObject" AS RegistryKey,
  "Details" AS RegistryValueData,
  STRLEN(COALESCE("Details", '')) AS DataLength,
  "Image" AS InitiatingProcess,
  CASE
    WHEN "Details" ILIKE '%4D5A%' OR "Details" ILIKE '%TVqQ%' THEN 'PE_MAGIC_BYTES'
    WHEN STRLEN(COALESCE("Details", '')) > 5000 THEN 'LARGE_BASE64_BLOB'
    ELSE 'SUSPICIOUS_KEY_PATH'
  END AS DetectionReason
FROM events
WHERE
  eventid = '13'
  AND (
    "Details" ILIKE '%4D5A%'
    OR "Details" ILIKE '%TVqQ%'
    OR "Details" ILIKE '%MZ%'
    OR (
      STRLEN(COALESCE("Details", '')) > 5000
      AND MATCHES("Details", '^[A-Za-z0-9+/=]+$')
    )
    OR LOWER(COALESCE("TargetObject", '')) LIKE '%shellcompatib%'
    OR LOWER(COALESCE("TargetObject", '')) LIKE '%printconfig%'
    OR LOWER(COALESCE("TargetObject", '')) LIKE '%microsoft\\drm%'
    OR LOWER(COALESCE("TargetObject", '')) LIKE '%applicationcontainer%'
    OR LOWER(COALESCE("TargetObject", '')) LIKE '%\\plus'
    OR LOWER(COALESCE("TargetObject", '')) LIKE '%gameconfiguration%'
  )
  AND LOWER(COALESCE("TargetObject", '')) NOT LIKE '%currentcontrolset\\services%'
  AND LOWER(COALESCE("TargetObject", '')) NOT LIKE '%winlogon%'
  AND starttime > NOW() - 86400000
ORDER BY DataLength DESC
Severity: High | Confidence: Medium

QRadar AQL detection for T1027.011 that queries Sysmon Event ID 13 (RegistryValueSet) events to identify PE magic bytes (MZ, 4D5A, TVqQ), large Base64-encoded blobs (more than 5000 characters), and writes to registry paths known to be abused for fileless payload storage by QakBot, Turla ComRAT, DarkWatchman, ShadowPad, and Volgmer. Results are ordered by data size so that the largest (most likely malicious) payloads surface first. Requires Sysmon deployed via WinCollect or a Universal DSM with Event ID 13 parsing.
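To check the rule's logic before it goes into QRadar, the following added example (not code from the page or from IBM) models the WHERE clause and the CASE labels of the query above in Python and runs them over constructed Sysmon Event ID 13 records. The field names TargetObject and Details mirror the custom properties the query reads; the sample values, the Contoso key paths and the 68-byte stand-in for a PE header are all made up. It also adds a confirmation step the AQL does not have: each value is decoded as text, hex and Base64, and an event is only confirmed when the bytes form a structurally valid PE image (MZ at offset 0 and the PE signature at the e_lfanew offset), which separates true payload writes from values that merely contain the substring "mz".

```python
import base64
import binascii
import re
import struct
from typing import Dict, List, Optional

# Mirrors the AQL WHERE/CASE logic. Field names follow the Sysmon custom
# properties the query reads ("TargetObject", "Details").
SUSPICIOUS_PATH_FRAGMENTS = (
    "shellcompatib", "printconfig", "microsoft\\drm",
    "applicationcontainer", "gameconfiguration",
)
EXCLUDED_PATH_FRAGMENTS = ("currentcontrolset\\services", "winlogon")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/=]+$")   # same class as the AQL MATCHES()
LARGE_BLOB_THRESHOLD = 5000


def classify(event: Dict) -> Optional[str]:
    """Return the DetectionReason the AQL CASE would assign, or None when the
    WHERE clause would not select the event."""
    if event.get("EventID") != 13:
        return None
    key = (event.get("TargetObject") or "").lower()
    details = event.get("Details") or ""
    if any(frag in key for frag in EXCLUDED_PATH_FRAGMENTS):
        return None
    upper = details.upper()                      # ILIKE is case-insensitive
    magic_hit = "4D5A" in upper or "TVQQ" in upper or "MZ" in upper
    large_b64 = len(details) > LARGE_BLOB_THRESHOLD and BASE64_RE.match(details) is not None
    path_hit = any(frag in key for frag in SUSPICIOUS_PATH_FRAGMENTS) or key.endswith("\\plus")
    if not (magic_hit or large_b64 or path_hit):
        return None
    if "4D5A" in upper or "TVQQ" in upper:
        return "PE_MAGIC_BYTES"
    if large_b64:
        return "LARGE_BASE64_BLOB"
    return "SUSPICIOUS_KEY_PATH"   # also reached by a bare '%MZ%' substring hit


def is_pe_image(blob: bytes) -> bool:
    """Stricter than a substring match: 'MZ' at offset 0 and the 'PE\\0\\0'
    signature at the e_lfanew offset stored at 0x3C."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_candidates(details: str):
    """Yield the decodings the AQL patterns imply: raw text, hex, Base64."""
    yield details.encode("latin-1", "ignore")
    compact = re.sub(r"[\s,]", "", details)
    if re.fullmatch(r"[0-9A-Fa-f]+", compact) and len(compact) % 2 == 0:
        yield bytes.fromhex(compact)
    if BASE64_RE.fullmatch(compact) and len(compact) % 4 == 0:
        try:
            yield base64.b64decode(compact, validate=True)
        except (binascii.Error, ValueError):
            pass


def confirmed_pe(event: Dict) -> bool:
    """True when some decoding of the value data is a structurally valid PE image."""
    return any(is_pe_image(b) for b in decode_candidates(event.get("Details") or ""))


def triage(events: List[Dict]) -> List[Dict]:
    """Apply the rule, attach the confirmation flag, largest value first
    (the AQL's ORDER BY DataLength DESC)."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason is not None:
            hits.append({"key": ev["TargetObject"], "reason": reason,
                         "confirmed_pe": confirmed_pe(ev),
                         "length": len(ev.get("Details") or "")})
    return sorted(hits, key=lambda h: h["length"], reverse=True)


def _build_fake_pe() -> bytes:
    """Constructed 68-byte header-only stand-in for a PE file (contains no code)."""
    buf = bytearray(0x44)
    buf[0:3] = b"MZ\x90"                       # Base64 of this prefix is 'TVqQ'
    struct.pack_into("<I", buf, 0x3C, 0x40)    # e_lfanew -> 0x40
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


FAKE_PE = _build_fake_pe()

# Constructed sample events (hypothetical key paths and values, not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": "HKCU\\Software\\Microsoft\\ShellCompatibility\\Applications\\x",
     "Details": base64.b64encode(FAKE_PE).decode()},
    {"EventID": 13, "TargetObject": "HKCU\\Software\\Contoso\\Settings",
     "Details": "Order ref: Mzantsi-2024"},
    {"EventID": 13, "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Svc\\ImagePath",
     "Details": "4D5A9000"},
    {"EventID": 13, "TargetObject": "HKLM\\SOFTWARE\\Contoso\\Agent\\Policy",
     "Details": "A" * 6000},
    {"EventID": 12, "TargetObject": "HKCU\\Software\\Microsoft\\PrintConfig", "Details": ""},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Running it shows the second sample ("Mzantsi") selected by the '%MZ%' clause and labelled SUSPICIOUS_KEY_PATH although its key path is unremarkable, while only the first sample passes the PE header confirmation; the excluded Services path and the Event ID 12 record are dropped as the WHERE clause intends.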

Data Sources

  • Microsoft Windows Sysmon via WinCollect Agent
  • Microsoft Windows Event Log DSM (Universal DSM with Sysmon parsing)
  • QRadar Log Source: Microsoft Sysmon

Required Tables

events

False Positives & Tuning

  • Legitimate Microsoft or third-party DRM software (Adobe Creative Cloud, PlayReady, Widevine) writing large encrypted license blobs to HKLM\SOFTWARE\Microsoft\DRM paths — triggers on both the key path pattern and potentially on large data size
  • Enterprise endpoint management agents (BigFix IEM, Tanium, SCCM) that serialize and store Base64-encoded configuration or policy blobs in HKLM or HKCU Software paths during agent check-ins or policy enforcement
  • Custom LOB applications that store application state, certificates, or encoded configuration payloads in registry keys with names that inadvertently match suspicious path patterns (e.g., applications with 'Plus' in their registry namespace)
  • The '%MZ%' clause matches any value whose text contains the letters "mz" in either case (ILIKE is case-insensitive), and such an event falls through the CASE expression to SUSPICIOUS_KEY_PATH even when the key path is unremarkable; if it generates noise, anchor that pattern to the start of the value or rely on the 4D5A/TVqQ checks alone

Testing Methodology

Validate this detection against the four Atomic Red Team test cases below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Store Base64-Encoded Payload in Registry (QakBot/Sibot Pattern)

    Expected signal: Sysmon Event ID 12 (Registry Key Creation): new key under HKCU\Software\Microsoft. Sysmon Event ID 13 (Registry Value Set): Config value with Base64 data. PowerShell ScriptBlock Log Event ID 4104: New-ItemProperty command with Base64 value.

  2. Test 2: Store Encrypted Configuration in Non-Standard Registry Path

    Expected signal: Sysmon Event ID 12/13: registry key and value creation at HKCU\Software\ApplicationContainer\Appsw64. The Appsw64 key path matches Valak malware's known storage location. Process creation for reg.exe.

  3. Test 3: Execute Binary from Linux Shared Memory (/dev/shm)

    Expected signal: Process creation events for cp, chmod, and /dev/shm/fileless_test. Auditd execve records showing execution from /dev/shm path. Process listing would show exe=/dev/shm/fileless_test for the running process.

  4. Test 4: WMI-Based Fileless Storage (Event Subscription)

    Expected signal: Sysmon Event ID 19 (WMI Event Filter Activity): new filter created. WMI provider host (WmiPrvSE.exe) activity. The filter is stored in the WMI repository database, not as a file.
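The AQL query above covers only the Windows registry side of T1027.011; Test 3 expects auditd execve records showing execution from /dev/shm, which the rule does not inspect. The following added example (not code from the page, from IBM or from Atomic Red Team) shows the matching detection logic for the Linux telemetry: it joins auditd SYSCALL and EXECVE records by serial number and flags executions whose binary lives under /dev/shm, /run/shm, /tmp or /var/tmp, plus the related case of a shell or script interpreter fed a script from one of those paths. The audit lines are constructed samples, and the script assumes an x86_64 host (arch=c000003e, where syscall 59 is execve and 322 is execveat); the syscall numbers differ on other architectures.

```python
import re
from typing import Dict, List

# Assumptions for this example: auditd with an execve rule on x86_64
# (arch=c000003e; syscall 59 = execve, 322 = execveat). Field names are the
# standard ones in SYSCALL and EXECVE records.
VOLATILE_PREFIXES = ("/dev/shm/", "/run/shm/", "/tmp/", "/var/tmp/")
INTERPRETERS = {"sh", "bash", "dash", "python", "python3", "perl", "php"}
EXECVE_SYSCALLS = {"59", "322"}

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MSG_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")


def parse_audit_line(line: str) -> Dict[str, str]:
    """Split one audit record into a dict; quoted values lose their quotes and
    the event serial number is exposed as 'serial'."""
    fields: Dict[str, str] = {}
    for key, value in FIELD_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    m = MSG_RE.search(line)
    if m:
        fields["serial"] = m.group(1)
    return fields


def in_volatile_path(path: str) -> bool:
    """True for a path inside a shared-memory or temporary directory."""
    return path.startswith(VOLATILE_PREFIXES)


def find_volatile_execs(lines: List[str]) -> List[Dict[str, str]]:
    """Join SYSCALL and EXECVE records by serial and flag executions whose
    binary lives in shared memory or tmp, or an interpreter given a script
    from there."""
    by_serial: Dict[str, Dict[str, Dict[str, str]]] = {}
    for line in lines:
        rec = parse_audit_line(line)
        if "serial" in rec and rec.get("type") in ("SYSCALL", "EXECVE"):
            by_serial.setdefault(rec["serial"], {})[rec["type"]] = rec

    alerts = []
    for serial in sorted(by_serial, key=int):
        sc = by_serial[serial].get("SYSCALL", {})
        ex = by_serial[serial].get("EXECVE", {})
        if sc.get("syscall") not in EXECVE_SYSCALLS:
            continue                         # not an exec; e.g. openat
        exe = sc.get("exe", "")
        # EXECVE arguments are a0, a1, ... ; order them numerically (a10 after a2).
        arg_keys = sorted((k for k in ex if re.fullmatch(r"a\d+", k)),
                          key=lambda k: int(k[1:]))
        args = [ex[k] for k in arg_keys]
        base = {"serial": serial, "pid": sc.get("pid", ""), "exe": exe,
                "argv": " ".join(args)}
        if in_volatile_path(exe):
            alerts.append({**base, "reason": "exe_in_volatile_path"})
        elif sc.get("comm") in INTERPRETERS and any(in_volatile_path(a) for a in args[1:]):
            alerts.append({**base, "reason": "interpreter_arg_in_volatile_path"})
    return alerts


# Constructed sample audit records (hypothetical pids and timestamps, not real logs).
SAMPLE_AUDIT_LINES = [
    'type=SYSCALL msg=audit(1700000000.123:4242): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1234 auid=1000 uid=1000 comm="fileless_test" exe="/dev/shm/fileless_test" key="exec"',
    'type=EXECVE msg=audit(1700000000.123:4242): argc=1 a0="/dev/shm/fileless_test"',
    'type=SYSCALL msg=audit(1700000001.500:4243): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1235 auid=1000 uid=1000 comm="ls" exe="/usr/bin/ls" key="exec"',
    'type=EXECVE msg=audit(1700000001.500:4243): argc=2 a0="ls" a1="/tmp"',
    'type=SYSCALL msg=audit(1700000002.000:4244): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1236 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="exec"',
    'type=EXECVE msg=audit(1700000002.000:4244): argc=2 a0="bash" a1="/tmp/stage.sh"',
    'type=SYSCALL msg=audit(1700000003.000:4245): arch=c000003e syscall=257 success=yes exit=3 ppid=1200 pid=1236 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="open"',
]

if __name__ == "__main__":
    for alert in find_volatile_execs(SAMPLE_AUDIT_LINES):
        print(alert)
```

On the sample records the /dev/shm execution from Test 3 and the interpreter run against /tmp/stage.sh are flagged, while `ls /tmp` (a listing, not an execution from the path) and the openat record are ignored. In QRadar the same conditions can be expressed against the Linux OS DSM's auditd events once the exe and argument fields are extracted as custom properties.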
