Detect Fileless Storage in Sumo Logic CSE
Adversaries may store data in fileless formats to conceal malicious activity from defenses. Fileless storage includes the Windows Registry, event logs and the WMI repository, and on Linux the shared-memory directories (/dev/shm, /run/shm) and volatile paths such as /tmp. Registry-based storage is documented for malware families and groups including QakBot, ComRAT, ShadowPad, DarkWatchman, Volgmer, Turla and APT32, which use it to hold encrypted configurations, payloads and C2 data. Linux malware including FritzFrog (FrogShell) and Muhstik abuses /dev/shm and /run/shm to hold binaries that are executed directly from shared memory without ever touching persistent disk storage.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1027 Obfuscated Files or Information
- Sub-technique: T1027.011 Fileless Storage
- Canonical reference: https://attack.mitre.org/techniques/T1027/011/
Sumo Detection Query
(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceName=*Sysmon*)
| where EventID = 13 OR EventCode = "13"
// Sysmon writes Image before TargetObject and Details in the Event 13 message body,
// so a single multi-line template in TargetObject/Details/Image order never matches.
// Parse each field on its own; nodrop keeps events where a field is absent.
| parse regex field=Message "Image: (?<Image>.+)" nodrop
| parse regex field=Message "TargetObject: (?<TargetObject>.+)" nodrop
| parse regex field=Message "Details: (?<Details>.+)" nodrop
| if (isNull(Details), "", Details) as Details
| if (isNull(TargetObject), "", TargetObject) as TargetObject
| length(Details) as DataLength
// PE header as hex text (4D5A), as the Base64 that "MZ\x90" encodes to (TVqQ), or as a bare MZ token
| if (matches(Details, "4D5A|TVqQ|\\bMZ\\b"), 1, 0) as IsPEInRegistry
// A single Base64 blob longer than 5000 characters
| if (DataLength > 5000 AND matches(Details, "^[A-Za-z0-9+/=]+$"), 1, 0) as IsLargeBase64
// Key names associated with known families (e.g. Valak's ApplicationContainer\Appsw64)
| if (matches(toLowerCase(TargetObject), "shellcompat|printconfig|microsoft\\\\drm|applicationcontainer|\\\\plus$|gameconfiguration|scconfig"), 1, 0) as IsSuspiciousKey
| where IsPEInRegistry = 1 OR IsLargeBase64 = 1 OR IsSuspiciousKey = 1
// Noise exclusion for service installs and Winlogon; this also hides payloads staged under those keys
| where !matches(toLowerCase(TargetObject), "currentcontrolset\\\\services|winlogon")
| fields _messageTime, _sourceHost, UserName, TargetObject, Details, Image, DataLength, IsPEInRegistry, IsLargeBase64, IsSuspiciousKey
| sort by DataLength desc

/* Linux fileless execution: run as a separate query against auditd/osquery data */
/*
(_sourceCategory=*linux* OR _sourceCategory=*audit* OR _sourceCategory=*osquery*)
| where matches(_raw, "/dev/shm|/run/shm|memfd_create|/tmp/\\.")
| where !matches(_raw, "python|java|node|nodejs|ruby|perl|dbus")
// auditd SYSCALL records carry the executable path as exe="..." and the process name as comm="..."
| parse regex field=_raw "exe=\"(?<exe>[^\"]+)\"" nodrop
| parse regex field=_raw "comm=\"(?<comm>[^\"]+)\"" nodrop
| fields _messageTime, _sourceHost, exe, comm, _raw
*/

The Windows query targets Sysmon Event ID 13 (RegistryValueSet) and flags three indicators of fileless payload staging: PE magic bytes in the value data (the hex text 4D5A, the Base64 prefix TVqQ that the bytes "MZ\x90" encode to, or a bare MZ token), a single Base64 blob longer than 5000 characters, and writes to registry key paths associated with known malware families. Fields are parsed from the "Field: value" lines of Sysmon's Message text; if your collector delivers events as JSON or XML, map the same fields from that structure instead. The final exclusion drops the whole CurrentControlSet\Services hive and the Winlogon keys to suppress service-installation noise, which also means payloads staged under those keys are never alerted on. The commented secondary search covers Linux fileless execution from /dev/shm, /run/shm and hidden /tmp paths and must be run as its own query.
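The three registry checks from the query, re-implemented in Python over constructed Sysmon Event ID 13 messages so the logic can be exercised offline. This is an added example, not code from the page or from Sumo Logic. The sample events, the PE stub bytes and the decode-and-inspect step (a heuristic that base64-decodes Details and looks for MZ within the first 16 bytes, which the in-stream query cannot do) are assumptions of the example, not part of the query.

```python
"""Registry fileless-staging checks over constructed Sysmon Event ID 13 messages.
Mirrors the Sumo query's flags and adds a decode-and-inspect heuristic (DecodedPE).
All events below are constructed for illustration, not real telemetry."""
import base64
import re

LARGE_BLOB = 5000
PE_TEXT = re.compile(r"4D5A|TVqQ|\bMZ\b")
B64_ONLY = re.compile(r"^[A-Za-z0-9+/=]+$")
SUSPICIOUS_KEY = re.compile(
    r"shellcompat|printconfig|microsoft\\drm|applicationcontainer|\\plus$|gameconfiguration|scconfig")
EXCLUDED_KEY = re.compile(r"currentcontrolset\\services|winlogon")


def parse_event13(message: str) -> dict:
    """Sysmon 'Registry value set' body is one 'Field: value' per line, with Image
    listed before TargetObject and Details, so every field is parsed independently."""
    fields = {}
    for line in message.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def decoded_pe(details: str) -> bool:
    """Heuristic (assumption of this example, not in the Sumo query): decode Details
    as Base64 and look for an MZ header in the first 16 bytes. A short tag or length
    prefix shifts Base64 alignment so 'TVqQ' never appears in the encoded text."""
    try:
        blob = base64.b64decode(details, validate=True)
    except ValueError:  # binascii.Error is a ValueError: not Base64 at all
        return False
    return blob.find(b"MZ", 0, 16) != -1


def evaluate(message: str) -> dict:
    """Return the query's flags (IsPEInRegistry, IsLargeBase64, IsSuspiciousKey) plus
    DecodedPE, and an Alert that also honours the Services/Winlogon exclusion."""
    ev = parse_event13(message)
    details = ev.get("Details", "")
    target = ev.get("TargetObject", "").lower()
    flags = {
        "IsPEInRegistry": int(bool(PE_TEXT.search(details))),
        "IsLargeBase64": int(len(details) > LARGE_BLOB and bool(B64_ONLY.match(details))),
        "IsSuspiciousKey": int(bool(SUSPICIOUS_KEY.search(target))),
        "DecodedPE": int(decoded_pe(details)),
    }
    flags["Alert"] = int(any(flags.values()) and not EXCLUDED_KEY.search(target))
    return flags


def sysmon_event(image: str, target: str, details: str) -> str:
    """Constructed Event ID 13 message body in Sysmon's field order."""
    return "\n".join([
        "Registry value set:",
        "RuleName: -",
        "EventType: SetValue",
        "UtcTime: 2024-05-01 10:00:00.000",
        "ProcessGuid: {8a2e6f10-0000-0000-0000-000000000000}",
        "ProcessId: 4242",
        "Image: " + image,
        "TargetObject: " + target,
        "Details: " + details,
        "User: LAB\\alice",
    ])


# Constructed DOS-header prefix: MZ, e_cblp=0x90, e_cp=3, e_crlc=0, e_cparhdr=4, ...
PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00\xb8\x00"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
HKU = r"HKU\S-1-5-21-1"

SAMPLES = {
    # Service install: would be noisy, so the exclusion suppresses it.
    "service_imagepath": sysmon_event(r"C:\Windows\System32\services.exe",
                                      r"HKLM\System\CurrentControlSet\Services\Svc\ImagePath",
                                      r"C:\Program Files\Svc\svc.exe"),
    # Valak-style key path: fires on IsSuspiciousKey alone.
    "valak_key": sysmon_event(r"C:\Windows\System32\reg.exe",
                              HKU + r"\Software\ApplicationContainer\Appsw64\Config", "dGVzdA=="),
    # Base64 PE at offset 0: the text 'TVqQ' appears, IsPEInRegistry fires.
    "aligned_pe": sysmon_event(PS, HKU + r"\Software\Microsoft\Stage\Payload",
                               base64.b64encode(PE_STUB).decode()),
    # One prefix byte shifts alignment: no 'TVqQ'/'4D5A'/'MZ' in the text, only DecodedPE sees it.
    "prefixed_pe": sysmon_event(PS, HKU + r"\Software\Microsoft\Stage\Payload",
                                base64.b64encode(b"\x01" + PE_STUB).decode()),
    # Large encoded application state: the false-positive class described under tuning.
    "large_state": sysmon_event(r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
                                HKU + r"\Software\Example\State",
                                base64.b64encode(b"A" * 6000).decode()),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, evaluate(msg))
```

The prefixed_pe case is the one worth remembering: a single leading byte in the stored blob defeats all three text patterns, so any alert on a large Base64 value should be followed by decoding it and checking for a PE header rather than trusting the absence of TVqQ.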
False Positives & Tuning
- Windows Content Delivery Manager and feature-update mechanisms that temporarily store encoded payload manifests in non-standard HKLM or HKCU Software subkeys during OS update staging.
- Enterprise security products (CrowdStrike, Carbon Black, Cylance) that write encrypted scan results, quarantine metadata or configuration blobs to HKCU\Software\ApplicationContainer or similar paths, which trip both the key-path pattern and the size threshold.
- Electron-based desktop applications (VS Code, Slack, Microsoft Teams, Obsidian) that persist Base64-encoded state, session tokens or workspace configuration in HKCU\Software subkeys; these values routinely exceed 5000 characters. Allow-listing by Image (the writing process) is usually a safer tuning than raising the threshold.
- In the Linux query, the interpreter exclusion is applied to the whole record rather than to the executable path, so any record that mentions python, java, node, ruby, perl or dbus is dropped, including an execve of a binary in /dev/shm that has been renamed after an interpreter. Note also that every auditd PATH record carries an inode= field, which the substring node matches, so PATH records are suppressed wholesale.
Testing Methodology
Validate this detection against four test cases modelled on Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Store Base64-Encoded Payload in Registry (QakBot/Sibot Pattern)
Expected signal: Sysmon Event ID 12 (Registry Key Creation): new key under HKCU\Software\Microsoft. Sysmon Event ID 13 (Registry Value Set): Config value with Base64 data. PowerShell ScriptBlock Log Event ID 4104 (requires Script Block Logging): New-ItemProperty command with the Base64 value. Only the IsLargeBase64 branch of the query applies to this pattern, so the stored value must exceed 5000 characters for the query to return the event; a short Base64 string under HKCU\Software\Microsoft matches none of the three conditions.
- Test 2: Store Encrypted Configuration in Non-Standard Registry Path
Expected signal: Sysmon Event ID 12/13: registry key and value creation at HKCU\Software\ApplicationContainer\Appsw64. The Appsw64 key path matches Valak malware's known storage location and fires the IsSuspiciousKey condition regardless of value size. Process creation for reg.exe.
- Test 3: Execute Binary from Linux Shared Memory (/dev/shm)
Expected signal: Process creation events for cp, chmod and /dev/shm/fileless_test. auditd execve records showing execution from the /dev/shm path (an execve rule such as -a always,exit -F arch=b64 -S execve -k exec must be loaded for these to exist). A process listing would show exe=/dev/shm/fileless_test for the running process. This test is covered only by the commented Linux query, not by the Windows query above; the cp and chmod events themselves match nothing, only the execve of the /dev/shm binary does.
- Test 4: WMI-Based Fileless Storage (Event Subscription)
Expected signal: Sysmon Event ID 19 (WMI Event Filter Activity): new filter created; a complete subscription also produces Event ID 20 (consumer) and 21 (filter-to-consumer binding). WMI provider host (WmiPrvSE.exe) activity. The filter is stored in the WMI repository database, not as a file. The query above inspects Event ID 13 only, so this test validates that WMI telemetry is being collected rather than producing an alert from this query.
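The Linux side of the detection, as an added example that is not code from the page: constructed auditd records (not real telemetry) are run through the commented query's whole-line matching and through an exec-focused variant that keys on the SYSCALL record's exe= field, to show what each catches for Test 3's /dev/shm/fileless_test, for a binary renamed after an interpreter, and for a memfd-backed executable. Assumed here, and not stated on the page: x86_64 syscall numbers (59 execve, 322 execveat) and the "/memfd:name (deleted)" form that exe= takes for memfd executables; confirm both on your own kernel and auditd build.

```python
"""Linux fileless-execution checks over constructed auditd records.
query_as_written mirrors the commented Sumo query; exec_from_volatile_path keys on exe=."""
import re

SHM_PATTERN = re.compile(r"/dev/shm|/run/shm|memfd_create|/tmp/\.")
NOISY_PATTERN = re.compile(r"python|java|node|nodejs|ruby|perl|dbus")
KV_PATTERN = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption: x86_64 numbers; auditd with -i prints the names instead.
EXEC_SYSCALLS = {"59", "322", "execve", "execveat"}


def parse_audit_record(line: str) -> dict:
    """Split an auditd record into key/value pairs, dropping quotes around values."""
    return {k: v.strip('"') for k, v in KV_PATTERN.findall(line)}


def query_as_written(line: str) -> bool:
    """Whole-line path match, whole-line interpreter exclusion: the commented query."""
    return bool(SHM_PATTERN.search(line)) and not NOISY_PATTERN.search(line)


def exec_from_volatile_path(line: str) -> bool:
    """Flag only execve/execveat SYSCALL records whose executable is in shared memory,
    a hidden /tmp entry, or an anonymous memfd. No interpreter exclusion: a process
    name like 'java' is no reason to trust an exe under /dev/shm.
    The '/memfd:' exe= form is an assumption of this example."""
    rec = parse_audit_record(line)
    if rec.get("type") != "SYSCALL" or rec.get("syscall") not in EXEC_SYSCALLS:
        return False
    exe = rec.get("exe", "")
    return bool(SHM_PATTERN.search(exe)) or exe.startswith("/memfd:")


SYSCALL = ('type=SYSCALL msg=audit(1714560000.{ms}:{ser}): arch=c000003e syscall={nr} '
           'success=yes exit=0 ppid=4100 pid={pid} auid=1000 uid=1000 '
           'comm="{comm}" exe="{exe}" key="exec"')

# Constructed records, not real telemetry.
SAMPLES = {
    # Test 3: the binary copied to /dev/shm and executed.
    "shm_binary": SYSCALL.format(ms=101, ser=201, nr=59, pid=4101,
                                 comm="fileless_test", exe="/dev/shm/fileless_test"),
    # Same staging, binary renamed after an interpreter: the whole-line exclusion drops it.
    "masquerading_java": SYSCALL.format(ms=102, ser=202, nr=59, pid=4102,
                                        comm="java", exe="/dev/shm/java"),
    # memfd_create + execveat: the string 'memfd_create' never appears in the exec record.
    "memfd_exec": SYSCALL.format(ms=103, ser=203, nr=322, pid=4103,
                                 comm="x", exe="/memfd:x (deleted)"),
    # Hidden directory under /tmp.
    "hidden_tmp": SYSCALL.format(ms=104, ser=204, nr=59, pid=4104,
                                 comm=".x", exe="/tmp/.cache/.x"),
    # PATH record for a shared-memory file; 'inode=' contains 'node', so the
    # exclusion silently drops every PATH record.
    "python_shm_file": ('type=PATH msg=audit(1714560000.105:205): item=1 '
                        'name="/dev/shm/psm_6c0e1a2b" inode=2 dev=00:18 mode=0100600 '
                        'ouid=1000 ogid=1000 nametype=CREATE'),
    # Ordinary interpreter start from disk: nothing should fire.
    "benign_node": SYSCALL.format(ms=106, ser=206, nr=59, pid=4106,
                                  comm="node", exe="/usr/bin/node"),
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:18} query={query_as_written(line)!s:5} exec={exec_from_volatile_path(line)}")
```

Running it shows the two blind spots the whole-line query has for Test 3 variants (the renamed binary and the memfd exec) while the exec-focused check stays quiet on the interpreter started from /usr/bin.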
References
- https://attack.mitre.org/techniques/T1027/011/
- https://learn.microsoft.com/microsoft-365/security/intelligence/fileless-threats
- https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/
- https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-3-binary-executed-from-shared-memory-directory.html
- https://www.akamai.com/blog/security-research/fritzfrog-botnet-new-capabilities-log4shell