title: Fileless Storage (T1027.011)
id: df00tech-t1027-011
status: experimental
description: "Adversaries may store data in fileless formats to conceal malicious activity from defenses. Fileless storage includes the Windows Registry, event logs, WMI repository, and on Linux, shared memory directories (/dev/shm, /run/shm) and volatile paths (/tmp). Windows Registry-based storage is widely used by malware including QakBot, ComRAT, ShadowPad, DarkWatchman, Turla, APT32, and Volgmer to store encrypted configurations, payloads, and C2 data. Linux malware including FritzFrog (FrogShell), Muhstik, and others abuse /dev/shm and /run/shm to store binaries that are executed directly from shared memory without writing to persistent disk storage."
references:
  - https://attack.mitre.org/techniques/T1027/011/
  - https://df00tech.com/detections/T1027.011
author: df00tech
date: 2026/04/13
tags:
  - attack.t1027.011
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Some legitimate software stores large Base64-encoded configuration or license data in registry values
  - Group Policy preferences that store Base64-encoded data in registry keys for computer configuration
  - Certificate enrollment and management software that stores certificate data in registry values
  - Backup and synchronization tools that cache serialized objects (sometimes Base64-encoded) in registry
level: high
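The rule above ships with a placeholder selection (`EventID: '*'`), so here is an added example of what the detection logic can look like when written out. It is not df00tech's rule or its KQL/SPL query. It scans constructed Sysmon Event ID 13 (RegistryEvent: SetValue) records for large, high-entropy Base64 values written to the registry, skips the kinds of keys the `falsepositives` section names (the exact allowlist prefixes are assumptions to tune per estate), and flags auditd-style execve records whose `exe` lives under /dev/shm, /run/shm or /tmp. The sample events and blob are constructed inline so it runs offline.

```python
import base64
import hashlib
import math
import re
from typing import Optional

MIN_BLOB_LEN = 256   # Base64 characters before a registry value counts as "large"
MIN_ENTROPY = 4.5    # bits/char: random Base64 text is ~5.9, "AAAA..." padding is ~0
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Keys where large encoded values are expected (allowlist drawn from the rule's
# falsepositives section; the concrete prefixes are assumptions, not vendor paths).
BENIGN_KEY_PREFIXES = (
    r"HKLM\SOFTWARE\Policies\Microsoft",             # Group Policy preference data
    r"HKLM\SOFTWARE\Microsoft\SystemCertificates",   # certificate stores
    r"HKCU\SOFTWARE\Microsoft\SystemCertificates",
)

# Volatile Linux locations named in the rule description.
VOLATILE_EXEC_PREFIXES = ("/dev/shm/", "/run/shm/", "/tmp/")


def shannon_entropy(text: str) -> float:
    """Bits per character; separates real encoded payloads from repetitive padding."""
    if not text:
        return 0.0
    counts: dict = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_encoded_blob(details: str) -> bool:
    """True for long, syntactically valid, high-entropy Base64 text."""
    if len(details) < MIN_BLOB_LEN or len(details) % 4 != 0:
        return False
    if not BASE64_RE.match(details):
        return False
    try:
        base64.b64decode(details, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return shannon_entropy(details) >= MIN_ENTROPY


def check_registry_event(ev: dict) -> Optional[dict]:
    """Sysmon Event ID 13 shape: TargetObject (key), Details (value), Image (writer)."""
    if ev.get("EventID") != 13:
        return None
    key = ev.get("TargetObject", "")
    if key.startswith(BENIGN_KEY_PREFIXES):
        return None  # known-benign consumer of large encoded registry data
    details = ev.get("Details", "")
    if not looks_like_encoded_blob(details):
        return None
    return {"technique": "T1027.011", "platform": "windows", "key": key,
            "image": ev.get("Image"), "length": len(details),
            "reason": "large high-entropy Base64 value written to registry"}


def check_linux_exec_event(ev: dict) -> Optional[dict]:
    """auditd-style SYSCALL/execve record (constructed shape): exe, comm, pid."""
    exe = ev.get("exe", "")
    if ev.get("type") != "SYSCALL" or ev.get("syscall") != "execve":
        return None
    if not exe.startswith(VOLATILE_EXEC_PREFIXES):
        return None
    return {"technique": "T1027.011", "platform": "linux", "exe": exe,
            "pid": ev.get("pid"), "reason": "binary executed from volatile/shared-memory path"}


def scan(events: list) -> list:
    """Run both checks over a batch of events and return the findings in order."""
    findings = []
    for ev in events:
        finding = check_registry_event(ev) or check_linux_exec_event(ev)
        if finding:
            findings.append(finding)
    return findings


def _constructed_blob() -> str:
    # Deterministic pseudo-random bytes (not a real payload) so the run is reproducible.
    raw = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(12))
    return base64.b64encode(raw).decode()


# Constructed sample events; none of these come from a real host.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\Public\update.exe",
     "TargetObject": r"HKCU\SOFTWARE\Classes\CLSID\{constructed}\cfg", "Details": _constructed_blob()},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\GPP\data", "Details": _constructed_blob()},
    {"EventID": 13, "Image": r"C:\Program Files\App\app.exe",
     "TargetObject": r"HKCU\SOFTWARE\App\Run", "Details": "1"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\SOFTWARE\App\pad", "Details": "A" * 512},  # padding, not a payload
    {"type": "SYSCALL", "syscall": "execve", "exe": "/dev/shm/.x", "comm": ".x", "pid": 4242},
    {"type": "SYSCALL", "syscall": "execve", "exe": "/usr/bin/ls", "comm": "ls", "pid": 4243},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f)
```

The entropy gate is what keeps this from paging on every long registry value: the 512-character run of `A` decodes as valid Base64 but has zero entropy, while the constructed blob scores near the ceiling for a 64-symbol alphabet. Allowlisting by key prefix rather than by writing process is deliberate, since the rule's false positives are about where legitimate software keeps encoded data, not which binary wrote it.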
