small align text-align-left refresh
Informational Series

What is Fileless Malware?

text_image_eight full_width

Featured Webinar

The Rise of Malware-less Attacks

The security industry is witnessing a rapid evolution in attack techniques—including advanced polymorphic malware and file-less attacks. In fact, according to the 2016 Verizon Data Breach Report, the majority of breaches (53%) involve no malware. Listen to Senior Analyst at Forrester Research, Chris Sherman, and Carbon Black’s VP, Product Management Paul Morville discuss new security threats and the need for a next generation of endpoint security.

Watch Now

basic_heading secondary align text-align-left color text-black refresh

Let’s Define Fileless Malware

text_image_eight full_width

Fileless malware refers to a cyberattack technique that uses existing software, allowed applications, and authorized protocols to carry out malicious activities.

Fileless malware sneaks in without using traditional executable files as a first level of attack like traditional malware. Rather than using malicious software or downloads of executable files as its primary entry point onto corporate networks, fileless malware often hides in memory or other difficult-to-detect locations. From there, it is written directly to RAM rather than to disk to execute a series of events, or is coupled with other attack vectors such as ransomware to accomplish its malicious intent.

And because fileless malware doesn’t write anything to disk like traditional malware does, it leaves no immediate trace of its existence behind and thus avoids detection by traditional antivirus security. Here are some potential attack scenarios of fileless malware that use commonplace software, applications, and protocols as a launching point for malicious activities:

  • A link in a legitimate-looking file loads into memory, and then remotely loads a script to go after confidential data that is sent back to the attacker.

  • Malicious code is injected into already installed applications – like Microsoft Word, Flash, Adobe PDF Reader, a web browser, or JavaScript – to target vulnerabilities and then execute malicious code.

  • Native system tools such as Microsoft Windows Management Instrumentation (WMI) and Microsoft PowerShell scripting languages that typically would be considered highly trusted, are targeted to get scripts to run remotely.

Once in, fileless malware can abuse legitimate system administration tools and processes to gain persistence, elevate privileges, and spread laterally across the network.


padding refresh
text_image_two refresh

What is a non-malware attack?

It's a term rising in prominence due its growing danger, but it's still leaving folks scratching their head trying to properly define. This episode of "The 101" provides a clear definition of what a non-malware attack is, along with a quick example to help explain exactly what it can do and why it is so dangerous today...

To view this and other episodes of "The 101" click here.

basic_heading secondary align text-align-left color text-black refresh

Security Personnel Are On High Alert

text_image_eight full_width

To get more insight into this increasingly pervasive attack method, Carbon Black recently interviewed over 400 security researchers who discussed non-malware attacks, artificial intelligence (AI) and machine learning (ML), among other topics.

padding refresh
three_up_bullets color bg-gray refresh

say their companies are experiencing an increasing number of fileless malware attacks


consider fileless malware attacks more threatening than traditional malware


of fileless malware attacks target customer data

text_image_eight full_width

The most common types of fileless attacks were:

  • Remote logins (55%)

  • WMI-based attacks (41%)

  • In-memory attacks (39%)

  • PowerShell-based attacks (34%)

  • Microsoft Office macros attacks (31%)

In addition to going after customer data, fileless malware attacks most commonly targeted corporate IP (53%), credentials (42%), and financial data (41%). Over half of fileless malware attacks we designed for service disruption.

What is Fileless Malware? Data Graphic
basic_heading secondary align text-align-left color text-black refresh

Industry Pulse: The Attacks Are Rapid-Fire and Intense

text_image_eight full_width

As seen above, fileless malware has security professionals on edge, for good reason. Fileless malware is relentless – and it’s growing rapidly.

basic_heading secondary align text-align-left color text-black refresh

The Answer: Monitor Event Streams To Uncover Malicious Intent

text_image_eight full_width

Because it doesn’t follow the typical known path traditional malware does, traditional antivirus solutions don’t stand a chance defending against fileless malware. In fact, in Carbon Black research, two thirds of security researchers said they were not confident legacy antivirus software could protect their organizations.

So what will work? The answer is to monitor a complete stream of events – how one individual event leads to and relates to another – to detect attackers leveraging these techniques

The underlying technology that supports these capabilities takes a fundamentally different approach than traditional antivirus software. It monitors the activity of users, applications and services, including related processes, inbound and outbound network traffic, requests to run applications, and changes to credentials or permission levels. In addition to monitoring each individual event, it keeps a record of what triggered it in the first place; this allows this streaming technology to not just monitor individual events on an endpoint, but rather monitor and analyze the relationships among them.

This naturally creates a high volume of data, which is why the cloud is an essential component to this approach. In the cloud, various analytic techniques like machine learning, behavioral analysis and event stream processing can be used to analyze the event streams, determine the risk of any given stream, and apply prevention policies against the stream should it exceed an acceptable level of risk.


text_image_eight full_width
Streaming Prevention Diagram

An unsuspecting employee visits a web page, loading Flash. But the website has been compromised, and a vulnerability in flash is exploited which invokes Powershell on the user’s machine. The attacker can do what he wishes without traditional antivirus detecting anything.

How can this be stopped?

  • Capture all events on the endpoint to see the full stream of activity

  • Tag each event to uncover the attack’s progression
  • Assess risk at every stage, blocking the attack when the threat is clear
text_image_eight full_width

Browsing the web, running Flash and invoking PowerShell are each, in their own right, viable and necessary events. However, when they appear as a stream of events, it becomes obvious that collectively they are being used in a fileless malware attack. This approach ultimately helps identify anomalous behavior that can then be tagged, flagged, and automatically shut down before attackers can carry out their harmful goals.

basic_heading secondary align text-align-left color text-black refresh

How to Detect and Deter Fileless Malware

To learn more about how to stop fileless malware attacks, access these resources:

resources refresh
basic_heading secondary align text-align-left color text-white refresh

Learn More About Carbon Black