Threats and vulnerabilitiesAdvanced27 min read

What Is Fileless malware? Security Definition

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security

This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.

On This Page

Quick Definition

Fileless malware is a cyberattack that doesn’t install a program file on your computer. Instead, it lives in your computer’s memory and uses trusted tools that are already on your system, like PowerShell or Windows Script Host. Because it doesn’t write a file to the hard drive, normal antivirus software often can’t see it. It is hard to detect and can steal data or spread without leaving obvious traces.

Commonly Confused With

Fileless malwarevsTrojan

A Trojan is a malicious program that disguises itself as a legitimate file. It typically writes a file to disk and requires the user to execute it. Fileless malware does not write a file to disk; it runs entirely in memory using built-in tools. A Trojan leaves a file that can be scanned; fileless malware does not.

A Trojan might appear as a free game installer that actually installs malware as a .exe file. Fileless malware would instead run a PowerShell command hidden in a Word macro that loads malicious code into memory.

Fileless malwarevsPolymorphic malware

Polymorphic malware changes its code signature each time it replicates to avoid signature-based detection, but it still exists as a file on disk. Fileless malware does not need to change its signature because it never writes a file to disk at all.

Polymorphic malware morphs its own file code like a chameleon changing colors. Fileless malware is like a ghost that never has a body to scan.

Fileless malwarevsRootkit

A rootkit is designed to hide the presence of other malware, often by modifying the operating system kernel or system drivers. It may install files or drivers. Fileless malware does not hide other malware; it is the attack itself, and it does not typically modify the kernel.

A rootkit might hide a malicious driver file. Fileless malware would use the system’s own PowerShell to execute code and avoid creating any file to hide.

Fileless malwarevsBootkit

A bootkit infects the master boot record (MBR) or UEFI firmware to load before the operating system. It persists on disk or in firmware. Fileless malware does not infect boot components; it operates after the OS is loaded, using administrative tools in memory.

A bootkit is like a squatter living in the foundation of a house. Fileless malware is like a guest using the furniture that is already in the house.

Fileless malwarevsRansomware

Ransomware typically encrypts files on disk and leaves a ransom note as a file. Fileless ransomware does exist, but it still uses memory-based techniques to perform encryption and communication. Most ransomware is file-based, whereas fileless malware is broader and may not involve encryption.

Traditional ransomware writes encrypted files and a note.txt. Fileless ransomware would encrypt files using a script loaded into memory and display a ransom message via a legitimate tool like Mshta.

Fileless malware appears directly in 15exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on CompTIA CySA+. Practise them →

Must Know for Exams

Fileless malware is a high-priority topic across multiple IT certification exams, particularly those focused on security, cloud administration, and identity management. For the CompTIA Security+ (SY0-601 and SY0-701) exam, fileless malware appears under Objective 2.4 (Indicators of compromise) and Objective 4.2 (Implementing security measures). You may be asked to identify the characteristics of fileless malware, distinguish it from traditional malware, or recommend detection methods. Expect multiple-choice questions that describe a scenario where an antivirus scan finds nothing but suspicious PowerShell activity is detected, asking you to identify the attack type as fileless malware.

For the CompTIA CySA+ (CS0-002 or CS0-003), fileless malware is deeply integrated into the behavioral analytics and threat detection domain. You will need to understand how to analyze logs from PowerShell, WMI, and process creation events to identify fileless attacks. Questions may present a set of logs with anomalous cmdlet usage and ask you to determine the attack vector or the best course of action. The CySA+ exam also emphasizes memory forensics, so understanding how to use Volatility or similar tools to analyze memory dumps for fileless artifacts is beneficial.

In the ISC2 CISSP exam, fileless malware falls under Domain 7 (Security Operations) and Domain 4 (Identity and Access Management). The exam tests your ability to understand attack methods and design controls to mitigate them. You may see questions about living-off-the-land techniques, script-based attacks, and how to apply security controls like least privilege and application whitelisting to prevent fileless malware. The CISSP is conceptual, so you need to understand the broader strategy for defense.

For Microsoft-related exams like MD-102 (Endpoint Administrator), MS-102 (Microsoft 365 Administrator), and SC-900 (Security, Compliance, and Identity Fundamentals), fileless malware is relevant to understanding modern cyber threats against Microsoft platforms. The MD-102 exam covers endpoint security configurations such as attack surface reduction rules, Windows Defender Application Control, and PowerShell execution policies. The MS-102 exam tests your ability to configure Microsoft 365 Defender and investigate incidents involving fileless malware. The SC-900 exam expects a foundational understanding of common attack types, including fileless malware, as part of the security concepts domain.

For the Azure Administrator (AZ-104) exam, fileless malware is not a primary objective, but you may encounter it in context of securing Azure VMs with Microsoft Defender for Cloud. Understanding how fileless attacks can affect virtual machines will help you answer questions about enabling Defender for Cloud plans or interpreting security alerts. The AWS Solutions Architect (AWS-SAA) exam also touches on fileless malware indirectly through concepts like EC2 security groups, IAM roles, and the shared responsibility model, but it is not a core objective.

Common question patterns are scenario-based. You may be given a description of an attack where no unusual files were found but a user’s account was compromised and data was exfiltrated. The correct answer choice might be “fileless malware” or “script-based attack.” Other questions may ask you to identify the best mitigation, such as restricting PowerShell execution, enabling script block logging, or using endpoint detection and response (EDR). It is crucial to know that fileless malware is often associated with PowerShell, WMI, and registry persistence. Examiners love to use this term in distractor answers, so you must also be able to distinguish it from file-based malware, worms, or Trojans.

Simple Meaning

Think of your computer as a locked office building. Traditional malware is like a burglar who sneaks in through a window, sets up a hidden toolbox in a closet, and leaves that toolbox there for later use. Security guards can find the toolbox by checking every closet and drawer. Fileless malware is more like a burglar who convinces an employee to let them borrow the employee’s own keys and badge. The burglar never brings in any of their own tools; they just use what is already in the building, the office stapler, the printer, the conference room whiteboard, to cause damage. After the attack, they walk out, and the employee puts the keys back. There is no toolbox to find because the burglar never left anything physical behind.

In technical terms, fileless malware operates entirely in the computer’s random access memory (RAM). It does not write executable files to the hard drive. Instead, it exploits trusted system utilities that are built into the operating system, such as PowerShell, Windows Management Instrumentation (WMI), or the .NET framework. These tools are meant for system administrators to manage computers, but attackers misuse them to download payloads into memory, run malicious scripts, and carry out commands. Because these tools are already considered safe by security software, the malicious activity often goes unnoticed.

Another way to understand fileless malware is to compare it to a ghost. A ghost can move through walls and make things happen without anyone seeing its body. It uses the house’s own electricity and plumbing to create effects. In the same way, fileless malware uses the computer’s own memory and legitimate processes to operate. It doesn’t need to install a separate “body” file. This ghost-like nature makes it extremely difficult for traditional antivirus programs to catch, because those programs are designed to scan files on the hard drive, not the active memory.

Fileless malware often starts with a phishing email or a malicious website. When a user clicks a link or opens an attachment, a small script runs in memory. That script connects to a remote server controlled by the attacker, downloads more instructions, and then uses PowerShell to execute further commands. All of this happens without any file being saved to the hard drive. The attacker can steal credentials, move across the network, encrypt data for ransomware, or even take full control of the system. Because the activity looks like normal administrative work, it can evade detection by both antivirus and even some advanced endpoint detection tools.

Understanding fileless malware is important because it represents a shift in how cyberattacks work. Attackers have realized that instead of creating new malicious files that antivirus can fingerprint, they can exploit what is already on the system. This makes their attacks more stealthy and more successful. For IT professionals, especially those studying for security certifications, this concept is critical. It changes how you think about defense: instead of just blocking bad files, you must also monitor behavior, restrict legitimate tools, and use memory analysis to catch attacks in progress.

Full Technical Definition

Fileless malware refers to a category of malicious activity that does not rely on traditional executable files stored on disk. Instead, it operates entirely within the memory space of a computer, leveraging legitimate system administration tools and processes to execute its objectives. This technique is also known as memory-based malware or non-malware attack. The core of fileless malware lies in its ability to execute code without writing a persistent file to the file system, thereby bypassing signature-based detection mechanisms used by most antivirus and endpoint protection platforms.

The primary components of a fileless malware attack include an initial infection vector, a memory-based payload, and a living-off-the-land (LotL) methodology. The initial infection vector often involves social engineering, such as a phishing email containing a malicious document with embedded macros, or a drive-by download from a compromised website. Once the user interacts with the vector, a small piece of code, typically written in PowerShell, VBScript, or JavaScript, is loaded directly into memory. This code then reaches out to a command-and-control (C2) server over HTTP or HTTPS to download additional scripts or instructions, all of which remain in RAM.

Living-off-the-land refers to the use of built-in operating system tools that are already present and trusted. In Windows environments, common tools exploited include PowerShell, Windows Management Instrumentation (WMI), Windows Script Host (WSH), Mshta (the HTML Application host), and Regsvr32 (which registers DLLs). Attackers use these tools because they are digitally signed by Microsoft and are often allowed by security software to run without restrictions. For example, an attacker can use PowerShell to execute a script that performs reconnaissance, downloads a secondary payload, or modifies registry keys for persistence, all without ever writing a .ps1 file to disk. The script is loaded directly into PowerShell’s memory space.

Fileless malware can also leverage reflective DLL injection, where a DLL is loaded into a process’s memory without using the standard Windows loader. This technique avoids creating a file on disk and bypasses security tools that monitor file system writes. Another method is the use of WMI event subscriptions, which allow an attacker to set up a trigger that runs a malicious script whenever a specific event occurs, such as a user logging in. The WMI repository itself is a database stored on disk, but the scripts are often encoded and executed from memory.

Persistence mechanisms for fileless malware are also fileless. Instead of adding a startup program to the registry or creating a scheduled task that points to a file, attackers may write malicious scripts directly into the registry hive. These scripts are stored as registry values and executed by legitimate tools like PowerShell or Mshta at startup. For example, a registry run key might contain a PowerShell command as its value data. Because the value is not a traditional file, many antivirus scanners overlook it. This technique is known as registry-based persistence.

Detection of fileless malware requires a different approach than traditional antivirus. Since there is no file to scan, security professionals must rely on behavioral analysis, memory forensics, and logging of command execution. Tools like Microsoft Defender for Endpoint, Sysmon, and process monitor can capture command-line arguments, network connections, and process creation events. Anomalous behavior such as PowerShell spawning unknown network connections, WMI being used to create suspicious processes, or Mshta executing script from the internet are red flags. Memory analysis tools like Volatility can dump and analyze the contents of RAM to find malicious code that never touched the disk.

In cloud environments, such as those relevant to the AWS Solutions Architect (AWS-SAA) and Azure Administrator (AZ-104) exams, fileless malware can target virtual machines through insecure configuration, like unpatched software or overly permissive IAM roles. Attackers may use PowerShell remoting or WMI over WinRM to move laterally within a cloud environment without deploying files. In Microsoft 365 environments, fileless techniques can be used to compromise user accounts through phishing and then abuse PowerShell to extract mailbox data or run phishing campaigns from within the tenant. The SC-900 and MS-102 exams emphasize understanding these attack vectors and the corresponding security controls, such as conditional access policies and identity protection.

The technical challenge of combating fileless malware has led to the development of next-generation antivirus (NGAV) solutions that combine machine learning, behavior monitoring, and heuristics. These tools do not rely solely on file signatures but analyze process behavior in real time. Attack surface reduction rules, such as blocking PowerShell from running from the internet or restricting script execution policies, can mitigate many fileless attacks. IT professionals must also implement application whitelisting, enforce least privilege, and keep systems updated to reduce the risk of fileless malware.

Real-Life Example

Imagine you want to prank your friend by rearranging the furniture in their house while they are away. You have two approaches. The first approach is to bring a crowbar, a screwdriver, a hammer, and a set of new nails from your own tool shed. You break into the house, put the new furniture layout together using your tools, and leave the crowbar and hammer under the couch. That is traditional malware, you brought in foreign objects that can be found later. The second approach, which is fileless malware, is much smarter. Instead of bringing your own tools, you get your friend’s spare key from under the mat (that is the initial access). You walk in and use only the items already in the house: a broom handle to lever the couch, a kitchen knife to cut the rug, and your friend’s own furniture sliders to move the table. After you finish, you put everything back exactly where it was. Your friend comes home and sees the furniture has moved but finds no hammer or crowbar. They might suspect something happened, but they cannot prove it because all the tools used belong to the house.

Now map this to computers. The attacker gets initial access through a phishing email, the spare key. Once inside, they do not download a malicious .exe file (their own crowbar). Instead, they run a PowerShell script that uses the operating system’s built-in capabilities to connect to a remote server, download additional instructions into memory, and execute commands. They might use WMI to create a process that reads registry values to find stored passwords. All these actions use programs that are already on the computer and are considered safe. The antivirus software, which is looking for foreign objects like a crowbar, sees only the legitimate tools in use. The attack runs in memory (the living room) and never touches the hard drive (the tool shed). Even if the user reboots, the malicious code is gone from memory, but the attacker may have set up a registry key that runs a script at startup, bringing the attack back into memory without ever writing a file.

This analogy also illustrates why traditional defenses fail. If you search the house for a crowbar, you will not find one because it was never there. Similarly, antivirus scans the hard drive for malicious files and finds nothing. Only by watching the behavior, noticing that the broom handle was used to pry the couch, or that the kitchen knife was used to cut the rug, can you detect the attack. In IT, this means monitoring command-line activity, network connections from PowerShell, and unusual process creation. The fileless malware is harder to identify because it acts like a legitimate user using legitimate tools.

Why This Term Matters

Fileless malware matters because it represents a fundamental shift in the threat landscape. Traditional malware relied on writing files to disk, which allowed signature-based antivirus to detect and block it. Fileless malware bypasses this entire detection model. For IT professionals, this means that the security tools and practices that worked five years ago are no longer sufficient. You cannot depend solely on antivirus to protect your systems. You must adopt a defense-in-depth strategy that includes behavior monitoring, application control, least privilege, and logging.

In practical terms, fileless malware is often the first stage of a larger attack. Attackers use it to gain a foothold, then move laterally to compromise other systems, escalate privileges, and exfiltrate data. Because fileless attacks are difficult to detect, they can remain active for weeks or months. For organizations, this means increased risk of data breaches, ransomware, and financial loss. For individuals studying IT certifications, understanding fileless malware is not optional; it is core knowledge for exams like Security+, CySA+, and CISSP. These exams test not only what fileless malware is, but also how to defend against it, detect it, and respond to it.

fileless malware is relevant across many domains. In cloud computing, attackers use fileless techniques to exploit misconfigured cloud resources without leaving forensic artifacts in storage. In enterprise networks, fileless malware can abuse trusted administrative tools to move from one system to another. In Microsoft 365, attacks may begin with a fileless phishing payload that compromises a user’s session. IT generalists and security specialists alike need to know how to configure defenses such as restricting PowerShell execution policies, enabling logging, and using endpoint detection and response (EDR) tools. Without this knowledge, you leave your organization vulnerable to attacks that most security tools cannot see.

How It Appears in Exam Questions

In certification exams, fileless malware appears primarily in scenario-based multiple-choice questions. A typical scenario might describe a company where users received a phishing email with an Excel attachment. One user opened the attachment and enabled macros. Later, the security team noticed that PowerShell started running on the user’s machine even though no one initiated it. The PowerShell process connected to an external IP address. Antivirus scans showed no malicious files. The question then asks: What type of attack is this? Options might include: A) Fileless malware, B) Worm, C) Ransomware, D) Logic bomb. The correct answer is A.

Another common question pattern involves detection. You might see a question like: “A security analyst notices that a built-in Windows tool is making outbound connections to an unknown IP address. The tool is digitally signed by Microsoft and no malicious files exist on the disk. Which tool is most likely being abused?” Options include PowerShell, command prompt, Notepad, or Registry Editor. The answer is PowerShell, and the question tests your knowledge of living-off-the-land techniques.

There are also troubleshooting-type questions, especially in the MD-102 exam. For example: “An organization deploys Windows Defender Antivirus, but some machines are still compromised. Logs show that WMI was used to execute scripts from memory. What should the administrator do to reduce the risk of fileless attacks?” The correct answer might be “Enable attack surface reduction rules” or “Restrict PowerShell script execution to only signed scripts.” These questions require you to know the specific configuration changes that mitigate fileless threats.

In more advanced exams like CySA+, you may be presented with a log excerpt. For example: Event ID 4104 (PowerShell script block logging) shows a script that decodes a base64 string and then runs a command to download an executable from a remote server. The question asks: “Which detection method would most reliably identify this activity?” The answer might be “Behavioral analysis using EDR” or “Monitoring for suspicious PowerShell script blocks.” These questions test your ability to read logs and connect the dots.

Finally, in SC-900, the question might be simpler: “Which type of malware operates entirely in memory and does not write any files to the hard drive?” This is a straightforward definition question. The key is to not confuse it with other memory-only threats like rootkits (which often modify the kernel) or bootkits (which infect the boot process). Fileless malware is specifically about using legitimate administrative tools to run malicious code in memory.

Practise Fileless malware Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

You are a security analyst for a medium-sized company. One morning, you receive an alert from your endpoint detection system. The alert says that a user’s workstation initiated a PowerShell process that connected to an IP address known to be associated with command-and-control servers. You immediately investigate. When you check the user’s file system, you find no suspicious files. The antivirus logs show no detections. The user says they received an email earlier yesterday from what looked like their HR department, asking them to review an updated benefits document. The user opened the Word document that came with the email. They didn’t notice anything unusual, and the document appeared to be empty. They closed it and went back to work.

You examine the Word document using a sandbox. You find that the document contained a malicious macro. When the user opened the document and accepted the prompt to enable content (a common trick), the macro executed. But instead of downloading a malicious file to the disk, the macro used a built-in Windows utility called mshta.exe to run a script that loaded a PowerShell command directly into memory. That PowerShell command connected to the external IP address, downloaded additional instructions, and began scanning the user’s system for sensitive data. The attacker was now inside the network without ever dropping a file onto the hard drive.

You also check the registry and find that the attacker added a value in HKCU\Software\Microsoft\Windows\CurrentVersion\Run that contains a PowerShell command. This means that every time the user logs in, the fileless malware will launch again from memory without needing the original document. You disable the registry key, terminate the PowerShell process, and block the IP address at the firewall. You also escalate the incident to your incident response team because the attacker may have moved laterally to other systems using the same fileless technique. This scenario is a classic example of a fileless malware attack that begins with a phishing email and uses native tools to avoid detection.

Common Mistakes

Thinking fileless malware means no code runs at all

Fileless malware still executes code, but the code runs in memory and uses built-in system tools rather than being saved as a separate file on disk. It is not harmless; it is just harder to detect.

Remember that ‘fileless’ refers to the absence of a malicious file on disk, not the absence of malicious code execution. The code is there, but it is loaded into memory from scripts, registry values, or network streams.

Believing fileless malware only affects Windows systems

While Windows is the most common target due to tools like PowerShell and WMI, fileless techniques can also be used against Linux and macOS systems using bash scripts, Python, and other scripting environments.

Understand that any operating system with powerful scripting capabilities and built-in administrative tools is potentially vulnerable to fileless attacks. The concept is platform-agnostic.

Assuming fileless malware cannot persist across reboots

Fileless malware can achieve persistence by storing malicious scripts in the registry, WMI event subscriptions, or scheduled tasks that call scripts from the registry. These persistence mechanisms do not require traditional executable files.

Recognize that persistence can be fileless too. Attackers use registry keys, WMI filters, and other non-file locations to re-launch the malicious code after a reboot.

Confusing fileless malware with a rootkit

A rootkit typically modifies the operating system kernel or system files to hide its presence, often installing drivers or kernel modules. Fileless malware does not modify kernel components; it uses user-mode administrative tools and runs in memory without altering system files.

Think of rootkits as hiding malware by changing the OS itself, while fileless malware hides by not writing anything to disk at all. They are different techniques with different detection challenges.

Thinking traditional antivirus alone can stop fileless malware

Traditional antivirus relies on file signatures to detect known malicious files. Since fileless malware does not create a file on disk, antivirus has nothing to scan. Behavioral protection or EDR is needed.

Use a layered defense that includes behavioral monitoring, PowerShell logging, execution policies, and application whitelisting. Traditional AV is not sufficient.

Believing fileless malware always requires a phishing email to start

Phishing is a common vector, but fileless malware can also be delivered through drive-by downloads, malicious advertisements, USB devices, or even manually by an attacker who already has remote access.

Know that fileless malware can have many initial access vectors. The defining characteristic is not how it gets in, but how it executes and persists without writing files.

Exam Trap — Don't Get Fooled

{"trap":"If you see a scenario where no malicious files are found on disk, but suspicious PowerShell or WMI activity is detected, the exam will try to trick you into thinking the system is clean or that it's a false positive.","why_learners_choose_it":"Because antivirus shows no detections, and the built-in tools are legitimate, learners might assume the alert is a false positive or that the system is not infected. They may think that without a file, there is no threat."

,"how_to_avoid_it":"Always consider fileless malware when you see evidence of legitimate scripting tools running malicious commands. The absence of files on disk does not mean the system is clean. Look for network connections, unusual command-line arguments, and registry-based persistence as indicators."

Step-by-Step Breakdown

1

Initial Access

The attacker gains entry to the system, often through a phishing email, a malicious website, or a compromised USB drive. This triggers the first execution of code, typically a macro or script.

2

Script Execution in Memory

The macro or script runs without saving to disk. It uses a legitimate system tool like Microsoft Word macro or Windows Script Host to execute code directly in the computer’s RAM.

3

Living off the Land

The script invokes a built-in administrative tool, most commonly PowerShell. This tool is digitally signed and allowed by security software, so it runs without raising an alert.

4

Staging and C2 Communication

PowerShell connects to a remote command-and-control (C2) server over HTTP or HTTPS to download additional instructions or payloads. These payloads remain in memory and are not saved as files.

5

Adversary Actions

Using the downloaded scripts, the attacker performs actions such as credential theft via Mimikatz loaded in memory, network reconnaissance, lateral movement, or data exfiltration.

6

Memory-Based Persistence

To survive a reboot, the attacker writes a malicious PowerShell command into a registry run key, or creates a WMI event subscription that triggers the script at startup. The script itself is not a file, but a command stored in the registry.

7

Detection Evasion

Because no files are written to disk and the tools used are legitimate, traditional antivirus does not detect the attack. The attacker covers their tracks by deleting event logs or using encrypted communication.

8

Cleanup or Continuous Operation

The attacker may clean up by removing registry keys or WMI subscriptions after the objective is achieved, leaving no forensic evidence on disk. Alternatively, they maintain persistent access using fileless methods.

Practical Mini-Lesson

To effectively deal with fileless malware in a real-world IT environment, professionals need to move beyond the mindset of purely file-based detection. The first practical step is to enable comprehensive logging. On Windows systems, PowerShell script block logging (Event ID 4104) should be enabled through Group Policy. This captures every PowerShell command executed, including those that are passed as inline strings. Similarly, enable audit process creation logging (Event ID 4688) to capture command-line arguments. These logs are essential for detecting suspicious usage of legitimate tools. Without them, fileless attacks are invisible.

Next, restrict the execution of scripting tools. Set PowerShell execution policy to “Restricted” or “AllSigned” where possible. For users who do not need PowerShell, disable it via AppLocker or Windows Defender Application Control (WDAC). Attack surface reduction (ASR) rules can block specific behaviors, such as blocking Office macros from creating child processes, blocking PowerShell from running from the internet, or blocking JavaScript or VBScript from executing downloaded content. These rules are available in Microsoft Defender for Endpoint and can be configured via Intune or Group Policy.

Network-level controls are also vital. Since fileless malware relies on C2 communication, egress filtering is critical. Only allow outbound traffic to known, approved destinations. Use a proxy or DNS filtering solution to block connections to malicious domains. Implement application whitelisting so that only authorized scripts and executables can run. This limits the ability of attackers to abuse tools like Mshta or Regsvr32.

For incident response, memory analysis is key. If a system is suspected of having fileless malware, do not immediately shut it down. Instead, capture a memory dump using tools like DumpIt or FTK Imager. Analyze the dump with Volatility to identify suspicious processes, network connections, and injected code. Look for processes that spawned from Office applications or have unusual command-line arguments. For example, a Word process spawning PowerShell is a strong indicator of fileless malware. Always check for encoded commands, as attackers often use base64 encoding to hide their scripts.

What can go wrong? The most common failure is assuming that fileless malware is not a threat because no files are detected. Organizations often rely solely on antivirus and do not invest in behavioral monitoring or memory forensics. Another mistake is not restricting administrative tools, leaving PowerShell and WMI wide open for attackers. Regular patch management is also important, as many initial access vectors exploit unpatched software. Fileless malware is a sophisticated threat, but with proper logging, restrictions, and monitoring, it can be detected and neutralized.

Memory Tip

Think “No file, no signature, but still malicious.” Remember the acronym LAW: Legitimate tools, Anti-forensic (no file), Writes to memory only.

Learn This Topic Fully

This glossary page explains what Fileless malware means. For a complete lesson with labs and practice, see the topic guide.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

SY0-601SY0-701(current version)

Related Glossary Terms

Frequently Asked Questions

Can fileless malware be detected by antivirus?

Traditional signature-based antivirus cannot detect fileless malware because it does not write files to disk. Some next-generation antivirus solutions use behavioral analysis and machine learning to detect fileless malware by monitoring for suspicious behavior like PowerShell making outbound connections.

Is fileless malware only a Windows problem?

No, fileless malware can also affect Linux and macOS systems by abusing built-in scripting tools like bash, Python, or AppleScript. However, Windows is the most common target because of the prevalence of PowerShell and WMI.

How does fileless malware persist after a reboot?

Fileless malware can persist by storing malicious scripts in the Windows registry, using WMI event subscriptions, or creating scheduled tasks that run commands from the registry or from network locations without writing files to disk.

What is a common initial access vector for fileless malware?

Phishing emails are the most common vector. An email may contain a Word document with a malicious macro that, when enabled, downloads and executes a PowerShell script in memory without saving any file.

How can organizations defend against fileless malware?

Defenses include restricting PowerShell execution policy, enabling script block logging, using application whitelisting, implementing attack surface reduction rules, and deploying endpoint detection and response (EDR) solutions that monitor behavior.

What is the difference between fileless malware and a macro virus?

A macro virus writes itself to a template or document file and infects other documents. Fileless malware uses macros only as a delivery mechanism but does not write a virus file; the malicious code runs in memory using other tools like PowerShell.

Is fileless malware more dangerous than traditional malware?

Fileless malware is often considered more dangerous because it is harder to detect and can evade traditional antivirus. It also tends to have a smaller footprint, making forensic analysis more challenging.

Can fileless malware be removed by resetting the PC?

Yes, a full OS reinstall will remove fileless malware because it relies on memory and registry entries that are wiped during a clean install. However, if the malware persists in firmware or backup images, it may survive.