Threat Defense · 7 min read

Fileless Malware and LOLBins: Detecting Attacks That Leave No Files Behind

Living Off the Land attacks use legitimate system tools to evade antivirus. Learn how 1-SEC detects 40+ LOLBins, memory injection, and fileless malware techniques that traditional AV completely misses.

Threat Intelligence Team

Tags: fileless malware, LOLBins, Living Off the Land, endpoint security, open source antivirus, memory injection, MITRE ATT&CK

Why Traditional AV Can't See Fileless Attacks

Traditional antivirus watches for malicious files. It scans downloads, checks executables against signature databases, and quarantines known-bad binaries. This model worked when malware was a file you could find on disk.

Fileless malware doesn't write to disk. It executes entirely in memory using legitimate system processes. PowerShell, WMI, certutil, mshta, regsvr32 — these are built-in Windows tools that every sysadmin uses daily. When an attacker uses PowerShell to download and execute a payload in memory, your antivirus sees PowerShell doing its job. Nothing suspicious from a file-scanning perspective.

LOLBin Detection: Watching What, Not Who

Living Off the Land Binaries (LOLBins) are legitimate executables that can be abused for malicious purposes. 1-SEC's Runtime Watcher monitors 40+ LOLBins with MITRE ATT&CK IDs, watching not just for their execution but for the context of their execution.

Certutil downloading a file? Suspicious. Mshta executing an HTA from a remote URL? Almost certainly malicious. PowerShell with a base64-encoded command and -ExecutionPolicy Bypass? That's about as red as flags get. The detection is in the combination of the binary, its arguments, and its parent process — not just the binary itself.
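The binary-plus-arguments-plus-parent idea above, as an added example written for this post rather than 1-SEC's own Runtime Watcher code: a small rule set over constructed process-creation events, where the ATT&CK IDs are the public technique numbers for these binaries (an assumed mapping, not one taken from the product) and the parent process escalates the severity.

```python
import re
from dataclasses import dataclass

# Constructed process-creation event in the shape an endpoint sensor reports.
@dataclass
class ProcEvent:
    image: str     # executable name, e.g. "certutil.exe"
    cmdline: str   # full command line as launched
    parent: str    # parent executable name

# Parents that should rarely spawn these binaries (document readers, script hosts);
# seeing one raises the finding by one severity level.
RISKY_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe", "cscript.exe"}
LEVELS = ["low", "medium", "high", "critical"]

URL = re.compile(r"https?://", re.I)
# PowerShell accepts any unique prefix of -EncodedCommand (-e, -en, -enc, ...) and the
# -ec alias; -ExecutionPolicy (or its -ep / -ex... prefixes) plus "bypass" is the second signal.
ENCODED = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?(?=\s|$)", re.I)
BYPASS = re.compile(r"-e(?:p|x[a-z]*)\s+bypass", re.I)

def ps_score(c: str) -> int:
    """0 = nothing notable, 1 = one signal, 2 = encoded command AND policy bypass."""
    return int(bool(ENCODED.search(c))) + int(bool(BYPASS.search(c)))

# (image, ATT&CK technique, description, scorer over the command line, base severity).
# Score 0 means the binary is being used normally; each point above 1 escalates one level.
RULES = [
    ("certutil.exe", "T1105", "certutil fetching a remote file",
     lambda c: int("urlcache" in c.lower() and bool(URL.search(c))), "medium"),
    ("mshta.exe", "T1218.005", "mshta executing a remote HTA",
     lambda c: int(bool(URL.search(c))), "high"),
    ("powershell.exe", "T1059.001", "PowerShell encoded command / policy bypass",
     ps_score, "medium"),
]

def escalate(level: str, steps: int) -> str:
    return LEVELS[min(LEVELS.index(level) + steps, len(LEVELS) - 1)]

def detect(ev: ProcEvent) -> list:
    """Return findings for one event; an empty list means benign use of the binary."""
    findings = []
    for image, tid, desc, scorer, base in RULES:
        if ev.image.lower() != image:
            continue
        score = scorer(ev.cmdline)
        if score == 0:
            continue   # same binary, ordinary arguments: not a finding
        steps = (score - 1) + (1 if ev.parent.lower() in RISKY_PARENTS else 0)
        findings.append({"technique": tid, "severity": escalate(base, steps),
                         "reason": f"{desc} (parent {ev.parent})"})
    return findings
```

A plain `certutil -hashfile` or a PowerShell session run under the default policy produces no finding, which is the point: the same binary is benign or hostile depending on its arguments and on who launched it.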

Memory Injection Detection

Process hollowing, DLL injection, and reflective DLL loading are techniques that inject malicious code into legitimate processes. 1-SEC watches for the API call patterns that characterize these techniques — VirtualAllocEx + WriteProcessMemory + CreateRemoteThread is the classic injection chain.

Persistence Mechanism Detection

Fileless doesn't mean ephemeral. Attackers establish persistence through scheduled tasks, WMI event subscriptions, registry run keys, and systemd services. The Runtime Watcher monitors all common persistence locations and flags new entries that weren't created by known-good processes.

Defense in Depth Against the Invisible

Fileless attacks are invisible to file-based scanners. But they're not invisible to behavioral monitoring. They still make network connections, access files, and call system APIs. 1-SEC correlates these behavioral signals across modules — a LOLBin execution that triggers a network connection to a known C2 IP that coincides with a persistence mechanism being installed is a complete attack chain, detected and reported as a single correlated incident.

Try 1-SEC Today

Open source, single binary, 16 security modules. Download and run in under 60 seconds.