You run a full Windows Defender scan. Clean. You check Task Manager. Nothing unusual. But your browser passwords just got exfiltrated, your banking session is being mirrored, and your PC is part of a botnet — all without a single malicious file ever touching your hard drive.

Welcome to fileless malware — the stealthiest, most dangerous category of cyberattack hitting Windows 11 users in 2026. According to recent threat intelligence, fileless attacks now account for over 40% of all enterprise breaches, and they’re increasingly targeting home users too.

This guide will show you exactly how fileless malware works, how to detect it using built-in Windows tools AND third-party scanners, how to surgically remove it, and — most importantly — how to prevent it from ever getting back in.

1. What Is Fileless Malware? (And Why Windows 11 Is a Prime Target)

Traditional malware works like this: an attacker delivers a malicious .exe, .dll, or script file to your computer. It lands on disk. Your antivirus scans it, recognises a known signature, and blocks it. Simple.

Fileless malware breaks this model entirely. Instead of writing anything to disk, it hijacks legitimate Windows processes and tools that are already on your computer — things like PowerShell, WMI (Windows Management Instrumentation), the Windows Registry, and even Microsoft Office macros — and runs entirely in RAM.

⚠ Critical Concept Because fileless malware never writes to disk, signature-based antivirus tools (the kind that check files against a database of known bad code) are almost completely blind to it. The malicious code lives only in your computer’s memory and disappears when you reboot — but not before doing serious damage.

Why Windows 11 Specifically?

Windows 11 introduced several powerful built-in scripting and automation tools — PowerShell 7, Windows Subsystem for Linux, improved WMI, and deeper COM object access. These are legitimate, useful features. But they also give attackers more native “living off the land” (LotL) tools to abuse.

  • PowerShell can download and execute code directly from the internet without writing a file
  • WMI allows remote execution and persistence across reboots via the WMI repository
  • The Windows Registry can store and execute encoded payloads
  • Scheduled Tasks can trigger memory injection on login
  • mshta.exe, regsvr32.exe, certutil.exe can all be weaponised to pull and run malicious code
“Fileless attacks represent the evolution of adversary tradecraft. They leverage the very tools defenders trust — which is what makes them so effective.” — GuardedWorker Threat Research, May 2026

2. How Fileless Malware Works: The 5 Most Common Attack Chains in 2026

Understanding the attack chain is essential for detection. Here are the five most prevalent fileless attack methods targeting Windows 11 users right now:

Attack Chain #1: Malicious PowerShell One-Liners

This is the #1 delivery vector. The user clicks a phishing link or opens a booby-trapped Office document. A macro silently runs a PowerShell command like this:

# What a fileless PowerShell dropper looks like:
powershell.exe -WindowStyle Hidden -EncodedCommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAg...
# The base64 string decodes to a full payload that runs in RAM
# and downloads the next-stage backdoor — no file ever touches disk
🔍 What this means for you PowerShell with -EncodedCommand or -WindowStyle Hidden flags in unexpected contexts is a massive red flag. Legitimate system admin tasks rarely need to hide their window.

Attack Chain #2: WMI Persistence (The Most Dangerous)

WMI subscriptions allow attackers to execute code every time a specific event occurs — like a user login, a new process starting, or a specific time. The payload is stored in the WMI repository, not the file system, making it invisible to directory scans.

# An attacker registers a persistent WMI event subscription:
wmic /namespace:\\root\subscription path __EventFilter CREATE ...
# This fires malicious PowerShell on every system boot
# and survives reboots — stored only in the WMI repo

Attack Chain #3: Registry-Based Payload Storage

Attackers store base64-encoded shellcode directly in Windows Registry keys (often under HKCU\Software or HKLM\Software\Microsoft\Windows\CurrentVersion\Run) and use a small stub loader — often a LOLBin like mshta.exe or regsvr32.exe — to decode and execute it from memory.

Attack Chain #4: Process Injection (Hollowing & Reflective DLL)

The attacker spawns a legitimate Windows process (e.g., explorer.exe, svchost.exe) in a suspended state, replaces its memory with malicious code, and resumes it. From the outside, you see a legitimate process name. Inside, it’s running malware.

Attack Chain #5: Living Off the Land Binaries (LOLBins)

Windows ships with dozens of binaries that can be abused to download and execute code: certutil.exe, bitsadmin.exe, msiexec.exe, installutil.exe, regasm.exe. Because these are signed Microsoft binaries, they often bypass application whitelisting.

3. Warning Signs You Have Fileless Malware Right Now

Since fileless malware doesn’t show up on disk scans, you need to look for behavioural indicators. Here are the most common signs:

  • PowerShell windows briefly flash on screen and disappear — especially around login
  • Windows Defender reports suspicious activity in powershell.exe or wscript.exe
  • Unusually high CPU or memory usage from svchost.exe or explorer.exe
  • Unexplained outbound network connections to unknown IPs (check with Netstat)
  • Browser saved passwords or autofill data suddenly gone or changed
  • New scheduled tasks you didn’t create (check Task Scheduler)
  • Unknown WMI event subscriptions present (covered in detection steps below)
  • Registry run keys with long base64 or obfuscated strings
  • Your antivirus suddenly disabled or unable to update
  • Accounts locked out, password change emails you didn’t trigger
🚨 Act Immediately If You see PowerShell spawned by Office applications (Word, Excel), by browser processes, or by mshta.exe. This is almost always malicious. Disconnect from the internet and proceed to the detection steps below.

4. How to Detect Fileless Malware Using Free Windows 11 Tools

Before spending money, run through these free detection methods. They use tools already installed on your Windows 11 system.

Method 1: Enable and Review PowerShell Script Block Logging

By default, Windows 11 does NOT log what PowerShell executes. You need to turn this on first. This will reveal any obfuscated or suspicious scripts that run — even if they leave no file on disk.

1
Enable PowerShell Script Block Logging via Group Policy

Press Win + R, type gpedit.msc, and hit Enter. Navigate to:

Computer Configuration → Administrative Templates
→ Windows Components → Windows PowerShell
→ Turn on PowerShell Script Block Logging → Enabled

Also enable Module Logging and Transcription on the same page. Then check logs at:

Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | 
Where-Object { $_.Id -eq 4104 } | 
Select-Object -First 20 | Format-List

Look for entries with ScriptBlockText containing base64 strings, DownloadString, IEX, Invoke-Expression, or Invoke-WebRequest.

2
Check for Suspicious WMI Subscriptions

Open PowerShell as Administrator and run:

# Check for persistent WMI event subscriptions
Get-WMIObject -Namespace root\subscription -Class __EventFilter
Get-WMIObject -Namespace root\subscription -Class __EventConsumer
Get-WMIObject -Namespace root\subscription -Class __FilterToConsumerBinding

On a clean Windows 11 machine, these should return nothing or very minimal results. Any CommandLineEventConsumer or ActiveScriptEventConsumer entries you don’t recognise are highly suspicious.

3
Audit Suspicious Registry Run Keys
# Check all four common persistence locations
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Get-ItemProperty "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
Get-ItemProperty "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"

Flag any entry that contains: long base64 strings, powershell, mshta, wscript, cscript, regsvr32, or anything pointing to a %TEMP% or %APPDATA% path.

4
Check for Suspicious Scheduled Tasks
# List all scheduled tasks and their actions
Get-ScheduledTask | Where-Object { $_.State -ne "Disabled" } |
Get-ScheduledTaskInfo | Select-Object TaskName, LastRunTime | Sort-Object LastRunTime -Descending

# Then inspect suspicious task actions:
(Get-ScheduledTask -TaskName "TASK_NAME_HERE").Actions
5
Use Sysinternals Autoruns (Free — Highly Recommended)

Download Microsoft Sysinternals Autoruns (free, from Microsoft). Run it as Administrator and check the Everything tab. Right-click any suspicious entry and select “Check VirusTotal” to scan it instantly. The WMI tab is especially important for fileless persistence.

6
Detect Process Injection with Process Hacker / System Informer

Download System Informer (successor to Process Hacker, free and open source). Look for:

  • Processes with suspicious parent-child relationships (e.g., Word spawning PowerShell)
  • Processes with memory regions marked RWX (read-write-execute) — a strong injection indicator
  • Legitimate process names with unusual network connections
  • DLLs loaded from unusual paths inside known processes

5. Best Paid Tools to Detect Fileless Malware in 2026

Free tools are great for forensics, but if you want real-time, always-on fileless malware protection, you need a modern next-gen antivirus (NGAV) with memory scanning and behavioural detection. Here are the top picks, all independently tested by GuardedWorker:

🥇 Best Overall

Bitdefender Total Security

★★★★★ 4.9/5

Bitdefender’s Advanced Threat Defense (ATD) module uses process behaviour monitoring and memory scanning that’s specifically tuned for fileless attacks. Consistently #1 in AV-TEST for fileless detection.

From $39.99/year (3 devices)

Read Full Review Get Deal →
🥈 Runner-Up

Malwarebytes Premium

★★★★★ 4.8/5

Excellent exploit and memory-injection protection. The Anti-Exploit layer specifically targets browser and Office-based fileless dropper attacks. Lightweight and fast on Windows 11.

From $44.99/year (1 device)

See Comparison Get Deal →

Norton 360 Deluxe

★★★★☆ 4.7/5

Strong SONAR behavioural detection catches PowerShell-based fileless attacks in real-time. Includes a built-in VPN and dark web monitoring. Great all-rounder for families.

From $49.99/year (5 devices)

Bitdefender vs Norton Get Deal →

CrowdStrike Falcon Go

★★★★★ 4.9/5

Enterprise-grade EDR now available to consumers. CrowdStrike is the gold standard for LotL and fileless detection. If you’ve been targeted by sophisticated attackers, this is the tool.

From $59.99/year (3 devices)

Get Deal →

Kaspersky Plus

★★★★☆ 4.6/5

Kaspersky’s System Watcher component and hypervisor-protected memory scanning provide strong fileless detection. Top scores from independent labs specifically for memory-based threats.

From $42.99/year (3 devices)

Get Deal →

Microsoft Defender for Endpoint

★★★★☆ 4.3/5

Windows 11’s built-in solution has improved significantly. Enable Attack Surface Reduction (ASR) rules and Tamper Protection for much better fileless coverage. Free — but you must configure it.

Free with Windows 11

See Setup Guide

Tool Comparison: Fileless Malware Detection Capabilities

Product Memory Scanning PowerShell Protection WMI Monitoring Process Injection Detection LOLBin Blocking Price/yr
Bitdefender Total Security✓ Yes✓ Yes✓ Yes✓ Yes✓ Yes$39.99
Malwarebytes Premium✓ Yes✓ Yes△ Partial✓ Yes✓ Yes$44.99
Norton 360✓ Yes✓ Yes△ Partial✓ Yes△ Partial$49.99
CrowdStrike Falcon Go✓ Yes✓ Yes✓ Yes✓ Yes✓ Yes$59.99
Kaspersky Plus✓ Yes✓ Yes✓ Yes✓ Yes△ Partial$42.99
Windows Defender (default)△ Limited△ Limited✗ No△ Limited△ LimitedFree
💡 GuardedWorker Pick For most Windows 11 home users, Bitdefender Total Security offers the best combination of fileless detection, performance, and price. For users who’ve experienced a targeted attack or handle sensitive financial/work data, step up to CrowdStrike Falcon Go.

More From GuardedWorker

Antivirus Review Best Antivirus for Windows 11 in 2026 Comparison Bitdefender vs Norton 2026: Which Is Actually Better? AI Security AI Phishing Protection Tools 2026 Threat Intel How Agentic AI Is Changing the Malware Landscape

6. Step-by-Step Fileless Malware Removal Guide for Windows 11

🚨 Before You Start If you suspect an active compromise, disconnect your PC from the internet immediately (disable Wi-Fi and unplug ethernet). This cuts off the attacker’s command-and-control connection and prevents further data exfiltration. Then proceed through the steps below.

Phase 1: Triage and Isolate

1
Document Current Network Connections

Before disconnecting, run this in an elevated PowerShell to capture the evidence:

# Log all active network connections to a file
netstat -ano | Out-File C:\forensics_netstat.txt
Get-Process | Select-Object Id, ProcessName, Path | Out-File C:\forensics_procs.txt
# Now disconnect from internet
2
Remove Malicious WMI Subscriptions

If you found suspicious WMI entries in your detection phase, remove them. Replace the names in quotes with your actual suspicious entry names.

# Remove a malicious WMI EventFilter
Get-WMIObject -Namespace root\subscription -Class __EventFilter | 
Where-Object { $_.Name -eq "SUSPICIOUS_NAME" } | Remove-WMIObject

# Remove the corresponding Consumer and Binding too
Get-WMIObject -Namespace root\subscription -Class __EventConsumer |
Where-Object { $_.Name -eq "SUSPICIOUS_NAME" } | Remove-WMIObject

Get-WMIObject -Namespace root\subscription -Class __FilterToConsumerBinding |
Remove-WMIObject
3
Delete Malicious Registry Run Keys
# Remove a suspicious registry run key (replace "KEYNAME" with actual name)
Remove-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "KEYNAME"

# Verify it's gone
Get-ItemProperty "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
4
Remove Malicious Scheduled Tasks
# Disable then delete a suspicious scheduled task
Disable-ScheduledTask -TaskName "SUSPICIOUS_TASK_NAME"
Unregister-ScheduledTask -TaskName "SUSPICIOUS_TASK_NAME" -Confirm:$false
5
Kill Injected Processes (Use System Informer)

In System Informer, right-click on any process showing suspicious injected code (highlighted in red or with RWX memory regions). Select Terminate. For processes that restart automatically (indicating a persistence mechanism), trace the restart source — usually a scheduled task or registry key you’ve already identified above.

Phase 2: Deep Scan and Clean

6
Run an Offline Scan with Windows Defender

Windows Defender Offline Scan runs before Windows loads, which means it can catch persistence mechanisms that hide during normal boot:

# Schedule an offline scan (will restart PC into scan mode)
Start-MpScan -ScanType BootSectorScan

# Or via Settings:
# Windows Security → Virus & Threat Protection
# → Scan Options → Microsoft Defender Antivirus Offline Scan
7
Run Malwarebytes Anti-Malware Free Scan

Download the free version of Malwarebytes as a second-opinion scanner. It’s complementary to your main AV. Run a Full Scan. Malwarebytes is exceptionally good at detecting rootkits and memory-resident threats that other tools miss.

8
Reset PowerShell Execution Policy and Audit Profiles
# Reset execution policy to default restricted
Set-ExecutionPolicy -ExecutionPolicy Restricted -Scope LocalMachine -Force
Set-ExecutionPolicy -ExecutionPolicy Restricted -Scope CurrentUser -Force

# Clear PowerShell history (may contain executed payloads)
Remove-Item (Get-PSReadLineOption).HistorySavePath -Force

Phase 3: Post-Compromise Recovery

9
Change ALL Passwords (From a Clean Device)

Assume every password stored in your browsers, password manager (if it was on the compromised PC), and email client has been exfiltrated. From a different, clean device:

  • Change your email account password first
  • Enable 2FA on all critical accounts (banking, email, work, cloud storage)
  • Notify your bank if you believe financial credentials were exposed
  • Use a new, dedicated password manager going forward — see our Best Password Manager 2026 guide
10
Consider a Full Windows Reset as Nuclear Option

If you cannot be certain you’ve found all persistence mechanisms, the safest option is a fresh Windows 11 install. Use Settings → System → Recovery → Reset this PC → Remove Everything and choose the “Cloud download” option to get a fresh Windows image. Back up your data first — but scan the backup before restoring it.

7. How to Prevent Fileless Malware: Hardening Windows 11

The best removal is prevention. Here’s how to make Windows 11 dramatically harder to compromise with fileless techniques — most of it is free.

Enable Attack Surface Reduction (ASR) Rules in Defender

ASR rules are Microsoft’s built-in set of behavioural controls specifically designed to block LotL and fileless attack techniques. They’re disabled by default. Enable them in PowerShell (admin):

# Enable the most important ASR rules for fileless attack prevention

# Block Office apps from spawning child processes (stops most macro droppers)
Add-MpPreference -AttackSurfaceReductionRules_Ids d4f940ab-401b-4efc-aadc-ad5f3c50688a -AttackSurfaceReductionRules_Actions Enabled

# Block execution of potentially obfuscated scripts
Add-MpPreference -AttackSurfaceReductionRules_Ids 5beb7efe-fd9a-4556-801d-275e5ffc04cc -AttackSurfaceReductionRules_Actions Enabled

# Block process creations originating from PSExec and WMI commands
Add-MpPreference -AttackSurfaceReductionRules_Ids d1e49aac-8f56-4280-b9ba-993a6d77406c -AttackSurfaceReductionRules_Actions Enabled

# Block credential stealing from lsass.exe
Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b0 -AttackSurfaceReductionRules_Actions Enabled

Constrained Language Mode for PowerShell

Constrained Language Mode severely limits what PowerShell can do, blocking most fileless attack techniques while still allowing legitimate administrative use:

# Enable Constrained Language Mode via registry
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -Name "__PSLockdownPolicy" -Value "4" -PropertyType String -Force

Quick Prevention Checklist

  • Enable ASR rules in Windows Defender (covered above)
  • Install a modern NGAV with memory scanning (Bitdefender, CrowdStrike)
  • Disable PowerShell for standard users via Group Policy
  • Enable PowerShell Script Block Logging and module logging
  • Keep Windows 11 and all software fully updated (patch Tuesday matters)
  • Never open Office macro-enabled documents unless you expected them
  • Use a password manager and enable 2FA on all accounts
  • Use a VPN on public Wi-Fi to prevent initial compromise vectors
  • Enable Windows Defender Tamper Protection (Settings → Windows Security)
  • Disable WMIC for standard users if not needed
  • Audit and restrict scheduled task creation permissions
  • Use Microsoft’s WDAC (Windows Defender Application Control) for advanced environments
🔒 Related: Stop the Infection Before It Starts Many fileless malware infections begin with phishing links clicked on public Wi-Fi or unsecured networks. A VPN adds an encrypted layer that prevents network-level compromise. See our picks in the Best VPN for Remote Work 2026 guide — or read the full What Is a VPN? guide if you’re new to VPNs.

8. FAQ: Fileless Malware on Windows 11

Will rebooting my PC remove fileless malware?
Sometimes — but usually not. Fileless malware that runs purely in RAM will be cleared on reboot. However, most sophisticated fileless malware uses persistence mechanisms (WMI subscriptions, Registry run keys, scheduled tasks) that survive reboots. Rebooting while having the right NGAV active can help detect the re-launch attempt, but it’s not a cure. Follow the removal steps in this guide.
Can Windows Defender detect fileless malware?
Windows Defender (Microsoft Defender Antivirus) has basic memory scanning and AMSI (Antimalware Scan Interface) integration with PowerShell, which catches some fileless threats. However, in independent tests, it significantly underperforms dedicated NGAV solutions like Bitdefender or CrowdStrike for fileless detection. Enabling ASR rules (detailed above) dramatically improves Defender’s coverage — but it requires manual configuration that most users never do.
How do I know if PowerShell was abused on my PC?
Enable Script Block Logging (Step 1 in the detection section) and review Event ID 4104 in the PowerShell Operational log. Look for commands containing IEX, Invoke-Expression, DownloadString, EncodedCommand, FromBase64String, or long base64 strings. Also check if powershell.exe was spawned by Office apps, browsers, or mshta.exe — that’s almost always malicious.
Is fileless malware on Windows 11 different from Windows 10?
The attack techniques are largely the same, but Windows 11 introduced additional legitimate scripting capabilities (deeper PowerShell 7 integration, improved WMI, Windows Subsystem for Linux) that expand the attack surface. On the defence side, Windows 11 has better Virtualization-Based Security (VBS) and Credential Guard by default on compatible hardware, which helps protect against some credential-theft variants of fileless attacks.
Can a VPN prevent fileless malware?
A VPN doesn’t prevent fileless malware directly, but it can prevent some initial delivery vectors — particularly on public Wi-Fi where attackers can perform man-in-the-middle attacks to inject malicious scripts. More relevantly, some fileless malware relies on outbound C2 (command-and-control) communication; a VPN doesn’t block this, but DNS-filtering VPNs (like NordVPN with Threat Protection or ExpressVPN with Threat Manager) can block known malicious domains. See our NordVPN Review or ExpressVPN Review for details.
What’s the fastest way to get protected right now?
Three steps you can do in the next 30 minutes: (1) Enable ASR rules in Windows Defender using the PowerShell commands in Section 7. (2) Enable PowerShell Script Block Logging via gpedit.msc. (3) Install Bitdefender Total Security or Malwarebytes Premium for real-time memory scanning. These three steps together stop the vast majority of fileless attacks targeting Windows 11 home users.
GW
GuardedWorker Editorial Team
Cybersecurity Research & Reviews
The GuardedWorker editorial team independently tests and reviews cybersecurity tools, covering antivirus, VPNs, password managers, and emerging threats. All product recommendations are based on hands-on evaluation. Learn about our process →
🛡 Stay Protected — Start Today

Don’t wait for an attack to take fileless malware seriously. Enable ASR rules now, consider upgrading to a memory-scanning NGAV, and stay informed with GuardedWorker’s ongoing threat coverage.

Find the Best Antivirus → Read More Guides

You Might Also Like

Antivirus Best Antivirus for Windows 11 in 2026 — Full Comparison Mobile Security Best Antivirus for Android in 2026 Password Security Best Password Manager 2026 — Tested & Ranked True Story I Got Hacked Using Public WiFi — Here’s What Happened Crypto Security Protecting Crypto Wallets from Hackers in 2026 VPN Best VPN for Remote Working in 2026