Threat Actors may store data in "fileless" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage in Windows systems include the Windows Registry, event logs, or WMI repository. Shared memory directories on Linux systems (/dev/shm, /run/shm, /var/run, and /var/lock) and volatile directories on Network Devices (/tmp and /volatile) may also be considered fileless storage, as files written to these directories are mapped directly to RAM and not stored on the disk..
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.