Detection and neutralization of a fileless RAM attack with UnderDefense


The UnderDefense team detected a highly sophisticated fileless attack that operated entirely in RAM, bypassing traditional security systems. Through in-depth process analysis and memory telemetry, specialists identified malicious code hidden within an ASP.NET application, neutralizing the threat before it could cause any damage to the client’s infrastructure. This case highlights the critical importance of visibility into process memory and real-time monitoring of application activity.

Background

In November, the UnderDefense team received an alert about suspicious activity on one of a client’s production servers. The EDR system detected that the IIS process (w3wp.exe) was repeatedly loading a .NET file (webengine4.dll), which represented an unusual behavior pattern. This activity did not resemble a typical system error — the signals were “vague” and difficult to interpret without context.
The main challenges were:
● The attack left no traces on disk,
● All activity occurred entirely in RAM,
● Traditional forensic tools could not effectively detect it,
● The code executed without being written to disk, complicating analysis.
Such attacks are known as fileless attacks because the malicious code does not reside on disk and executes only in process memory. These techniques are particularly difficult to detect and often bypass conventional defense mechanisms.

How the breach occurred

The attack leveraged the ASP.NET ViewState mechanism — a built-in ASP.NET feature that persists page state between HTTP requests. Although ViewState is protected with machine keys, many environments use the same publicly known keys, creating a potential vulnerability.
The attackers exploited these public machine keys to:
● Forge ViewState objects,
● Inject and execute their own .NET code without writing to disk,
● Hide within the IIS process memory, mimicking normal system behavior.

Key detection challenges

The client environment faced several obstacles:

● EDR alerts were ambiguous — high load in .NET modules appeared as normal system behavior,
● There were no disk traces of the attack (no files, no webshells),
● Traditional logging and analysis tools did not capture this activity,
● RAM was not monitored at the application process level.


The UnderDefense specialists acted in several critical steps:

  • Deep process and memory telemetry analysis

    Focused on tracking memory behavior and application process activity, even if it appeared normal at the server level.

  • System component integrity verification

    Confirmed that the webengine4.dll module was authentic and intact, directing the investigation toward injected code in RAM.

  • Support and context through global behavioral analysis

    Using tools and behavioral insights visible across other systems (LogScale and dedicated queries), they were able to confirm subtle, malicious changes in memory.

  • Attack extraction and identification

    Applied dedicated detection rules and queries to identify the presence of malicious .NET components within process memory.

Results and client benefits

● The attack was detected and neutralized before escaping RAM and before any privilege escalation could occur.
● Weak points in ViewState configuration that enabled the attack were identified and remediated.
● ASP.NET MachineKey rotation was implemented, immediately preventing reuse of this technique.
● Advanced memory monitoring rules were deployed, increasing visibility and reducing the risk of future attacks.
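As an added example of the configuration weakness and the MachineKey remediation described above (not part of the UnderDefense case or its tooling): a small audit of a web.config `<machineKey>` that flags publicly known or legacy settings and emits fresh keys for rotation. The `KNOWN_PUBLIC_KEYS` set, the `enableViewStateMac` check and the sample config are constructed placeholders; a real check would load a published key compilation.

```python
import re
import secrets
import xml.etree.ElementTree as ET

# Constructed stand-in: a real check would load published key compilations here.
KNOWN_PUBLIC_KEYS = {"0123456789ABCDEF" * 8}
WEAK_VALIDATION = {"MD5", "SHA1", "3DES", "AES"}   # legacy machineKey validation values
WEAK_DECRYPTION = {"DES", "3DES"}
HEX = re.compile(r"[0-9A-Fa-f]+")

def audit_machine_key(web_config: str) -> list[str]:
    """Return findings for the ViewState-relevant settings in a web.config document."""
    root = ET.fromstring(web_config)
    findings = []
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: forged ViewState is not rejected")
    mk = root.find("./system.web/machineKey")
    if mk is None:          # no element: AutoGenerate,IsolateApps defaults apply
        return findings
    for attr, min_hex in (("validationKey", 128), ("decryptionKey", 64)):
        value = mk.get(attr, "AutoGenerate,IsolateApps")
        if value.upper().startswith("AUTOGENERATE"):
            continue        # per-machine generated key, cannot be publicly shared
        if value.upper() in KNOWN_PUBLIC_KEYS:
            findings.append(f"{attr} matches a publicly known key: rotate immediately")
        elif not HEX.fullmatch(value) or len(value) < min_hex:
            findings.append(f"{attr} is static and not {min_hex}+ hex chars")
    if mk.get("validation", "HMACSHA256").upper() in WEAK_VALIDATION:
        findings.append(f"validation={mk.get('validation')} is a legacy algorithm")
    if mk.get("decryption", "Auto").upper() in WEAK_DECRYPTION:
        findings.append(f"decryption={mk.get('decryption')} is a legacy cipher")
    return findings

def generate_machine_key() -> str:
    """Build a fresh <machineKey> for rotation: 64-byte HMACSHA256 key, 32-byte AES key."""
    return (f'<machineKey validationKey="{secrets.token_hex(64).upper()}" '
            f'decryptionKey="{secrets.token_hex(32).upper()}" '
            'validation="HMACSHA256" decryption="AES" />')

# Constructed web.config fragment showing the weak pattern described in the case study.
WEAK_CONFIG = f"""<configuration><system.web>
  <pages enableViewStateMac="false" />
  <machineKey validationKey="{'0123456789ABCDEF' * 8}" decryptionKey="ABCD1234"
              validation="SHA1" decryption="3DES" />
</system.web></configuration>"""

if __name__ == "__main__":
    for finding in audit_machine_key(WEAK_CONFIG):
        print("FINDING:", finding)
    print("rotate to:", generate_machine_key())
```

Rotating keys invalidates in-flight ViewState and forms-authentication tickets, so roll them out across all nodes of a farm together.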

UnderDefense

UnderDefense is a global cybersecurity company that helps organizations build resilient defenses against modern digital threats. Combining expert knowledge, innovative technologies, and in-depth risk analysis, UnderDefense offers a full range of services – from preventive measures to 24/7 monitoring and incident response.

Schedule a demo and learn more

To schedule a personalized demonstration, partner training, or pilot project, please contact the Business Development Manager at Oberig IT – Krystian Hofman.