The Scenario

Sterling & Associates is a 200-attorney law firm specializing in intellectual property litigation, managing cases worth $3B+ in contested assets. On January 22, 2026, at 8:47 AM, the IT Security Lead, James Chen, noticed anomalous PowerShell processes across multiple workstations in his automated endpoint-security dashboard. Processes like powershell.exe were spawning unusual child processes and making registry modifications at 2:14 AM—hours when no legitimate users were active. He immediately escalated to the Chief Information Security Officer.

The investigation revealed that 300 of the firm's 340 workstations had been compromised by fileless malware: malicious code executed entirely in memory, with no binary written to disk. Traditional antivirus software reported zero infections on every single infected machine. The malware used WMI event subscriptions for persistence: a permanent WMI event subscription, triggered each time a user logged in, automatically executed a PowerShell payload, re-infecting system memory even after IT rebooted the machines.

The attack vector was a sophisticated spear-phishing campaign. On January 18, 2026, at 11:33 AM, 147 lawyers received an email purporting to be from the State Bar Association with the subject "2026 Ethics Update & Mandatory Compliance Form." The email contained a PDF file titled "Professional_Responsibility_2026.pdf" (6.2 MB). When opened in Adobe Reader, the PDF exploited a known vulnerability to execute a PowerShell script. The script, disguised as a Windows system diagnostic check, downloaded and executed a second-stage payload that established remote access trojan (RAT) capabilities and began exfiltrating email credentials via HTTPS to an attacker-controlled server.

By the time the breach was discovered on January 22, the attackers had already harvested email credentials for 287 users, including the firm’s managing partners, finance director, and all senior litigation attorneys. The attackers had accessed attorney-client privileged communications, draft legal strategies, settlement negotiations, and confidential business information worth millions. The crime fit the profile of corporate espionage targeting high-value litigation cases.

The initial remediation attempt was catastrophic. IT assumed traditional malware removal would work and tried to clean systems using standard antivirus tools. This failed because the malware left no files on disk to remove. The firm had to engage a digital-forensics firm and incident-response specialists to develop custom detection tools. Over the course of a week, they manually examined the WMI repository on each machine, identified the malicious subscriptions (event consumers referencing powershell.exe, stored in the WMI permanent repository), and removed them. Complete remediation required rebuilding 300 workstations from clean backup images and deploying EDR/XDR software on every endpoint.

What Went Right

  • Behavioral monitoring detected abnormal PowerShell activity: The firm’s endpoint security tool was monitoring process execution patterns, not just file hashes. This behavioral approach flagged the 2:14 AM PowerShell executions immediately, enabling rapid detection despite the malware’s fileless nature.

  • Incident response team engaged forensic specialists quickly: Rather than trying to fix the problem with in-house IT knowledge, management immediately engaged external digital-forensics and incident-response specialists who understood fileless malware techniques. This cut the investigation time from weeks to days.

  • Comprehensive forensic analysis preserved evidence: The forensic team created forensically sound images of all infected systems before remediation, enabling potential law enforcement investigation and attribution analysis later.

  • EDR deployment replaced legacy antivirus: Post-incident, the firm deployed Endpoint Detection and Response tools on every workstation. These tools monitor behavior (process trees, registry modifications, network connections, PowerShell script execution) rather than relying on static file signatures, which fileless malware never generates.

What Could Go Wrong

  • Traditional antivirus is completely ineffective against fileless malware: File-signature-based detection cannot catch code that never touches disk. The firm's $400K annual antivirus investment provided zero protection. Many organizations still rely solely on traditional AV, unaware that fileless malware, worm, and trojan attacks often use memory-based execution.

  • PowerShell has excessive default permissions for sensitive operations: By default, PowerShell scripts can query WMI, modify the registry, access the network, and create scheduled tasks without elevation. Application allowlisting policies that restrict PowerShell to approved scripts, or Constrained Language Mode, which prevents dynamic code execution, could have blocked the initial payload execution.

  • WMI subscriptions are invisible to non-specialized tools: Standard Windows system administration tools don’t display WMI event subscriptions prominently. The malware hid persistence in a location that IT staff wouldn’t discover through routine patching and reboots. A network-monitoring system watching for unsigned PowerShell execution or registry changes to HKLM\SOFTWARE\Classes\CLSID\ would have detected the persistence mechanism.

  • Email security filter had no EDR/XDR-style behavioral context: The PDF attachment passed through the email security gateway with no behavioral execution testing. A sandbox-based gateway that detonates PDFs in an isolated environment would have triggered the exploit and blocked the delivery.

  • No security awareness training on spear-phishing indicators: The email was convincingly crafted as an official Bar Association communication. Had the firm conducted monthly spear-phishing simulations and training, staff might have verified the sender domain (which was state-bar.fake-domain.com, not the official .org) before opening the attachment.

Key Takeaways

  • Fileless malware requires behavioral detection, not file signatures: EDR/XDR tools that monitor process execution, registry modifications, and network behavior are non-negotiable in 2026. Legacy antivirus alone is insufficient.

  • PowerShell is a high-risk attack surface: Restrict PowerShell via application allowlisting, Constrained Language Mode, execution policies, and Just Enough Administration (JEA). Log all PowerShell execution, especially script blocks loaded from registry or WMI sources.
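One way to act on the logging point above, as an added example that is not part of the case study: enable Script Block and Module Logging through the standard PowerShell policy registry keys, then query Event ID 4104 for script blocks that read from the registry or WMI and execute or decode what they read. The two regexes are a constructed heuristic, and the script assumes an elevated prompt.

```powershell
# Added example, not code from the case study: enable PowerShell Script Block and
# Module Logging through the standard policy registry keys, then query Event ID 4104
# for script blocks that read a registry value or WMI object and execute/decode it,
# the staging pattern used when fileless code is loaded from the registry or WMI.
# Assumes an elevated prompt on Windows PowerShell 5.1 or later.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$policy\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$policy\ScriptBlockLogging" -Name EnableScriptBlockLogging -Type DWord -Value 1
New-Item -Path "$policy\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$policy\ModuleLogging" -Name EnableModuleLogging -Type DWord -Value 1
Set-ItemProperty -Path "$policy\ModuleLogging\ModuleNames" -Name '*' -Value '*'

# Heuristic (constructed for this example): flag a script block only when it BOTH
# reads from the registry/WMI AND executes or decodes what it read.
$reads = 'Get-ItemProperty|Get-ItemPropertyValue|Registry::|Get-CimInstance|Get-WmiObject|root\\subscription'
$execs = 'Invoke-Expression|\biex\b|FromBase64String|-EncodedCommand|\[ScriptBlock\]::Create'

function Find-StagedScriptBlocks([int]$Hours = 24) {
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $text = [string]$_.Properties[2].Value          # ScriptBlockText field of a 4104 event
        if ($text -match $reads -and $text -match $execs) {
            $flat = $text -replace '\s+', ' '
            [pscustomobject]@{
                Time          = $_.TimeCreated
                ScriptBlockId = $_.Properties[3].Value
                Snippet       = $flat.Substring(0, [Math]::Min(200, $flat.Length))
            }
        }
    }
}

Find-StagedScriptBlocks -Hours 72 | Format-Table -AutoSize -Wrap
```

Any hit deserves a look at the full 4104 record; legitimate administrative scripts rarely pipe a registry value or WMI property straight into Invoke-Expression.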

  • WMI subscriptions create invisible persistence: Regularly audit WMI subscriptions and the other common persistence locations (the HKLM and HKCU Run keys, Scheduled Tasks). Treat any unexpected entries as indicators of compromise.
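The audit described in the remediation above and in this takeaway, as an added read-only script that is not part of the case study: it walks the WMI permanent event subscription chain (filter, binding, consumer) and the HKLM/HKCU Run keys and flags entries whose payload launches PowerShell, hides its window, or carries an encoded command. The suspicious-pattern regex is a constructed heuristic, and the script assumes an elevated prompt.

```powershell
# Added audit script, not code from the case study: walk the WMI permanent event
# subscription chain (filter -> binding -> consumer) and the HKLM/HKCU Run keys, and
# flag entries that launch PowerShell, hide windows, or carry encoded commands.
# Read-only: nothing is removed. Assumes an elevated prompt; the regex is a heuristic.
$ns = 'root/subscription'
$suspicious = 'powershell|pwsh|-enc|encodedcommand|-w(indowstyle)? hidden|\biex\b|invoke-expression|downloadstring|frombase64string|bypass'

# Binding references come back as CimInstance objects (Get-CimInstance) or ref strings (Get-WmiObject)
function Get-RefName($ref) {
    if ($ref -is [string]) { return ($ref -replace '.*Name="([^"]+)".*', '$1') }
    return $ref.Name
}

$filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)
$consumers = @(Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue) +
             @(Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue)
$bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)

$findings = @(foreach ($b in $bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    $filter   = $filters   | Where-Object Name -eq $fName | Select-Object -First 1
    $consumer = $consumers | Where-Object Name -eq $cName | Select-Object -First 1
    # CommandLineEventConsumer carries CommandLineTemplate; ActiveScriptEventConsumer carries ScriptText
    $payload = if ($consumer.CommandLineTemplate) { $consumer.CommandLineTemplate } else { $consumer.ScriptText }
    [pscustomobject]@{ Source = 'WMI'; Name = "$fName -> $cName"; Trigger = $filter.Query
                       Payload = $payload; Suspicious = [bool]($payload -match $suspicious) }
})

# The Run keys are logon-time persistence locations the page lists next to WMI subscriptions
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$findings += @(foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }) {
        [pscustomobject]@{ Source = 'Registry'; Name = "$key\$($p.Name)"; Trigger = 'Logon'
                           Payload = $p.Value; Suspicious = [bool]($p.Value -match $suspicious) }
    }
})

$findings | Sort-Object Suspicious -Descending | Format-Table Source, Name, Suspicious, Payload -AutoSize -Wrap
```

On a clean workstation the WMI section is normally empty or holds only entries from known management software, so anything flagged should be captured (forensic image first, as the firm did) before the binding, consumer and filter are removed.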

  • Spear-phishing targeting high-value organizations requires specialized defense: Combine email authentication (SPF, DKIM, DMARC), sandboxed attachment detonation, and security awareness training to create defense-in-depth against targeted attacks.

  • Incident response plans must include indicators of compromise for memory-based malware: Organizations should maintain relationships with digital-forensics and incident-response specialists before a compromise occurs, enabling rapid mobilization when fileless malware is suspected.