Quote:
Originally Posted by deroko
Actually if I remember correctly, a few years back some guys found bug in windows driver, and managed to store whole exploit/shellcode in wrongly parsed registry key (which driver parsed during boot). This could count as fileless persistent code 
I don't remember who did it, or how article or poc was named. Was long time ago, if somebody remembers would be awesome to post link |
The most famous fileless persistance was done by Poweliks, then by Kovter, and then by malware named Phase.
Poweliks: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3377
Kovter: https://www.symantec.com/connect/blogs/kovter-malware-learns-poweliks-persistent-fileless-registry-update
Phase: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3628