What does FILELESS TTP mean?

The Fileless TTP is something that can apply to most script interpreters, such as Python, Powershell, Ruby, etc. Due to the wide range of interpreters, the details are necessarily different for each, but essentially we look for indicators of a command line execution of arbitrary input. For Powershell, -command is one such indicator.

Fileless behavior can be an indicator of compromise but also occurs in perfectly legitimate applications. If it is an on disk script subsequently performing fileless activity, this model is also common to malicious code. The TTP: FILELESS is appropriate in this case even though the script is not itself malicious.