Memfd object created

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Detect the creation of memfd objects. Memfd objects may allow fileless process execution.

Strategy

Adversaries may leverage the creation of memory backed objects to conceal the execution of malicious payloads. Executing payloads directly in memory avoids creating files or other artifacts on disk.

Triage and response

  1. Review the memfd object and parent process.
  2. If the object is unexpected, determine the scope, identify enabling conditions, and gather incident indicators.
  3. Declare an incident once it is determined the event meets organizational criteria for notification and reporting.
  4. Attempt to contain the compromise. Containment actions may include isolation of the affected workload, disabling functions, or termination. The actions may vary depending on the severity of the incident and and the risk tolerance of your organization.

Requires Agent version 7.42 or greater