Memfd object created

Goal

Detect the creation of memfd objects. Memfd objects may allow fileless process execution.

Strategy

Adversaries may leverage the creation of memory backed objects to conceal the execution of malicious payloads. Executing payloads directly in memory avoids creating files or other artifacts on disk.

Triage and response

  1. Review the memfd object and parent process.
  2. If the object is unexpected, determine the scope, identify enabling conditions, and gather incident indicators.
  3. Declare an incident once it is determined the event meets organizational criteria for notification and reporting.
  4. Attempt to contain the compromise. Containment actions may include isolation of the affected workload, disabling functions, or termination. The actions may vary depending on the severity of the incident and the risk tolerance of your organization.
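As an added example that is not part of Datadog's rule or Agent code, the following Python helper supports triage step 1: given a snapshot of `/proc` (a constructed sample is embedded), it lists every process that executes from or holds open a memfd object, separates true fileless execution (the process image itself is the memfd) from a process that merely has a memfd open, and returns the parent chain for review. The `/memfd:<name> (deleted)` link format is what the Linux kernel exposes; the sample pids, command names and paths are hypothetical.

```python
import re
from dataclasses import dataclass

# Link targets of memfd objects read "/memfd:<name> (deleted)" in /proc/<pid>/exe and /proc/<pid>/fd/*.
MEMFD_RE = re.compile(r"^/memfd:(?P<name>.*?) \(deleted\)$")

# Constructed sample snapshot, {pid: (ppid, comm, exe_link, [fd_links])}; all values are hypothetical.
# On a live host the same structure comes from /proc/<pid>/status (PPid), /proc/<pid>/comm and
# os.readlink() on /proc/<pid>/exe and /proc/<pid>/fd/*.
SAMPLE_PROC = {
    1: (0, "systemd", "/usr/lib/systemd/systemd", []),
    1200: (1, "sshd", "/usr/sbin/sshd", ["socket:[12345]"]),
    4410: (1200, "bash", "/usr/bin/bash", ["/dev/pts/0"]),
    4415: (4410, "loader", "/memfd:payload (deleted)", ["/memfd:payload (deleted)", "socket:[55555]"]),
    4420: (4410, "python3", "/usr/bin/python3", ["/memfd:shm_cache (deleted)"]),
}

@dataclass
class Finding:
    pid: int
    names: list      # memfd names chosen by the creating process
    executed: bool   # True when the process image itself is a memfd (fileless execution)
    ancestry: list   # [(pid, comm), ...] from the process up to init

def ancestry(proc, pid):
    """Walk parent pointers so the analyst sees who spawned the process (triage step 1)."""
    chain = []
    while pid in proc:
        ppid, comm, _, _ = proc[pid]
        chain.append((pid, comm))
        pid = ppid
    return chain

def find_memfd(proc):
    """Return a Finding for every process that executes from or holds open a memfd object."""
    findings = []
    for pid, (_, _, exe, fds) in proc.items():
        exe_match = MEMFD_RE.match(exe)
        names = {m["name"] for m in map(MEMFD_RE.match, fds) if m}
        if exe_match:
            names.add(exe_match["name"])
        if names:
            findings.append(Finding(pid, sorted(names), exe_match is not None, ancestry(proc, pid)))
    return findings

if __name__ == "__main__":
    for finding in find_memfd(SAMPLE_PROC):
        print(finding)
```

A memfd held open by a process such as a runtime or cache is common and benign; an `executed` finding, or an unexpected parent in the ancestry chain, is what warrants the scoping in step 2.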

Requires Agent version 7.42 or greater