Memfd object created

Goal

Detect the creation of memfd objects. Memfd objects may allow fileless process execution.

Strategy

Adversaries may leverage the creation of memory-backed file objects (memfd_create) to conceal the execution of malicious payloads. Executing payloads directly from memory avoids creating files or other artifacts on disk, so the usual file-based indicators (a binary on disk, its hash, its path) never exist.

Triage and response

  1. Review the memfd object and parent process.
  2. If the object is unexpected, determine the scope, identify enabling conditions, and gather incident indicators.
  3. Declare an incident once it is determined the event meets organizational criteria for notification and reporting.
  4. Attempt to contain the compromise. Containment actions may include isolation of the affected workload, disabling functions, or termination. The actions may vary depending on the severity of the incident and the risk tolerance of your organization.
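The following is an added triage example, not part of this rule or the Datadog Agent's detection logic, that supports step 1: on Linux, a process running from or mapping a memfd object exposes it in /proc/<pid>/exe and /proc/<pid>/maps as a path of the form "/memfd:<name> (deleted)", so a responder can confirm the object and its parent from /proc. The process records below are constructed sample data; the collect_live_processes() helper reads a real /proc tree and is only useful on a Linux host with sufficient privileges. The severity scale (high/medium/low) is an assumption of this example, chosen to separate executable memfd use from the common benign shared-memory use by desktop and logging daemons.

```python
"""Added example: confirm memfd-backed execution from /proc for triage step 1."""
import os
import re
from typing import Dict, List, Optional, Tuple

# /proc/<pid>/exe and /proc/<pid>/maps render a memfd object as "/memfd:<name> (deleted)";
# the "(deleted)" suffix is present because the object never existed on a filesystem.
MEMFD_RE = re.compile(r"^/memfd:(?P<name>.*?)(?: \(deleted\))?$")


def memfd_name(path: str) -> Optional[str]:
    """Return the memfd name embedded in a path, or None for an ordinary file."""
    m = MEMFD_RE.match(path.strip())
    return m.group("name") if m else None


def memfd_mappings(maps_text: str) -> List[Tuple[str, str]]:
    """Return (name, perms) for each memfd-backed line in a /proc/<pid>/maps listing.

    Lines look like "<start>-<end> <perms> <offset> <dev> <inode> <path>"; the path
    column may contain spaces, hence maxsplit=5. Anonymous mappings have no path.
    """
    found: List[Tuple[str, str]] = []
    for line in maps_text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) < 6:
            continue
        perms, path = parts[1], parts[5]
        name = memfd_name(path)
        if name is not None:
            found.append((name, perms))
    return found


def triage_process(proc: Dict) -> Optional[Dict]:
    """Produce a finding for a process that executes from or maps a memfd object.

    Severity (assumed scale for this example): "high" when the main executable itself
    is a memfd object, "medium" when a memfd mapping is executable, "low" when the
    object is only mapped read/write (typical of shared-memory IPC).
    """
    exe_name = memfd_name(proc["exe"])
    mapped = memfd_mappings(proc["maps"])
    if exe_name is None and not mapped:
        return None
    if exe_name is not None:
        severity = "high"
    elif any("x" in perms for _, perms in mapped):
        severity = "medium"
    else:
        severity = "low"
    names = {n for n, _ in mapped}
    if exe_name is not None:
        names.add(exe_name)
    return {
        "pid": proc["pid"], "ppid": proc["ppid"], "comm": proc["comm"],
        "exe_is_memfd": exe_name is not None,
        "memfd_objects": sorted(names), "severity": severity,
    }


def scan_records(records: List[Dict]) -> List[Dict]:
    """Run triage_process over a list of process records and keep the findings."""
    return [f for f in (triage_process(r) for r in records) if f is not None]


def collect_live_processes(proc_root: str = "/proc") -> List[Dict]:
    """Build process records from a live Linux /proc (needs privileges for other users' processes)."""
    records = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "maps")) as fh:
                maps = fh.read()
            with open(os.path.join(base, "status")) as fh:
                status = fh.read()
        except OSError:
            continue  # process exited or is not readable
        fields = dict(line.split(":", 1) for line in status.splitlines() if ":" in line)
        records.append({"pid": int(entry), "ppid": int(fields.get("PPid", "0").strip()),
                        "comm": fields.get("Name", "").strip(), "exe": exe, "maps": maps})
    return records


# Constructed sample records (not captured from a real host).
SAMPLE_PROCESSES = [
    {  # ordinary binary: file-backed and anonymous mappings only
        "pid": 4242, "ppid": 4100, "comm": "curl", "exe": "/usr/bin/curl",
        "maps": "55d0c1a00000-55d0c1a5c000 r-xp 00000000 08:01 131203   /usr/bin/curl\n"
                "7f2e1c000000-7f2e1c021000 rw-p 00000000 00:00 0\n",
    },
    {  # executable image lives only in a memfd object; parent is the curl process above
        "pid": 5151, "ppid": 4242, "comm": "3", "exe": "/memfd:payload (deleted)",
        "maps": "7f3a4c000000-7f3a4c021000 r-xp 00000000 00:01 1234   /memfd:payload (deleted)\n"
                "7f3a4c021000-7f3a4c023000 rw-p 00021000 00:01 1234   /memfd:payload (deleted)\n",
    },
    {  # benign shared-memory use: memfd mapped read/write, never executed
        "pid": 6161, "ppid": 1, "comm": "pulseaudio", "exe": "/usr/bin/pulseaudio",
        "maps": "7f1100000000-7f1100400000 rw-s 00000000 00:01 777   /memfd:pulseaudio (deleted)\n",
    },
]

if __name__ == "__main__":
    for finding in scan_records(SAMPLE_PROCESSES):
        print(finding)
```

Running it against the sample records reports pid 5151 as high (its executable is the memfd object, parent pid 4242) and pid 6161 as low (read/write shared memory), while pid 4242 produces no finding. On a live host, replace SAMPLE_PROCESSES with collect_live_processes() and review the ppid and comm of each high finding before moving to scoping and containment.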

Requires Agent version 7.42 or greater