Detecting Fileless Malware with memfd_create

Fileless techniques are popular because they reduce disk artifacts. On Linux, one of the key primitives is memfd_create, which lets a process create anonymous in-memory files that can later be executed or injected.

How attackers abuse memfd_create

A common pattern:

  1. payload is fetched or decrypted in memory;
  2. payload is written to a memfd;
  3. payload is executed without touching the filesystem.

This avoids many classic “malicious file on disk” detections and complicates retrospective triage.

Why this is dangerous

Fileless execution can:

  • bypass file-based scanning and IOC workflows;
  • leave fewer forensic traces on disk;
  • enable fast in-memory staging and lateral movement.

Even short-lived payloads can do serious damage before disappearing.

How to detect with low noise

Not every memfd_create is malicious. System software uses it legitimately for IPC and runtime state. Effective detection requires:

  • alerting on suspicious combinations of process context and memfd usage (for example, a process executing an image it just created in memory);
  • suppressing known benign patterns (for example, expected system components);
  • keeping rule logic testable to avoid regressions.

SecureExec’s fileless_execution rule is designed for this balance, catching suspicious in-memory execution behavior while reducing common false positives.
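The correlation-plus-allowlist approach described above, as an added example over constructed telemetry (this is not SecureExec's rule or code): the event format, field names and the allowlist entry are assumptions, and the suppression for runc reflects its documented habit of cloning its own binary into a memfd, which you should confirm against your own baseline.

```python
"""Flag execution from an anonymous memfd, correlated with its memfd_create.

Events are dicts in a constructed tracer format: "exe" is the resolved
executable image (what /proc/<pid>/exe points at after the exec), which for
an in-memory image reads "/memfd:<name> (deleted)". "comm" is the value
captured at syscall entry.
"""
from collections import defaultdict

# Allowlist keyed on (comm, memfd name prefix). Illustrative entry only; comm is
# attacker-settable, so in production pair it with something the attacker does
# not control (parent process, cgroup, exe hash) before trusting it.
BENIGN_MEMFD_EXEC = {("runc", "runc_cloned:")}

def memfd_name(exe):
    """Return the memfd name if exe is an in-memory image, else None."""
    if not exe.startswith("/memfd:"):
        return None
    return exe[len("/memfd:"):].removesuffix(" (deleted)")

def detect(events):
    """One alert per execve/execveat whose image is a memfd. Severity is "high"
    when the same pid was seen creating that memfd (creator and executor match),
    "medium" when creation was not observed (for example, done pre-fork)."""
    created = defaultdict(list)  # pid -> [(memfd name, creation timestamp)]
    alerts = []
    for ev in events:
        if ev["syscall"] == "memfd_create":
            created[ev["pid"]].append((ev["name"], ev["ts"]))
            continue
        if ev["syscall"] not in ("execve", "execveat"):
            continue
        name = memfd_name(ev["exe"])
        if name is None:
            continue
        if any(ev["comm"] == c and name.startswith(p) for c, p in BENIGN_MEMFD_EXEC):
            continue  # expected system component, suppressed
        origin = next((c for c in created[ev["pid"]] if c[0] == name), None)
        alerts.append({"rule": "memfd_exec", "pid": ev["pid"], "ppid": ev["ppid"],
                       "comm": ev["comm"], "memfd": name,
                       "created_at": origin[1] if origin else None,
                       "severity": "high" if origin else "medium"})
    return alerts

SAMPLE_EVENTS = [  # constructed telemetry, not a real capture
    {"ts": 1, "syscall": "memfd_create", "pid": 4101, "ppid": 1, "comm": "runc", "name": "runc_cloned:/proc/self/exe"},
    {"ts": 2, "syscall": "execve", "pid": 4101, "ppid": 1, "comm": "runc", "exe": "/memfd:runc_cloned:/proc/self/exe (deleted)"},
    {"ts": 3, "syscall": "memfd_create", "pid": 5230, "ppid": 5229, "comm": "python3", "name": "x"},
    {"ts": 4, "syscall": "execve", "pid": 5230, "ppid": 5229, "comm": "python3", "exe": "/memfd:x (deleted)"},
    {"ts": 5, "syscall": "execve", "pid": 6001, "ppid": 1, "comm": "bash", "exe": "/usr/bin/ls"},
    {"ts": 6, "syscall": "execveat", "pid": 7002, "ppid": 7001, "comm": "curl", "exe": "/memfd: (deleted)"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

The runc exec is suppressed, the python3 exec is a high-severity alert carrying the creator's timestamp, and the curl exec with no observed creation still alerts at medium so responders can pivot to the parent.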

How SecureExec helps investigations

SecureExec stores both alerts and related raw events in Elasticsearch, so responders can quickly answer:

  • which process created the memfd;
  • what parent process launched it;
  • what happened before and after in the same timeline.

That context is critical for proving whether activity is benign runtime behavior or attacker-controlled execution.

Move from guesswork to evidence

Fileless tradecraft is not going away. Add deterministic telemetry, real-time alerting, and historical traceability to your Linux detection stack.

Use SecureExec to detect suspicious memfd_create behavior and investigate incidents with confidence.