This artifact will parse /proc/*/exe files and look for processes that have been executed from memory via memfd_create()
name: Linux.Detection.MemFD
author: alternate
description: |
This artifact will parse /proc/*/exe files and look for processes
that have been executed from memory via memfd_create()
reference:
- https://github.com/4ltern4te/velociraptor-contrib/blob/main/Linux.Detection.MemFD/README.md
type: CLIENT
precondition: SELECT OS From info() where OS = "linux"
parameters:
- name: FileNameGlob
description: Glob pattern to search
default: "/proc/*/exe"
type: str
- name: SearchRegex
description: Pattern to match looking for memfd executions
default: ^\/memfd:.*?\(deleted\)
type: regex
sources:
- name: findMemFD
query: |
SELECT * FROM glob(globs=FileNameGlob, accessor='file') WHERE Data.Link =~ SearchRegex