Memory-Mapped Files: The Stealthy Cyberattack Technique Evading Detection

Listen to this Post

Featured Image

Introduction:

Memory-mapped files (MMFs) allow processes to access files directly via system memory, bypassing traditional file I/O operations. Cyber adversaries exploit this to evade logging and monitoring, making attacks harder to detect. Understanding MMF abuse is critical for defenders to enhance detection strategies.

Learning Objectives:

  • Learn how memory-mapped files bypass file system logging.
  • Discover detection techniques for MMF-based attacks.
  • Apply defensive measures to mitigate MMF exploitation.

You Should Know:

1. How Memory-Mapped Files Work

Windows Command:

 Create a memory-mapped file in PowerShell 
$mmf = [System.IO.MemoryMappedFiles.MemoryMappedFile]::CreateFromFile("C:\target.exe", "ReadWrite") 

Explanation:

This PowerShell snippet maps `target.exe` into memory, allowing stealthy modifications without triggering file-write logs. Attackers use this to hide malicious payloads in legitimate processes.

2. Detecting Malicious MMF Usage

Linux Command:

 List memory-mapped files of a process 
sudo pmap -X <PID> 

Explanation:

`pmap` reveals memory regions mapped by a process. Unusual executable mappings (e.g., non-standard paths) may indicate exploitation.

3. Monitoring MMF Activity with Sysmon

Windows Sysmon Configuration:

<RuleGroup name="MMF Monitoring"> 
<FileCreate onmatch="include"> 
<TargetFilename condition="contains">.dat</TargetFilename> 
</FileCreate> 
</RuleGroup> 

Explanation:

Sysmon logs file creation events, but MMFs often evade this. Custom rules help flag suspicious memory-mapped file interactions.

4. Analyzing MMFs with Volatility (Memory Forensics)

Volatility Command:

volatility -f memory.dump --profile=Win10x64_19041 memmap 

Explanation:

This command extracts memory-mapped file artifacts from a dump, revealing hidden malicious payloads.

5. Hardening Against MMF Exploits

Windows GPO Mitigation:

 Disable unnecessary memory-mapped I/O 
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -Name "ProtectionMode" -Value 1 

Explanation:

Enabling `ProtectionMode` restricts untrusted memory mappings, reducing attack surfaces.

What Undercode Say:

  • Key Takeaway 1: Memory-mapped files are a powerful evasion tool, requiring advanced monitoring beyond filesystem logs.
  • Key Takeaway 2: Combining Sysmon, memory forensics, and least-privilege policies is essential for detection.

Analysis:

As adversaries refine fileless techniques, defenders must shift focus to memory-based detection. Traditional AV solutions often miss MMF abuse, making behavioral analysis and EDR tools critical. Future attacks may leverage MMFs in ransomware to bypass backups, escalating the need for real-time memory monitoring.

Prediction:

Memory-mapped file attacks will grow as malware authors adopt fileless techniques. Organizations investing in memory forensics and anomaly-based detection will lead in mitigating these stealthy threats.

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Sam Bent – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky