This post describes a novel technique combining osquery, YARA, and the Linux /proc filesystem to detect fileless and in-memory malware on Linux systems.
• osquery's YARA table requires a mandatory file_path argument, making it unable to scan processes with no backing file on disk
• The /proc/<pid>/map_files/ directory exposes a process's memory-mapped regions as virtual files, satisfying the file_path requirement
• Processes where on_disk=0 can be identified via osquery's processes table to surface orphaned or unlinked executables
• A SQL sub-SELECT dynamically generates suspicious PIDs and uses SQLITE CONCAT to craft file_path arguments for YARA scanning
• The technique is demonstrated by detecting the Sliver C2 post-exploitation framework running in-memory using open-source YARA rules
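The query below is an added illustration of the approach the bullets describe, not code from the original post. It assumes osquery's processes, file and yara tables (the yara table's required column is named path, and concatenation is written with SQLite's || operator); the rule file path is a placeholder, and listing /proc/<pid>/map_files/ requires osquery to run as root.

```sql
-- Scan the memory-mapped regions of processes whose executable no longer
-- exists on disk (on_disk = 0) with a YARA rule file.
-- /proc/<pid>/map_files/ entries give the yara table a path to scan even
-- when the original binary was deleted or never touched disk.
SELECT
  p.pid,
  p.name,
  p.cmdline,
  y.path     AS mapped_region,   -- e.g. /proc/1234/map_files/<start>-<end>
  y.sigrule,                     -- name of the rule that fired
  y.matches,
  y.count
FROM processes AS p
-- enumerate the map_files entries of each candidate process;
-- the path prefix is built with SQLite string concatenation (||)
JOIN file AS f
  ON f.path LIKE '/proc/' || p.pid || '/map_files/%'
-- hand every mapped region to the yara table as its required path
JOIN yara AS y
  ON y.path = f.path
 AND y.sigfile = '/etc/osquery/yara/sliver.yar'  -- placeholder rule file
WHERE p.pid IN (
  -- sub-SELECT: candidate PIDs are processes with no backing file on disk
  SELECT pid FROM processes WHERE on_disk = 0
)
  AND y.count > 0;
```

Restricting the candidate set to on_disk = 0 keeps the scan cheap; widening the sub-SELECT (for example to processes whose path is under /tmp or /dev/shm) trades cost for coverage.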