Process Execution From Shared Memory Directory

Original Source: [Sigma source]
Title: Process Execution From Shared Memory Directory
Status: experimental
Description: Detects the execution of a binary from the Linux shared memory directory /dev/shm. This directory is a tmpfs mount backed entirely by RAM and is abused by attackers for fileless malware staging because files written there never touch physical disk and may evade disk-based detection.
References:
  - https://www.sysdig.com/blog/containers-read-only-fileless-malware
  - https://unfinished.bike/fun-with-the-new-bpfdoor-2023
  - https://asiapacificdefencereporter.com/wp-content/uploads/2023/08/Final-CRWD-2023-Threat-Hunting-Report.pdf
  - https://www.crowdstrike.com/en-us/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/
  - https://www.linkedin.com/posts/avradeep_malware-apt-infostealer-activity-7373203959697719296-JR-7
  - https://www.stormshield.com/news/orbit-analysis-of-a-linux-dedicated-malware/
Author: Stan Beukers
Date: 2026-06-20
Modified: None
Tags:
  • attack.stealth
  • attack.execution
  • attack.t1027.011
Logsource:
  • category: process_creation
  • product: linux
Detection:
  selection:
    Image|startswith: '/dev/shm/'
  condition: selection
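To make the selection's behaviour concrete, the following Python snippet is an added example (not part of the Sigma rule or any of its referenced sources) that applies the `Image|startswith: '/dev/shm/'` logic to a handful of constructed process_creation events. The event dataclass, the sample paths and the `alert` output shape are assumptions for illustration; Sigma's default case-insensitive string matching is reproduced with `casefold()`.

```python
"""Apply the Sigma selection `Image|startswith: '/dev/shm/'` to
process_creation events.  Added illustration; not the rule's own code."""
from dataclasses import dataclass

# Prefix taken verbatim from the rule's selection.  The trailing slash matters:
# it keeps sibling directories such as /dev/shmx/ from matching.
RULE_PREFIX = "/dev/shm/"
RULE_LEVEL = "high"
RULE_TAGS = ("attack.stealth", "attack.execution", "attack.t1027.011")


@dataclass(frozen=True)
class ProcessCreationEvent:
    """Minimal process_creation record (field names follow Sigma's taxonomy)."""
    image: str          # Image: full path of the executed binary
    command_line: str   # CommandLine
    parent_image: str   # ParentImage


def sigma_startswith(value: str, prefix: str) -> bool:
    """Sigma string matching is case-insensitive unless the `cased` modifier
    is used, so both sides are case-folded before the prefix test."""
    return value.casefold().startswith(prefix.casefold())


def matches_shm_execution(event: ProcessCreationEvent) -> bool:
    """The selection consults only the Image field.  A command line that merely
    references /dev/shm (for example an IPC lock file read by `cat`) does not
    satisfy it, which is why ordinary /dev/shm users are not flagged."""
    return sigma_startswith(event.image, RULE_PREFIX)


def alert(event: ProcessCreationEvent) -> dict:
    """Hypothetical alert record built from the rule's metadata."""
    return {
        "title": "Process Execution From Shared Memory Directory",
        "level": RULE_LEVEL,
        "tags": list(RULE_TAGS),
        "image": event.image,
        "parent_image": event.parent_image,
    }


def evaluate(events) -> list:
    """Return one alert per event that satisfies the selection."""
    return [alert(e) for e in events if matches_shm_execution(e)]


# Constructed sample events (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    # Binary staged in /dev/shm and executed directly: matches.
    ProcessCreationEvent("/dev/shm/.x/payload", "/dev/shm/.x/payload -c 1", "/bin/bash"),
    # Interpreter reads a script from /dev/shm: Image is the interpreter, so
    # this selection does not fire; scripts need a CommandLine-based rule.
    ProcessCreationEvent("/usr/bin/python3", "python3 /dev/shm/script.py", "/bin/bash"),
    # IPC artefact read from /dev/shm, nothing executed from it: no match.
    ProcessCreationEvent("/bin/cat", "cat /dev/shm/sem.lock", "/usr/bin/containerd"),
    # Sibling directory name sharing the prefix text: the slash excludes it.
    ProcessCreationEvent("/dev/shmx/tool", "/dev/shmx/tool", "/bin/sh"),
    # Case variant: matched under Sigma's case-insensitive default.
    ProcessCreationEvent("/DEV/SHM/loader", "/DEV/SHM/loader", "/bin/sh"),
]


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(a)
```

The second sample event illustrates the rule's main blind spot: an interpreted script staged in /dev/shm is launched by an interpreter whose Image lives elsewhere, so catching it requires a separate selection on CommandLine rather than a change to this one.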
Falsepositives:
  - Unlikely in production environments; some container runtimes or IPC frameworks may use /dev/shm for inter-process communication but should not spawn executables.
Level: high