Binary Executed from Shared Memory Directory
Identifies the execution of a binary by root in Linux shared memory directories: (/dev/shm/, /run/shm/, /var/run/, /var/lock/). This activity is to be considered highly abnormal and should be investigated. Threat actors have placed executables used for persistence on high-uptime servers in these directories as system backdoors.
Elastic rule
[metadata]
creation_date = "2022/05/10"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/24"

[rule]
author = ["Elastic"]
description = """
Identifies the execution of a binary by root in Linux shared memory directories: (/dev/shm/, /run/shm/, /var/run/,
/var/lock/). This activity is to be considered highly abnormal and should be investigated. Threat actors have placed
executables used for persistence on high-uptime servers in these directories as system backdoors.
"""
false_positives = [
    """
    Directories /dev/shm and /run/shm are temporary file storage directories in Linux. They are intended to appear as a
    mounted file system, but uses virtual memory instead of a persistent storage device and thus are used for mounting
    file systems in legitimate purposes.
    """,
]
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Binary Executed from Shared Memory Directory"
references = [
    "https://linuxsecurity.com/features/fileless-malware-on-linux",
    "https://twitter.com/GossiTheDog/status/1522964028284411907",
    "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor",
]
risk_score = 73
rule_id = "3f3f9fe2-d095-11ec-95dc-f661ea17fbce"
severity = "high"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
process.executable : ("/dev/shm/*", "/run/shm/*", "/var/run/*", "/var/lock/*") and
not process.executable : ("/var/run/docker/*", "/var/run/utsns/*", "/var/run/s6/*", "/var/run/cloudera-scm-agent/*") and
user.id == "0"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
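To show how the query's clauses combine, here is an added Python re-implementation of the rule's predicate (not Elastic's code) run over a handful of constructed process-start events. It assumes events are flattened ECS documents keyed by dotted field name, and it treats the EQL `:` operator as a case-insensitive wildcard match, which is how Elasticsearch evaluates it.

```python
from fnmatch import fnmatchcase

# Patterns and values copied from the rule's EQL query
SHM_DIRS = ("/dev/shm/*", "/run/shm/*", "/var/run/*", "/var/lock/*")
EXCLUDED = ("/var/run/docker/*", "/var/run/utsns/*", "/var/run/s6/*",
            "/var/run/cloudera-scm-agent/*")
EXEC_ACTIONS = ("exec", "exec_event")


def _wild(value: str, patterns) -> bool:
    # EQL ':' is a case-insensitive wildcard match; fnmatch's '*' also spans '/'
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)


def matches_rule(event: dict) -> bool:
    """True when one flattened-ECS process event satisfies every clause of the query."""
    exe = event.get("process.executable") or ""
    return (
        event.get("host.os.type") == "linux"
        and event.get("event.type") == "start"
        and event.get("event.action") in EXEC_ACTIONS
        and _wild(exe, SHM_DIRS)
        and not _wild(exe, EXCLUDED)
        and event.get("user.id") == "0"
    )


def alerting_executables(events) -> list:
    """Executable paths of the events that would raise this alert, in input order."""
    return [e["process.executable"] for e in events if matches_rule(e)]


def _ev(exe, uid="0", etype="start", action="exec", os="linux"):
    # Helper to build a constructed event (assumed flattened ECS field names)
    return {"host.os.type": os, "event.type": etype, "event.action": action,
            "process.executable": exe, "user.id": uid}


# Constructed sample events; the paths are placeholders, not real indicators
SAMPLE_EVENTS = [
    _ev("/dev/shm/svc_worker"),                          # root exec from /dev/shm -> alert
    _ev("/var/run/docker/runtime-runc/init"),            # excluded docker path -> no alert
    _ev("/dev/shm/build_helper", uid="1000"),            # not root -> no alert
    _ev("/usr/bin/bash"),                                # normal location -> no alert
    _ev("/var/lock/lockd_helper", action="exec_event"),  # Endgame action -> alert
    _ev("/run/shm/agent", etype="end"),                  # process end, not start -> no alert
]

if __name__ == "__main__":
    print(alerting_executables(SAMPLE_EVENTS))
```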
Related rules
- Process Started from Process ID (PID) File
- BPF filter applied using TC
- Cron Job Created or Changed by Previously Unknown Process
- Interactive Terminal Spawned via Perl
- Interactive Terminal Spawned via Python