Process Execution From Shared Memory Directory

calendar Jun 24, 2026 · attack.stealth attack.execution attack.t1027.011  ·
Share on: linkedin copy

Detects the execution of a binary from the Linux shared memory directory /dev/shm. This directory is a tmpfs mount backed entirely by RAM and is abused by attackers for fileless malware staging because files written there never touch physical disk and may evade disk-based detection.

Sigma rule (View on GitHub)

 1title: Process Execution From Shared Memory Directory
 2id: 5cd16c8f-44a6-4654-81e7-a84d6db507d4
 3status: experimental
 4description: |
 5    Detects the execution of a binary from the Linux shared memory directory /dev/shm.
 6    This directory is a tmpfs mount backed entirely by RAM and is abused by attackers for fileless malware staging because files written there never touch physical disk and may evade disk-based detection.    
 7references:
 8    - https://www.sysdig.com/blog/containers-read-only-fileless-malware
 9    - https://unfinished.bike/fun-with-the-new-bpfdoor-2023
10    - https://asiapacificdefencereporter.com/wp-content/uploads/2023/08/Final-CRWD-2023-Threat-Hunting-Report.pdf
11    - https://www.crowdstrike.com/en-us/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/
12    - https://www.linkedin.com/posts/avradeep_malware-apt-infostealer-activity-7373203959697719296-JR-7
13    - https://www.stormshield.com/news/orbit-analysis-of-a-linux-dedicated-malware/
14author: Stan Beukers
15date: 2026-06-20
16tags:
17    - attack.stealth
18    - attack.execution
19    - attack.t1027.011
20logsource:
21    category: process_creation
22    product: linux
23detection:
24    selection:
25        Image|startswith: '/dev/shm/'
26    condition: selection
27falsepositives:
28    - Unlikely in production environments; some container runtimes or IPC frameworks may use /dev/shm for inter-process communication but should not spawn executables.
29level: high

References

  • Fileless malware mitigation | Sysdig

    A read-only file system will not provide adequate protection to mitigate all vulnerabilities exploited via fileless malware techniques.


    Read More

  • Fun with the new bpfdoor (2023)

    I was recently provided a sample of the recently announced stealthier variant of bpfdoor, malware targeting Linux that is almost certainl...


    Read More

  • ·ÝbÖ²$¥×àòÞÞî§OÂ'}â®™\e#aHc€ÑŒêª¸ˆ\&•ÈԸѪgYŠ$TjL¡28l4(±h·�#P9ŒÉaå¿uŒ¸ì& ò ®³ëÔ“ ArÒY­ñõl†RÁæôY¶ÃsË-¾UŠÎMúÕd±ZÉzíZzðñ3ù¬ãyÐ#6›Ù�Wµ%v†oDö�—kçåZÊ°Tõ|û"xÕ=5¬�’)%Ýbq¿Xá&óx4³i2ÍgòÍv...


    Read More

  • How to Hunt for DecisiveArchitect and Its JustForFun Implant | CrowdStrike

    CrowdStrike outlines the best methods to hunt for the JustForFun implant used by DecisiveArchitect to target global telecommunications companies.


    Read More

  • Why attackers prefer /dev/shm over /tmp: a cybersecurity risk | Avradeep Bhattacharya posted on the topic | LinkedIn

    🤔 Ever wondered why attackers love "/dev/shm" even more than /tmp? Because it’s not just temporary storage, it’s shared memory mapped as executable by default on many Linux systems. As a result malicious payloads can live entirely in memory, leaving almost no trace on disk. To make matters worse: 👉 Traditional file integrity monitoring tools often skip it. 👉 Memory-resident malware in /dev/shm can survive long enough to exfiltrate data or escalate privileges. 👉 Many admins secure /tmp, but forget /dev/shm is just as dangerous. Quick wins to harden it: ✅ Remount /dev/shm with noexec,nosuid,nodev. ✅ Monitor processes mapping executable pages from shared memory. ✅ Treat /dev/shm with the same scrutiny you give /tmp. Sometimes the most dangerous backdoors aren’t hidden deep in code — they’re right in the filesystem we all take for granted. #malware #apt #infostealer #ransomware #bug #linux #cybersecurity #infosec #security #payload #bug #security #technology #engineering #boredtoolbox


    Read More

  • https://www.stormshield.com/news/orbit-analysis-of-a-linux-dedicated-malware/


    Read More

Related rules

to-top