https://detection.fyi/tags/attack.t1027.011/ Recent content in attack.t1027.011 on Detection.FYI Hugo -- gohugo.io Wed, 24 Jun 2026 16:46:33 +0000 https://detection.fyi/sigmahq/sigma/linux/process_creation/proc_creation_lnx_susp_exec_from_dev_shm/ Wed, 24 Jun 2026 16:46:33 +0000 https://detection.fyi/sigmahq/sigma/linux/process_creation/proc_creation_lnx_susp_exec_from_dev_shm/ Detects the execution of a binary from the Linux shared memory directory /dev/shm. This directory is a tmpfs mount backed entirely by RAM and is abused by attackers for fileless malware staging because files written there never touch physical disk and may evade disk-based detection.