Binary Executed from Shared Memory Directory

About

Tags

Domain: EndpointOS: LinuxUse Case: Threat DetectionTactic: ExecutionThreat: BPFDoorData Source: Elastic EndgameData Source: Elastic DefendLanguage: eql

Severity

high

Risk Score

73

MITRE ATT&CK™

Execution (TA0002)(opens in a new tab or window)

↳ Command and Scripting Interpreter (T1059)(opens in a new tab or window)

False Positive Examples

Directories /dev/shm and /run/shm are temporary file storage directories in Linux. They are intended to appear as a mounted file system, but uses virtual memory instead of a persistent storage device and thus are used for mounting file systems in legitimate purposes.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type

Event Correlation Rule

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

endgame-*logs-endpoint.events.process*

Related Integrations

endpoint(opens in a new tab or window)

Query

process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
user.id == "0" and process.executable : ("/dev/shm/*", "/run/shm/*", "/var/run/*", "/var/lock/*") and
not process.executable : ("/var/run/docker/*", "/var/run/utsns/*", "/var/run/s6/*", "/var/run/cloudera-scm-agent/*",
"/var/run/argo/argoexec") and not process.parent.command_line : "/usr/bin/runc init"